ACL

From Segfault
Jump to: navigation, search

From the bestbits.at (Archive) site:

On UNIX and UNIX-like systems, file permissions are defined by the file mode. The file mode 
contains nine bits that determine access permissions of a file, plus three special bits.
This mechanism allows to define access permissions for three classes of users: the file owner,
the file group, and others. This mechanism is very simple. With a couple of bits, many 
permission scenarios can be modeled. 

Some applications require more control over permissions than this model offers. Access 
control lists implement a more fine-grained permission model: In addition to the file owner,
the file group, and others, additional users and groups can be granted or denied access. 

Usage

Note: the following should work on current Linux and BSD systems.

Make sure the filesystem has ACL support:

$ mount | grep acl
/dev/ada0p2 on / (ufs, local, journaled soft-updates, acls)

Let's create a file and display its permissions:

$ touch file.txt
$ ls -l file.txt
-rw-------  1 root  wheel  0 Sep 18 18:35 file.txt

Grant read permission to user dummy:

MacOS

On MacOS, ACLs can be set with chmod[1][2]:

$ echo "hello, world" > foo
$ chmod 0600 foo
$ chmod +a "dummy allow read" foo
$ ls -le foo
-rw-------+ 1 alice  wheel  0 Apr 17 11:28 foo
0: user:dummy allow read

With that, only alice and dummy should be able to read the file:

$ whoami; cat foo
alice
hello, world

$ sudo -u dummy cat foo
hello, world

$ sudo -u bob cat foo
cat: foo: Permission denied

Allow dummy to create objects in the current directory:

$ ls -led .
drwxr-xr-x  4 alice  wheel  136 Apr 17 11:36 .

$ sudo -u dummy touch bar
touch: bar: Permission denied

$ chmod +a "dummy allow read,write,execute" .
$ sudo -u dummy touch bar

$ ls -led . bar
drwxr-xr-x+ 4 alice  wheel  136 Apr 17 11:38 .
 0: user:dummy allow list,add_file,search
-rw-r--r--  1 dummy      wheel    0 Apr 17 11:38 bar

Links

References