
Access control lists: Creating an efficient Linux file server with default permissions

With Unix permissions dating back to the early 1970s, standard Linux file permissions are largely insufficient for the needs of a modern file server. You can improve your system by learning how to create an efficient Linux-based file server using access control lists (ACLs).

One limitation of the standard Linux permission system is that rights to a file or directory can be granted to only one user and one group at a time. Further, with the default Linux permission scheme there is no way to set default permissions on new files: umask can only take permission bits away, never add them. To overcome these constraints, you can use Linux access control lists. All modern Linux file systems support ACLs. Samba supports them too, which makes it possible to manage the Linux permissions behind a Samba share from the Samba side, even while using Windows utilities. In this tip, we'll discuss how to set up an environment in which more than one user or group can be granted permissions on one file or directory.

First, a few definitions are needed. The following discussion uses the conventions trustee and file. A trustee is a user or a group that has been granted rights to a file or a directory. Unless stated explicitly otherwise, a file refers to both files and directories.

Here is a simple example that you might encounter on a typical file server. We have a directory with the name /groups/sales. This directory is to be owned by the group sales, and every file created in this directory should have the group sales as its group owner. Also, on new files, read and write permissions for that group should be set automatically, regardless of the current umask setting. Finally, members of the group account should have read-only access to the files in the directory. To do this, follow this ACL procedure:

  1. Make sure that you have root permissions when applying the steps from this procedure. Also make sure that you are working on a file system that supports ACLs, such as ext3 or ReiserFS mounted with the acl option (check the output of mount).
  2. Use the mkdir -p /groups/sales command to create the directory where you want to apply ACLs.
  3. Use the groupadd sales and groupadd account commands to create the sales and account groups.
  4. Make sure that the group sales is the group owner of the directory /groups/sales by using chgrp sales /groups/sales. (Note that chown sales /groups/sales would change the user owner instead.)
  5. Use normal Linux permissions to grant all permissions to the user owner and the group owner, and nothing to others: chmod 770 /groups/sales.
  6. Use ls -ld /groups/sales to check the current permission setting. This displays a line that looks like the following:

     BTN:~ # ls -ld /groups/sales
     drwxrwx--- 2 root sales 4096 Oct 1 13:11 /groups/sales

  7. To ensure that members of the group sales automatically get read and write permissions on all new files in /groups/sales, you need a default ACL. A default ACL grants nothing on the directory itself; its entries are copied to every file and subdirectory created inside the directory. The following command sets the default ACL on the directory sales:

     setfacl -d -m g:sales:rw /groups/sales

  8. Now use the getfacl command to check the new permission setting on the directory /groups/sales:

     BTN:~ # getfacl /groups/sales
     getfacl: Removing leading '/' from absolute path names
     # file: groups/sales
     # owner: root
     # group: sales
     user::rwx
     group::rwx
     other::---
     default:user::rwx
     default:group::rwx
     default:group:sales:rw-
     default:mask::rwx
     default:other::---

  9. If you create a new file in /groups/sales, you'll see that the default ACL doesn't accomplish all our goals. You do get read and write permissions for the group sales automatically on all new files in the directory, but you don't get the right group owner: the new file is group-owned by the primary group of the user who created it. To make new files inherit the group of the directory instead, set the Set Group ID (SGID) permission: chmod g+s /groups/sales.
  10. Now when you create a new file in /groups/sales, you'll see that it gets the group sales as its group owner and that the read and write permissions are set automatically.
  11. We're almost there. In the following step, you need to apply another ACL that grants read access to members of the group account. To do so, use setfacl -d -m g:account:r /groups/sales. This completes the job; use the getfacl command to check that it worked:

     BTN:/groups/sales # getfacl .
     # file: .
     # owner: root
     # group: sales
     user::rwx
     group::rwx
     other::---
     default:user::rwx
     default:group::rwx
     default:group:sales:rw-
     default:group:account:r--
     default:mask::rwx
     default:other::---

     Keep in mind that this entry, like every default entry, applies only to objects created inside the directory. The directory's own access ACL still has other::--- and no entry for account, so members of account cannot enter /groups/sales to reach those files until you also grant them read and execute permission on the directory itself with an access (non-default) ACL entry. For the same reason, subdirectories created under /groups/sales inherit r-- without x for account; grant r-x in the default entry if account members must be able to enter them.
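The following is an added example, not code from the original tip: a small offline evaluator for POSIX ACLs in the long format that getfacl prints. It implements the access-check order described in acl(5) (owner, named user, owning and named groups limited by the mask, other) and the rule by which a new file inherits a directory's default ACL, so you can predict what the setup above grants before putting it on a live server. The first sample ACL is the final getfacl output from the procedure; the second sample, the user names alice, bob and carol, and the create modes are constructed for the example.

```python
# Added example (not from the original tip): evaluate POSIX ACLs offline, in
# the long format printed by getfacl, following the access-check order of
# acl(5) and the default-ACL inheritance rule.
from dataclasses import dataclass, field

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def bits(perm: str) -> int:
    """'rw-' -> 6, 'r' -> 4; dashes are ignored."""
    return sum(PERM_BITS[c] for c in perm if c in PERM_BITS)


@dataclass
class Acl:
    owner: str
    group: str
    access: list = field(default_factory=list)   # entries: (tag, qualifier, bits)
    default: list = field(default_factory=list)


def parse_getfacl(text: str) -> Acl:
    """Parse getfacl's long output; '# file:' and other chatter lines are ignored."""
    acl = Acl(owner="", group="")
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# owner:"):
            acl.owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            acl.group = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            target = acl.access
            if line.startswith("default:"):
                line, target = line[len("default:"):], acl.default
            tag, qualifier, perm = line.split(":")
            target.append((tag, qualifier, bits(perm)))
    return acl


def allows(acl: Acl, user: str, groups: set, want: str) -> bool:
    """True if user (member of the given groups) gets every bit in want ('r','w','x')."""
    need = bits(want)
    ent = {(t, q): p for t, q, p in acl.access}
    mask = ent.get(("mask", ""), 7)            # without a mask entry nothing is masked
    if user == acl.owner:                      # 1. owner: user:: entry, never masked
        return ent[("user", "")] & need == need
    if ("user", user) in ent:                  # 2. named user, limited by the mask
        return ent[("user", user)] & mask & need == need
    matched = False                            # 3. owning group and named groups
    for (tag, qualifier), perm in ent.items():
        if tag != "group":
            continue
        if (qualifier == "" and acl.group in groups) or (qualifier and qualifier in groups):
            matched = True
            if perm & mask & need == need:
                return True
    if matched:                                # a matching group entry that denies wins;
        return False                           # the check does not fall through to other::
    return ent[("other", "")] & need == need   # 4. everybody else


def inherit(acl: Acl, create_mode: int, owner: str, group: str) -> Acl:
    """Access ACL of a new object created with mode create_mode inside a directory
    carrying acl.default. umask is ignored; instead user::, mask:: (or group:: when
    there is no mask) and other:: are ANDed with the owner, group and other bits of
    create_mode, while named user and group entries are copied unchanged."""
    o, g, w = (create_mode >> 6) & 7, (create_mode >> 3) & 7, create_mode & 7
    has_mask = any(tag == "mask" for tag, _, _ in acl.default)
    new = Acl(owner=owner, group=group)
    for tag, qualifier, perm in acl.default:
        if tag == "user" and qualifier == "":
            perm &= o
        elif tag == "mask" or (tag == "group" and qualifier == "" and not has_mask):
            perm &= g
        elif tag == "other":
            perm &= w
        new.access.append((tag, qualifier, perm))
    return new


# Sample input: the final getfacl output from the procedure above.
SALES_DIR = """\
# file: groups/sales
# owner: root
# group: sales
user::rwx
group::rwx
other::---
default:user::rwx
default:group::rwx
default:group:sales:rw-
default:group:account:r--
default:mask::rwx
default:other::---
"""

# Constructed variant: the same directory after 'setfacl -m g:account:rx /groups/sales',
# which adds an access entry for account and makes setfacl recompute the mask.
SALES_DIR_FIXED = SALES_DIR.replace(
    "other::---\ndefault:", "group:account:r-x\nmask::rwx\nother::---\ndefault:", 1)

if __name__ == "__main__":
    d = parse_getfacl(SALES_DIR)
    f = inherit(d, 0o666, "alice", "sales")     # hypothetical user alice; SGID gives group sales
    print(allows(f, "carol", {"sales"}, "rw"))  # True: the default ACL did its job
    print(allows(d, "bob", {"account"}, "x"))   # False: bob cannot even enter the directory
    print(allows(parse_getfacl(SALES_DIR_FIXED), "bob", {"account"}, "rx"))  # True
```

Two things the evaluator makes visible that a glance at getfacl does not: a member of account is granted read on every new file but nothing on the directory itself, so an access entry (setfacl -m g:account:rx /groups/sales, without -d) is needed before those files are reachable; and a default ACL overrides umask but not the mode the creating program asks for, so a program that creates files with mode 0640 still leaves the sales group with read only, because the inherited mask drops the w bit.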

Summary

Applying ACLs facilitates file permission management on a Linux file server. Using these techniques, you can create a well-secured Linux file server. ACLs also allow you to easily manage rights on a Samba server, which we'll discuss in a future article.

About the author: Sander van Vugt is an author and independent technical trainer, specializing in Linux. Van Vugt is also a technical consultant for high-availability clustering and performance optimization and an expert on SUSE Linux Enterprise Desktop 10 (SLED 10) administration.

This was first published in October 2007
