Access Control Lists (ACLs) provide a much more flexible way of specifying permissions on a file or other object than the standard Unix user/group/owner system. Windows NT and above, when running on an NTFS partition, use ACLs to specify permissions on files and directories. This document attempts to show how you can enable ACL support on your Linux box and use Samba to provide an SMB file server for use by machines in a Windows 2000 domain.
ACLs are best stored in the actual file system itself. To that end, there are patches available for ext2 and ext3 that enable ACL support using Extended Attributes (EAs). SGI’s XFS also has ACL support built in, but XFS is not currently covered in this document.
Fully patched Kernel version 2.4 or 2.6
Having the ACL utilities
Having a slightly modified version of fileutils.
We are going to work with kernel version 2.6 because the 2.6 series of kernels makes some attempts to standardise the ACL methods.
Verifying Kernel support for ACL
Checking the kernel configuration file
#cat /boot/config-2.6.15.1-386 | grep _ACL
This should give the following results:
CONFIG_EXT3_FS_POSIX_ACL=y
CONFIG_EXT2_FS_POSIX_ACL=y
CONFIG_XFS_POSIX_ACL=y
#apt-get install acl
Activating ACL support in a partition (Ext3)
By default, kernel version 2.6 supports ACLs on the ext2, ext3, jfs and xfs filesystems.
If you already have a partition (e.g. hda6) on your hard disk, use the following command to remount it with ACL support
#mount -o remount,acl /dev/hda6
Now we need to modify the /etc/fstab file and add the ACL options
/dev/hda6 / ext3 acl,defaults,errors=remount-ro 0 1
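The two checks above (kernel ACL options and the acl mount option in /etc/fstab) can be scripted so that a volume silently mounted without ACL enforcement is caught. This is an added example, not part of the original document; the function names and the sample config and fstab contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit fstab entries for the ACL setup described above.

# has_opt OPTS NAME: true if NAME is one of the comma-separated mount options.
# Exact match, so "noacl" is never mistaken for "acl".
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# kernel_acl_enabled CONFIG FSTYPE: true if the kernel config file contains
# CONFIG_<FS>_FS_POSIX_ACL=y or CONFIG_<FS>_POSIX_ACL=y (both forms occur).
kernel_acl_enabled() {
    fs=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    grep -Eq "^CONFIG_${fs}(_FS)?_POSIX_ACL=y\$" "$1"
}

# audit_fstab FSTAB CONFIG: print "<device> <mountpoint> <fstype> <status>"
# for each ext2/ext3/jfs/xfs entry (ok, no-acl-option or no-kernel-support).
audit_fstab() {
    while read -r dev mnt fstype opts _rest; do
        case "$dev" in ''|'#'*) continue ;; esac
        case "$fstype" in ext2|ext3|jfs|xfs) ;; *) continue ;; esac
        if ! kernel_acl_enabled "$2" "$fstype"; then status=no-kernel-support
        elif has_opt "$opts" acl; then status=ok
        else status=no-acl-option
        fi
        printf '%s %s %s %s\n' "$dev" "$mnt" "$fstype" "$status"
    done < "$1"
}

# Constructed sample data (not taken from a real machine).
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'CONFIG_EXT3_FS_POSIX_ACL=y' 'CONFIG_EXT2_FS_POSIX_ACL=y' \
        '# CONFIG_XFS_POSIX_ACL is not set' > "$dir/config"
    printf '%s\n' '# <device> <mountpoint> <type> <options> <dump> <pass>' \
        '/dev/hda6 / ext3 acl,defaults,errors=remount-ro 0 1' \
        '/dev/hda7 /home ext3 defaults,noacl 0 2' \
        '/dev/hda8 /srv xfs defaults,acl 0 2' \
        'proc /proc proc defaults 0 0' > "$dir/fstab"
    audit_fstab "$dir/fstab" "$dir/config"
    rm -rf "$dir"
}

demo
```

On a real system, call audit_fstab with /etc/fstab and the /boot/config file of the running kernel.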
To use ACLs under Linux you need two commands, setfacl and getfacl.
We will now look at each one with an example.
If you want to get the ACL of test.acl file you need to enter the following command
#getfacl test.acl
If you want to add user(u) ruchi with write(w) access on test.acl file you need to enter the following command
#setfacl -m u:ruchi:w test.acl
If you want to add group(g) root with read(r) access on test.acl file you need to enter the following command
#setfacl -m g:root:r test.acl
If you want to add others(o) with read(r) access on test.acl file you need to enter the following command
#setfacl -m o::r test.acl
If you want more options check man page of setfacl and man page of getfacl
If you want to back up files together with their ACLs, you need to install the star package
Star supports several tar archive formats (including ustar, GNU tar and new POSIX format). It’s faster than other tar implementations due to advanced buffering.
Star is also the only tar implementation under Linux capable of archiving Access Control Lists.
#apt-get install star
The basic ACL utilities you will want are 'getfacl' and 'setfacl'. If you haven't already got them, you can get them from http://acl.bestbits.at/ . On Debian they are in the package acl. Debian also has an 'acl-dev' package, which contains the libraries, headers and such.