ACL

From Segfault

From the bestbits.at (Archive) site:

On UNIX and UNIX-like systems, file permissions are defined by the file mode. The file mode 
contains nine bits that determine access permissions of a file, plus three special bits.
This mechanism allows one to define access permissions for three classes of users: the file owner,
the file group, and others. This mechanism is very simple. With a couple of bits, many 
permission scenarios can be modeled. 

Some applications require more control over permissions than this model offers. Access 
control lists implement a more fine-grained permission model: In addition to the file owner,
the file group, and others, additional users and groups can be granted or denied access. 

Usage

Note: the following should work on current Linux and BSD systems.

Make sure the filesystem has ACL support. The output below is from FreeBSD, where UFS needs the
acls mount option. On Linux the usual filesystems (ext4, XFS, Btrfs) have POSIX ACLs enabled by
default and mount normally does not list acl at all, so an empty result there does not mean ACLs
are unavailable; a setfacl call on a filesystem that really lacks them fails with
"Operation not supported".

$ mount | grep acl
/dev/ada0p2 on / (ufs, local, journaled soft-updates, acls)

Let's create a file and display its permissions:

$ touch file.txt
$ ls -l file.txt
-rw-------  1 root  wheel  0 Sep 18 18:35 file.txt

Grant read permission to user dummy:
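On Linux and FreeBSD the equivalent of the macOS chmod +a below is setfacl -m u:dummy:r file.txt;
getfacl file.txt then lists the entries, and ls -l shows a trailing + on the mode. Two details trip
up audits of such files: the named-user entry is limited by the mask entry that setfacl creates, and
a later chmod on the file rewrites that mask (not the owning-group entry), silently clipping or
widening what dummy can do, while ls -l shows the mask in the group column. The following is an
added example, not code from this page or from bestbits.at: a small model of the access-check
algorithm from acl(5) run over a constructed getfacl listing of file.txt after the setfacl command
above. The user and group names (dummy, bob, wheel) are the ones used on this page; default
(inheritance) entries on directories are deliberately not modelled.

```python
"""Model of the POSIX.1e ACL access check described in acl(5), run over
getfacl(1)-style text. Added example for this page; not code from the page
or from bestbits.at. SAMPLE is a constructed getfacl listing of file.txt
after `setfacl -m u:dummy:r file.txt` on a 0600 root:wheel file."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional

PERM_BITS = {"r": 4, "w": 2, "x": 1}

SAMPLE = """\
# file: file.txt
# owner: root
# group: wheel
user::rw-
user:dummy:r--
group::---
mask::r--
other::---
"""


def parse_perms(s: str) -> int:
    """'r-x' -> 5, '---' -> 0."""
    return sum(PERM_BITS[c] for c in s if c in PERM_BITS)


def fmt_perms(bits: int) -> str:
    return "".join(c if bits & b else "-" for c, b in PERM_BITS.items())


@dataclass
class Acl:
    owner: str
    group: str
    user_obj: int = 0                                     # user::  (owner)
    group_obj: int = 0                                    # group:: (owning group)
    other: int = 0                                        # other::
    users: Dict[str, int] = field(default_factory=dict)   # user:NAME:
    groups: Dict[str, int] = field(default_factory=dict)  # group:NAME:
    mask: Optional[int] = None                            # mask:: (exists once named entries do)

    def eff(self, bits: int) -> int:
        """Effective rights of a mask-governed entry (named users, owning
        group, named groups): the stated bits ANDed with the mask."""
        return bits if self.mask is None else bits & self.mask


def parse_getfacl(text: str) -> Acl:
    """Parse the long output of `getfacl FILE` (Linux and FreeBSD)."""
    acl = Acl(owner="", group="")
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("default:"):  # inheritance entries not modelled
            continue
        if line.startswith("#"):                      # '# owner: root' header lines
            key, _, val = line[1:].partition(":")
            if key.strip() == "owner":
                acl.owner = val.strip()
            elif key.strip() == "group":
                acl.group = val.strip()
            continue
        # getfacl appends '#effective:r--' to clipped entries; drop that comment
        tag, name, perms = line.split("#", 1)[0].strip().split(":")
        bits = parse_perms(perms)
        if tag == "user" and name:
            acl.users[name] = bits
        elif tag == "user":
            acl.user_obj = bits
        elif tag == "group" and name:
            acl.groups[name] = bits
        elif tag == "group":
            acl.group_obj = bits
        elif tag == "mask":
            acl.mask = bits
        elif tag == "other":
            acl.other = bits
        else:
            raise ValueError("unknown ACL entry: " + line)
    return acl


def access(acl: Acl, user: str, user_groups: Iterable[str], want: str) -> bool:
    """acl(5) access check: owner, then named user, then any matching group
    entry (one sufficient group entry grants), then other. Every class but
    owner and other is limited by the mask."""
    need = parse_perms(want)
    grps = set(user_groups)
    if user == acl.owner:
        return (need & ~acl.user_obj) == 0
    if user in acl.users:
        return (need & ~acl.eff(acl.users[user])) == 0
    matched = [acl.group_obj] if acl.group in grps else []
    matched += [b for g, b in acl.groups.items() if g in grps]
    if matched:
        return any((need & ~acl.eff(b)) == 0 for b in matched)
    return (need & ~acl.other) == 0


def apply_chmod(acl: Acl, mode: int) -> Acl:
    """chmod(2) on a file that has a mask entry rewrites the mask, not
    group::, so it silently clips or widens every named-user entry."""
    acl.user_obj = (mode >> 6) & 7
    if acl.mask is None:
        acl.group_obj = (mode >> 3) & 7
    else:
        acl.mask = (mode >> 3) & 7
    acl.other = mode & 7
    return acl


def mode_string(acl: Acl, ftype: str = "-") -> str:
    """What `ls -l` prints: the group column shows the mask when there is
    one, and the trailing '+' marks an extended ACL."""
    grp = acl.group_obj if acl.mask is None else acl.mask
    return (ftype + fmt_perms(acl.user_obj) + fmt_perms(grp)
            + fmt_perms(acl.other) + ("+" if acl.mask is not None else ""))


if __name__ == "__main__":
    acl = parse_getfacl(SAMPLE)
    print(mode_string(acl), "dummy r:", access(acl, "dummy", [], "r"),
          "bob(wheel) r:", access(acl, "bob", ["wheel"], "r"))
    apply_chmod(acl, 0o600)  # looks like a harmless tightening of the group bits
    print(mode_string(acl), "dummy r:", access(acl, "dummy", [], "r"))
    apply_chmod(acl, 0o660)  # ls now shows rw- for group, yet group:: is still ---
    print(mode_string(acl), "dummy w:", access(acl, "dummy", [], "w"),
          "bob(wheel) r:", access(acl, "bob", ["wheel"], "r"))
```

The run shows the two traps: after chmod 600 the file still lists user:dummy:r-- but dummy can no
longer read it (mask ---), and after chmod 660 ls -l reports rw- in the group column although
members of wheel still get nothing, because the owning-group entry is unchanged and only the mask
widened. When reviewing file permissions on an ACL-enabled system, read getfacl output (including
its #effective annotations) rather than trusting ls -l.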

MacOS

On MacOS, ACLs can be set with chmod[1][2]:

$ echo "hello, world" > foo
$ chmod 0600 foo
$ chmod +a "dummy allow read" foo
$ ls -le foo
-rw-------+ 1 alice  wheel  13 Apr 17 11:28 foo
 0: user:dummy allow read

With that, only alice (the owner, through the mode bits) and dummy (through the ACL entry) can read the file; bob matches neither and is denied:

$ whoami; cat foo
alice
hello, world

$ sudo -u dummy cat foo
hello, world

$ sudo -u bob cat foo
cat: foo: Permission denied

Allow dummy to create objects in the current directory:

$ ls -led .
drwxr-xr-x  4 alice  wheel  136 Apr 17 11:36 .

$ sudo -u dummy touch bar
touch: bar: Permission denied

$ chmod +a "dummy allow read,write,execute" .
$ sudo -u dummy touch bar

$ ls -led . bar
drwxr-xr-x+ 4 alice  wheel  136 Apr 17 11:38 .
 0: user:dummy allow list,add_file,search
-rw-r--r--  1 dummy      wheel    0 Apr 17 11:38 bar

Note how the simple permissions read, write and execute were expanded to the directory
permissions list, add_file and search: dummy can now create files here, but the entry grants
neither add_subdirectory nor delete_child, so dummy can still not create subdirectories or
delete anything. The new file bar is owned by dummy with mode 0644 from dummy's umask; the
directory entry carries no inheritance flags, so bar gets no ACL of its own (plain mode bits,
no trailing +).

Links

References