Access Control Lists with Ubuntu Desktop
Desktop Training - Ubuntu 8.04

  • Load Balancing With Apache

    Apache makes for a great load balancer, with the help of mod_proxy and mod_proxy_balancer. If you use Apache as the back end, this makes deploying new back ends very easy, as everything in the cluster will use the same software load out.

  • How To Migrate A LAMP Stack

    Sooner or later, your operations are going to need to scale out to bigger and better servers. You'll have to migrate your application to new hardware. Here's how to do it.

  • nginx Load Balancing

    nginx Load Balancingnginx is well known for being a front-end load balancer. It often sits between the client accessing the web site, and the PHP back ends that process your dynamic pages. While doing this, it will also perform admirably as a static content server. Here's how to get this going.

     

     

Access Control Lists (ACLs) allow you to provide different levels of access to files and folders for different users. One of the dangers that acls attempt to avoid is allowing users to create files with 777 permissions, which become system wide security issues. Ubuntu does not install acls by default, you must install them and configure the file system so that acls are active. ACLs are an important tool that administrators must understand as well as educate users how to employ them properly.

Install acls on Ubuntu 8.04
sudo apt-get install acl

acls on New Partitions

Since acls are not installed on any partitions the administrator must activate acls.. In the example, it shows how to manually install the acl on the /home directory. In this illustration the administrator has added the acl option to the /home directory in the /etc/fstab file. As you can see the word "acl" follows a comma after ext3 and then the file was saved. CAUTION: make a backup of your /etc/frstab before you modify it so you can recover if you make a mistake.

# /dev/sda4

UUID=27515417-03d4-4175-bcf3-e655a19a6cb2 /home ext3,acl relatime 0 2

Once the file is saved remount the directory with the acl.

mount -o remount,acl /home

acl Commands

The process of changing acls is fairly simple but sometimes understanding the implications are much more complex. There are a few commands that will help you make the changes for acls on individual files and directories.

 

Using Eiciel

Eiciel is a graphical tool used to modify acls on a Desktop system. This is a great way to manage multiple users on a system that all need different access to files and folders.

The website provides a download for the application and some documentation:

http://rofi.roger-ferrer.org/eiciel/

 

Create a Directory to Share User Information
This example shows a directory created that will be used to allow different users different rights to the same files. In the example, the administrator places a user in charge of the directory and that user then defines the rights of other users in that directory. Here the user mike is placed in charge of the /home/accounting directory.

sudo mkdir /home/accounting

sudo chown -R mike /home/accounting

Note that the group rights still are maintained by the root user.

Now install eiciel.

sudo apt-get install eiciel

 

Here is a view of the /home/accounting directory with eiciel. The upper sections shows you that mike is the user who has read/write/execute rights to the directory. The root group has the read/execute rights and others have read and execute rights.

eiciel

You can modify the rights by checking and unchecking the rights boxes.

The Participants List shows a list of other users on the system that you can allow access to the files in the directory. Add a user or group and then modify the rights of that user. By default it will list system users as well. It would be a dangerous thing to start adding system users to permissions on the system. You are best served leaving the system users alone when you start setting up acls.

When you create files in this directory you will have additional options that you did not have previously. You can provide one user with read only rights, provide a second user with read/write rights, the third user read/write/execute rights and the fourth user no rights at all on one file. You can do the same thing with multiple groups.

In the example. A file has been created called accounts_outstanding. Users have been added from the Participant List below and each has been given different rights to the same file. Diane and Mike can both read and write to the file, while tom can only read the file. Eiciel provides a clear way to view the permissions without having to go to the command line.

eiciel

 

The mask determines possible permissions. By unchecking a box it will mean that those permissions are not available for either read,write or execute. For example is you uncheck execute, no one will have execute rights, if uncheck write, then no one will be able to right to the file.

eiciel