Enterprise Linux Tips
Access control lists: Creating an efficient Linux file server with default permissions


Sander van Vugt
10.04.2007

With Unix permissions dating back to the early 1970s, standard Linux file permissions are largely insufficient for the needs of a modern file server. You can improve your system by learning how to build an efficient Linux-based file server using access control lists (ACLs).

One limitation of the standard Linux permission system is that only one user and one group can be granted rights to a file or directory at one time. Further, with the default Linux permission scheme, there is no way to set default permissions on new files. To overcome these constraints, you can use Linux access control lists. All modern Linux file systems offer support for ACLs. Samba also supports them, which makes it easy to set up an environment in which the Samba administrator manages Linux permissions on Samba -- even while using Windows utilities. In this tip, we'll discuss how to set up an environment in which more than one user or group can be granted permissions to one file or directory.

First, a few definitions are needed. The following discussion uses the conventions trustee and file. A trustee is a user or a group that has been granted rights to a file or a directory. Unless stated explicitly otherwise, a file refers to both files and directories.

Here is a simple example that you might encounter on a typical file server. We have a directory with the name /groups/sales. This directory is to be owned by the group sales, and every file created in this directory should have the group sales as its default owner. Also, read and write permissions should be set automatically on new files, regardless of the current umask setting. Finally, members of the group account should have read-only permissions on the directory. To do this, follow this ACL procedure:

  1. Make sure that you have root permissions when applying the steps from this procedure. Also make sure that you are working on an ext3 or ReiserFS file system that has the ACL option set.
  2. Use the mkdir -p /groups/sales command to create the directory where you want to apply ACLs.
  3. Use the groupadd sales and groupadd account commands to create the sales and account groups.
  4. Make sure that the group sales is owner of the directory /groups/sales by using chown sales /groups/sales.
  5. Use normal Linux permissions to grant all permissions to the group owner: chmod 770 /groups/sales.
  6. Use ls -ld /groups/sales to check the current permission setting. This displays a line that looks like the following:




  7. To ensure that all new files in the directory /groups/sales are owned by the group sales and that members of this group have read and write permissions to these files, you need a default ACL. But first you need to use chgrp to make sales the group owner of the directory /groups/sales: chgrp sales /groups/sales. The following command sets the default ACL on the directory sales:




  8. Now use the getfacl command to check the new permission setting on the directory /groups/sales:




  9. If you create a new file in /groups/sales, you'll see that the default ACL doesn't accomplish all our goals. You do get read and write permissions for the group automatically on all new files in the subdirectory, but you don't get the right group owner. To make sure this happens, we need to set the Set Group ID (SGID) permission: chmod g+s /groups/sales.
  10. Now when you create a new file in /groups/sales, you'll see that it has the group sales as its group owner and that the read and write permissions are set automatically.
  11. We're almost there. In the following step, you need to apply another ACL that grants read access to members of the group account. To do so, use setfacl -d -m g:account:r /groups/sales. This completes the job; use the getfacl command to check that it worked:



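To verify the result of steps 1 through 11 without reading the getfacl listing by eye, here is an added example (not part of the original tip) that parses getfacl output and reports which of the goals above are not yet met: the group owner, the SGID bit, the default read/write entry for sales, and the default read-only entry for account. The sample listing is constructed to resemble what getfacl prints for /groups/sales; the function names are my own.

```python
# Added example, not from the original tip: audit a getfacl listing against
# the policy for /groups/sales. SAMPLE_GETFACL is constructed sample output.
SAMPLE_GETFACL = """\
# file: groups/sales
# owner: root
# group: sales
# flags: -s-
user::rwx
group::rwx
other::---
default:user::rwx
default:group::rwx
default:group:sales:rw-
default:group:account:r--
default:mask::rwx
default:other::---
"""


def parse_getfacl(text):
    """Return (header dict, list of (is_default, tag, qualifier, perms))."""
    header, entries = {}, []
    for line in text.splitlines():
        line = line.split("#effective:")[0].strip()  # drop mask annotations
        if not line:
            continue
        if line.startswith("# "):  # '# file:', '# owner:', '# group:', '# flags:'
            key, _, value = line[2:].partition(": ")
            header[key] = value
            continue
        fields = line.split(":")
        is_default = fields[0] == "default"
        tag, qualifier, perms = fields[1:] if is_default else fields
        entries.append((is_default, tag, qualifier, perms))
    return header, entries


def check_sales_policy(text, group="sales", readers="account"):
    """List the goals from the tip that this directory's ACL does not meet."""
    header, entries = parse_getfacl(text)
    problems = []
    if header.get("group") != group:
        problems.append("group owner is not %s" % group)
    # getfacl prints '# flags: sst' only when setuid/setgid/sticky is set
    if header.get("flags", "---")[1] != "s":
        problems.append("SGID missing; new files will not inherit group %s" % group)
    defaults = {(t, q): p for d, t, q, p in entries if d}
    mask = defaults.get(("mask", ""), "rwx")

    def effective(perms):  # named entries are limited by the default mask
        return "".join(p if p == m else "-" for p, m in zip(perms, mask))

    if not effective(defaults.get(("group", group), "---")).startswith("rw"):
        problems.append("default ACL does not give %s read/write" % group)
    if effective(defaults.get(("group", readers), "---")) != "r--":
        problems.append("default ACL for %s is not read-only" % readers)
    return problems
```

Running check_sales_policy on the real output of getfacl /groups/sales returns an empty list once all steps are applied; a chmod on the directory that lowers the mask shows up as a reduced effective permission for sales.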

Summary

Applying ACLs facilitates file permissions management on a Linux file server. Using these techniques, you can create a well-secured Linux file server. ACLs also allow you to easily manage rights on a Samba server, which we'll discuss in a future article.

About the author: Sander van Vugt is an author and independent technical trainer, specializing in Linux. Vugt is also a technical consultant for high-availability clustering and performance optimization and an expert on SUSE Linux Enterprise Desktop 10 (SLED 10) administration.
