(Reproduced from The Furtive Penguin)
Access Controls With ACL and Eiciel
Traditionally Unix-based systems have dealt with the issue of sharing access to files and folders by tweaking group permissions. As the numbers of new Linux adopters grows in the wake of the Dell and Walmart initiatives perhaps it is time to publicize a more intuitive ( and GUI based ) option. Linux is designed from the ground up to be a multi-user system and family machines are likely to have more than one user account if only to keep the kids from 'accidentally' deleting important files. But what if you want to share certain resources amongst all users on a system? The easiest solution is to create a 'shared' folder in the /home directory and manage access using ACL's.
To do this you need to issue the following command as root:-
mkdir /home/shared
or sudo mkdir /home/shared ( if you are using Ubuntu )
If you are reasonably confident that no adverse security consequences will result you can make this folder world-writable thus:-
chmod 666 /home/shared
or sudo chmod 666 /home/shared ( Ubuntu )
If you want some other user ( besides root ) to own this folder, lets say 'userone', you would do the following:-
chown userone /home/shared
or sudo chown userone /home/shared ( Ubuntu )
Now in order to give you fine-grained control over the contents of this folder and generally make the whole thing work as intended we need to install two packages and tweak one configuration file. The packages in question are 'acl' and 'eiciel', On an Ubuntu system these can be installed with the following commands ( or via Synaptic if you prefer to use the GUI ):-
apt-get install acl
apt-get install eiciel
The 'acl' package gives you access to two commands, 'getfacl' and 'setfacl' which allow you to view and set access control lists at the command line. The 'eiciel' package adds a new tab to the 'properties' view in Nautilus which essentially does the same thing in the GUI. See screenshot below:-
Access Control List Tab in the Nautilus Properties Dailog Box
As you can see this panel allows me, the owner, ( userone ) to grant usertwo read, write or execute permissions on a per file basis. Consequently you can add files to your shared folder with confidence. Each file can have its own individualized user profile and no one need have more permissions than they need or can be trusted with. At the same time everything in the folder can be made readable by all users on the system.
In order to make this work there is one more essential step. You need to edit a system file called /etc/fstab.( BE CAREFUL! Back it up first in case of disaster. ) You will need to open an editor and insert 'acl' in the appropriate place. See 'before' and 'after' example below:-
BEFORE
/dev/hda1 /boot ext3 defaults 0 2 #size=100
/dev/hda2 none swap sw 0 0 #size=250
/dev/hda3 / ext3 defaults,errors=remount-ro 0 1 #size=remaining
/dev/fd0 /floppy auto defaults,user,noauto 0 0
/dev/cdrom /cdrom iso9660 defaults,ro,user,noauto 0 0
proc /proc proc defaults 0 0
AFTER
/dev/hda1 /boot ext3 defaults 0 2 #size=100
/dev/hda2 none swap sw 0 0 #size=250
/dev/hda3 / ext3 defaults,errors=remount-ro,acl 0 1 #size=remaining
/dev/fd0 /floppy auto defaults,user,noauto 0 0
/dev/cdrom cdrom iso9660 defaults,ro,user,noauto 0 0
proc /proc proc defaults 0 0
Insert 'acl' in the line that refers to the partition you want to use access control lists on and reboot. When your machine restarts you will be able to use eiciel in the GUI ( or 'getfacl' and 'setfacl' from the command line ) to set up acl's.
And thats all there is to it! I hope someone finds this helpful.
No comments:
Post a Comment