MostlyChris

Thoughts that are my own.

File Access Control List

Let's suppose you have a shared httpdocs directory on your server that you would like your developers to be able to access. However, there will be more than one developer, and each one will have their own login credentials. This becomes a problem because of file ownership and permissions: if one developer uploads a file, the others are not going to be able to access it.

Along comes setfacl to the rescue.

Let's assume we have two users whose login usernames are john and jane. You want john and jane both to be able to upload files to the directory and to access each other's files.

Since there are different ways to approach this, I am going to use what I call the "per user" version, in which you add each user individually.

To add the username john:

setfacl -m u:john:rwx httpdocs/

To add the username jane:

setfacl -m u:jane:rwx httpdocs/

If there are existing files in the httpdocs directory that you want them both to have access to, run the same commands recursively with the -R flag.

Now that the directory and its files allow john and jane access, you want the directory to give any newly created files default ACLs that also allow john and jane access. The commands are the same as above with the -d flag added. They should look like this:

For john

setfacl -d -m u:john:rwx httpdocs/

For jane

setfacl -d -m u:jane:rwx httpdocs/

You can see the results of setfacl with getfacl. The output of getfacl httpdocs would look something like this:

# getfacl httpdocs/
# file: httpdocs
# owner: directory_owner
# group: group_of_owner
user::rwx
user:john:rwx
user:jane:rwx
group::r-x
mask::rwx
other::---
default:user::rwx
default:user:john:rwx
default:user:jane:rwx
default:group::r-x
default:mask::rwx
default:other::---

Don't forget the group: set the setgid bit on the directory so that files created in it inherit its group.

chmod g+s httpdocs

That's it. John and Jane can access all files in the directory and create files that are then accessible by both of them.
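One thing worth checking afterwards is the mask entry: a later chmod on the group bits of an ACL-carrying directory rewrites mask:: rather than group::, and the mask silently caps what the named users get. As an added example (not from the original post), here is a small Python audit that parses getfacl output and reports what john and jane effectively receive once the mask is applied; the sample output is constructed, with the access mask lowered to r-x as chmod g-w would leave it.

```python
# Audit of getfacl output: the rights each named user *effectively* gets once
# the mask entry is applied, for the access ACL and the default ACL.
# Constructed sample (not from the page): the ACL shown above after a later
# `chmod g-w httpdocs/` has silently lowered the access mask to r-x.
SAMPLE_GETFACL = """\
# file: httpdocs
user::rwx
user:john:rwx
user:jane:rwx
group::r-x
mask::r-x
other::---
default:user::rwx
default:user:john:rwx
default:user:jane:rwx
default:group::r-x
default:mask::rwx
default:other::---
"""

def parse_getfacl(text):
    """-> {'access': [...], 'default': [...]} of (tag, qualifier, perm chars)."""
    acl = {"access": [], "default": []}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and #effective hints
        if not line:
            continue
        scope = "access"
        if line.startswith("default:"):
            scope, line = "default", line[len("default:"):]
        tag, qualifier, perm = line.split(":", 2)
        acl[scope].append((tag, qualifier, set(perm) & set("rwx")))
    return acl

def effective_rights(entries):
    """Named users/groups and the owning group are limited by the mask; the
    owner and 'other' are not. Returns e.g. {'user:john': 'r-x'}."""
    mask = next((p for t, _, p in entries if t == "mask"), set("rwx"))
    out = {}
    for tag, qualifier, perm in entries:
        if tag == "mask":
            continue
        limited = tag == "group" or (tag == "user" and qualifier != "")
        eff = perm & mask if limited else perm
        out[f"{tag}:{qualifier}"] = "".join(c if c in eff else "-" for c in "rwx")
    return out

def check_users(text, users, wanted="rwx"):
    """(scope, user, effective) for each user not ending up with `wanted`."""
    eff = {s: effective_rights(e) for s, e in parse_getfacl(text).items()}
    return [(s, u, eff[s].get(f"user:{u}")) for s in eff for u in users
            if eff[s].get(f"user:{u}") != wanted]
```

Note that files created under the default ACL still take their mask from the mode the creating process asks for, so a file uploaded as 0644 gives john and jane rw- on it, which is all web content needs anyway.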
