[kwlug-disc] Access rights to file/folder
rashkae at tigershaunt.com
Thu Jul 29 08:07:08 EDT 2010
John Van Ostrand wrote:
>> man setfacl
>> man getfacl
> Before using those consider a few things. Even in Windows the use of ACLs can get admins into a great deal of trouble. Usually the trouble is a mess of files with poorly defined rights. Admins are afraid to touch things for fear of ruining something. Last I administered a Windows server the defined practice was to create a resource group and assign it to a folder/share. Then I assign users or user groups to the resource group. It makes sense in that it defines the data type, like "Legal Documents" or "HR Records" and then when mapping permissions you would say "Lawyers" have access to "Legal Documents" and "HR Managers" have access to "HR Documents". It's all set in one spot.
> We've been able to do everything we want with standard Posix permissions and all the backup tools work with it and the permissions don't end up messy.
> I haven't figured out how to do inheritance with acls. Red Hat calls them collaboration directories, where any file written can be accessed by other users in a specific way.
> If I have two users alice (group local) and bob (group remote) need to share files they create. Using standard Posix permissions we would add them to a third group (say legal_data) and assign that group to the directory and give the directory group write and a sticky bit (chmod g+w,+t). The user's umasks would have to be 00? and then any file Alice writes Bob and read and write.
> How is that done with ACLs?
How does that even work? Sticky bit, as far as I know, prevents Bob
from deleting files he does not have write permission to, (even though
he has write permission to the directory.) In Linux, the sticky bit
does not inherit group ownership to new files. (Any new file created by
Alice would need to have the group changed for Bob to have write access.
The exception is when you are creating files over Samba which is
configured to inherit parent group.) Also, changing the user's umask
imposes other limitations, when you only intend the change to affect one
directory tree. ACL is by far the better solution to this scenario.
More information about the kwlug-disc_kwlug.org