Setting ACLs on files in a directory

This document is a short demo showing how to give one specified user read-only access and another specified user read-write access to files and directories, even when neither is the owner or a member of the group that owns them.

EXAMPLE

Directory '/robotics' on server 'projects'. The requirement is to provide access as follows:

   user robro read-only
   user robrw read-write

PROCEDURE

  • Create the groups and users (the groups must exist before useradd -g can reference them):
    # groupadd robro
    # groupadd robrw
    # useradd -d /export/home/robro -c 'Robotics Read-Only' -s /usr/bin/ksh -g robro robro
    # useradd -d /export/home/robrw -c 'Robotics Read-Write' -s /usr/bin/ksh -g robrw robrw
    # mkdir /export/home/robro
    # chown robro:robro /export/home/robro
    # chmod 750 ~robro
    # mkdir /export/home/robrw
    # chown robrw:robrw /export/home/robrw
    # chmod 750 ~robrw
  • Set up ACLs on existing files and directories
    To set up ACLs on all files and directories from /robotics down, allowing user robro read-only and robrw read-write access (directories need the x bit so the users can traverse them; the mask entry must be at least as wide as the named-user entries or it caps them):
    # find /robotics ! -type d -exec setfacl -m user:robro:r--,user:robrw:rw-,mask:rwx {} \;
    # find /robotics -type d -exec setfacl -m user:robro:r-x,user:robrw:rwx,mask:rwx {} \;
  • Set default ACLs on directories from /robotics
    To allow user robro read-only and robrw read-write access to any directories or files subsequently created in, or copied into, any directory from /robotics down:
    # find /robotics -type d -exec setfacl -m \
      default:user::rwx,default:group::rwx,default:other:---,default:user:robro:r--,default:user:robrw:rw-,default:mask:rwx {} \;
  • To remove all ACLs in a directory tree, you can use a simple script similar to the following:
    #!/usr/bin/ksh
    # Remove the ACL on every file and directory found under $1 by resetting
    # each ACL to its current user, group and other (base) entries only.
    # setfacl -f replaces the whole ACL, so named-user, mask and default
    # entries are all dropped.
    if [ $# -ne 1 ]
    then
       echo "Usage: $0 directory" >&2
       exit 1
    fi
    DIR=$1

    # read from find rather than a backquoted word list so that names
    # containing spaces survive
    find "${DIR}" -print | while read f
    do
       getfacl "${f}" | egrep '^user::|^group::|^other:' | awk '{print $1}' | setfacl -f - "${f}"
    done
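
The mask:rwx entry in the setfacl commands above is there because a Solaris ufs ACL ANDs every named-user and group entry with the mask, so a narrower mask silently strips robrw's write access. The following is an added example, not part of the original document: it computes the effective permissions from a getfacl listing (the listing is constructed, with a mask of r-- such as a later chmod of the group bits would leave) so you can verify what an ACL really grants.

```shell
#!/bin/sh
# Added example (not from the original document): compute the permissions a
# Solaris ufs ACL actually grants. Named-user and group entries are ANDed
# with the mask entry, so a tightened mask silently revokes robrw's write.
# The getfacl listing below is constructed; nothing here calls getfacl.

SAMPLE_ACL='# file: /robotics/plan.txt
# owner: robot
# group: robot
user::rw-
user:robro:r--
user:robrw:rw-
group::rw-
mask:r--
other:---'

# and_perms PERMS MASK: print the intersection of two rwx strings
and_perms() {
    out=''
    for i in 1 2 3; do
        pc=$(printf '%s' "$1" | cut -c"$i")
        mc=$(printf '%s' "$2" | cut -c"$i")
        if [ "$pc" = "$mc" ] && [ "$pc" != '-' ]; then
            out="$out$pc"
        else
            out="$out-"
        fi
    done
    printf '%s' "$out"
}

# effective_perms ACL_TEXT: print "<entry> <effective perms>" for each
# access entry; owner and other are never masked, the mask line itself
# and default entries (which have their own default mask) are skipped
effective_perms() {
    mask=$(printf '%s\n' "$1" | sed -n 's/^mask:\(...\)$/\1/p')
    printf '%s\n' "$1" | grep -v '^#' | while IFS= read -r entry; do
        case $entry in
            mask:*|default:*) ;;
            user::*|other:*) printf '%s %s\n' "$entry" "${entry##*:}" ;;
            *) printf '%s %s\n' "$entry" "$(and_perms "${entry##*:}" "$mask")" ;;
        esac
    done
}

effective_perms "$SAMPLE_ACL"
# user:robrw:rw- is reported with effective r--: the mask must be rwx
# (as in the setfacl commands in the procedure) for the read-write user to write.
```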

NOTES

  • File and directory ACLs are copied by the standard file commands (cp, mv).
  • ACLs are backed up by Solstice Backup/Legato NetWorker and ufsdump.
  • ACLs are *not* backed up by the tar, cpio, rcp or pax commands.
  • ACLs are stored only by ufs filesystems and NFS mounts of ufs filesystems, so if a file is copied to /tmp (a tmpfs filesystem) the ACL information is lost.

    However, the default ACLs on the directory the file was copied from will be applied to it if the file is copied back in. So, if you do

    cp /mydir/myfile /tmp
    vi /tmp/myfile
    cp /tmp/myfile /mydir

    then myfile should be re-secured OK.