This document shows you how to use the POSIX ACL permissions system. An ACL (access control list) is a list of permissions associated with a file or directory. These permissions allow you to restrict access to a certain file or directory by user or group.
These commands are useful for project and scratch directories located in /fs/project, /fs/scratch, and /fs/ess.
Understanding POSIX ACL
An example of a basic POSIX ACL would look like this:
# file: foo.txt
# owner: tellison
# group: PZSXXXX
user::rw-
group::r--
other::r--
The first three lines give basic information about the file or directory in question: its name, its owner (the user who created it), and the primary group that has permissions on it. The following three lines show the access permissions for the owner, the owning group, and any other users. POSIX ACLs use the basic rwx permissions, explained in the following table:
Using POSIX ACL
This section will show you how to set and view ACLs using the setfacl and getfacl commands.
Viewing ACLs with getfacl
The getfacl command displays a file or directory's ACL. This command is used as follows:
$ getfacl [OPTION] file
Where file is the file or directory you are trying to view. Common options include:
| Option | Description |
| --- | --- |
| -a/--access | Display the file access control list only |
| -d/--default | Display the default access control list only; a directory's default ACL determines the permissions of any files and directories created in it |
| -R/--recursive | Display the ACLs of subdirectories as well |
| -p/--absolute-names | Don't strip the leading '/' from pathnames |
A simple getfacl call would look like the following:
$ getfacl foo.txt
# file: foo.txt
# owner: user
# group: PZSXXXX
user::rw-
group::r--
other::r--
A recursive getfacl call through subdirectories lists each subdirectory's ACL separately:
$ getfacl -R foo/
# file: foo/
# owner: user
# group: PZSXXXX
user::rwx
group::r-x
other::r-x

# file: foo//foo.txt
# owner: user
# group: PZSXXXX
user::rwx
group::---
other::---

# file: foo//bar
# owner: user
# group: PZSXXXX
user::rwx
group::---
other::---

# file: foo//bar/foobar.py
# owner: user
# group: PZSXXXX
user::rwx
group::---
other::---
Setting ACLs with setfacl
The setfacl command allows you to set a file or directory's ACL. This command is used as follows:
$ setfacl [OPTION] COMMAND file
Where file is the file or directory you are trying to modify.
Commands and Options
setfacl takes several commands to modify a file or directory's ACL:
-m/--modify: modify the current ACL(s) of files. Use as follows:
setfacl -m u/g:user/group:r/w/x file
-M/--modify-file: read the ACL entries to modify from a file. Use as follows:
setfacl -M file_with_acl_permissions file_to_modify
-x/--remove: remove entries from the ACL(s) of files (the entry is given without a permission field). Use as follows:
setfacl -x u/g:user/group file
-X/--remove-file: read the ACL entries to remove from a file. Use as follows:
setfacl -X file_with_acl_permissions file_to_modify
Common option flags for setfacl are as follows:
| Option | Description |
| --- | --- |
| -b/--remove-all | Remove all extended ACL entries |
| -R/--recursive | Recurse through subdirectories |
| -d/--default | Apply modifications to default ACLs |
| --test | Test ACL modifications (ACLs are not modified) |
You can set a specific user's access privileges using the following:
setfacl -m u:username:-wx foo.txt
Similarly, a group's access privileges can be set using the following:
setfacl -m g:PZSXXXX:rw- foo.txt
You can remove a specific user's access using the following:
setfacl -x user:username foo.txt
Grant a user recursive read access to a directory and all files and directories under it (notice that the capital 'X' grants execute permission only to directories, and to files that already have execute permission, rather than to every file):
setfacl -R -m u:username:r-X shared-dir
Set a default ACL on a directory so that any files or directories created under it afterwards inherit the parent directory's ACL:
setfacl -d -m u:username:r-X shared-dir
Setting up project space permissions
A common setup for project space is to allow members of the group to read all data and the PI to have full control of the data. After the project space has been created, the following commands can be used to set it up this way.
In the top level of the project directory, set the permissions so that current and future files are group readable.
The actual project code and PI username should be substituted for PEX1234 and ex1234 below.
Also note that project space can be located either in /fs/project/PEX1234 or in /fs/ess/PEX1234 (remember to replace PEX1234 with the actual project code).
setfacl -R -m g:PEX1234:r-X /fs/ess/PEX1234
setfacl -Rd -m g:PEX1234:r-X /fs/ess/PEX1234
Next, set the permissions so that the PI has read and write permissions.
setfacl -R -m u:ex1234:rwX /fs/ess/PEX1234
setfacl -Rd -m u:ex1234:rwX /fs/ess/PEX1234
This sets up the project directory so that the users who need the data can view it and the PI can properly manage it.
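The procedure above is only the intended state; nothing on the page checks that a tree actually ends up that way (a member can still create a subdirectory with mode 755, or a mask entry can silently cut the PI's write access). The following Python checker, added here as an example and not part of the original page or of the acl tools, reads the long-form `getfacl -pR` output shown in the "Viewing ACLs with getfacl" section and reports every file that deviates from the project-space policy (group read-only, PI read and write, nobody else, and a default ACL on every directory). It goes beyond the page's own samples by handling the `mask::`, `default:` and `#effective:` lines that getfacl prints once named entries exist. The sample output, the user `alice` and the path `/fs/ess/PEX1234` are constructed for this example; group membership is not visible in getfacl output, so the PI check looks only at the owner and named-user entries.

```python
from dataclasses import dataclass, field
from pathlib import PurePosixPath

@dataclass
class FileAcl:
    path: str
    owner: str = ""
    group: str = ""
    access: list = field(default_factory=list)   # (tag, qualifier, perms) tuples
    default: list = field(default_factory=list)  # default ACL entries (directories only)

def parse_getfacl(text):
    """One FileAcl per '# file:' block of long-form getfacl output."""
    files, current = [], None
    for line in filter(None, map(str.strip, text.splitlines())):  # skips blank lines
        if line.startswith("# file:"):  # getfacl -R prints 'foo/' and 'foo//bar'; normalise
            current = FileAcl(path=str(PurePosixPath(line[7:].strip())))
            files.append(current)
        elif line.startswith("#"):  # '# owner:' and '# group:'; ignore e.g. '# flags:'
            key, _, value = line[2:].partition(":")
            if key in ("owner", "group"):
                setattr(current, key, value.strip())
        else:
            target = current.access
            if line.startswith("default:"):
                target, line = current.default, line[len("default:"):]
            # getfacl appends '#effective:...' to entries the mask trims; drop it
            tag, qualifier, perms = line.split("#", 1)[0].strip().split(":")
            target.append((tag, qualifier, perms))
    return files

def effective(entries):
    """(tag, qualifier) -> perms after the mask; owner and other entries are never masked."""
    mask = next((p for t, _, p in entries if t == "mask"), None)
    eff = {}
    for tag, qualifier, perms in entries:
        if mask and tag != "mask" and (tag == "group" or (tag == "user" and qualifier)):
            # perms strings are positional ('rwx'), so 'rw-' under mask 'r--' is 'r--'
            perms = "".join(p if p == m else "-" for p, m in zip(perms, mask))
        eff[(tag, qualifier)] = perms
    return eff

def audit(files, group, pi):
    """(path, problem) pairs: group read-only, PI read+write, nobody else, defaults on dirs."""
    # a path that is the parent of another listed path must be a directory
    dirs = {str(PurePosixPath(f.path).parent) for f in files}
    problems = []
    for f in files:
        eff = effective(f.access)
        # PI: owner entry if the PI owns the file, else the named user entry (no group fall-through)
        u = eff.get(("user", "" if f.owner == pi else pi), "---")
        # group: owning-group entry (when it is that group) or-combined with the named one
        own = eff.get(("group", ""), "---") if f.group == group else "---"
        bits = set(own + eff.get(("group", group), "---")) - {"-"}
        g = "".join(c if c in bits else "-" for c in "rwx")
        checks = [
            ("r" not in g, f"group {group} cannot read"),
            ("w" in g, f"group {group} has write access"),
            ("r" not in u or "w" not in u, f"PI {pi} lacks read/write (effective {u})"),
            (eff.get(("other", ""), "---") != "---", "other has access"),
            (f.path in dirs and not f.default, "directory has no default ACL"),
        ]
        problems += [(f.path, msg) for bad, msg in checks if bad]
    return problems

# Constructed sample of `getfacl -pR /fs/ess/PEX1234` output (not captured from a
# real system); 'scratch' was created by alice before the default ACL was set.
SAMPLE = """\
# file: /fs/ess/PEX1234
# owner: ex1234
# group: PEX1234
user::rwx
group::r-x
other::---
default:user::rwx
default:user:ex1234:rwx
default:group::r-x
default:mask::rwx
default:other::---

# file: /fs/ess/PEX1234/scratch
# owner: alice
# group: PEX1234
user::rwx
group::rwx
other::r-x

# file: /fs/ess/PEX1234/scratch/notes.txt
# owner: alice
# group: PEX1234
user::rw-
user:ex1234:rw-\t\t\t#effective:r--
group::r--
mask::r--
other::---
"""

if __name__ == "__main__":
    print(*audit(parse_getfacl(SAMPLE), "PEX1234", "ex1234"), sep="\n")
```

Run against real output with `getfacl -pR /fs/ess/PEX1234 > acl.txt` and `audit(parse_getfacl(open("acl.txt").read()), "PEX1234", "ex1234")`; on the constructed sample it reports four problems for `scratch` (group write, missing PI entry, world-readable, no default ACL) and one for `notes.txt`, where the PI's `rw-` entry is capped to `r--` by the mask.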