Access Control Lists (ACLs)

  • Slides: 23

Access Control Lists (ACLs)
  • Purpose
    • To grant other users permission to access/modify files and/or directories
    • To deny access to the files/directories to the rest of the world

To grant permission: setfacl
  • Note: you must be logged into ub for setfacl to work.
  • setfacl has to look the named user up in a password file before it can grant that user access.
  • If you are logged onto the CSdev machines, setfacl looks in the local password file and fails to find the user.

The setfacl command
  • To grant a user read permission on a file, the entry looks like
      user:jtorgers:r--
  • This only takes effect if the mask entry allows it.

The mask entry
  • Makes it easy to turn permissions on or off simultaneously for multiple users
  • The effective permission is the AND of the user entry and the mask entry, taken position by position (r, w, x)
  • If the user entry is r-- and the mask is rw-, the effective permission is r--
  • If the user entry is r-- and the mask is ---, the effective permission is --- (no permission)
  • The mask applies to named users, the owning group and named groups; it does not restrict the file's owner (the user:: entry) or the other entry

setfacl for directories
  • Setting default entries (d:...) on a directory with setfacl causes files and subdirectories created in that directory afterwards to inherit those entries as their own ACL.
  • Files and subdirectories that already exist in the directory are not changed; their ACLs have to be set separately.

Viewing current permissions: getfacl
  • getfacl filename shows:
    • owner of the file
    • permissions for user, group and other
    • all users who have access
    • mask entry
    • effective permissions
    • default permissions

Permission for a file
ub.d.umn.edu 14% setfacl -m u:jtorgers:r-- test2
  • -m means modify
  • grants user jtorgers read permission on the file test2 (subject to the mask)

Current permissions for a file
ub.d.umn.edu 3% getfacl test2
# file: test2
# owner: kvanhorn
# group: student
user::rw-
user:jtorgers:r--       #effective:---
group::---              #effective:---
mask:---
other:---
  • The mask entry must be set in order for the read permission to be effective

Mask entry for file permission
ub.d.umn.edu 14% setfacl -m m:r-- test2
  • The effective permission for jtorgers is now r--
  • Solaris setfacl leaves the mask alone when entries are added with -m, which is why it has to be set explicitly here; the Linux acl package's setfacl recalculates the mask after -m unless -n is given

File permissions
ub.d.umn.edu 5% getfacl test2
# file: test2
# owner: kvanhorn
# group: student
user::rw-
user:jtorgers:r--       #effective:r--
group::---              #effective:---
mask:r--
other:---

Permissions for a directory
ub.d.umn.edu 14% setfacl -m u:jtorgers:rwx test2dir
  • Grants user jtorgers access to the directory test2dir
  • Since the mask is still ---, the effective permissions will also still be ---

Permissions for a directory
ub.d.umn.edu 7% getfacl test2dir
# file: test2dir
# owner: kvanhorn
# group: student
user::rwx
user:jtorgers:rwx       #effective:---
group::---              #effective:---
mask:---
other:---

Mask entry for a directory
ub.d.umn.edu 14% setfacl -m m:rwx test2dir
  • Now jtorgers can access the directory test2dir

Permissions for a directory
ub.d.umn.edu 9% getfacl test2dir
# file: test2dir
# owner: kvanhorn
# group: student
user::rwx
user:jtorgers:rwx       #effective:rwx
group::---              #effective:---
mask:rwx
other:---

Setting defaults for a directory
ub.d.umn.edu 10% setfacl -m d:u::rwx,d:g::---,d:o:---,d:m:rwx test2dir
  • Sets the defaults for all files and directories created in test2dir in the future
  • All four default entries (user, group, other and mask) must be set together in this one command; setfacl does not accept a partial set of defaults

Defaults for a directory
ub.d.umn.edu 11% getfacl test2dir
# file: test2dir
# owner: kvanhorn
# group: student
user::rwx
user:jtorgers:rwx       #effective:rwx
group::---              #effective:---
mask:rwx
other:---
default:user::rwx
default:group::---
default:mask:rwx
default:other:---

Set permissions for another user
ub.d.umn.edu 12% setfacl -m d:u:jtorgers:rwx test2dir
  • Files and subdirectories created in test2dir from now on carry a user:jtorgers:rwx entry of their own, so jtorgers keeps access to what is created there (jtorgers could already create files in the directory itself once its mask was rwx)

Permissions for another user
ub.d.umn.edu 13% getfacl test2dir
# file: test2dir
# owner: kvanhorn
# group: student
user::rwx
user:jtorgers:rwx       #effective:rwx
group::---              #effective:---
mask:rwx
other:---
default:user::rwx
default:user:jtorgers:rwx
default:group::---
default:mask:rwx
default:other:---
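The following shell script is an added example and is not part of the original slides. It applies the mask rule from the mask slides (effective permission = entry AND mask) to any getfacl listing fed to it, and it checks a directory listing for the complete set of four default entries that the defaults slides say setfacl requires. The function names acl_effective, acl_user_effective and acl_defaults_missing and the two listings embedded in it are this example's own constructions; jtorgers, kvanhorn, test2 and test2dir are the names used on the slides. Because it only parses getfacl output it runs anywhere with sh and awk, on output captured from either Solaris getfacl (mask:r--) or the Linux acl package's getfacl (mask::r-- with #effective: annotations).

```sh
#!/bin/sh
# Added example, not part of the original slides: two checks over a getfacl
# listing read on stdin. Function names (acl_effective, acl_user_effective,
# acl_defaults_missing) and the sample listings below are this example's own;
# the user name jtorgers and the files test2/test2dir come from the slides.
# Accepts both the Solaris format shown on the slides (mask:r--) and the
# Linux acl package's format (mask::r--, with "#effective:" annotations).

# acl_effective: print every masked entry (named users, owning group, named
# groups) with its effective permission, i.e. the entry's rwx string ANDed
# with the mask. The owner (user::) and other entries are never masked, and
# default: entries are inherited by new files rather than applied here, so
# both are skipped.
acl_effective() {
  awk '
    # and3: AND two rwx strings position by position ("r-x" AND "rw-" -> "r--")
    function and3(a, b,   i, c, out) {
      out = ""
      for (i = 1; i <= 3; i++) {
        c = substr(a, i, 1)
        out = out ((c != "-" && c == substr(b, i, 1)) ? c : "-")
      }
      return out
    }
    /^#/ { next }                             # "# file:", "# owner:", ... headers
    { sub(/[ \t]+#effective:.*$/, "") }       # drop an existing annotation
    /^mask:/ { n = split($0, m, ":"); mask = m[n]; next }
    /^user::/ || /^other:/ { next }           # owner and other are not masked
    /^(user|group):/ { n = split($0, f, ":"); entry[++k] = $0; perm[k] = f[n] }
    END {
      if (mask == "") mask = "rwx"            # no mask entry: nothing restricted
      for (i = 1; i <= k; i++)
        printf "%s\t#effective:%s\n", entry[i], and3(perm[i], mask)
    }
  '
}

# acl_user_effective NAME: effective rwx of the named user entry ("" if absent)
acl_user_effective() {
  acl_effective | awk -v u="$1" '
    index($0, "user:" u ":") == 1 { n = split($0, f, ":"); print f[n] }'
}

# acl_defaults_missing: print the default classes (user, group, mask, other)
# that the listing lacks. Solaris setfacl requires all four to be set in one
# command, so any output means the default set is incomplete.
acl_defaults_missing() {
  awk '
    /^default:user::/  { seen["user"] = 1 }
    /^default:group::/ { seen["group"] = 1 }
    /^default:mask:/   { seen["mask"] = 1 }
    /^default:other:/  { seen["other"] = 1 }
    END {
      split("user group mask other", cls, " ")
      for (i = 1; i <= 4; i++) if (!(cls[i] in seen)) print cls[i]
    }
  '
}

# Constructed listing mirroring "getfacl test2" on the slides before the mask
# entry was set: jtorgers has r-- but the mask of --- cancels it.
SAMPLE_FILE=$(cat <<'EOF'
# file: test2
# owner: kvanhorn
# group: student
user::rw-
user:jtorgers:r--
group::---
mask:---
other:---
EOF
)

# Constructed listing of a directory whose defaults were only half set.
SAMPLE_DIR=$(cat <<'EOF'
# file: test2dir
# owner: kvanhorn
# group: student
user::rwx
user:jtorgers:rwx
group::---
mask:rwx
other:---
default:user::rwx
default:user:jtorgers:rwx
EOF
)

echo "effective permissions with mask ---:"
printf '%s\n' "$SAMPLE_FILE" | acl_effective
echo "effective permissions after setfacl -m m:r-- test2:"
printf '%s\n' "$SAMPLE_FILE" | sed 's/^mask:---$/mask:r--/' | acl_effective
echo "default classes missing from test2dir:"
printf '%s\n' "$SAMPLE_DIR" | acl_defaults_missing
```

On a real system, pipe getfacl into it: getfacl test2 | acl_user_effective jtorgers. An answer of --- while the entry itself says r-- is exactly the mask problem the slides describe, and any class printed by acl_defaults_missing has to be supplied in the next setfacl -m d:... command along with the others.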

Accessing another user's files
  • jtorgers can log in, go to kvanhorn's test2dir and create a file called stuff
  • However, jtorgers must grant kvanhorn permission to access the file stuff:
ub.d.umn.edu 14% setfacl -m u:kvanhorn:rw- stuff
  • Note: no mask entry needs to be set here, because stuff inherited the directory's default mask (rwx)

Restoring permissions for a modified file
  • If jtorgers uses emacs to modify and save her own file stuff, the ACL of the new version will be different: the saved file is a new file, which only receives the directory's default entries
  • kvanhorn will no longer have access to stuff, but can still access the old version, which is now stuff~
  • The ACL of stuff can be restored from the old version with
ub.d.umn.edu 14% getfacl stuff~ | setfacl -f - stuff
  • (On Linux the acl package's setfacl has no -f; the equivalent there is getfacl stuff~ | setfacl --set-file=- stuff)

Changing the way files are saved
  • You can redefine the way emacs saves files so that a previous version stuff~ isn't created
  • The ACL of the newly modified version will then remain the same as before
  • Add the following lines to .emacs:
;; C-x C-s now runs the keyboard macro ESC 0 ESC x save-buffer RET, i.e.
;; M-0 M-x save-buffer: with a numeric argument of 0, save-buffer never
;; makes the previous version into a backup file
(fset 'my-save "\e0\exsave-buffer\r")
(global-set-key "\C-x\C-s" 'my-save)

Avoiding the need to restore files
  • Divide the project tasks among team members so that each person works on different files.
  • Only share directories in order to make and run programs.

Avoiding concurrent writing to files
  • In emacs, if a user tries to open a file that is currently being modified by someone else, emacs reports that the file is locked by another editing session and asks whether the user wants to "steal" the lock.
  • Simple solution: don't!
  • Better method for avoiding concurrent writing: RCS