Access control lists (ACLs) are tools for managing permissions within a file system by giving users and groups read, write, and/or execute permissions on files or directories in addition to the traditional UNIX permissions. The UNIX permissions for managing files on GLADE remain in effect, but ACLs can be used to facilitate short-term file sharing among users who cannot be put in the same UNIX group.
In the Cheyenne/GLADE environment, the most common use cases are:
Following are examples of how to create an ACL that allows other individuals and groups to work with your files, and how to propagate permissions to new files and directories. To create and manage ACLs on the Campaign Storage file system, log in to Casper or the data-access nodes rather than Cheyenne.
Create and view an access control list
Use the setfacl command with the --modify option to give an individual user access to a file or directory that you own. In this example, user shiquan is sharing a file with user bjsmith. Listing the file before and after creating the ACL shows how the file permissions changed.
The + as the last character in the permissions string indicates that an ACL exists for the directory.
About execute flags: X vs. x
When setting permissions, the execute flag can be set to upper-case X, which differs from the lower-case x setting. The X permission allows execution only if the target is a directory or if the execute permission has already been set for the user or group. It is useful when handling directory trees recursively.
Run getfacl as shown here to view any ACLs applied to a file or directory.
The output will look something like this, illustrating in this case that one user's permissions (rwx) are different from other users' permissions (rw-).
Give access to a group
To give an existing group access to a file or directory, use setfacl as shown here. In this example, the name of the group being given read/write/execute permissions is csg.
Run getfacl to see the resulting ACL.
Use default ACLs to propagate permissions
ACLs can be set to propagate permissions to files and subdirectories as they are created. This is done using default ACLs. In this example, a new directory is accessible only to the user who created it.
To enable another user to read and navigate into the directory, follow this example.
To set the directory's default ACL so that any new files or subdirectories automatically have those same permissions, use the setfacl command as shown here.
The + as the last character in the permissions string indicates that an ACL exists for the directory. Run getfacl to see the resulting ACL and the default ACLs.
Default permissions for a specified user
ACLs for a specified user or group are independent of default ACLs. The next example illustrates how to modify a default ACL to set default permissions for a specified user.
The directory now has a default ACL that will make any new file in the directory accessible to the designated user with the specified permissions (rwx). Here is an example of a new file created in that directory.
Most users in the group get rw- permission. However, as a result of the default ACL behavior established above, user bjsmith's permissions are different (rwx). The following getfacl output with the comment "#effective:rw-" shows the difference.
Remove an access control list
To remove all ACLs from a file, run setfacl --remove-all followed by the filename.
To remove selected permissions previously set for a user, run setfacl -x as shown here.
Advanced use of ACLs
Users often have different default umask settings that can conflict with a file or directory ACL. The following example sets an ACL for a directory and all of its files and subdirectories, and it also sets the default ACL for any future files and subdirectories, ensuring the directory is protected from unknown umask settings.
Note that there are two clauses in this example.
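As an added example that is not part of the original page, the two clauses described above written as a small bash script, followed by a check that a file created afterwards under a restrictive umask still inherits the named-user entry. The shared-with user and group are taken from the invoking account (stand-ins for the page's bjsmith and csg) so the script runs as-is; the directory and file names under a temporary directory are constructed.

```shell
#!/bin/bash
# Added example, not from the original page: the two-clause "advanced" ACL
# setup from the text, wrapped in functions so the outcome can be checked.
# The tree under a temp directory is constructed; the demo uses the invoking
# account's own name and group as stand-ins for the page's bjsmith/csg.
set -u

# share_tree DIR USER GROUP
# Clause 1: recursive access ACL for everything already under DIR.
# Clause 2: recursive default ACL so anything created later inherits the
# same entries, whatever umask the creating process has. Upper-case X
# grants execute on directories (and already-executable files) only, so
# data files do not become executable.
share_tree() {
    dir=$1; user=$2; group=$3
    setfacl -R -m "u:${user}:rwX,g:${group}:rwX" "$dir" || return 1
    setfacl -R -m "d:u:${user}:rwX,d:g:${group}:rwX" "$dir" || return 1
}

# verify_share DIR USER: succeed only if DIR carries both the access entry
# and the default entry for USER (getfacl prints the latter as default:user:).
verify_share() {
    acl=$(getfacl "$1" 2>/dev/null) || return 1
    printf '%s\n' "$acl" | grep -q "^user:$2:rw" || return 1
    printf '%s\n' "$acl" | grep -q "^default:user:$2:rw" || return 1
}

# demo: build a small tree, share it, create a file under a restrictive
# umask, and confirm the new file still carries the inherited entry.
# Returns 0 on success, or when the host has no ACL support (skipped).
demo() {
    command -v setfacl >/dev/null 2>&1 || { echo "no setfacl; skipping"; return 0; }
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/project/data" && : > "$tmp/project/data/run1.nc"
    me=$(id -un); mygrp=$(id -gn)
    if ! share_tree "$tmp/project" "$me" "$mygrp"; then
        echo "filesystem has no ACL support; skipping"; rm -rf "$tmp"; return 0
    fi
    verify_share "$tmp/project/data" "$me" || { rm -rf "$tmp"; return 1; }
    # umask 077 alone would leave run2.nc at mode 0600; the directory's
    # default ACL still adds the named-user entry (getfacl may show it with
    # a "#effective:" comment where the mask trims it, as in the page).
    (umask 077; : > "$tmp/project/data/run2.nc")
    getfacl "$tmp/project/data/run2.nc" 2>/dev/null | grep -q "^user:$me:rw" \
        || { rm -rf "$tmp"; return 1; }
    rm -rf "$tmp"
}
```

Run `demo` on a GLADE or Campaign Storage directory only after replacing the stand-in identities with the real user and group to share with.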
More information
See the man pages for the setfacl and getfacl commands for more information.