
Post on 21-Dec-2015


Access Control Lists (ACLs)

• Purpose
– To grant other users permission to access/modify files and/or directories
– To deny access to the files/directories to the rest of the world

To grant permission: setfacl

• Note: Must be logged into ub for setfacl to work.

• Setfacl needs access to a password file to give access to a certain user.

• If logged onto CSdev machines, setfacl looks in the local password file and fails to find the user.

The setfacl command

• For granting a user read permission for a file, the entry looks like

• user:jtorgers:r--

• This only works if the mask entry allows it.

The mask entry

• Makes it easy to turn off/on permission simultaneously for multiple users

• The effective permission is the AND operation applied to the user entry and mask entry

• If user entry is r-- and mask is rw-, effective permission is r--

• If user entry is r-- and mask is ---, effective permission is --- (no permission)

Setfacl for directories

• Using setfacl to set permissions for a directory causes all files and directories in that directory to have the same permissions as that directory.

Viewing current permissions: getfacl

• getfacl filename

• shows:
– owner of file
– permissions for user, group, other
– all users who have access
– mask entry
– effective permissions
– default permissions

Permission for a file

• grants user jtorgers read permission for file test2

ub.d.umn.edu14% setfacl -m u:jtorgers:r-- test2

(-m means modify)

Current permissions for a file

ub.d.umn.edu3% getfacl test2

# file: test2
# owner: kvanhorn
# group: student
user::rw-
user:jtorgers:r--       #effective:---
group::---              #effective:---
mask:---
other:---

Need to set mask entry in order for read permissions to be effective

Mask entry for file permission

• Effective permission for jtorgers is now r--

ub.d.umn.edu14% setfacl -m m:r-- test2

File permissions

ub.d.umn.edu5% getfacl test2

# file: test2
# owner: kvanhorn
# group: student
user::rw-
user:jtorgers:r--       #effective:r--
group::---              #effective:---
mask:r--
other:---

Permissions for a directory

• Grant user jtorgers access to directory test2dir

• Since mask is not set, effective permissions will still be ---

ub.d.umn.edu14% setfacl -m u:jtorgers:rwx test2dir

Permissions for a directory

ub.d.umn.edu7% getfacl test2dir

# file: test2dir
# owner: kvanhorn
# group: student
user::rwx
user:jtorgers:rwx       #effective:---
group::---              #effective:---
mask:---
other:---

Mask entry for a directory

• Now jtorgers can access directory test2dir

ub.d.umn.edu14% setfacl -m m:rwx test2dir

Permissions for a directory

ub.d.umn.edu9% getfacl test2dir

# file: test2dir
# owner: kvanhorn
# group: student
user::rwx
user:jtorgers:rwx       #effective:rwx
group::---              #effective:---
mask:rwx
other:---

Setting defaults for a directory

• Sets defaults for all files and directories created in test2dir in the future

• All 4 defaults must be set here (user, group, other, mask)

ub.d.umn.edu10% setfacl -m d:u::rwx,d:g::---,d:o:---,d:m:rwx test2dir

Defaults for a directory

ub.d.umn.edu11% getfacl test2dir

# file: test2dir
# owner: kvanhorn
# group: student
user::rwx
user:jtorgers:rwx       #effective:rwx
group::---              #effective:---
mask:rwx
other:---
default:user::rwx
default:group::---
default:mask:rwx
default:other:---

Set permissions for another user

• jtorgers is now able to create files in the directory test2dir

ub.d.umn.edu12% setfacl -m d:u:jtorgers:rwx test2dir

Permissions for another user

ub.d.umn.edu13% getfacl test2dir

# file: test2dir
# owner: kvanhorn
# group: student
user::rwx
user:jtorgers:rwx       #effective:rwx
group::---              #effective:---
mask:rwx
other:---
default:user::rwx
default:user:jtorgers:rwx
default:group::---
default:mask:rwx
default:other:---
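The mask rule from "The mask entry" slide, and the setfacl -m entries used in the test2 and test2dir examples above, modelled as an added Python example (not part of the original slides). The getfacl text is constructed to match the slide output for test2; the parser follows the Solaris-style format shown on the slides (mask: and other: without a qualifier field).

```python
# Added example, not from the slides: the getfacl format shown above and the mask rule.
PERM_BITS = {"r": 4, "w": 2, "x": 1}
TAGS = {"u": "user", "g": "group", "m": "mask", "o": "other"}
# Constructed to match the slides' getfacl output for test2 before the mask was set.
TEST2_BEFORE_MASK = """# file: test2
# owner: kvanhorn
# group: student
user::rw-
user:jtorgers:r--   #effective:---
group::---          #effective:---
mask:---
other:---
"""
def parse_perms(s):   # 'r--' -> 4
    return sum(PERM_BITS[c] for c in s if c in PERM_BITS)
def fmt_perms(n):     # 4 -> 'r--'
    return "".join(c if n & b else "-" for c, b in PERM_BITS.items())

def strip_default(fields, marker):   # marker is 'default' in getfacl output, 'd' in setfacl specs
    return ("default:", fields[1:]) if fields[0] == marker else ("", fields)

def parse_getfacl(text):
    """Return [(tag, qualifier, perms)]; '#effective:' columns are derived, so dropped."""
    acl = []
    for line in text.splitlines():
        fields = line.split("#")[0].strip().split(":")
        if fields == [""]:
            continue                                  # blank or '#' comment line
        prefix, fields = strip_default(fields, "default")
        qual = fields[1] if len(fields) == 3 else ""  # mask:/other: carry no qualifier
        acl.append((prefix + fields[0], qual, parse_perms(fields[-1])))
    return acl

def effective(acl):
    """entry AND mask for named users/groups and the owning group; owner, mask, other unmasked."""
    mask = next((p for t, _, p in acl if t == "mask"), 7)
    result = {}
    for tag, qual, perms in acl:
        if not tag.startswith("default:"):
            unmasked = tag in ("mask", "other") or (tag, qual) == ("user", "")
            result[f"{tag}:{qual}"] = perms if unmasked else perms & mask
    return result

def modify(acl, spec):
    """Apply one 'setfacl -m' entry from the slides ('u:jtorgers:r--', 'm:r--', 'd:u::rwx')."""
    prefix, fields = strip_default(spec.split(":"), "d")
    tag, qual = prefix + TAGS[fields[0]], fields[1] if len(fields) == 3 else ""
    # an existing entry with the same tag and qualifier is replaced
    return [e for e in acl if e[:2] != (tag, qual)] + [(tag, qual, parse_perms(fields[-1]))]
```

Running `effective(modify(parse_getfacl(TEST2_BEFORE_MASK), "m:r--"))` reproduces the slide: jtorgers goes from effective --- to r--, while raising the user entry to rw- under a mask of r-- still yields r--.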

Accessing another user’s files

• jtorgers can log in and go to kvanhorn’s test2dir and create a file called “stuff”

• However, jtorgers must grant kvanhorn permission to access the file “stuff”

ub.d.umn.edu14% setfacl -m u:kvanhorn:rw- stuff

Note: the mask default was already set

Restoring permissions for a modified file

• If jtorgers uses emacs to modify and save her own file “stuff”, the ACLs of the new version will be different

• kvanhorn will not have access to “stuff”, but kvanhorn can still access the old version of “stuff” which is now “stuff~”

• ACLs of “stuff” can be restored by

ub.d.umn.edu14% getfacl stuff~ | setfacl -f - stuff

Changing the way files are saved

• Can redefine the way files are saved so a previous version “stuff~” isn’t created

• The ACLs for the newly modified version will remain the same as before

• Add the following lines to .emacs:

;; keyboard macro: M-0 M-x save-buffer RET; a numeric argument of 0 tells
;; save-buffer never to make the previous version into a backup file (no "stuff~")
(fset 'my-save "\C-[0\C-[xsave-buffer\C-m")

;; rebind C-x C-s (normally save-buffer) to the macro
(global-set-key "\C-x\C-s" 'my-save)

Avoiding the need for restoring files

• Divide the project tasks among team members so each person works on different files.

• Only share directories to make and run programs.

Avoiding concurrent writing to files

• In emacs, if user tries to open a file currently being modified by someone else, emacs states that a process of the file is running somewhere else, then asks the user if they want to “steal” the file.

• Simple solution: don’t!!

• Better method for avoiding concurrent writing: RCS