WithUnix permissions dating back to the early 1970s, standard Linux file permissions are largely insufficient for the needs of a modern file server. You can improve your system by learning how to create an efficient Linux-based file server using access control lists (ACLs).
One limitation of the standard Linux permission system is that only one user and one group can be granted rights to a file or directory at one time. Further, with the default Linux permission scheme, there is no way to set default permissions on new files. To overcome these constraints, you can use Linux access control lists. All modern Linux file systems offer support for ACLs. Samba also supports it, which makes it easy to set up an environment in which the Samba administrator manages Linux permissions on Samba -- even while using Windows utilities. In this tip, we'll discuss how to set up an environment in which more than one user or group can be granted permissions to one file or directory.
First, a few definitions are needed. The following discussion uses the conventions trustee and file. A trustee is a user or a group that has been granted rights to a file or a directory. Unless stated explicitly otherwise, a file refers to both files and directories.
Here is a simple example that you might encounter on a typical file server. We have a directory with the name /groups/sales. This directory is to be owned by the group sales and every file created in this directory
- Make sure that you have root permissions when applying the steps from this procedure. Also make sure that you are working on an ext3 or ReiserFS file system that has the ACL option set.
- Use the mkdir -p /groups/sales command to create the directory where you want to apply ACLs.
- Use the groupadd sales and groupadd account commands to create the sales and account groups.
- Make sure that the group sales is owner of the directory/groups/sales by using chown sales/groups/sales.
- Use normal Linux permissions to grant all permissions to the group owner: chmod 770 /groups/sales.
- Use ls -ld /groups/sales to check the current permission setting. This displays a line that looks like the following:
- To ensure that all new files in the directory/groups/sales are owned by the group sales and that members of this group have read and write permissions to these files, you need a default ACL. But first you need to use chgrp to make sales the group owner of the directory/groups/sales: chgrp sales sales. The following command sets the default ACL to the directory sales:
- Now use the getfacl command to check the new permission setting on the directory/groups/sales:
- If you create a new file in /groups/sales, you'll see that the default ACL doesn't accomplish all our goals. You do get read and write permissions for the group automatically on all new files in the subdirectory, but you don't get the right group owner. To make sure this happens, we need to set the Set Group ID (SGID) permission: chmod g+s /groups/sales.
- Now when you create a new file in /groups/sales, you'll see that it makes the group sales as its group owner and the read and write permissions are set automatically.
- We're almost there. In the following step, you need to apply another ACL that grants read access to members of the directory account. To do so, use setfacl -d -m g:account:r /groups/sales. This completes the job, use the getfacl command to check that it worked:
BTN:~ # ls -ld /groups/sales drwxrwx--- 2 root root 4096 Oct 1 13:11 /groups/sales
setfacl -d -m g:sales:rw /groups/sales
BTN:~ # getfacl /groups/sales getfacl: Removing leading '/' from absolute path names # file: groups/sales # owner: root # group: root user::rwx group::rwx other::--- default:user::rwx default:group::rwx default:group:sales:rw- default:mask::rwx default:other::---
BTN:/groups/sales # getfacl /groups/sales # file: . # owner: root # group: sales user::rwx group::rwx other::--- default:user::rwx default:group::rwx default:group:sales:rw- default:group:account:r-- default:mask::rwx default:other::---
Applying ACLs faciliates file permissions management on a Linux file server. Using these techniques, you can create a well-secured Linux file server. ACLs also allow you to easily manage rights on a Samba server too, which we'll discuss in a future article.About the author: Sander van Vugt is an author and independent technical trainer, specializing in Linux. Vugt is also a technical consultant for high-availability clustering and performance optimization and an expert on SUSE Linux Enterprise Desktop 10 (SLED 10) administration.
This was first published in October 2007