Difference between revisions of "ACL"

From Blue-IT.org Wiki

Latest revision as of 19:32, 8 January 2012

Use Case

Peter, Paul and Mary work on one directory tree. They share, use and edit the same files. All of them belong to the system group users, but the directory they should be able to write to belongs to the group exchange.

/home   |
        /exchange  |
                   /peters_subdir |
                                  /peters_file.txt
                   /pauls_subdir  |
                                  /pauls_file.odf
                   maries_file.doc

Links

Distribution specific

SuSE

Works out of the box (10.3).

Redhat

Works out of the box.

Ubuntu - not supported

  • An NFS server with ACL support does not work on Ubuntu yet
  • the following is theory --Apos 01:09, 27 November 2007 (CET)

For those who have time to experiment, you can try the following:

Pure acl

The usual filesystems (ext2/3, xfs, reiserfs) come with ACL support compiled into the stock kernel. You only have to mount them with defaults,acl in your /etc/fstab.

To get the user-space tools (getfacl, setfacl) on Ubuntu, do

apt-get install acl

nfs (server) and acl

First be advised that Ubuntu, as of now (--Apos 19:04, 26 November 2007 (CET)), does not support NFS/ACL by default: the kernel is not compiled with NFS ACL support.

To use NFS with ACLs you have to compile a custom kernel.

Configure the ubuntu kernel

make menuconfig

Go to the corresponding submenus and enable ACL support for both the NFSv3 client and the NFS server:

 File systems  --->  
   Network File Systems  ---> 
        <M> NFS file system support
        [*]   Provide NFSv3 server support
     >> [*]     Provide client support for the NFSv3 ACL protocol extension
        <M> NFS server support
        [*]   Provide NFSv3 server support
     >> [*]     Provide server support for the NFSv3 ACL protocol extension

Exit menuconfig after saving .config.

Build the custom kernel

Now we are ready to compile the kernel and kernel_headers:

make-kpkg clean
fakeroot make-kpkg --initrd --append-to-version=-nfs3-with-acl-support \
                kernel_image kernel_headers

Keep in mind that you are now on your own: no support from Canonical!

Use it

Enable ACL

On some filesystems ACLs are active without any mount option (xfs is one); on others they have to be switched on at mount time. In any case it is wise to enable ACLs explicitly in fstab (device first, then mount point):

/etc/fstab
/dev/hdx   /home   ext3   defaults,acl   1 2

Create a new group exchange

Create the new group exchange. In some cases it is wise to also create a user with the same name, with its own home directory and exchange as its primary group.

Don't forget to set the primary group for the user exchange when you create it. Then hand the directory to the group and set the setgid bit, so that everything created inside it belongs to the group exchange:

chgrp exchange /home/exchange/
chmod g+s /home/exchange

Add ACL support

Set a default ACL on the directory. A default ACL is inherited by everything created in the directory (new subdirectories inherit it as their own default ACL as well; existing subdirectories are not touched) and, once present, replaces the umask of the creating process. This is what makes the directory behave as if it had a umask of its own:

setfacl -d -m mask:007 /home/exchange/

setfacl takes a single octal digit for a permission and skips leading zeros, so 007 is accepted as 7 (rwx): the default mask does not cut anything from the group class. The owner, group and other entries of a newly created default ACL are copied from the directory's mode bits at that moment, so the directory's own mode (770 in the script below) decides what other gets.

Optional: you can also set the base entries explicitly and add the group exchange as a named entry. --set replaces the whole default ACL, so run it first:

setfacl -d --set u::rwx,g::rwx,o::--- /home/exchange
setfacl -dm g:exchange:rwx /home/exchange

Now every file created by any user in this directory will be readable and writable for the group exchange, regardless of the creator's umask.

Useful script

Cycle through the directories and change all subdirectories and files. The script gives read and write permission to user and group and denies it to other. It should be self-explanatory: it just does the mandatory things and leaves the alternatives (e.g. the sticky bit) to you.

It might be that I did something twice, but it works. Be careful: the script runs as root over a tree that other users write to, and it does not check

  • whether the group you specified exists
  • whether the directory you specified exists
  • what exactly it touches: it removes all ACLs by default, and a hard link placed in the tree is chowned and chmodded together with every other name of that inode
#!/bin/bash
# /root/bin/change_rights.sh
# Normalise owner, modes and default ACLs of the exchange tree.
# Runs as root; checks neither that the directory nor that the group exists.

myExchangeDir="/home/exchange"
myChmodFile="660"       # files: rw for user and group, nothing for other
myChmodDir="770"        # directories: rwx for user and group, nothing for other
# Default ACL mask. setfacl skips leading zeros, so 007 means rwx.
# Keep the x: a file is requested with mode 0666 anyway and ends up rw, but a
# new subdirectory needs x in the mask or the group cannot enter it.
myACLMask="007"
# myDirMods="ug+x"
myDirSticky="g+s"       # setgid bit: new entries inherit the group (this is not the sticky bit)
myUser="exchange"
myGroup="exchange"
myChown="${myUser}:${myGroup}"
removePreviousACL=1

### Recursive preparation of everything

## Unix
# This also takes x away from the directories for a moment; restored below.
chmod -R "${myChmodFile}" "${myExchangeDir}"
chown -R "${myChown}" "${myExchangeDir}"

# Set group ID on execution
chmod g+s "${myExchangeDir}"

# Sticky bit - only the owner may delete a file
# chmod +t "${myExchangeDir}"

## ACL

# Remove all ACLs (access and default) in advance !!!
[ "${removePreviousACL}" -eq 1 ] && setfacl -R -b "${myExchangeDir}"

### Correct directory permissions
chmod "${myChmodDir}" "${myExchangeDir}"
find "${myExchangeDir}" -type d -exec chmod "${myChmodDir}" {} \;
# find "${myExchangeDir}" -type d -exec chmod "${myDirMods}" {} \;
find "${myExchangeDir}" -type d -exec chmod "${myDirSticky}" {} \;
# find "${myExchangeDir}" -type d -exec chmod +t {} \;

# Default ACLs only now: setfacl copies the u::/g::/o:: entries of a newly
# created default ACL from the directory's current mode, so the directories
# must already be 770 here (find visits the top directory as well).
# A default ACL replaces the umask of whoever creates files below it.
find "${myExchangeDir}" -type d -exec setfacl -d -m mask:"${myACLMask}" {} \;

# Alternatives: set the base entries explicitly (--set replaces the default ACL)
# or add named entries for user and group.
# find "${myExchangeDir}" -type d -exec setfacl -d --set \
#      u::rwx,g::rwx,o::--- {} \;
# find "${myExchangeDir}" -type d -exec setfacl -dm \
#      u:"${myUser}":rwx,g:"${myGroup}":rwx,o::--- {} \;

Hint for shell scripts:

  • Always use /bin/bash
  • Always include variables in "" for both declaration and usage.

This assures you won't have ANY trouble dealing with whitespace in path or file names ;)

Cron job

Started from cron, the script needs neither nohup nor the trailing &, and sending stderr to /dev/null hides failing chown or setfacl calls; if you keep the line as it is, check the tree afterwards.

nohup /root/bin/change_rights.sh 1>/dev/null 2>&1 &
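As an added example, not part of the wiki's script, here is a Python audit that checks a tree against the policy of change_rights.sh (files 660, directories 2770, one owning group) without modifying anything. It reports the two things the recursive chown/chmod does not look at: symlinks, which chmod -R and find -type d leave alone, and hard links, where changing one name silently changes the inode behind every other name. The script name audit_exchange.py, the command-line arguments and the sample tree are assumptions; nothing here needs root.

```python
"""Audit an exchange tree against the wiki's permission policy (read-only).

Added example for this page; it is not part of the wiki's change_rights.sh.
"""
import grp
import os
import stat
import sys
from typing import List, Optional, Tuple, Union

Finding = Tuple[str, str]   # (path, problem)


def audit(root: str, file_mode: int = 0o660, dir_mode: int = 0o2770,
          group: Union[str, int, None] = None) -> List[Finding]:
    """Return (path, problem) pairs; an empty list means the tree matches.
    GROUP may be a name, a numeric gid, or None to skip the ownership check."""
    want_gid: Optional[int] = None
    if isinstance(group, str):
        want_gid = grp.getgrnam(group).gr_gid      # KeyError for an unknown group
    elif isinstance(group, int):
        want_gid = group
    findings: List[Finding] = []

    def check(path: str, st: os.stat_result) -> None:
        is_dir = stat.S_ISDIR(st.st_mode)
        mode = stat.S_IMODE(st.st_mode)            # includes the setgid bit
        want = dir_mode if is_dir else file_mode
        if mode != want:
            findings.append((path, "mode %04o, want %04o" % (mode, want)))
        if want_gid is not None and st.st_gid != want_gid:
            findings.append((path, "gid %d, want %d" % (st.st_gid, want_gid)))
        if not is_dir and st.st_nlink > 1:
            findings.append((path, "%d hard links: chown/chmod here also changes "
                                   "the other names of this inode" % st.st_nlink))

    check(root, os.lstat(root))
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)                     # never follow symlinks
            if stat.S_ISLNK(st.st_mode):
                findings.append((path, "symlink -> %s: not changed by chmod -R, "
                                       "check where it points" % os.readlink(path)))
                continue
            check(path, st)
    return findings


if __name__ == "__main__":
    # usage (assumed): audit_exchange.py /home/exchange exchange
    root_dir = sys.argv[1] if len(sys.argv) > 1 else "/home/exchange"
    group_name = sys.argv[2] if len(sys.argv) > 2 else "exchange"
    problems = audit(root_dir, group=group_name)
    for path, why in problems:
        print("%s: %s" % (path, why))
    sys.exit(1 if problems else 0)
```

Run it before the cron job is installed and again after the first run; a non-empty report after the script has run means the script did not do what you expect (a hard link or symlink listed in the report is something to look at before, not after, the next recursive chown).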

Remove ACLs

This strips the access and default ACLs of the directory itself; add -R to do the whole tree (the script above does exactly that when removePreviousACL=1).

sudo setfacl -b /directory/to/remove/permissions/from

Samba

ACL, cifs and smbfs

As of now, Ubuntu does not support POSIX ACLs over cifs or smbfs.

There is a workaround, though: use the following smb.conf entries, which disable ACL handling explicitly, and mount the share with the mount command given below.

Important: you have to mount with -t cifs. Using -t smbfs is deprecated and causes trouble on the current Ubuntu version (gutsy) with the given example: the file and directory masks are not mapped correctly.

smb.conf

This sample shows a working version of the share exchange, to be used together with the ACL'ed directory of the previous section.

[exchange]
path = /home/exchange
writable = yes
available = yes
browsable = yes
# public = guest ok: clients may connect without a password; only the
# mode 770 and the group of /home/exchange keep the guest account out
public = yes

# Next ignores all "create" options
# for files and directories
#inherit permissions = yes

## Files
create mask = 0660
# the setgid bit (2xxx) has no use on files; 0660 would do here
force create mode = 2660
## Directories
# setgid
directory mask = 0770
force directory mode = 2770

## ACL
# does not work on ubuntu gutsy
#profile acls = no
#inherit acls = no

CIFS mount command

Use this command e.g. in /etc/rc.local. Note that a password given on the command line is visible to every local user in ps while mount runs, and that rc.local itself is readable by everyone; the credentials file described below avoids both.

vim /etc/rc.local
MOUNTPOINT="/home/exchange"
SHARE="//server_ip/NameOfSambaShare" # e.g. "exchange"
USER="myUser"
PASSWORD="myPassword"
GROUP="exchange"
 
mount -t cifs -o username="$USER",password="$PASSWORD",\
uid="$USER",gid="$GROUP",\
iocharset=utf8,codepage=cp850,\
file_mode=0660,dir_mode=0770,umask=007 \
"$SHARE" "$MOUNTPOINT"

Using a password file

You can also use a Samba credentials file instead of -o username=, so the password is neither on the command line nor in rc.local:

vim /etc/samba/.samba_credentials
username=myUsername
password=myPassword
chmod 600 /etc/samba/.samba_credentials
rm /etc/samba/.samba_credentials~

The last line removes the backup copy the editor may leave behind, which would otherwise keep the password readable with the default permissions.

Instead of mounting with

-o username=....

use

-o "credentials=/etc/samba/.samba_credentials"

NFS

Notes for ubuntu

At the time of writing, NFSv3 with ACLs in a network environment is not supported under Ubuntu.

fstab

Change the mount options in your fstab. The important part is adding acl to the options:

nfs_server:/home/exchange /home/your_account/exchange  nfs \
        rw,acl[,...]  0 0

Restart the NFS services:

/etc/init.d/nfs-kernel-server restart &&  /etc/init.d/nfs-common restart

or mount by hand:

mount -t nfs -o rw,acl[,...] \
    nfs_server:/home/exchange /home/your_account/exchange

[,...] stands for further mount options, e.g. one of these:

 ,rsize=8192,wsize=8192,user,timeo=10,intr
 ,rw,tcp,rsize=32768,wsize=32768,defaults   # for e.g. video data

Backup

Tools like rsync, dump or tar did not support backing up ACLs at the time of this writing (newer versions do: rsync -A/--acls and GNU tar --acls); without such support a backup and restore silently loses the ACLs.

If you want to back up directories or files with ACLs, you have to use the star (a tar clone) backup utility.

Backup

cd /home
star -Hexustar -acl -c f=exchange.star exchange

Restore

star -acl -x f=exchange.star

Desktop

OpenOffice.org

Don't use OpenOffice.org's own file open/save dialogs. This is changed under Extras->Options->Defaults.

Gnome Nautilus

ACLs are not shown in nautilus when using an nfs share.