1 / 23

Access Control Lists (ACLs)

Access Control Lists (ACLs). Purpose To grant other users permission to access/modify files and/or directories To deny access to the files/directories to the rest of the world. To grant permission: setfacl. Note: Must be logged into ub for setfacl to work.

wan
Télécharger la présentation

Access Control Lists (ACLs)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Access Control Lists (ACLs) • Purpose • To grant other users permission to access/modify files and/or directories • To deny access to the files/directories to the rest of the world

  2. To grant permission: setfacl • Note: Must be logged into ub for setfacl to work. • Setfacl needs access to a password file to give access to a certain user. • If logged onto CSdev machines, setfacl looks in the local password file and fails to find the user.

  3. The setfacl command • For granting a user read permission for a file, the entry looks like • user:jtorgers:r-- • This only works if the mask entry allows it.

  4. The mask entry • Makes it easy to turn off/on permission simultaneously for multiple users • The effective permission is the AND operation applied to the user entry and mask entry • If user entry is r-- and mask is rw-, effective permission is r-- • If user entry is r-- and mask is ---, effective permission is --- (no permission)

  5. Setfacl for directories • Using setfacl to set permissions for a directory causes all files and directories in that directory to have the same permissions as that directory.

  6. Viewing current permissions: getfacl • getfacl filename • shows: • owner of file • permissions for user, group, other • all users who have access • mask entry • effective permissions • default permissions

  7. Permission for a file ub.d.umn.edu14% setfacl -m u:jtorgers:r-- test2 (-m means modify) • grants user jtorgers read permission for file test2

  8. Current permissions for a file ub.d.umn.edu3% getfacl test2 # file: test2 # owner: kvanhorn # group: student user::rw- user:jtorgers:r-- #effective:--- group::--- #effective:--- mask:--- other:--- Need to set mask entry in order for read permissions to be effective

  9. Mask entry for file permission • Effective permission for jtorgers is now r-- ub.d.umn.edu14% setfacl -m m:r-- test2

  10. File permissions ub.d.umn.edu5% getfacl test2 # file: test2 # owner: kvanhorn # group: student user::rw- user:jtorgers:r-- #effective:r-- group::--- #effective:--- mask:r-- other:---

  11. Permissions for a directory ub.d.umn.edu14% setfacl -m u:jtorgers:rwx test2dir • Grant user jtorgers access to directory test2dir • Since mask is not set, effective permissions will still be ---

  12. Permissions for a directory ub.d.umn.edu7% getfacl test2dir # file: test2dir # owner: kvanhorn # group: student user::rwx user:jtorgers:rwx #effective:--- group::--- #effective:--- mask:--- other:---

  13. Mask entry for a directory ub.d.umn.edu14% setfacl -m m:rwx test2dir • Now jtorgers can access directory test2dir

  14. Permissions for a directory ub.d.umn.edu9% getfacl test2dir # file: test2dir # owner: kvanhorn # group: student user::rwx user:jtorgers:rwx #effective:rwx group::--- #effective:--- mask:rwx other:---

  15. Setting defaults for a directory ub.d.umn.edu10% setfacl -m d:u::rwx,d:g::---,d:o:---,d:m:rwx test2dir • Sets defaults for all files and directories created in test2dir in the future • All 4 defaults must be set here (user, group, other, mask)

  16. Defaults for a directory ub.d.umn.edu11% getfacl test2dir # file: test2dir # owner: kvanhorn # group: student user::rwx user:jtorgers:rwx #effective:rwx group::--- #effective:--- mask:rwx other:--- default:user::rwx default:group::--- default:mask:rwx default:other:---

  17. Set permissions for another user ub.d.umn.edu12% setfacl -m d:u:jtorgers:rwx test2dir • jtorgers is now able to create files in the directory test2dir

  18. Permissions for another user ub.d.umn.edu13% getfacl test2dir # file: test2dir # owner: kvanhorn # group: student user::rwx user:jtorgers:rwx #effective:rwx group::--- #effective:--- mask:rwx other:--- default:user::rwx default:user:jtorgers:rwx default:group::--- default:mask:rwx default:other:---

  19. Accessing another user’s files • jtorgers can log in and go to kvanhorn’s test2dir and create a file called “stuff” • However, jtorgers must grant kvanhorn permission to access the file “stuff” ub.d.umn.edu14% setfacl -m u:kvanhorn:rw- stuff Note: the mask default was already set

  20. Restoring permissions for a modified file • If jtorgers uses emacs to modify and save her own file “stuff”, the ACLs of the new version will be different • kvanhorn will not have access to “stuff”, but kvanhorn can still access the old version of “stuff” which is now “stuff~” • ACLs of “stuff” can be restored by ub.d.umn.edu14% getfacl stuff~ | setfacl -f - stuff

  21. Changing the way files are saved • Can redefine the way files are saved so a previous version “stuff~” isn’t created • The ACLs for the newly modified version will remain the same as before • Add the following lines to .emacs: (fset 'my-save "\C-[0\C-[xsave-buffer\C-m") (global-set-key "\C-x\C-s" 'my-save)

  22. Avoiding the need for restoring files • Divide the project tasks among team members so each person works on different files. • Only share directories to make and run programs.

  23. Avoiding concurrent writing to files • In emacs, if user tries to open a file currently being modified by someone else, emacs states that a process of the file is running somewhere else, then asks the user if they want to “steal” the file. • Simple solution: don’t!! • Better method for avoiding concurrent writing: RCS

More Related