26.10. Editing File ACLs

Standard UNIX file permissions and ownership are a simple way of controlling who can access a file, but are not very flexible. A superior alternative that is available on many operating systems is POSIX ACLs. POSIX is a set of standards that applies to many UNIX systems, and ACL stands for Access Control List. By setting up an ACL for a file, you can grant permissions to additional users or groups in addition to the normal owner and group. When editing the ACL for a directory, defaults for newly created files in that directory can be set as well.

The xfs filesystem type on Irix and Linux includes ACL support, as do ufs filesystems on Solaris. If you have the right kernel patches installed, ext2 and ext3 filesystems on Linux can support ACLs as well. Fortunately, they are implemented in an almost identical way on all operating systems, so the user interface in Webmin for editing them is the same.

An access control list contains at least four entries, each of which grants some permissions to a user or group. The permissions granted by each entry are the same as those set by the chmod command—read, write, and execute/list. The default ACL for a file contains entries for its owner user, owner group, and other UNIX users. These are exactly the same as the permissions granted to user, group, and others by chmod and the Info window in the file manager.

One special entry that appears in all ACLs is the mask, which defines the maximum permissions that can be granted to the group owner and to any other users (except the file's owner). Because the mask limits the permissions that can be granted by other entries, you will often need to change it to achieve the desired effect from your ACL. Exactly one mask entry must exist in every ACL.

The most commonly used ACL entry is one that grants permissions to a UNIX user other than the owner. Similarly, entries that grant permissions to another group can also be defined. There is no limit on the number of such entries that can be created.

The ACL for a directory can include several special default entries that determine the initial ACL of any file created in the directory. Default user, group, and mask entries can be created, and the default user and group can apply to either a specific user or the owner of the file. On most operating systems, if you create any defaults you must create entries for at least the default user owner, default group owner, and default mask.

At the shell prompt, the commands getfacl and setfacl are used on Linux and Solaris to view and change ACLs, respectively. On Irix, the ls -D command is used to display ACLs and the chacl command is used to set them. Webmin will call these commands on the server whenever the file manager is used to view or change the ACL of a file.
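The following Python example is added here and is not part of the original text or of Webmin's code. It parses ACL text in the format printed by getfacl, works out what each entry really grants once the mask is applied, and checks the mask and default-entry rules described above. The sample ACL, the names bob and audit, and the function names are constructed for illustration; the mask is applied to named users and to all group entries, but not to the owner or to other.

```python
# Constructed sample in getfacl's text format (not from a real system).
SAMPLE = """\
# file: shared
user::rwx
user:bob:rwx
group::r-x
group:audit:rw-
mask::r-x
other::---
default:user::rwx
default:group::r-x
"""

def parse_acl(text):
    """Return (access, default) lists of (tag, qualifier, perms) tuples."""
    access, default = [], []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop headers and "#effective:" notes
        if not line:
            continue
        fields = line.split(":")
        target = access
        if fields[0] == "default":
            fields, target = fields[1:], default
        tag, qualifier, perms = fields
        target.append((tag, qualifier, set(perms) - {"-"}))
    return access, default

def effective(entries):
    """Apply the mask; the owner (user::) and other:: are never limited by it."""
    mask = next((p for t, _, p in entries if t == "mask"), None)
    result = {}
    for tag, qualifier, perms in entries:
        if tag == "mask":
            continue
        exempt = tag == "other" or (tag == "user" and not qualifier)
        eff = perms if exempt or mask is None else perms & mask
        result[f"{tag}:{qualifier}"] = "".join(c if c in eff else "-" for c in "rwx")
    return result

def check(entries, default=False):
    """Rules from the text: one mask; defaults need owner, group and mask."""
    if default and not entries:
        return []
    have = [t for t, q, _ in entries if not q]
    problems = [] if have.count("mask") == 1 else ["expected exactly one mask entry"]
    if default:
        problems += [f"missing default {t} entry" for t in ("user", "group") if t not in have]
    return problems
```

In the sample, bob is listed with rwx but effectively receives only r-x because of the mask, and the default entries are reported as incomplete because no default mask accompanies them.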

To edit the ACL for a file or directory, follow these steps:

1. Select the file from the list in the file manager's right-hand pane, and click the ACL button on the toolbar. This will bring up a window listing all existing ACL entries, as shown in Figure 26.3.

Figure 26.3. The ACL window.


2. To add a new entry, select its type from the menu next to the Add ACL of type button before clicking it. This will bring up another window for entering the user or group to which the entry applies, and the permissions that they are granted. An ACL can only have one mask or default mask entry, so if either is chosen when one already exists, an error message will be displayed.

3. For user or group ACL entries, you must fill in the Apply to field with the name of the user or group to which the permissions are being granted. For default user or default group entries, the Apply to field can be set to the File owner option, or the name of a user or group can be entered. In the former case, the permissions will apply to the owner or group of any new file created in the directory. In the latter, they will be granted to the entered user or group. For mask ACL entries, there is no field for choosing to whom they apply.

4. In the Permissions field, check those permissions that you want granted to the user or group. These have the same meaning as those set by the chmod command in the window described in Section 26.5 “Editing File Permissions”.

5. Click the Save button to have the new ACL entry added to the list in the ACL window. It will not, however, be saved to the server yet.

6. To edit an existing ACL entry, just double-click on its row in the list. You can change the user or group to which it applies (if any) and the permissions, but not the type. Click the Save button to keep your changes or the Delete button to remove the entry from the list. Not all types of ACL entry can be deleted—only those that grant permissions to a specific user or group or the various default types for a directory.

7. Finally, click the Save button at the bottom of the ACL window to have the ACL applied to the file on the server. Because not all combinations of entries are valid on all operating systems, an error message may be displayed if your ACL is incorrect in some way. If this happens, either fix the problem or use the Cancel button to discard your changes.
