Access Control Lists


Scott Wales's forwarded email of David Singleton's notes on file permission access control lists.


Hi folks,

Here's some information from David Singleton on how to do more sophisticated access control on the filesystem. This may be valuable in letting people administer specific programs without having to log in as access.

Scott

Scott Wales, Computational Modelling Support School of Earth Sciences, The University of Melbourne, Australia 3010 scott.wales@… / P +61 3 8344 6907 / M 0450 012 907

From: Apache [apache@…] on behalf of David Singleton for help [climate_help-comment@…]
Sent: Thursday, 6 September 2012 4:23 PM
Subject: [Comment] Re: [nf.nci.org.au #33380] CMIP5: tas monthly historical and RCPs

https://sf.anu.edu.au:8443/Ticket/Display.html?id=33380 This is a comment. It is not sent to the Requestor(s):

On 09/06/2012 04:09 PM, Scott Wales for help wrote:

https://sf.anu.edu.au:8443/Ticket/Display.html?id=33380 This is a comment. It is not sent to the Requestor(s):

Hi David,

Would you be able to go over how to use the access control lists when you get back from holidays, or is there some documentation already up on the nci website?

Scott

Hi Scott,

Here's a previous email to helpers. I would imagine having an install group (with rw? perms) and an access (as in read) group (with r-? perms) for any "shared" directories.

Cheers David


Subject: ACLs
Date: Wed, 11 Jul 2012 10:52:56 +1000
From: David Singleton <David.Singleton@…>
Reply-To: David.Singleton@…
Organization: ANUSF
To: helpers@sf

We have numerous problems related to permissions and I would like to understand how many are solvable by ACLs and how painful/difficult to support these might be. I can see applications in /short, /apps, /projects and possibly even /home. ACLs (access control lists) are enabled on /g/data for z00 users to test. I am interested in enabling them on nearly all filesystems.

The relevant commands are getfacl and setfacl. There is also a comprehensive acl man page. You can run getfacl on any file:

vayu1:/g/data/z00/dbs900 > ls -ld proj_dir
4 drwxrwx--- 2 dbs900 z00 4096 Jul 11 10:30 proj_dir/

vayu1:/g/data/z00/dbs900 > getfacl proj_dir/
# file: proj_dir
# owner: dbs900
# group: z00
user::rwx
group::rwx
other::---

You can read the setfacl man page but here is a simple example:

# Let c23 users read (actually needs perm above too)
vayu1:/g/data/z00/dbs900 > setfacl -m g:c23:rx proj_dir/

# Note the "+"
vayu1:/g/data/z00/dbs900 > ls -ld proj_dir
4 drwxrwx---+ 2 dbs900 z00 4096 Jul 11 10:30 proj_dir/

vayu1:/g/data/z00/dbs900 > getfacl proj_dir/
# file: proj_dir
# owner: dbs900
# group: z00
user::rwx
group::rwx
group:c23:r-x
mask::rwx
other::---

# More useful are default ACLs set with -d

vayu1:/g/data/z00/dbs900 > setfacl -d -m g:c25:rx proj_dir/

vayu1:/g/data/z00/dbs900 > getfacl proj_dir/
# file: proj_dir
# owner: dbs900
# group: z00
user::rwx
group::rwx
group:c23:r-x
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:c25:r-x
default:mask::rwx
default:other::---

# ... because they get inherited

vayu1:/g/data/z00/dbs900 > mkdir proj_dir/sub_dir

vayu1:/g/data/z00/dbs900 > getfacl proj_dir/sub_dir
# file: proj_dir/sub_dir
# owner: dbs900
# group: z00
user::rwx
group::rwx  #effective:r-x
group:c25:r-x
mask::r-x
other::---
default:user::rwx
default:group::rwx
default:group:c25:r-x
default:mask::rwx
default:other::---

Some uses ...

For /short:

  • (no acls) give projects the option of making their directories world readable

rwxrwxr-x root proj_grp /short/proj

with strong suggestion they create

rwxrwxr-x root proj_grp /short/proj/public

and make all else rwxrwx---

  • optionally, create a "project read group" (proj_read_grp) and use acls to limit non-write access to that group:

rwxrwx--- root proj_grp /short/proj

setfacl -d -m g:proj_read_grp:rx /short/proj

Using a group name like $PROJECT"_r" I'd say ua6

For /data/projects and /projects (as they are on vayu now):

  • use ACLs liberally. For example, for the "access" directory, create a limited access (ACL sense) group "access_w" that contains the installers and leave the "access" group as the read group.

For /apps:

  • use the group apps (install group already created) for just about everything
  • default permissions are

rwxrwxr-x user apps

  • for restricted access directories, use

rwxrwx---+ user apps

and

setfacl -d -m g:softwaregroup:rx dir

  • we could also have, for example, a csiro_apps group if necessary

Any feedback welcome.

David
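
Added example (not part of David's email or of any NCI tooling): in the sub_dir listing above, group::rwx carries the note #effective:r-x because the mask entry caps the owning group and every named user or group entry. The Python below parses getfacl text and computes those effective permissions, which is the check to run when auditing a shared directory; the function names are hypothetical and SAMPLE is the sub_dir output shown on this page.

```python
# Added example: effective POSIX ACL permissions from getfacl text output.
SAMPLE = """\
# file: proj_dir/sub_dir
# owner: dbs900
# group: z00
user::rwx
group::rwx  #effective:r-x
group:c25:r-x
mask::r-x
other::---
default:user::rwx
default:group::rwx
default:group:c25:r-x
default:mask::rwx
default:other::---
"""

def parse_getfacl(text):
    """Return {'access': {(tag, name): perms}, 'default': {...}}."""
    acl = {"access": {}, "default": {}}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop headers and "#effective:" notes
        if not line:
            continue
        scope = "access"
        if line.startswith("default:"):
            scope, line = "default", line[len("default:"):]
        tag, name, perms = line.split(":")
        acl[scope][(tag, name)] = perms
    return acl

def intersect(perms, mask):
    return "".join(p if p == m else "-" for p, m in zip(perms, mask))

def effective(entries):
    """Apply the mask to named users, the owning group and named groups."""
    mask = entries.get(("mask", ""))
    out = {}
    for (tag, name), perms in entries.items():
        if tag == "mask":
            continue
        # user:: (the owner) and other:: are never limited by the mask
        masked = mask is not None and (tag == "group" or (tag == "user" and name))
        out[(tag, name)] = intersect(perms, mask) if masked else perms
    return out

def reduced_by_mask(entries):
    eff = effective(entries)
    return sorted(k for k, v in eff.items() if v != entries[k])
```

On this sample only the owning group entry is reduced by the mask; the default entries, which new files and directories under sub_dir inherit, are not reduced by their mask.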

Last modified on Oct 10, 2014 2:25:47 PM