[kwlug-disc] Access rights to file/folder

John Van Ostrand john at netdirect.ca
Wed Jul 28 16:16:32 EDT 2010 

----- Original Message -----
> Excerpts from Raul Suarez's message of Wed Jul 28 15:10:00 -0400 2010:
> > In Windows you can select who has access to a file/folder, by
> > selecting either ACLs (groups) or user IDs from the local computer
> > or the domain.
> >
> > In Linux, as far as I know, each file belongs to ONE user and ONE
> > group. So if you need access, you are either the user-owner or you
> > get added to the owner-group.
> >
> > Is there a way in Linux to grant access to a specific file for a
> > specific user without making it member of the owner-group
> >
> > Or alternatively: how is the fine-grain access problem solved under
> > Linux?
> 
> man setfacl
> man getfacl

Before using those consider a few things. Even in Windows the use of ACLs can get admins into a great deal of trouble. Usually the trouble is a mess of files with poorly defined rights. Admins are afraid to touch things for fear of ruining something. Last I administered a Windows server the defined practice was to create a resource group and assign it to a folder/share. Then I assign users or user groups to the resource group. It makes sense in that it defines the data type, like "Legal Documents" or "HR Records" and then when mapping permissions you would say "Lawyers" have access to "Legal Documents" and "HR Managers" have access to "HR Documents". It's all set in one spot.

We've been able to do everything we want with standard Posix permissions and all the backup tools work with it and the permissions don't end up messy.

I haven't figured out how to do inheritance with acls. Red Hat calls them collaboration directories, where any file written can be accessed by other users in a specific way. 

If I have two users alice (group local) and bob (group remote) need to share files they create. Using standard Posix permissions we would add them to a third group (say legal_data) and assign that group to the directory and give the directory group write and a sticky bit (chmod g+w,+t). The user's umasks would have to be 00? and then any file Alice writes Bob and read and write.

How is that done with ACLs?

-- 
John Van Ostrand 
CTO, co-CEO 
Net Direct Inc. 
564 Weber St. N. Unit 12, Waterloo, ON N2L 5C6 
Ph: 866-883-1172 x5102 
Fx: 519-883-8533 

Linux Solutions / IBM Hardware

More information about the kwlug-disc mailing list