Setting ACLs on files in a directory
This document is a short demo showing how to give one specified user read-only access and another specified user read-write access to a file or directory, even when neither of them is its owner or a member of its owning group.
EXAMPLE
Directory '/robotics' on server 'projects'; the requirement is to provide access as follows:

    user robro    read-only
    user robrw    read-write
PROCEDURE
- Create the groups and users (the groups must exist before useradd -g can refer to them):

    # groupadd robro
    # groupadd robrw
    # useradd -d /export/home/robro -c 'Robotics Read-Only' -s /usr/bin/ksh -g robro robro
    # useradd -d /export/home/robrw -c 'Robotics Read-Write' -s /usr/bin/ksh -g robrw robrw
    # mkdir /export/home/robro
    # chown robro:robro /export/home/robro
    # chmod 750 ~robro
    # mkdir /export/home/robrw
    # chown robrw:robrw /export/home/robrw
    # chmod 750 ~robrw
- Set up ACLs on files and directories

To set up ACLs on all files and directories from /robotics down, allowing user robro read-only and robrw read-write (directories also need x so the users can traverse them; the mask entry caps what the named-user entries can grant, so it is set to rwx):

    # find /robotics ! -type d -exec setfacl -m user:robro:r--,user:robrw:rw-,mask:rwx {} \;
    # find /robotics -type d -exec setfacl -m user:robro:r-x,user:robrw:rwx,mask:rwx {} \;
- Set default ACLs on directories from /robotics
To allow user robro read-only and robrw read-write on any directories or files which are subsequently created or copied into any of the directories from /robotics down:
    # find /robotics -type d -exec setfacl -m \
        default:user::rwx,default:group::rwx,default:other:---,default:user:robro:r--,default:user:robrw:rw-,default:mask:rwx {} \;

Note that default entries are inherited by new subdirectories as well as new files, so a subdirectory created later under /robotics gets user:robro:r-- and user:robrw:rw- (no x). If the users must be able to descend into such subdirectories, the default entries for them need x as well, as in the directory entries set in the previous step.
- To remove all ACLs in a directory tree, you can use a simple script similar to the following:

    #!/usr/bin/ksh
    # Remove the ACL on every file below the given directory by resetting each
    # file's ACL to just its current user, group and other (mode bit) entries.
    if [ $# -ne 1 ]
    then
            echo "usage: $0 directory" >&2
            exit 1
    else
            DIR=$1
    fi
    find "${DIR}" -print | while read -r f
    do
            # getfacl prints one entry per line; keep only the three base entries
            # (dropping any "#effective:" annotation) and feed them back to setfacl
            getfacl "${f}" | egrep '^user::|^group::|^other:' | awk '{print $1}' | setfacl -f - "${f}"
    done
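The following is an added example, not part of the original document: a small POSIX shell/awk check that parses Solaris getfacl(1) output and reports the effective permission a named user actually gets once the mask entry is applied, so the result of the setfacl steps above can be audited rather than assumed. It assumes the Solaris getfacl output format (user:NAME:perms, mask:perms, an optional "#effective:" annotation on the same line); the function names effective_perms and expect_perms are hypothetical, and the two getfacl outputs embedded in it are constructed samples.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of the original page).
# Confirms that the ACL entries set with setfacl give the named users the
# access intended. The mask entry caps every named-user and group entry,
# so "user:robrw:rw-" under "mask:r--" is effectively read-only; getfacl
# flags this with a "#effective:" comment, and this script computes the
# same result so it can be checked across a whole tree.

# effective_perms USER
# Reads Solaris-style getfacl output on stdin and prints the effective
# permissions of USER's named entry ("none" if there is no such entry).
effective_perms() {
    awk -v who="$1" '
        # $1 is the ACL entry proper; a trailing "#effective:..." comment
        # (when present) lands in later fields and is ignored.
        /^mask:/        { split($1, m, ":"); mask = m[2] }
        /^user:[^:]+:/  { split($1, u, ":"); if (u[2] == who) perms = u[3] }
        END {
            if (perms == "") { print "none"; exit }
            if (mask == "") mask = "rwx"   # no mask entry: nothing caps the entry
            out = ""
            for (i = 1; i <= 3; i++) {
                c = substr(perms, i, 1)
                out = out ((c != "-" && substr(mask, i, 1) != "-") ? c : "-")
            }
            print out
        }'
}

# expect_perms USER EXPECTED
# Returns 0 when USER's effective permissions (getfacl output on stdin)
# equal EXPECTED, 1 otherwise, printing a diagnostic on mismatch.
expect_perms() {
    got=$(effective_perms "$1")
    if [ "$got" = "$2" ]; then
        return 0
    fi
    echo "user $1: expected $2, got $got" >&2
    return 1
}

# Constructed sample: the ACL as the page's "find ... setfacl" step leaves it.
SAMPLE_OK=$(cat <<'EOF'
# file: /robotics/plan.txt
# owner: robot
# group: robotics
user::rw-
user:robro:r--          #effective:r--
user:robrw:rw-          #effective:rw-
group::r--              #effective:r--
mask:rwx
other:---
EOF
)

# Constructed sample: same named entries, but a mask of r-- (a plain chmod
# can do this, because on ufs the group permission bits double as the mask)
# silently downgrades robrw to read-only.
SAMPLE_MASKED=$(cat <<'EOF'
# file: /robotics/plan.txt
# owner: robot
# group: robotics
user::rw-
user:robro:r--          #effective:r--
user:robrw:rw-          #effective:r--
group::r--              #effective:r--
mask:r--
other:---
EOF
)

# With a directory argument, audit a real tree (requires Solaris getfacl).
if [ $# -eq 1 ]; then
    find "$1" ! -type d -print | while read -r f; do
        getfacl "$f" | expect_perms robro r-- || echo "  in $f" >&2
        getfacl "$f" | expect_perms robrw rw- || echo "  in $f" >&2
    done
fi
```

Run it as `sh aclcheck.sh /robotics` on the server to list every file where robro or robrw does not end up with the intended effective permission; the two embedded samples show the pass case and the masked failure case.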
NOTES
- File and directory ACLs are copied by the standard file commands (cp, mv).
- ACLs are backed up by Solstice Backup/Legato NetWorker and ufsdump.
- ACLs are *not* backed up by tar, cpio, rcp or pax commands.
- ACLs are stored only by ufs filesystems and NFS mounts of ufs filesystems, so if a file is copied to /tmp (a tmpfs filesystem) the ACL information is lost.
However, the default ACLs on the directory the file was copied from will be applied to it if the file is copied back in. So, if you do

    cp /mydir/myfile /tmp
    vi /tmp/myfile
    cp /tmp/myfile /mydir

then myfile should be re-secured OK.