Access Control Lists (ACL)

ACLs offer a more flexible way to control file and directory permissions than the traditional owner/group/other permission bits on Unix; we use them on the Astro SAN, for example. In a nutshell, an ACL lets you grant separate permissions to individual users and groups on a single file or directory.

Please use ACLs only if really necessary. By design, group shares are meant to be accessible to the whole group, because research data should remain accessible even after individual members have left the group.

Note that the following commands should be executed on one of our managed Linux workstations, for instance login.phys.ethz.ch.

How to detect ACLs

If ls -l looks something like this

drwxrws---+ 4 daduke ast 4.0K 2011-10-28 10:41 test

(note the + after the permission bits), then the directory in question carries an extended ACL. You can display it by running

getfacl test

which will show

# file: test
# owner: daduke
# group: ast
# flags: -s-
user::rwx
user:schmid:rwx
user:kovac:rwx
user:amaraa:rwx
user:geersv:rwx
group::---
mask::rwx
other::---

How to modify ACLs

Usually you just need something like

setfacl -m u:daduke:rw test

to grant user daduke read and write permission on the file test (for a directory, also grant x, otherwise the user cannot enter it), and

setfacl -x u:daduke test

to remove that entry again. Check the result with getfacl afterwards: the rights of every named user and group are limited by the mask:: entry, and a plain chmod on a file that carries an ACL changes this mask rather than the group bits, so a later chmod can silently cut the access you just granted. If you need more (for instance -R to apply an entry recursively, or -d to set default ACLs that new files in a directory inherit),

man setfacl

is your friend.
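The mask caveat is easy to miss because setfacl keeps the named entries in place even when the mask no longer lets them take effect. The following script is an added example, not part of the original page or of the setfacl/getfacl tools: it parses getfacl output and computes the rights each entry effectively grants (entry ANDed with the mask). It runs on a constructed sample so it needs neither an ACL-enabled filesystem nor setfacl itself; the sample mirrors the listing above but with an r-x mask, as a chmod g-w on that directory would leave behind. The function names are my own.

```shell
#!/bin/sh
# Added example: effective ACL rights = entry AND mask. Not from the page.

# Constructed sample in getfacl format (mask deliberately restricted to r-x).
# Real getfacl appends a "#effective:" hint to masked entries, as on the
# kovac line; the parser below strips it.
SAMPLE_ACL='# file: test
# owner: daduke
# group: ast
# flags: -s-
user::rwx
user:schmid:rwx
user:kovac:rw-            #effective:r--
group::---
mask::r-x
other::---'

# perm_and A B: bitwise AND of two rwx triplets, e.g. perm_and rwx r-x -> r-x
perm_and() {
  a=$1
  b=$2
  out=''
  i=1
  while [ "$i" -le 3 ]; do
    ca=$(printf '%s\n' "$a" | cut -c"$i")
    cb=$(printf '%s\n' "$b" | cut -c"$i")
    # a bit survives only if it is set (and therefore equal) on both sides
    if [ "$ca" = "$cb" ]; then out="$out$ca"; else out="$out-"; fi
    i=$((i + 1))
  done
  printf '%s\n' "$out"
}

# acl_entry ACL QUALIFIER: permission field of the entry whose tag:qualifier
# equals QUALIFIER ("user:kovac", "group:" = owning group, "mask:").
# Prints nothing if there is no such entry.
acl_entry() {
  printf '%s\n' "$1" | awk -F: -v q="$2" '
    ($1 ":" $2) == q { p = $3; sub(/[ \t#].*/, "", p); print p }'
}

# effective_perms ACL QUALIFIER: what QUALIFIER actually gets. The owner
# (user:) and other: are never masked; named users, named groups and the
# owning group (group:) are ANDed with mask: when a mask entry exists.
effective_perms() {
  entry=$(acl_entry "$1" "$2")
  [ -n "$entry" ] || return 1
  case $2 in
    user:|other:) printf '%s\n' "$entry" ;;
    *)
      mask=$(acl_entry "$1" mask:)
      if [ -n "$mask" ]; then perm_and "$entry" "$mask"; else printf '%s\n' "$entry"; fi
      ;;
  esac
}

# can_write ACL QUALIFIER: exit 0 only if QUALIFIER effectively has w.
can_write() {
  case $(effective_perms "$1" "$2") in
    ?w?) return 0 ;;
    *)   return 1 ;;
  esac
}

# Demo: listed entry versus effective rights for each principal in the sample.
for who in user: user:schmid user:kovac group: other:; do
  printf '%-12s listed=%-4s effective=%s\n' "$who" \
    "$(acl_entry "$SAMPLE_ACL" "$who")" "$(effective_perms "$SAMPLE_ACL" "$who")"
done
```

Run it and compare the two columns: schmid and kovac are still listed with write access, but neither can write until the mask is widened again (setfacl -m m::rwx test, or simply re-running the setfacl -m command, which recalculates the mask unless -n is given). The same parser works on live output, e.g. effective_perms "$(getfacl test)" user:kovac.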

There is also a graphical tool installed on our Linux workstations: eiciel. Start it, open the file or directory you want to modify, and edit the permissions of the users concerned.