ACL: Need particular permissions for a user who is not the owner or in the group of a file?

Have you ever needed to grant some users more permissions on a file when those users are neither the owner nor members of the owning group? The first temptation is to widen the "Others" permission, or to add the user to the owning group: not really what you want, and not very secure. Try ACLs :).

ACLs let you grant exactly the permissions you need to users who are neither the file's owner nor in its group, without altering the Others permission or touching group membership.

To use ACLs on files or directories, the filesystem containing them must be mounted with ACL support. On current kernels ext4 and XFS enable ACLs by default (for ext4 this is usually recorded in the superblock; check with tune2fs -l and look for "acl" under "Default mount options"), but on older systems such as the one below the acl mount option has to be added explicitly.

Let’s say, I need to give “admin” user read/write permissions on the file /redologs/mydb/u01/control01.ctl.

ACLs are not yet enabled on /redologs; look at my fstab:

cat /etc/fstab | grep redologs

/dev/vgdata/lvredo    /redologs    ext4    defaults    1 1

First, we need to enable ACLs on /redologs by remounting it with the acl option. Here we do it at runtime (the device is the same logical volume as in fstab, under its /dev/mapper name):

mount -o remount,acl /dev/mapper/vgdata-lvredo /redologs

To make this survive a reboot, change the options column in fstab from defaults to defaults,acl; otherwise the next mount silently loses ACL support and every setfacl call fails with "Operation not supported".

Let's check the current permissions before altering the file:

cd /redologs/mydb/u01/

getfacl control01.ctl

# file: control01.ctl
# owner: oracle
# group: oinstall
user::rw-
group::r--
other::---

This is a minimal ACL: the three entries map one-to-one onto the classic mode bits (0640).

Now, let's grant our user read/write permission on control01.ctl, then look at the result with getfacl again:

setfacl -m u:admin:rw control01.ctl

getfacl control01.ctl

# file: control01.ctl
# owner: oracle
# group: oinstall
user::rw-
user:admin:rw-
group::r--
mask::rw-
other::---

Note the new mask entry: setfacl computes it as the union of the owning group's entry and every named user or group entry, and it caps what those entries can grant. Here it is rw- because admin was given rw-.

If you do an ls -l on the file, you will notice the + symbol, which marks an extended ACL:

ls -l control01.ctl
-rw-rw----+ 1 oracle oinstall 3198537 Apr 10 14:25 control01.ctl

Careful when reading this: with an ACL present, the middle triad shows the mask (rw-), not the owning group's entry (still r--), so the group did not gain write access. Conversely, a later chmod on the file rewrites the mask and can silently clip the admin entry; getfacl flags that with an #effective: column.

Connect with admin user and test 🙂
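To make the mask rule concrete, here is an added example (not code from the original post): a small Python script that parses getfacl output, applies the mask to each entry the way the kernel does, and rebuilds the mode string ls -l prints. The ACL texts are constructed: the first copies the getfacl output above, the second is a hypothetical state of the same file after a chmod g-w, which rewrites the mask.

```python
"""Added example: interpret getfacl output and the ACL mask.

Not code from the original post. The ACL texts below are constructed:
ACL_AFTER_SETFACL copies the getfacl output shown in the post, and
ACL_AFTER_CHMOD is a hypothetical state of the same file after `chmod g-w`.
"""

PERM_BITS = {"r": 4, "w": 2, "x": 1}  # insertion order matters for bits_to_perm

ACL_AFTER_SETFACL = """\
# file: control01.ctl
# owner: oracle
# group: oinstall
user::rw-
user:admin:rw-
group::r--
mask::rw-
other::---
"""

# Constructed: chmod rewrites the mask (the "group" bits of the mode), so the
# admin entry still reads rw- but is clipped; getfacl flags that with #effective.
ACL_AFTER_CHMOD = """\
# file: control01.ctl
# owner: oracle
# group: oinstall
user::rw-
user:admin:rw-\t\t\t#effective:r--
group::r--
mask::r--
other::---
"""


def perm_to_bits(perm: str) -> int:
    """'rw-' -> 6; '-' placeholders are ignored."""
    return sum(PERM_BITS[c] for c in perm if c in PERM_BITS)


def bits_to_perm(bits: int) -> str:
    """6 -> 'rw-'."""
    return "".join(c if bits & b else "-" for c, b in PERM_BITS.items())


def parse_getfacl(text: str) -> dict:
    """Parse getfacl text into header fields plus a list of (tag, qualifier, perm)."""
    acl = {"file": None, "owner": None, "group": None, "entries": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line.lstrip("# ").partition(":")
            if key.strip() in acl:
                acl[key.strip()] = value.strip()
            continue
        # Entries look like 'user::rw-', 'user:admin:rw-', 'mask::rw-';
        # a trailing '#effective:...' hint is dropped and recomputed below.
        tag, qualifier, perm = line.split(":", 2)
        acl["entries"].append((tag, qualifier, perm.split("#", 1)[0].strip()))
    return acl


def effective_permissions(acl: dict) -> dict:
    """Apply the POSIX ACL mask: the owning group, named users and named groups
    get (entry & mask); the owner, 'other' and the mask itself are unaffected."""
    mask = None
    for tag, _, perm in acl["entries"]:
        if tag == "mask":
            mask = perm_to_bits(perm)
    effective = {}
    for tag, qualifier, perm in acl["entries"]:
        bits = perm_to_bits(perm)
        is_masked = tag == "group" or (tag == "user" and qualifier != "")
        if is_masked and mask is not None:
            bits &= mask
        effective[f"{tag}:{qualifier}" if qualifier else tag] = bits_to_perm(bits)
    return effective


def ls_mode_string(acl: dict) -> str:
    """Rebuild the mode string `ls -l` prints for a regular file. With an
    extended ACL the middle triad is the MASK, not the owning group's entry,
    and a '+' is appended."""
    entries = {(tag, qual): perm for tag, qual, perm in acl["entries"]}
    owner, other = entries[("user", "")], entries[("other", "")]
    mask = entries.get(("mask", ""))  # present only in extended ACLs
    middle = mask if mask is not None else entries[("group", "")]
    return "-" + owner + middle + other + ("+" if mask is not None else "")


if __name__ == "__main__":
    for label, text in (("after setfacl", ACL_AFTER_SETFACL), ("after chmod g-w", ACL_AFTER_CHMOD)):
        acl = parse_getfacl(text)
        print(label, ls_mode_string(acl), effective_permissions(acl))
```

Run it and compare the two states: the admin entry is unchanged in both, yet admin's effective right drops from rw- to r-- after the chmod, and ls -l shows "-rw-r-----+" without any hint that a named entry exists beyond the "+". When auditing a host, trust getfacl (or the #effective column), not the ls -l triads.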

Now, here is a brief how-to for playing with ACLs:

– use getfacl filename to display the current ACL of the file.
– To add or update entries in the ACL of a file, use setfacl as follows:

setfacl -m rules filename

where rules is a comma-separated list of:

u:uid/username:permissions(rwx) for a user
g:gid/groupname:permissions(rwx) for a group
o:permissions(rwx) for others
m:permissions(rwx) for the mask (recomputed automatically unless you pass -n)

– To remove all extended entries and fall back to the plain mode bits, use the -b option:

setfacl -b filename

– If you need to remove a specific entry, use -x and name the entry (no permission field):

setfacl -x u:admin filename

Well, it seems quick :). The first time I used ACLs I was working with the Gentoo distribution, and I had to recompile the whole kernel with ACL support to be able to use it on my filesystems, and restart the server. Not so tempting for your client, no? xD xD
