If you’ve been using unix or linux long enough, you’ve probably found yourself wishing for more powerful permissions management. For example, if your web development group has been cooperating with another group on a somewhat sensitive project, you’ve probably wished you could easily set it so that those two groups – and only those two groups – could read and write to certain files. Or, as in my case, wished that you could allow the web server user to read and write to files without having to mess with any group permissions. ACLs are the tool that lets you do that.

An ACL is simply a list of users and groups, with permissions tied to each. Whereas normal unix file permissions only allow you to specify one user and one group, ACLs allow you to specify as many as you want, and treat them differently. The command to get a file/folder’s ACL is “getfacl” (if your system has it installed).

sclawren@binx:/var/www/robot$ getfacl files
# file: files
# owner: sclawren
# group: robot
user::rwx
group::rwx
group:webmaster:rwx
mask::rwx
other::r-x
default:user::rwx
default:group::rwx
default:group:webmaster:rwx
default:mask::rwx
default:other::r-x

This list is pretty much self-explanatory. The first three lines are just comments and have no effect whatsoever. There is no way to change them and no need to. The first two entries (user:: and group::) are just a reflection of the standard unix file permissions for the directory (files). In this case, the files directory has permissions 775 (rwxrwxr-x). The next line is the interesting part: anybody in the webmaster group also has read, write, and execute permissions for this directory. The mask line is rather boilerplate – just keep it as it is and move on. The other line is like the first two. Finally, the last 5 lines are the “default” ACL settings, which are used when new files are created in this directory. Obviously, these will not appear when getfacl is run on a regular file rather than a directory.

The setfacl command is rather simple. In general, use -m and then an entry in the same form getfacl prints, like g:webmaster:rwx, to modify permissions. If you want to modify the defaults, use -d. If you want your operation to be recursive, use -R. If you want to wipe out the old settings, use -b. If you only want to wipe out a particular setting, use something like -x g:webmaster.

I’ve placed the “access check algorithm”, as taken from the acl man page, below:

     1.   If the effective user ID of the process matches the user ID of the file object owner, then
              if the ACL_USER_OBJ entry contains the requested permissions, access is granted,
              else access is denied.
     2.   else if the effective user ID of the process matches the qualifier of any entry of type ACL_USER, then
              if the matching ACL_USER entry and the ACL_MASK entry contain the requested permissions, access is granted,
              else access is denied.
     3.   else if the effective group ID or any of the supplementary group IDs of the process match the file group or the qualifier of any entry of type ACL_GROUP, then
              if the ACL contains an ACL_MASK entry, then
                  if the ACL_MASK entry and any of the matching ACL_GROUP_OBJ or ACL_GROUP entries contain the requested permissions, access is granted,
                  else access is denied.
              else (note that there can be no ACL_GROUP entries without an ACL_MASK entry)
                  if the ACL_GROUP_OBJ entry contains the requested permissions, access is granted,
                  else access is denied.
     4.   else if the ACL_OTHER entry contains the requested permissions, access is granted.
     5.   else access is denied.

It’s admittedly pretty boring; however, it can be useful to look at if you want to know exactly what would happen in an unusual situation. For example, by the ordering of the statements, we can tell that ACLs can be used to deny access to specific users, even if they are in the necessary groups. Always useful to know.
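To make the algorithm and the getfacl output above concrete, here is an added Python example (not part of the original post, and not the acl package's own code) that parses the long-form getfacl listing and walks through steps 1 to 5 for a given user, group set and requested permissions. The sample listing is the one from /var/www/robot/files, with one constructed addition: a user:bob:--- entry, the kind of thing "setfacl -m u:bob:--- files" would create, so the per-user deny described above can be checked. User and group names, and the request strings, are assumptions for illustration. The with_mask helper is also added here to show the effect of the mask entry, which bounds every named-user and group entry but never the owner's.

```python
"""Evaluate POSIX ACL access following the acl(5) access check algorithm."""
from dataclasses import dataclass, field, replace
from typing import Dict, Optional, Set

# Constructed sample: the getfacl listing for the "files" directory from the
# post, plus a hypothetical "user:bob:---" entry (assumed for illustration).
SAMPLE_GETFACL = """\
# file: files
# owner: sclawren
# group: robot
user::rwx
user:bob:---
group::rwx
group:webmaster:rwx
mask::rwx
other::r-x
default:user::rwx
default:group::rwx
default:group:webmaster:rwx
default:mask::rwx
default:other::r-x
"""


def perms(s: str) -> Set[str]:
    """Turn 'rwx', 'r-x' or '---' into a set of permission letters."""
    return {c for c in s if c in "rwx"}


@dataclass
class Acl:
    owner: str
    group: str
    user_obj: Set[str]                               # ACL_USER_OBJ (user::)
    group_obj: Set[str]                              # ACL_GROUP_OBJ (group::)
    other: Set[str]                                  # ACL_OTHER (other::)
    users: Dict[str, Set[str]] = field(default_factory=dict)   # ACL_USER entries
    groups: Dict[str, Set[str]] = field(default_factory=dict)  # ACL_GROUP entries
    mask: Optional[Set[str]] = None                  # ACL_MASK, if present


def parse_getfacl(text: str) -> Acl:
    """Parse getfacl's long output. Default entries only describe what new
    files inherit, not access to this object, so they are skipped here."""
    acl = Acl(owner="", group="", user_obj=set(), group_obj=set(), other=set())
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# owner:"):
            acl.owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            acl.group = line.split(":", 1)[1].strip()
        elif not line or line.startswith("#") or line.startswith("default:"):
            continue
        else:
            tag, qualifier, p = line.split(":")
            if tag == "user":
                if qualifier:
                    acl.users[qualifier] = perms(p)
                else:
                    acl.user_obj = perms(p)
            elif tag == "group":
                if qualifier:
                    acl.groups[qualifier] = perms(p)
                else:
                    acl.group_obj = perms(p)
            elif tag == "mask":
                acl.mask = perms(p)
            elif tag == "other":
                acl.other = perms(p)
    return acl


def with_mask(acl: Acl, mask: str) -> Acl:
    """Copy of the ACL with a different mask entry (e.g. after a chmod)."""
    return replace(acl, mask=perms(mask))


def check_access(acl: Acl, uid: str, groups: Set[str], requested: str) -> bool:
    """Steps 1-5 of the access check algorithm. `uid` is the effective user,
    `groups` the effective plus supplementary groups, `requested` e.g. "rw"."""
    want = perms(requested)

    def masked(p: Set[str]) -> Set[str]:
        # Named-user and group entries are limited by ACL_MASK when present.
        return p & acl.mask if acl.mask is not None else p

    # Step 1: the owner is judged by ACL_USER_OBJ alone; the mask does not apply.
    if uid == acl.owner:
        return want <= acl.user_obj
    # Step 2: a matching named user entry decides, before any group is consulted.
    if uid in acl.users:
        return want <= masked(acl.users[uid])
    # Step 3: the file group and/or any named group the process belongs to.
    matching = []
    if acl.group in groups:
        matching.append(acl.group_obj)
    matching += [p for g, p in acl.groups.items() if g in groups]
    if matching:
        if acl.mask is not None:
            return any(want <= (p & acl.mask) for p in matching)
        return want <= acl.group_obj   # no mask means no named group entries
    # Steps 4 and 5: everyone else falls through to ACL_OTHER.
    return want <= acl.other


if __name__ == "__main__":
    acl = parse_getfacl(SAMPLE_GETFACL)
    print("bob (in webmaster) read:", check_access(acl, "bob", {"webmaster"}, "r"))
    print("alice (in webmaster) write:", check_access(acl, "alice", {"webmaster"}, "w"))
    print("alice with mask r-x, write:", check_access(with_mask(acl, "r-x"), "alice", {"webmaster"}, "w"))
```

Running it shows why the ordering matters: bob is denied even though he is in webmaster, because step 2 fires before step 3. The mask case is the one worth remembering when reviewing permissions: with the mask reduced to r-x, webmaster members lose write access even though their entry still reads rwx, while the owner is unaffected.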

ACLs are by no means perfect. They are not particularly flexible – they are only a simple extension of the standard unix permission model. They can be somewhat tiring to use, since they are more complicated than normal permissions and still require maintenance when people mess them up. This is aggravated by the fact that many applications pay no attention to ACLs, so that ACLs frequently get corrupted.
