access_UsingAccessControlListsForSharedAccessFS - ACCESS-NRI/accessdev-Trac-archive GitHub Wiki


#!html
<h1 style="text-align: center; color: blue">Using access control lists for managing shared access file systems /projects/access and /data/projects/access</h1>

8e3262e565652ac69b4b02b09b064c4f88b8c8e2 azs work in progress, to be further updated. Contributions welcome.


What is ACL

In the context of unix/linux, ACLs (Access Control Lists) are enhancements to regular unix file permissions, which are fairly limited.

In general, there are similarities between the ACL implementations for Windows systems, OSX and unix/linux, but the implementation may vary even across different linux distributions.

From "man acl" on vayu, the following ACL functions are available:

...

POSIX 1003.1e FUNCTIONS BY AVAILABILITY
 The first group of functions is supported on most systems with POSIX-like access control lists, while the
 second group is supported on fewer systems.  For applications that will be ported the second group is best
 avoided.

 acl_delete_def_file(3), acl_dup(3), acl_free(3), acl_from_text(3), acl_get_fd(3), acl_get_file(3), acl_init(3),
 acl_set_fd(3), acl_set_file(3), acl_to_text(3), acl_valid(3)

 acl_add_perm(3), acl_calc_mask(3), acl_clear_perms(3), acl_copy_entry(3), acl_copy_ext(3), acl_copy_int(3),
 acl_create_entry(3), acl_delete_entry(3), acl_delete_perm(3), acl_get_entry(3), acl_get_permset(3),
 acl_get_qualifier(3), acl_get_tag_type(3), acl_set_permset(3), acl_set_qualifier(3), acl_set_tag_type(3),
 acl_size(3)

LINUX EXTENSIONS
 These non-portable extensions are available on Linux systems.

 acl_check(3), acl_cmp(3), acl_entries(3), acl_equiv_mode(3), acl_error(3), acl_extended_fd(3),
 acl_extended_file(3), acl_from_mode(3), acl_get_perm(3), acl_to_any_text(3)

...

POSIX 1003.1e FUNCTIONS BY CATEGORY
 ACL storage management
      acl_dup(3), acl_free(3), acl_init(3)

 ACL entry manipulation
      acl_copy_entry(3), acl_create_entry(3), acl_delete_entry(3), acl_get_entry(3), acl_valid(3)

      acl_add_perm(3), acl_calc_mask(3), acl_clear_perms(3), acl_delete_perm(3), acl_get_permset(3),
      acl_set_permset(3)

      acl_get_qualifier(3), acl_get_tag_type(3), acl_set_qualifier(3), acl_set_tag_type(3)

 ACL manipulation on an object
      acl_delete_def_file(3), acl_get_fd(3), acl_get_file(3), acl_set_fd(3), acl_set_file(3)

 ACL format translation
      acl_copy_entry(3), acl_copy_ext(3), acl_from_text(3), acl_to_text(3), acl_size(3)

vayu> apropos acl
acl                  (5)  - Access Control Lists
acl                 (rpm) - Access control list utilities.
chacl                (1)  - change the access control list of a file or directory
getfacl              (1)  - get file access control lists
libacl              (rpm) - Dynamic library for access control list support.
setfacl              (1)  - set file access control lists
smbcacls             (1)  - Set or get ACLs on an NT file or directory names
vfs_gpfs             (8)  - gpfs specific samba extensions like acls and prealloc

For more information, also see:

https://access-svn.nci.org.au/trac/access/wiki/AccessControlLists

See also:

https://access-svn.nci.org.au/trac/access/wiki/AccessFS

Miscellaneous web references:

http://en.wikipedia.org/wiki/Access_control_list

http://www.linuxquestions.org/questions/linux-security-4/what-is-unix-permissions-and-acls-897341/

Proposed ACL for ~access

Currently (8/10/2012, 3pm) this is how ~access/ looks:

vayu> ls -ltF ~access
total 92
drwxr-x--- 24 access access 4096 Oct  5 11:32 umdir/
drwxr-x---  4 access access 4096 Oct  3 10:44 bom/
drwxrwx---  2 access access 4096 Oct  3 10:38 scripts/
drwxrwx---  2 access access 4096 Oct  3 10:38 bin/
drwxr-x--- 11 access access 4096 Oct  2 11:01 rose/
drwxr-x---  6 access access 4096 Sep 20 12:57 CABLE-AUX/
drwxr-x---  5 access access 4096 Sep 12 15:19 umui_jobs/
drwxr-x---  3 access access 4096 Sep  6 15:00 modules/
lrwxrwxrwx  1 access access   47 Sep  4 15:01 PyNIO-1.4.1 -> /data/projects/access/unsorted-home/PyNIO-1.4.1/
drwxr-s---  5 access access 4096 Sep  4 14:58 tempCABLE-AUX/
drwxr-x---  6 access access 4096 Jul 26 14:27 drhook/
drwxr-x---  5 access access 4096 Mar 16  2012 archive/
drwxr-x---  4 access access 4096 Mar 15  2012 cmip5/
drwxr-x---  4 access access 4096 Jan 20  2012 oasis3/
drwxr-x---  4 access access 4096 Jan 16  2012 exp/
drwxr-x---  5 access access 4096 Jan 10  2012 lamposvn4.0/
drwxr-x---  3 access access 4096 Jan  4  2012 work/
drwxr-x---  7 access access 4096 Dec  9  2011 um_nesting/
-rw-r-x---  1 access access  644 Oct  7  2011 access.module*
-rw-r-x---  1 access access  644 Oct  5  2011 access.module_05102011*
drwxr-x---  4 access access 4096 Sep 26  2011 ancil.vn7.9/
drwxr-x---  3 access access 4096 Sep  8  2011 cap/
drwxr-x---  3 access access 4096 May  7  2010 src/
drwxr-x---  3 access access 4096 Apr 22  2010 lib/

It is proposed that each subdirectory should be owned by an individual user rather than by the user "access".

A. Sulaiman proposes the creation of a group "accessadm".

In general, each subdirectory can be made writeable by group "accessadm" and readable by "access", but this is flexible. Subdirectories may be made writeable only by a single user, or by a small set of individually selected users.

To further help in understanding the contents, readme files describing directories and files should be added as liberally as possible.

Quota issues resulting from the above proposal will be addressed.
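As an added example (not from the original page or the ACCESS project), the following Python models the access-check algorithm from acl(5) over getfacl-style text, so the proposed layout can be reasoned about before any setfacl is run on ~access; the owner "alice" and the other user names are constructed placeholders. The chmod_group_bits function shows the caveat a maintainer needs: a plain chmod on a directory that carries an ACL rewrites the mask entry, which silently caps what group "accessadm" can do even though its ACL entry still says rwx.

```python
PERM = {"r": 4, "w": 2, "x": 1}
def bits(perms):
    """'rwx' / 'r-x' / '---' -> permission bitmask."""
    return sum(PERM[c] for c in perms if c in PERM)

def parse_getfacl(text):
    """Parse the access ACL from getfacl output (default: entries are skipped)."""
    acl = {"owner": None, "group": None, "user_obj": 0, "group_obj": 0,
           "users": {}, "groups": {}, "mask": None, "other": 0}
    for raw in text.splitlines():
        line = raw.split("#effective")[0].strip()  # drop getfacl's effective-rights note
        if line.startswith("# owner:"):
            acl["owner"] = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            acl["group"] = line.split(":", 1)[1].strip()
        elif not line or line.startswith(("#", "default:")):
            continue
        else:
            tag, qual, perms = line.split(":")
            if tag in ("user", "group") and qual:      # named user/group entry
                acl[tag + "s"][qual] = bits(perms)
            elif tag in ("user", "group"):             # owner / owning-group entry
                acl[tag + "_obj"] = bits(perms)
            elif tag in ("mask", "other"):
                acl[tag] = bits(perms)
    return acl

def allowed(acl, uid, gids, want):
    """acl(5) check order: owner, named user, any matching group, then other."""
    need = bits(want)
    mask = 7 if acl["mask"] is None else acl["mask"]   # caps every entry but owner/other
    if uid == acl["owner"]:
        return acl["user_obj"] & need == need
    if uid in acl["users"]:
        return acl["users"][uid] & mask & need == need
    matching = [acl["group_obj"]] if acl["group"] in gids else []
    matching += [p for g, p in acl["groups"].items() if g in gids]
    if matching:   # a group match decides; it never falls through to "other"
        return any(p & mask & need == need for p in matching)
    return acl["other"] & need == need

def chmod_group_bits(acl, perms):
    """chmod's group bits rewrite the mask, silently capping named-group rights."""
    acl["mask"] = bits(perms)
    return acl

# Constructed getfacl output for one ~access subdirectory under the proposal (owner "alice" is hypothetical).
PROPOSED = ("# owner: alice\n# group: access\nuser::rwx\ngroup::r-x\n"
            "group:accessadm:rwx\nmask::rwx\nother::---\n")
```

To check a real directory, feed the output of getfacl on it to parse_getfacl and query allowed() for the user and groups in question.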
