Difference between revisions of "ACL"
From Blue-IT.org Wiki
Latest revision as of 19:32, 8 January 2012
Use Case
Peter, Paul and Mary are working with one directory tree. They share, use and edit the same files. They all belong to the system group users. But the directory they should be able to write to belongs to the group exchange.
    /home
      /exchange
        /peters_subdir
          /peters_file.txt
        /pauls_subdir
          /pauls_file.odf
        maries_file.doc
Links
- Indiana University Dep. of Computer Science: http://www.cs.indiana.edu/Facilities/software/ACL.html
- Using ACLs with Fedora Core 2 (Linux Kernel 2.6.5): http://www.vanemery.com/Linux/ACL/linux-acl.html
- Very good article that sums up the most common problems: Ubuntu Forum, http://ubuntuforums.org/showthread.php?t=145741&page=2
- German - Was ist die umask? Wie kann ich sie festlegen? (What is the umask? How can I set it?): http://suse-linux-faq.koehntopp.de/q/q-filesystems-umask.html
- German - Wie nutzt man ACLs (Access Control Lists) richtig? (How to use ACLs correctly?): http://www.xwolf.de/artikel/acls.shtml
Distribution specific
SuSE
Works out of the box (10.3).
Redhat
Works out of the box.
Ubuntu - not supported
- An NFS server with ACLs does not work with Ubuntu so far
- the following is theory --Apos 01:09, 27 November 2007 (CET)
If you have time to experiment, you can try the following:
Pure acl
All filesystems (ext2/3, xfs, reiserfs) are compiled with ACL support by default. You only have to mount them with defaults,acl in your /etc/fstab.
To use ACLs in Ubuntu, run
    apt-get install acl
nfs (server) and acl
First be advised that, as of this writing (--Apos 19:04, 26 November 2007 (CET)), Ubuntu does not support NFS/ACL by default. The kernel is not compiled with NFS/ACL support.
To use nfs/acl you have to compile a custom kernel.
Configure the Ubuntu kernel
    make menuconfig
Go to the corresponding submenus and enable ACL support for both the NFSv3 file system (client) and the server:
    File systems --->
      Network File Systems --->
        <M> NFS file system support
          [*] Provide NFSv3 server support
          >> [*] Provide client support for the NFSv3 ACL protocol extension
        <M> NFS server support
          [*] Provide NFSv3 server support
          >> [*] Provide server support for the NFSv3 ACL protocol extension
Exit the application after saving .config.
Build the custom kernel
Now we are ready to compile the kernel and kernel headers:
    make-kpkg clean
    fakeroot make-kpkg --initrd --append-to-version=-nfs3-with-acl-support \
        kernel_image kernel_headers
Keep in mind that you are now on your own, with no support from Canonical!
Use it
Enable ACL
On some distributions, filesystems are already compiled with ACL support. This is the case e.g. for xfs or reiserfs. Otherwise - and this is always wise - enable ACLs in fstab explicitly (device first, then the mount point):
    /etc/fstab
      /dev/hdx  /home  ext3  defaults,acl  1 2
Create a new group exchange
Create the new group exchange. In some cases it could be wise to create a user with the same name too, with its own home directory and the default group exchange.
Don't forget to set the default group for the user exchange when you create it.
    chgrp exchange /home/exchange/
    chmod g+s /home/exchange
Add ACL support
Change the default ACL mask for this directory and all subdirectories created below it:
    setfacl -d -m mask:007 /home/exchange/
Optional: you should additionally run
    setfacl -dm g:exchange:rwx /home/exchange
    setfacl -d --set u::rwx,g::rwx,o::--- /home/exchange
Now every file from any user accessing this directory will be readable/writable for the group exchange.
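The commands above set a mask entry. As an added example (not from this wiki page), the following script shows what that mask does: it caps the effective rights of the owning group and of every named user/group entry, while owner and other are untouched. The getfacl output it parses is a constructed sample, and the function names are this example's own.

```shell
#!/bin/bash
# Added example, not code from the wiki page. The ACL mask entry set with
# "setfacl -d -m mask:..." is an upper bound on the effective rights of
# the owning group and of all named user/group entries; it is not a umask.
# getfacl shows the same result as "#effective:" comments.

# perm_and A B: bitwise AND of two rwx strings, e.g. perm_and rwx r-x -> r-x
perm_and() {
    local a="$1" b="$2" out="" i ca cb
    for i in 1 2 3; do
        ca=$(printf '%s\n' "$a" | cut -c"$i")
        cb=$(printf '%s\n' "$b" | cut -c"$i")
        if [ "$ca" != "-" ] && [ "$ca" = "$cb" ]; then
            out="$out$ca"
        else
            out="$out-"
        fi
    done
    printf '%s' "$out"
}

# acl_effective: read getfacl-style text on stdin and print one line per
# entry as <tag>:<qualifier>:<perms>:<effective perms after the mask>
acl_effective() {
    local input mask tag qual perms
    input=$(cat)
    # the mask entry, if present; without one nothing is limited
    mask=$(printf '%s\n' "$input" | awk -F: '$1 == "mask" { print $3; exit }')
    [ -n "$mask" ] || mask="rwx"
    printf '%s\n' "$input" | while IFS=: read -r tag qual perms; do
        case "$tag" in
            "" | \#* | mask) continue ;;   # blank lines, comments, the mask itself
        esac
        if { [ "$tag" = "user" ] && [ -z "$qual" ]; } || [ "$tag" = "other" ]; then
            # owner and other are never limited by the mask
            printf '%s:%s:%s:%s\n' "$tag" "$qual" "$perms" "$perms"
        else
            printf '%s:%s:%s:%s\n' "$tag" "$qual" "$perms" "$(perm_and "$perms" "$mask")"
        fi
    done
}

# Constructed sample: what getfacl could print for /home/exchange if the
# group entry was granted rwx but the mask was later reduced to r-x.
SAMPLE_ACL='# file: home/exchange
# owner: exchange
# group: exchange
user::rwx
group::rwx
group:exchange:rwx
mask::r-x
other::---'

printf '%s\n' "$SAMPLE_ACL" | acl_effective
```

The group entries come out as r-x although they were granted rwx, which is exactly what a too-restrictive mask does to a shared directory.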
Useful script
The script walks the directory tree and changes all subdirectories and files. It grants read and write permissions to both user and group and denies them to other. It should be self-explanatory: it only does the mandatory things and leaves the alternative syntax and features (e.g. the sticky bit) to you as commented-out lines.
It might be that I did some things twice, but it works. Be careful, the script does not check
- whether the group you specified exists
- whether the directory you specified exists
- and it removes all ACLs by default
    #!/bin/bash
    # /root/bin/change_rights.sh
    # Resets ownership, mode bits and default ACLs of the exchange directory.

    myExchangeDir="/home/exchange"
    myChmodFile="660"          # files: rw for user and group, nothing for other
    myChmodDir="770"           # directories: rwx for user and group
    myACLMask="006"
    # myDirMods="ug+x"
    myDirSticky="g+s"          # setgid: new files inherit the directory's group
    myUser="exchange"
    myGroup="exchange"
    myChown="${myUser}:${myGroup}"
    removePreviousACL=1

    ### Recursive preparation of everything

    ## Unix
    chmod -R "${myChmodFile}" "${myExchangeDir}"
    chown -R "${myChown}" "${myExchangeDir}"

    # Set group ID on execution
    chmod g+s "${myExchangeDir}"

    # Sticky bit - avoid deletion by other users
    # chmod g+t "${myExchangeDir}"

    ## ACL

    # Remove all ACLs in advance !!!
    [ "${removePreviousACL}" -eq 1 ] && setfacl -R -b "${myExchangeDir}"

    setfacl -d -m mask:"${myACLMask}" "${myExchangeDir}"
    #setfacl -d --set u::rwx,g::rwx,o::--- "${myExchangeDir}"
    #setfacl -dm u:"${myUser}":rwx,g:"${myGroup}":rwx,o::--- "${myExchangeDir}"


    ### Correct directory permissions (the recursive chmod 660 above also
    ### removed the x bit from directories, so set them to 770 again)
    chmod "${myChmodDir}" "${myExchangeDir}"
    find "${myExchangeDir}" -type d -exec chmod "${myChmodDir}" {} \;
    # find "${myExchangeDir}" -type d -exec chmod "${myDirMods}" {} \;
    find "${myExchangeDir}" -type d -exec chmod "${myDirSticky}" {} \;
    # find "${myExchangeDir}" -type d -exec chmod g+t {} \;
    find "${myExchangeDir}" -type d -exec setfacl -d -m mask:"${myACLMask}" {} \;

    # find "${myExchangeDir}" -type d -exec setfacl -d --set \
    #     u::rwx,g::rwx,o::--- {} \;
    # find "${myExchangeDir}" -type d -exec setfacl -dm \
    #     u:"${myUser}":rwx,g:"${myGroup}":rwx,o::--- {} \;
Hint for shell scripts:
- Always use /bin/bash
- Always include variables in "" for both declaration and usage.
This assures you won't have ANY trouble dealing with whitespace in pathnames or files ;)
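As an added example (not the wiki's own script), here are the pre-flight checks the author says change_rights.sh lacks, to be run before its recursive chmod/chown/setfacl. The function names preflight and have_acl_tools are this example's invention; it only reads /etc/group and /etc/passwd and changes nothing.

```shell
#!/bin/bash
# Added example, not code from the wiki page: the checks change_rights.sh
# does not do. A typo in the group name or the directory would otherwise
# hand a whole subtree to the wrong group, or strip every ACL from the
# wrong tree (removePreviousACL=1). Function names are this example's own.

# preflight DIR GROUP [USER]  -> exit status 0 if it is safe to proceed
preflight() {
    local dir="$1" group="$2" user="${3:-$2}" depth
    [ -n "$dir" ] && [ -n "$group" ] || { echo "usage: preflight DIR GROUP [USER]" >&2; return 1; }

    # 1. absolute path, existing directory, and not a symlink: a link
    #    would redirect the recursive chmod/chown somewhere else.
    case "$dir" in
        /*) ;;
        *)  echo "refusing relative path: $dir" >&2; return 1 ;;
    esac
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "not a directory (or a symlink): $dir" >&2; return 1
    fi

    # 2. refuse / and top-level directories such as /home: the script
    #    applies 660/770 and chown to everything below the target.
    depth=$(printf '%s' "${dir%/}" | tr -cd '/' | wc -c)
    if [ "$depth" -lt 2 ]; then
        echo "refusing to recurse into top-level directory: $dir" >&2; return 1
    fi

    # 3. the group and user must exist (getent honours NSS; fall back to
    #    the flat files where getent is not installed).
    if ! getent group "$group" >/dev/null 2>&1 && ! grep -q "^${group}:" /etc/group; then
        echo "no such group: $group" >&2; return 1
    fi
    if ! getent passwd "$user" >/dev/null 2>&1 && ! grep -q "^${user}:" /etc/passwd; then
        echo "no such user: $user" >&2; return 1
    fi
    return 0
}

# have_acl_tools -> 0 if setfacl/getfacl are installed (package 'acl')
have_acl_tools() {
    command -v setfacl >/dev/null 2>&1 && command -v getfacl >/dev/null 2>&1
}

# Example use, mirroring the variables of change_rights.sh:
myExchangeDir="/home/exchange"; myGroup="exchange"; myUser="exchange"
if preflight "$myExchangeDir" "$myGroup" "$myUser" && have_acl_tools; then
    echo "ok to run change_rights.sh on $myExchangeDir"
else
    echo "pre-flight failed, not touching $myExchangeDir" >&2
fi
```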
Cron job
nohup /root/bin/change_rights.sh 1>/dev/null 2>&1 &
Remove ACLs
sudo setfacl -b /directory/to/remove/permissions/from
Samba
ACL, cifs and smbfs
At present Ubuntu does not support POSIX ACLs with cifs or smbfs.
But there is a workaround: use the following smb.conf entries (disabling ACLs explicitly) and mount your share with the mount command given below.
Important: you have to mount with -t cifs; -t smbfs is deprecated and will cause trouble on the current Ubuntu version (gutsy) with the given example, because file and directory masks are not mapped correctly.
smb.conf
This sample shows a working version for the share exchange, to be used in conjunction with the ACL-enabled directory of the previous section.
    [exchange]
    path = /home/exchange
    writable = yes
    available = yes
    browsable = yes
    public = yes

    # Next ignores all "create" options
    # for files and directories
    #inherit permissions = yes

    ## Files
    create mask = 0660
    force create mode = 2660
    ## Directories
    # setgid
    directory mask = 0770
    force directory mode = 2770

    ## ACL
    # does not work on ubuntu gutsy
    #profile acls = no
    #inherit acls = no
CIFS mount command
Use this command e.g. in /etc/rc.local.
    vim /etc/rc.local

    MOUNTPOINT="/home/exchange"
    SHARE="//server_ip/NameOfSambaShare"   # e.g. "exchange"
    USER="myUser"
    PASSWORD="myPassword"
    GROUP="exchange"

    mount -t cifs -o username="$USER",password="$PASSWORD",\
    uid="$USER",gid="$GROUP",\
    iocharset=utf8,codepage=cp850,\
    file_mode=0660,dir_mode=0770,umask=007 \
    "$SHARE" "$MOUNTPOINT"
Using a password file
You can also use samba credentials instead of -o username=:
vim /etc/samba/.samba_credentials
    username=myUsername
    password=myPassword
Then restrict the file to its owner and remove the editor's backup copy:
    chmod 600 /etc/samba/.samba_credentials
    rm /etc/samba/.samba_credentials~
Instead of mounting with
-o username=....
use
-o "credentials=/etc/samba/.samba_credentials"
NFS
Notes for ubuntu
At the time of writing, NFSv3 with ACLs in a network environment is not supported under Ubuntu.
fstab
Change your fstab mount options. It is important to add acl to the options field.
    nfs_server:/home/exchange  /home/your_account/exchange  nfs \
        rw,acl[,...]  0 0
restart the server
/etc/init.d/nfs-kernel-server restart && /etc/init.d/nfs-common restart
mount like this
    mount -t nfs -o rw,acl[,...] \
        nfs_server:/home/exchange /home/your_account/exchange
[,...] stands for e.g. one of these sets of mount options:
    ,rsize=8192,wsize=8192,user,timeo=10,intr
    ,rw,tcp,rsize=32768,wsize=32768,defaults   # for e.g. video data
Backup
Tools like rsync, dump or tar don't support ACL backup at the time of this writing. This will change in the future.
If you want to back up directories or files with ACLs, you have to use the star (a tar clone) backup utility.
- Star ACL: http://cdrecord.berlios.de/new/private/star-acl.html
Backup
    cd /home
    star -Hexustar -acl -c f=exchange.star exchange
Restore
star -acl -x f=exchange.star
Desktop
OpenOffice.org
Don't use OpenOffice.org's own file open/save dialogs. This is changed under Extras -> Options -> Defaults.
Gnome Nautilus
ACLs are not shown in Nautilus when using an NFS share.