ACL
From Blue-IT.org Wiki
Use Case
Peter, Paul and Mary are working with one directory tree. They share, use and edit the same files. They all belong to the system group users, but the directory they should be able to write to belongs to the group exchange.
/home
  |
  /exchange
    |
    /peters_subdir
      |
      /peters_file.txt
    /pauls_subdir
      |
      /pauls_file.odf
    maries_file.doc
Links
- Indiana University Dep. of Computer Science
- Using ACLs with Fedora Core 2 (Linux Kernel 2.6.5)
- Very good article that sums up the most common problems: Ubuntu Forum
- German - What is the umask? How do I set it?
- German - How do you use ACLs (Access Control Lists) correctly?
Distribution specific
SuSE
Works out of the box (10.3).
Redhat
Works out of the box.
Ubuntu
- NFS server with ACLs does not yet work on Ubuntu
- the following is theory --Apos 01:09, 27 November 2007 (CET)
Pure acl
All filesystems (ext2/3, xfs, reiserfs) are compiled with ACL support by default. You only have to mount them with defaults,acl in your /etc/fstab.
To use ACLs on Ubuntu, install the acl user-space tools:
apt-get install acl
nfs (server) and acl
First be advised that Ubuntu so far (--Apos 19:04, 26 November 2007 (CET)) does not support NFS with ACLs by default: the kernel is not compiled with NFS/ACL support.
To use ACLs over NFS you have to compile a custom kernel.
Configure the ubuntu kernel
make menuconfig
Go to the corresponding submenus and enable ACL support for both the NFSv3 client file system and the NFS server:
File systems --->
  Network File Systems --->
    <M> NFS file system support
      [*] Provide NFSv3 client support
        [*] Provide client support for the NFSv3 ACL protocol extension
    <M> NFS server support
      [*] Provide NFSv3 server support
        [*] Provide server support for the NFSv3 ACL protocol extension
Exit the application after saving .config.
Build the custom kernel
Now we are ready to compile the kernel and kernel_headers:
make-kpkg clean
fakeroot make-kpkg --initrd --append-to-version=-nfs3-with-acl-support kernel_image kernel_headers
Use it
Enable ACL
On some distributions, filesystems are already compiled with ACL support. This is the case e.g. for xfs or reiserfs. Otherwise - and this is always wise - enable ACLs explicitly in fstab (device, mount point, type, options, dump, pass):
# /etc/fstab
/dev/hdx  /home  ext3  defaults,acl  1 2
Create a new group exchange
Create the new group exchange. In some cases it could be wise to create a user with the same name too, with its own home directory and the default group exchange.
Don't forget to set the default group for the user exchange when you create it. Then hand the directory to the group and set the setgid bit, so that new files and subdirectories inherit the group exchange:
chgrp exchange /home/exchange/
chmod g+s /home/exchange
Add ACL support
Set the default ACL mask for this directory; it is inherited by all subdirectories created below it:
setfacl -d -m mask:007 /home/exchange/
Optional: You can also additionally do
setfacl -dm g:exchange:rwx /home/exchange
Now every file created in this directory by any user will be readable and writable for the group exchange.
Useful scripts
Cycle through directories and change all subdirectories/files
#!/bin/bash
# /root/bin/change_rights.sh
cd /home/exchange || exit 1
# files: owner and group may read and write, others get nothing
chmod -R 660 *
chown -R exchange:exchange *
# ATTENTION: chmod 660 also stripped the execute bit from the directories,
# so give it back to owner and group, otherwise they cannot be entered
find . -type d -exec chmod ug+x {} \;
Cron job
nohup /root/bin/change_rights.sh 1>/dev/null 2>&1 &
Remove ACLs
sudo setfacl -b /directory/to/remove/permissions/from
Samba
Prepare the directory
chown exchange:exchange /home/exchange
chmod 2775 /home/exchange
sudo setfacl -d --set u::rwx,g::rwx,o::rx /home/exchange
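The commands in "Add ACL support" (setfacl -dm g:exchange:rwx), the setfacl -d --set line just above, and the chmod -R 660 in change_rights.sh all rely on the same POSIX.1e rules: a default ACL on the parent is copied to every new file and intersected with the creation mode (the creating user's umask is ignored), named-group entries are capped by the mask entry, and a chmod rewrites the owner entry, the mask and the other entry. The following Python model of those rules is an added example written for this page, not code from the wiki or from the acl package; the entry syntax is setfacl's short text form, the group name exchange and the modes come from the page, and the function names are this example's own.

```python
# Added example (not from the Blue-IT.org wiki): a model of the Linux POSIX.1e
# ACL rules (see acl(5)) that the page's setup depends on.  Entries use
# setfacl's short text form: u::rwx, g:exchange:rwx, m::rw-, o::r-x.
# Function and class names below are this example's own, not the acl package API.

R, W, X = 4, 2, 1
PERM_CHARS = (("r", R), ("w", W), ("x", X))


def perms_from_text(text):
    """'rwx', 'r-x', 'rw' or a single octal digit such as '6' -> integer 0..7."""
    if text.isdigit():
        return int(text) & 7
    return sum(bit for ch, bit in PERM_CHARS if ch in text)


def perms_to_text(bits):
    return "".join(ch if bits & bit else "-" for ch, bit in PERM_CHARS)


class Acl:
    """An access or default ACL: a list of [tag, qualifier, perms] entries."""

    def __init__(self, entries):
        self.entries = entries

    @classmethod
    def parse(cls, text):
        entries = []
        for item in text.split(","):
            tag, qual, perms = item.strip().split(":")
            entries.append([tag[0], qual, perms_from_text(perms)])
        acl = cls(entries)
        # setfacl adds a mask entry automatically when named entries are present
        # and none was given; it is the union of all group-class entries.
        if acl.find("m") is None and any(q for _, q, _ in entries):
            union = 0
            for tag, qual, perms in entries:
                if qual or tag == "g":
                    union |= perms
            acl.entries.append(["m", "", union])
        return acl

    def copy(self):
        return Acl([list(e) for e in self.entries])

    def find(self, tag, qual=""):
        return next((e for e in self.entries if e[0] == tag and e[1] == qual), None)

    def effective(self, tag, qual=""):
        """Rights an entry actually grants: named users, the owning group and
        named groups are limited by the mask entry when one exists."""
        entry = self.find(tag, qual)
        mask = self.find("m")
        if entry is None:
            return None
        if mask is not None and (qual or tag == "g"):
            return entry[2] & mask[2]
        return entry[2]

    def _apply_mode(self, mode, intersect):
        # Owner bits map to u::, group bits to the mask (or to g:: when there is
        # no mask entry), other bits to o::.
        for tag, shift in (("u", 6), ("m", 3), ("o", 0)):
            entry = self.find(tag) or (self.find("g") if tag == "m" else None)
            bits = (mode >> shift) & 7
            entry[2] = (entry[2] & bits) if intersect else bits
        return self

    def chmod(self, mode):
        """chmod(2) on an object that carries an ACL."""
        return self._apply_mode(mode, intersect=False)

    def __str__(self):
        return ",".join(f"{t}:{q}:{perms_to_text(p)}" for t, q, p in self.entries)


def create_object(parent_default, mode, umask=0o022, directory=False):
    """Return (access_acl, default_acl) for a new file or directory.

    With a default ACL on the parent, that ACL is copied to the new object and
    intersected with the creation mode; the umask is not applied at all.  A new
    directory additionally inherits the default ACL as its own default ACL.
    Without a default ACL the classic mode & ~umask applies."""
    if parent_default is None:
        mode &= ~umask
        acl = Acl.parse(f"u::{(mode >> 6) & 7},g::{(mode >> 3) & 7},o::{mode & 7}")
        return acl, None
    access = parent_default.copy()._apply_mode(mode, intersect=True)
    return access, (parent_default.copy() if directory else None)


if __name__ == "__main__":
    samba_default = Acl.parse("u::rwx,g::rwx,o::r-x")   # the setfacl -d --set line above
    plain, _ = create_object(None, 0o666)                 # no default ACL, umask 022
    shared, _ = create_object(samba_default, 0o666, umask=0o077)
    print("without default ACL:", plain)                  # u::rw-,g::r--,o::r--
    print("with default ACL:   ", shared)                 # u::rw-,g::rw-,o::r-- (umask ignored)

    group_default = Acl.parse("u::rwx,g::rwx,g:exchange:rwx,o::r-x")  # after setfacl -dm g:exchange:rwx
    f, _ = create_object(group_default, 0o666)
    print("new file:", f, "| exchange effective:", perms_to_text(f.effective("g", "exchange")))
    f.chmod(0o660)                                        # what change_rights.sh does to each file
    print("after chmod 660:", f, "| exchange effective:", perms_to_text(f.effective("g", "exchange")))
```

Running the block shows the point of the whole page: with a default ACL in place the creating user's umask no longer matters, the entries g::rwx and g:exchange:rwx keep their rwx text but are cut down to rw- by the mask (what getfacl displays as #effective:rw-), and chmod 660 only rewrites owner, mask and other.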
smb.conf
[exchange]
path = /home/exchange
browseable = yes
writable = yes
create mask = 0664
directory mask = 0775
NFS
At the time of writing, NFS and ACLs are not well supported under Ubuntu.
Change the mount options in your fstab. The important part is to add acl to the options field:
nfs_server:/home/exchange  /home/your_account/exchange  nfs  rw,acl[,...]  0 0
Manually mount like this:
mount -t nfs -o rw,acl[,...] \
    nfs_server:/home/exchange /home/your_account/exchange
[,...] stands for one of these sets of mount options, for example:
,rsize=8192,wsize=8192,user,timeo=10,intr
,rw,tcp,rsize=32768,wsize=32768,defaults   # e.g. for video data
Backup
Tools like rsync, dump or tar don't support backing up ACLs at the time of this writing. This will change in the future.
If you want to back up directories or files with ACLs, you have to use the star (a tar clone) backup utility.
Backup
cd /home
star -Hexustar -acl -c f=exchange.star exchange
Restore
star -acl -x f=exchange.star
Desktop
OpenOffice.org
Don't use OpenOffice.org's own file open/save dialogs. This is changed under Extras -> Options -> Defaults.
Gnome Nautilus
ACLs are not shown in nautilus when using an nfs share.