
Using access control lists for managing shared access file systems /projects/access and /data/projects/access


[8/10/12] azs work in progress, to be further updated. Contributions welcome.


What is ACL

In the context of Unix/Linux, ACLs (Access Control Lists) are an extension
of the regular Unix file permissions, which are fairly limited.

In general, the ACL implementations for Windows, OS X and Unix/Linux are
similar, but details may vary even across different Linux distributions.

From "man acl" on vayu, the following ACL functions are available:

...

POSIX 1003.1e FUNCTIONS BY AVAILABILITY

The first group of functions is supported on most systems with POSIX-like access control lists, while the second group is supported on fewer systems. For applications that will be ported the second group is best avoided.

acl_delete_def_file(3), acl_dup(3), acl_free(3), acl_from_text(3), acl_get_fd(3), acl_get_file(3), acl_init(3), acl_set_fd(3), acl_set_file(3), acl_to_text(3), acl_valid(3)

acl_add_perm(3), acl_calc_mask(3), acl_clear_perms(3), acl_copy_entry(3), acl_copy_ext(3), acl_copy_int(3), acl_create_entry(3), acl_delete_entry(3), acl_delete_perm(3), acl_get_entry(3), acl_get_permset(3), acl_get_qualifier(3), acl_get_tag_type(3), acl_set_permset(3), acl_set_qualifier(3), acl_set_tag_type(3), acl_size(3)

[axs599, 9/10/2012] Add External Links section

LINUX EXTENSIONS

These non-portable extensions are available on Linux systems.

acl_check(3), acl_cmp(3), acl_entries(3), acl_equiv_mode(3), acl_error(3), acl_extended_fd(3), acl_extended_file(3), acl_from_mode(3), acl_get_perm(3), acl_to_any_text(3)

...

POSIX 1003.1e FUNCTIONS BY CATEGORY

ACL storage management

acl_dup(3), acl_free(3), acl_init(3)

ACL entry manipulation

acl_copy_entry(3), acl_create_entry(3), acl_delete_entry(3), acl_get_entry(3), acl_valid(3)

acl_add_perm(3), acl_calc_mask(3), acl_clear_perms(3), acl_delete_perm(3), acl_get_permset(3), acl_set_permset(3)

acl_get_qualifier(3), acl_get_tag_type(3), acl_set_qualifier(3), acl_set_tag_type(3)

ACL manipulation on an object

acl_delete_def_file(3), acl_get_fd(3), acl_get_file(3), acl_set_fd(3), acl_set_file(3)

ACL format translation

acl_copy_entry(3), acl_copy_ext(3), acl_from_text(3), acl_to_text(3), acl_size(3)


vayu> apropos acl
acl                  (5)  - Access Control Lists
acl                 (rpm) - Access control list utilities.
chacl                (1)  - change the access control list of a file or directory
getfacl              (1)  - get file access control lists
libacl              (rpm) - Dynamic library for access control list support.
setfacl              (1)  - set file access control lists
smbcacls             (1)  - Set or get ACLs on an NT file or directory names
vfs_gpfs             (8)  - gpfs specific samba extensions like acls and prealloc

For more information, see also:

https://access-svn.nci.org.au/trac/access/wiki/AccessControlLists
https://access-svn.nci.org.au/trac/access/wiki/AccessFS

Misc WWW refs:

http://en.wikipedia.org/wiki/Access_control_list
http://www.linuxquestions.org/questions/linux-security-4/what-is-unix-permissions-and-acls-897341/




Proposed ACL for ~access



Currently (8/10/2012, 3pm) this is how ~access/ looks:

vayu> ls -ltF ~access
total 92
drwxr-x--- 24 access access 4096 Oct  5 11:32 umdir/
drwxr-x---  4 access access 4096 Oct  3 10:44 bom/
drwxrwx---  2 access access 4096 Oct  3 10:38 scripts/
drwxrwx---  2 access access 4096 Oct  3 10:38 bin/
drwxr-x--- 11 access access 4096 Oct  2 11:01 rose/
drwxr-x---  6 access access 4096 Sep 20 12:57 CABLE-AUX/
drwxr-x---  5 access access 4096 Sep 12 15:19 umui_jobs/
drwxr-x---  3 access access 4096 Sep  6 15:00 modules/
lrwxrwxrwx  1 access access   47 Sep  4 15:01 PyNIO-1.4.1 -> /data/projects/access/unsorted-home/PyNIO-1.4.1/
drwxr-s---  5 access access 4096 Sep  4 14:58 tempCABLE-AUX/
drwxr-x---  6 access access 4096 Jul 26 14:27 drhook/
drwxr-x---  5 access access 4096 Mar 16  2012 archive/
drwxr-x---  4 access access 4096 Mar 15  2012 cmip5/
drwxr-x---  4 access access 4096 Jan 20  2012 oasis3/
drwxr-x---  4 access access 4096 Jan 16  2012 exp/
drwxr-x---  5 access access 4096 Jan 10  2012 lamposvn4.0/
drwxr-x---  3 access access 4096 Jan  4  2012 work/
drwxr-x---  7 access access 4096 Dec  9  2011 um_nesting/
-rw-r-x---  1 access access  644 Oct  7  2011 access.module*
-rw-r-x---  1 access access  644 Oct  5  2011 access.module_05102011*
drwxr-x---  4 access access 4096 Sep 26  2011 ancil.vn7.9/
drwxr-x---  3 access access 4096 Sep  8  2011 cap/
drwxr-x---  3 access access 4096 May  7  2010 src/
drwxr-x---  3 access access 4096 Apr 22  2010 lib/

It is proposed that each subdirectory should be owned by an
individual user rather than user "access".

A.Sulaiman proposes creation of the group "accessadm".

In general, each subdirectory can be made writeable by
group "accessadm" and readable by "access", but this is flexible.
Subdirectories may be made writeable only by a single user, or by
a small set of individually selected users.
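
One way to express the proposal above as setfacl entries, as an added example that is not part of the original page. The group names are the page's; giving the owning group no rights of its own, the rwx mask and the function names are assumptions made for illustration.

```sh
# Added example (not from the original page). Group names "accessadm" and
# "access" are the page's; everything else here is an assumption.

# Print setfacl entries: owner rwx, writers group rwx, readers group r-x,
# others nothing. Extra arguments are individual users given write access.
# Assumption: the owning group gets no rights of its own (g::---), so access
# comes only through the named entries.
build_acl_spec() {
    [ $# -ge 2 ] || return 1
    writers_group=$1; readers_group=$2; shift 2
    entries="u::rwx,g::---,g:${writers_group}:rwx,g:${readers_group}:r-x"
    for user in "$@"; do
        entries="${entries},u:${user}:rwx"
    done
    # The mask caps every named user/group entry; rwx lets them apply in full.
    entries="${entries},m::rwx,o::---"
    # Repeat each entry as a default ("d:") entry so that files and
    # directories created later inherit the same ACL.
    defaults=$(printf '%s' "$entries" | sed -e 's/^/d:/' -e 's/,/,d:/g')
    printf '%s,%s\n' "$entries" "$defaults"
}

# Effective rights of a named entry = entry AND mask (getfacl's "#effective:").
# chmod on the group bits rewrites the mask, so "chmod g-w" on the directory
# would silently reduce accessadm from rwx to r-x.
effective_perm() {
    entry=$1; mask=$2; out=""
    for i in 1 2 3; do
        e=$(printf '%s' "$entry" | cut -c"$i")
        m=$(printf '%s' "$mask" | cut -c"$i")
        if [ "$e" != "-" ] && [ "$e" = "$m" ]; then out="${out}${e}"; else out="${out}-"; fi
    done
    printf '%s\n' "$out"
}

# Apply the entries to one directory (not recursive) and show the result.
# Usage: apply_subdir_acl DIR WRITERS_GROUP READERS_GROUP [USER...]
#   e.g. apply_subdir_acl ~access/umdir accessadm access
apply_subdir_acl() {
    dir=$1; shift
    spec=$(build_acl_spec "$@") || return 1
    if command -v setfacl >/dev/null 2>&1; then
        setfacl -m "$spec" "$dir" && getfacl "$dir"
    else
        printf 'setfacl not found; would run: setfacl -m %s %s\n' "$spec" "$dir"
    fi
}
```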

To make the contents easier to understand, readme files describing
directories and files should be added liberally wherever possible.

Quota issues resulting from the above proposal will be addressed.

Last modified on Oct 10, 2014 2:28:48 PM