Access Control Lists (ACL)

ACLs offer a more flexible way to control file and directory rights than the usual owner-group-other schema in Unix. We use them on some group shares for example. In a nutshell, with ACLs you can set separate permissions for every single user.

Please use ACLs only if really necessary. By design, group shares are meant to be accessible by the whole group, as the research data should remain accessible, even if individual members leave the group.

Note that the following commands should be executed on one of our managed Linux workstations, for instance login.phys.ethz.ch. You will need to use a different set of tools to view and modify ACLs, depending on how the share is mounted. In most cases the NFSv4 documentation should apply.

How to detect ACLs

If ls -l looks something like this

drwxrws---+ 4 daduke ast 4.0K 2011-10-28 10:41 test

(note the + sign at the end), then the directory in question has ACL rules applied.

How to view and modify ACL over NFSv4

nfs4_getfacl test        # get current acls
nfs4_setfacl -e test     # edit acls in editor

Adapting NFSv4 ACLs from POSIX ACLs

To use bare usernames, they must now be qualified with a domain — for username johndoe (and pretty much every D-PHYS user) this would now be johndoe@phys.ethz.ch You can still use numeric IDs, as before, without resolving them to a domain. For the familiar POSIX permissions shorthands R,W and X exist, to avoid the complexities of the additional granularity offered by NFSv4. Both these features only work when first setting the entry. To modify, you must resolve the result and adjust accordingly.

For example, to add an ACL entry for user johndoe with rwx permissions , you would run:

nfs4_setfacl -a A::johndoe@phys.ethz.ch:RWX /path/to/file

To modify this in-place, to take away the W permissions:

nfs4_getfacl /path/to/file
D::OWNER@:x
A::OWNER@:rwatTcCy
A::1001:rwaxtcy # this is the resolved user id of the user in the previous example
A::1002:rwaxtcy
A::GROUP@:rwatcy
A::EVERYONE@:rtcy

nfs4_setfacl -m A::1001:RWX A::johndoe@phys.ethz.ch:R /path/to/file

The special OWNER@, GROUP@ and EVERYONE@ shorthands are equivalent to the user, group, and other fields in basic POSIX permissions. Always make sure that the result, especially if using any of the aliases (user@domain and the RWX shortcuts), reflects your original intentions.

nfs4_getfacl /path/to/file
D::OWNER@:x
A::OWNER@:rwatTcCy
D::1001:wa
A::1001:rtcy
A::1002:rwaxtcy
A::GROUP@:rwatcy
A::EVERYONE@:rtcy

For more details, please check the manual pages man 5 nfs_acl and man nfs4_setfacl.

And please be aware that, while NFSv4 does offer many more features, it is still possible to access these shares using NFSv3, samba, or directly over the filesystem, where they will be translated to POSIX ACLs, as best as that is possible. Usually as the least permissive intersection of features of both.

phd-san-gw2:~# getfacl /path/to/file/on/actual/filesystem
getfacl: Removing leading '/' from absolute path names
# file: path/to/file/on/actual/filesystem
# owner: janedoe
# group: isg
user::rw-
user:johndoe:r--
user:janedoe:rwx
group::rw-
mask::rwx
other::r--

How to view and modify ACL over NFSv3

If a share is mounted via NFSv3, you can display ACLs by running

getfacl test

which will show

 # file: test
 # owner: daduke
 # group: ast
 # flags: -s-
user::rwx
user:schmid:rwx
user:kovac:rwx
user:amaraa:rwx
user:geersv:rwx
group::---
mask::rwx
other::---

To modify ACLs you just need something like

setfacl -m u:daduke:rw test

to grant read and write permission on file test to user daduke and

setfacl -x u:daduke test

to remove these permissions again. If you need more,

man setfacl

is your friend.

There is also a nice GUI that we have installed on our Linux workstations: eiciel. Start it, open the file or directory you'd like to modify and then edit the users' permissions.