Access Control Lists with Ubuntu Desktop
Desktop Training - Ubuntu

Access Control Lists (ACLs) allow you to provide different levels of access to files and folders for different users. One of the dangers that acls attempt to avoid is allowing users to create files with 777 permissions, which become system wide security issues. Ubuntu does not install acls by default, you must install them and configure the file system so that acls are active. ACLs are an important tool that administrators must understand as well as educate users how to employ them properly.

acl Commands

The process of changing acls is fairly simple but sometimes understanding the implications are much more complex. There are a few commands that will help you make the changes for acls on individual files and directories.

getfacl file or directory

This command will list all of the current acls on the file or directory. For example if a user (tom) creates a file and gives acl rights to another user this is what the output would look like.

 

getfacl myfile

# file: myfile

# owner: tom

# group: tom

user::rw-

user:sue:rwx

group::rw-

mask::rwx

other::r--

 

The getfacl shows typical ownership as well as additional users who have been added with acls like sue in the example. It also provides the rights for a user. In the example, sue has rwx to the file myfile.

The setfacl command is used to create or modify the acl rights. For example if you wanted to change the acl for mike on a file you would use this command:

 

setfacl -m u:mike:rwx file or directory

The -m is to modify the acl and the "u" is for the user which is specifically named, "mike", followed by the rights and the file or directory. Change the "u" to a "g" and you will be changing group acls.

setfacl -m g:sales:rw file or directory

If you want to configure a directory so that all files that are created will inherit the acls of the directory you would use the "d" option before the user or group.

setfacl -m d:u:mike:rw directory

To remove rights use the "x" option.

setfacl -x u:mike file or directory

 

 

acls on New Partitions

Since acls are not installed by default on any partitions the administrator creates after the initial install you  must activate acls.. In the example, it shows how to manually install the acl on the /music directory. In this illustration the administrator has added the acl option to the /music directory in the /etc/fstab file. As you can see the word "acl" follows a comma after ext3 and then the file was saved. CAUTION: make a backup of your /etc/frstab before you modify it so you can recover if you make a mistake.

# /dev/sda4

UUID=27515417-03d4-4175-bcf3-e655a19a6cb2 /home ext3,acl relatime 0 2

Once the file is saved remount the directory with the acl.

mount -o remount,acl /music

 

Using Eiciel

Eiciel is a graphical tool used to modify acls on a Desktop system. This is a great way to manage multiple users on a system that all need different access to files and folders.

The website provides a download for the application and some documentation:

http://rofi.roger-ferrer.org/eiciel/

 

Create a Directory to Share User Information
This example shows a directory created that will be used to allow different users different rights to the same files. In the example, the administrator places a user in charge of the directory and that user then defines the rights of other users in that directory. Here the user mike is placed in charge of the /home/accounting directory.

sudo mkdir /home/accounting

sudo chown -R mike /home/accounting

Note that the group rights still are maintained by the root user.

Now install eiciel.

sudo apt-get install eiciel

 

Here is a view of the /home/accounting directory with eiciel. The upper sections shows you that mike is the user who has read/write/execute rights to the directory. The root group has the read/execute rights and others have read and execute rights.

eiciel

You can modify the rights by checking and unchecking the rights boxes.

The Participants List shows a list of other users on the system that you can allow access to the files in the directory. Add a user or group and then modify the rights of that user. By default it will list system users as well. It would be a dangerous thing to start adding system users to permissions on the system. You are best served leaving the system users alone when you start setting up acls.

When you create files in this directory you will have additional options that you did not have previously. You can provide one user with read only rights, provide a second user with read/write rights, the third user read/write/execute rights and the fourth user no rights at all on one file. You can do the same thing with multiple groups.

In the example. A file has been created called accounts_outstanding. Users have been added from the Participant List below and each has been given different rights to the same file. Diane and Mike can both read and write to the file, while tom can only read the file. Eiciel provides a clear way to view the permissions without having to go to the command line.

eiciel

 

The mask determines possible permissions. By unchecking a box it will mean that those permissions are not available for either read,write or execute. For example is you uncheck execute, no one will have execute rights, if uncheck write, then no one will be able to right to the file.

eiciel