- Linux Training
- Desktop Tutorials
- Server Tutorials
|Access Control Lists with Ubuntu Desktop|
|Desktop Training - Ubuntu 8.04|
Access Control Lists (ACLs) allow you to provide different levels of access to files and folders for different users. One of the dangers that acls attempt to avoid is allowing users to create files with 777 permissions, which become system wide security issues. Ubuntu does not install acls by default, you must install them and configure the file system so that acls are active. ACLs are an important tool that administrators must understand as well as educate users how to employ them properly.
Install acls on Ubuntu 8.04
acls on New Partitions
Since acls are not installed on any partitions the administrator must activate acls.. In the example, it shows how to manually install the acl on the /home directory. In this illustration the administrator has added the acl option to the /home directory in the /etc/fstab file. As you can see the word "acl" follows a comma after ext3 and then the file was saved. CAUTION: make a backup of your /etc/frstab before you modify it so you can recover if you make a mistake.
UUID=27515417-03d4-4175-bcf3-e655a19a6cb2 /home ext3,acl relatime 0 2
Once the file is saved remount the directory with the acl.
mount -o remount,acl /home
The process of changing acls is fairly simple but sometimes understanding the implications are much more complex. There are a few commands that will help you make the changes for acls on individual files and directories.
Eiciel is a graphical tool used to modify acls on a Desktop system. This is a great way to manage multiple users on a system that all need different access to files and folders.
The website provides a download for the application and some documentation:
Create a Directory to Share User Information
sudo mkdir /home/accounting
sudo chown -R mike /home/accounting
Note that the group rights still are maintained by the root user.
Now install eiciel.
sudo apt-get install eiciel
Here is a view of the /home/accounting directory with eiciel. The upper sections shows you that mike is the user who has read/write/execute rights to the directory. The root group has the read/execute rights and others have read and execute rights.
You can modify the rights by checking and unchecking the rights boxes.
The Participants List shows a list of other users on the system that you can allow access to the files in the directory. Add a user or group and then modify the rights of that user. By default it will list system users as well. It would be a dangerous thing to start adding system users to permissions on the system. You are best served leaving the system users alone when you start setting up acls.
When you create files in this directory you will have additional options that you did not have previously. You can provide one user with read only rights, provide a second user with read/write rights, the third user read/write/execute rights and the fourth user no rights at all on one file. You can do the same thing with multiple groups.
In the example. A file has been created called accounts_outstanding. Users have been added from the Participant List below and each has been given different rights to the same file. Diane and Mike can both read and write to the file, while tom can only read the file. Eiciel provides a clear way to view the permissions without having to go to the command line.
The mask determines possible permissions. By unchecking a box it will mean that those permissions are not available for either read,write or execute. For example is you uncheck execute, no one will have execute rights, if uncheck write, then no one will be able to right to the file.