Access Control Lists (ACLs) Purpose –To grant other users permission to access/modify files and/or...
Posted: 21-Dec-2015
Access Control Lists (ACLs)
• Purpose
– To grant other users permission to access/modify files and/or directories
– To deny access to the files/directories to the rest of the world
To grant permission: setfacl
• Note: Must be logged into ub for setfacl to work.
• setfacl has to translate the user name you give it (e.g. jtorgers) into a numeric user ID, and it does that by looking the name up in the password database of the machine it runs on.
• If logged onto the CSdev machines, setfacl looks in the local password file, does not find the user, and fails; ub sees the account, so run setfacl there.
The setfacl command
• For granting a user read permission for a file, the ACL entry looks like
  user:jtorgers:r--
  (entry type, user name, rwx permission bits)
• This only takes effect if the mask entry allows it (see the next slide).
The mask entry
• Makes it easy to turn permissions off/on simultaneously for multiple users
• Applies to named users, named groups, and the owning group (group::); the owner (user::) and other entries are not masked
• The effective permission is the AND of the user entry and the mask entry
• If the user entry is r-- and the mask is rw-, the effective permission is r--
• If the user entry is r-- and the mask is ---, the effective permission is --- (no permission)
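The AND rule above, applied to whole getfacl listings, as an added example that is not part of the transcript: the shell function below reads getfacl output on stdin and recomputes the #effective: annotation for every entry the mask governs (named users, named groups, the owning group), leaving the owner and other entries alone, and treating the default entries as a second set with their own mask. The sample listing at the bottom is constructed from the transcript's first getfacl output; the function accepts both the Solaris-style "mask:---" and the Linux-style "mask::---" lines.

```shell
#!/bin/sh
# effective_acl: read getfacl output on stdin and recompute the "#effective:"
# annotation the way getfacl derives it: effective = entry AND mask.  The mask
# governs named users, named groups and the owning group (group::); the owner
# (user::) and other are never masked, and the default entries have a mask of
# their own.  Accepts both the Solaris ("mask:rwx") and Linux ("mask::rwx")
# spellings.  Added example; not part of the transcript.
effective_acl() {
  awk '
  # perm_and("rw-", "r--") returns "r--": AND on the rwx triple
  function perm_and(a, b,    i, c, out) {
    out = ""
    for (i = 1; i <= 3; i++) {
      c = substr(a, i, 1)
      out = out ((c != "-" && c == substr(b, i, 1)) ? c : "-")
    }
    return out
  }
  /^#/ || /^[ \t]*$/ { next }                 # skip the "# file:" header lines
  {
    sub(/[ \t]*#effective:.*$/, "")           # drop stale annotations
    set = "access"; line = $0
    if (line ~ /^default:/) { set = "default"; line = substr(line, 9) }
    n++; lines[n] = line; sets[n] = set
    nf = split(line, f, ":")
    if (f[1] == "mask") mask[set] = f[nf]     # one mask per entry set
  }
  END {
    for (i = 1; i <= n; i++) {
      line = lines[i]; set = sets[i]
      nf = split(line, f, ":")
      tag = f[1]; name = (nf >= 3) ? f[2] : ""; perm = f[nf]
      prefix = (set == "default") ? "default:" : ""
      masked = ((tag == "user" && name != "") || tag == "group")
      if (masked && (set in mask))
        printf "%s%s #effective:%s\n", prefix, line, perm_and(perm, mask[set])
      else
        printf "%s%s\n", prefix, line
    }
  }'
}

# Constructed sample: the transcript's first listing of test2, before the
# mask was set.  jtorgers has r-- on paper but --- in practice.
sample='# file: test2
# owner: kvanhorn
# group: student
user::rw-
user:jtorgers:r--
group::---
mask:---
other:---'
printf '%s\n' "$sample" | effective_acl
```

Pipe a real listing through it (getfacl test2 | effective_acl) to see which entries the current mask is silencing before you hand a directory to someone.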
Setfacl for directories
• Using setfacl on a directory changes only that directory's own ACL; files and subdirectories that already exist in it keep their ACLs. Only files and subdirectories created later are affected, and only by the directory's default entries (see "Setting defaults for a directory"); to change existing contents, run setfacl on each of them.
Viewing current permissions: getfacl
• getfacl filename
• shows:
– owner of file
– permissions for user, group, other
– all users who have access
– mask entry
– effective permissions
– default permissions
Permission for a file
• grants user jtorgers read permission for file test2
ub.d.umn.edu14% setfacl -m u:jtorgers:r-- test2
(-m means modify)
Current permissions for a file
ub.d.umn.edu3% getfacl test2
# file: test2
# owner: kvanhorn
# group: student
user::rw-
user:jtorgers:r--    #effective:---
group::---           #effective:---
mask:---
other:---
The mask is still ---, so jtorgers' r-- entry has an effective permission of ---. The mask entry has to be set for the read permission to take effect. (The setfacl used here leaves the mask alone; the Linux acl package's setfacl recalculates the mask on every -m unless -n is given, so there the entry would be effective at once.)
Mask entry for file permission
• Effective permission for jtorgers is now r--
ub.d.umn.edu14% setfacl -m m:r-- test2
File permissions
ub.d.umn.edu5% getfacl test2
# file: test2
# owner: kvanhorn
# group: student
user::rw-
user:jtorgers:r--    #effective:r--
group::---           #effective:---
mask:r--
other:---
Permissions for a directory
• Grant user jtorgers access to directory test2dir
• Since mask is not set, effective permissions will still be ---
ub.d.umn.edu14% setfacl -m u:jtorgers:rwx test2dir
Permissions for a directory
ub.d.umn.edu7% getfacl test2dir
# file: test2dir
# owner: kvanhorn
# group: student
user::rwx
user:jtorgers:rwx    #effective:---
group::---           #effective:---
mask:---
other:---
Mask entry for a directory
• Now jtorgers can access directory test2dir
ub.d.umn.edu14% setfacl -m m:rwx test2dir
Permissions for a directory
ub.d.umn.edu9% getfacl test2dir
# file: test2dir
# owner: kvanhorn
# group: student
user::rwx
user:jtorgers:rwx    #effective:rwx
group::---           #effective:---
mask:rwx
other:---
Setting defaults for a directory
• Sets the default entries that files and directories created in test2dir in the future inherit as their own ACL (existing contents are unchanged)
• All four default entries (owner, owning group, other, mask) must be set in one command before any default entry for a named user can be added
ub.d.umn.edu10% setfacl -m d:u::rwx,d:g::---,d:o:---,d:m:rwx test2dir
Defaults for a directory
ub.d.umn.edu11% getfacl test2dir
# file: test2dir
# owner: kvanhorn
# group: student
user::rwx
user:jtorgers:rwx    #effective:rwx
group::---           #effective:---
mask:rwx
other:---
default:user::rwx
default:group::---
default:mask:rwx
default:other:---
Set permissions for another user
• jtorgers could already create files in test2dir (the access entry and mask set earlier allow that). With this default entry, every file or subdirectory created in test2dir from now on, whether by kvanhorn or by jtorgers, starts out with a user:jtorgers:rwx entry, so jtorgers can work on kvanhorn's new files without a separate setfacl on each one
ub.d.umn.edu12% setfacl -m d:u:jtorgers:rwx test2dir
Permissions for another user
ub.d.umn.edu13% getfacl test2dir
# file: test2dir
# owner: kvanhorn
# group: student
user::rwx
user:jtorgers:rwx    #effective:rwx
group::---           #effective:---
mask:rwx
other:---
default:user::rwx
default:user:jtorgers:rwx
default:group::---
default:mask:rwx
default:other:---
Accessing another user’s files
• jtorgers can log in, go to kvanhorn's test2dir and create a file called "stuff"
• "stuff" is owned by jtorgers, and the default ACL it inherits contains no entry for kvanhorn, so jtorgers must grant kvanhorn permission to access the file "stuff"
ub.d.umn.edu14% setfacl -m u:kvanhorn:rw- stuff
Note: the mask was inherited from the directory's default mask (rwx), so no separate m: entry is needed here
Restoring permissions for a modified file
• If jtorgers uses emacs to modify and save her own file "stuff", the ACLs of the new version will be different: by default emacs renames the existing file to "stuff~" as a backup and writes the new contents to a fresh file, which gets only the directory's default entries, not the u:kvanhorn entry that was added by hand
• kvanhorn will not have access to the new "stuff", but kvanhorn can still access the old version, which is now "stuff~"
• ACLs of “stuff” can be restored by
ub.d.umn.edu14% getfacl stuff~ | setfacl -f - stuff
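The whole sharing sequence (directory entry, mask, defaults, default named-user entry), the other user's grant-back and the restore-from-backup step above, scripted as an added example that is not the transcript's own tooling. It keeps the syntax the transcript uses (d: default prefix, m: mask, setfacl -f - to read an ACL from stdin); the Linux acl package spells the restore as getfacl BACKUP | setfacl --set-file=- FILE and fills in the mask and missing default entries on its own. The function names, the ACL_DRY_RUN switch and the check_effective helper are assumptions of this example; the file and user names are the transcript's.

```shell
#!/bin/sh
# Added example.  Scripts the transcript's setfacl sequence with its syntax
# (d: default prefix, m: mask, "setfacl -f -").  Set ACL_DRY_RUN=1 to print
# each command instead of running it; the walk-through at the bottom runs
# only in that mode.  Function names are this example's own, not site tools.

# run CMD...: execute, or print when dry-running
run() {
  if [ -n "${ACL_DRY_RUN:-}" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# share_dir DIR USER PERMS: give USER PERMS on DIR now and on everything
# created inside DIR later.  Order matters: the named entry is inert until the
# mask admits it, and all four default entries (owner, group, other, mask)
# must exist before a default named-user entry can be added.  The mask is set
# equal to PERMS; widen it if the owning group needs more than that.
share_dir() {
  dir=$1 user=$2 perms=$3
  run setfacl -m "u:$user:$perms" "$dir"
  run setfacl -m "m:$perms" "$dir"
  run setfacl -m "d:u::rwx,d:g::---,d:o:---,d:m:$perms" "$dir"
  run setfacl -m "d:u:$user:$perms" "$dir"
}

# grant_back FILE USER PERMS: the other user's side.  A file created in the
# shared directory inherited the default mask, so the named entry is enough.
grant_back() {
  run setfacl -m "u:$2:$3" "$1"
}

# restore_acl BACKUP FILE: copy the ACL of BACKUP (e.g. stuff~) onto FILE
# after an editor wrote FILE as a new file and lost the hand-added entries.
# (Linux acl package equivalent: getfacl BACKUP | setfacl --set-file=- FILE)
restore_acl() {
  if [ -n "${ACL_DRY_RUN:-}" ]; then
    printf 'getfacl %s | setfacl -f - %s\n' "$1" "$2"
  else
    getfacl "$1" | setfacl -f - "$2"
  fi
}

# check_effective FILE USER: fail if USER has an entry on FILE whose
# effective permission is ---, i.e. the mask is blocking it (live mode only).
check_effective() {
  [ -n "${ACL_DRY_RUN:-}" ] && return 0
  if getfacl "$1" | grep "^user:$2:" | grep -q '#effective:---'; then
    echo "mask on $1 blocks $2" >&2
    return 1
  fi
  return 0
}

# Walk through the transcript's sequence without touching the filesystem:
#   ACL_DRY_RUN=1 sh share.sh
if [ -n "${ACL_DRY_RUN:-}" ]; then
  share_dir test2dir jtorgers rwx             # kvanhorn shares the directory
  grant_back test2dir/stuff kvanhorn rw-       # jtorgers hands back her file
  restore_acl 'test2dir/stuff~' test2dir/stuff # after an emacs save
  check_effective test2dir jtorgers
fi
```

Run it with ACL_DRY_RUN=1 first and compare the printed commands with the transcript; then run it for real on ub and follow up with check_effective on each shared path, which catches the "entry present, mask ---" state that the transcript shows twice.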
Changing the way files are saved
• Can redefine the way files are saved so that a previous version "stuff~" is not created: saving with a prefix argument of 0 tells save-buffer not to make a backup, so emacs rewrites the existing file in place
• Because the same file is rewritten rather than replaced, the ACLs of the newly modified version remain the same as before (setting the emacs variable backup-by-copying to t has the same effect while still keeping a "stuff~" copy)
• Add the following lines to .emacs:
;; keyboard macro: ESC 0 (prefix argument 0) then M-x save-buffer RET
(fset 'my-save "\C-[0\C-[xsave-buffer\C-m")
;; make C-x C-s run the macro instead of the plain save-buffer
(global-set-key "\C-x\C-s" 'my-save)
Avoiding the need for restoring files
• Divide the project tasks among team members so each person works on different files.
• Only share directories to make and run programs.
Avoiding concurrent writing to files
• In emacs, if a user tries to open a file currently being modified by someone else, emacs reports that the file is locked by another editing session and asks whether the user wants to "steal" the file.
• Simple solution: don't!
• Better method for avoiding concurrent writing: a version control system such as RCS, which locks a file when it is checked out for editing and records every revision.