CS4173 > Materials > sysdocs > ACLs

J. Blustein

Web-centric Computing

[Course | Announcements | Materials | Resources]

System Documentation

Access Control Lists (ACLs)

Contents

  1. About ACLs
    1. Example of What ACLs Can Do
    2. The ACL User Interface
  2. For More Information
  3. Warnings
  4. To Set The Correct ACLs
    1. To Set ACLs on your cgi-bin Directory
    2. To Set ACLs on Files
  5. About this document

If you just want to set the permissions on your cgi-bin directory and CGI files then jump to the step-by-step instructions below.

About ACLs

Access Control Lists (ACLs) are a form of extended file permissions.

The basic access permission for files in Unix are mode permissions. Each file or directory has mode permissions for (1) the file's owner, (2) the group that the file owner is in, and (3) for everyone else. These are the so-called user-group-other permissions. The basic permissions are read (r), write (w), and execute (x). For more information about them, see the chmod (1) manpage.

ACLs extend mode permissions by allowing a file's owner to specify exactly which users will be allowed to have what type of access to their files. If ls -ld filename shows a + at the end of the filename mode permissions then ACLs are being used with that file.

Example of What ACLs Can Do

For instance, you could set up an ACL for your cgi-bin directory that would allow you full access (read, write, and execute) for that directory and allow the web server (user http) to read that directory, but not allow anyone else any type of access to it. You could also set up similar permissions for all the .cgi files within that directory.

The ACL User Interface

getfacl (1) shows the ACLs associated with a file. Within the output of getfacl the # marks a comment, just like in a shell script. The mask is the maximum permissions that anyone (except the owner) can have to the file. Permissions for all users (except the owner) are ANDed with the mask to determine the effective permissions. So if a user is listed as having write permission for a file (w) but mask does not include w then the user does not have write permission to the file.

The permissions listed in the getfacl output are in two forms. Here's are examples of each form:

  1. Named users and groups
  2. Unnamed parts

The first three examples all have two colons (:) and the last example has only one colon. In the first group of examples, the colons separate the names of specific users or groups from the permission those users and groups have. The empty name (::) is the owner, so user:: refers to the owner of the file and group:: refers to the group that owns the file. (You can see the name of the group using
% ls -ldg filename) The permissions that are listed with only one colon can't be specified in more detail.

For more information about ACLs

See

Warnings

There are two features of the way ACLs work on Solaris that might cause you problems. Be on the look out for these:

  1. The setfacl program does not always warn you when you have used the wrong syntax. So always use getfacl after setfacl and check that your files have the correct permissions.
  2. Using chmod to change file permissions can change your ACLs and vice versa. Always use ls -ld to check that your files have the correct permissions after using chmod or setfacl.

To Set The Correct ACLs

Below are step-by-step instructions for setting ACLs for your cgi-bin directory and CGI files.

To Set ACLs on your cgi-bin Directory

Execute these instructions from the Unix prompt:

  1. Change the mode permissions on the directory to a known state
  2. Set the ACL permissions on the directory using setfacl
  3. Check that the permissions were set correctly
    1. % /bin/ls -ld ~/public_html/cgi-bin
    2. Check that the mode permissions at the beginning of the directory look like drwx------+
      • The + indicates that ACLs will modify mode permissions
    3. % /usr/bin/getfacl ~/public_html/cgi-bin
      • You should see three lines of comments (each line will begin with #)
      • The next lines should look like this
          user::rwx
          user:http:r-x           #effective:r-x
          group::---              #effective:---
          mask:r-x
          other:---
      • Note that the effective permissions show that
        • you (user::) have full permissions, and that
        • the server (user:http:) has read and execute permissions for the directory
        • no one else has any permission to access the directory
    4. % /bin/ls -ld ~/public_html/cgi-bin
      • Check that the mode permissions look like drwx------+

To Set ACLs on Files

Follow these steps to set the correct ACLs for all your CGI files. Execute these instructions from the Unix prompt:

  1. Change the mode permissions on the files to a known state
    1. % cd ~/public_html/cgi-bin
    2. % /usr/bin/chmod 700 *.cgi
  2. Set the ACL permissions on the files using setfacl
    1. % /usr/bin/setfacl -f ~jamie/public_html/course/CS/4173/Materials/Docs/ACL/cgi.ACL *.cgi
  3. Check that the permissions were set correctly
    1. % /bin/ls -l *.cgi
    2. Check that the mode permissions at the beginning of the files look like -rwx------+
    3. % /usr/bin/getfacl *.cgi | /opt/bin/less
      • You should see three lines of comments per file (each line will begin with #)
      • The next lines should look like this
          user::rwx
          user:http:r--           #effective:r--
          group::---              #effective:---
          mask:r--
          other:---
      • Note that the effective permissions show that
        • you (user::) have full permissions, and that
        • the server (user:http:) can only read the files
        • no one else has any permission to access the files
    4. % /bin/ls -l ~/public_html/cgi-bin/*.cgi
      • Check that the mode permissions look like -rwx------+

Because of the way that the servers are set-up at Dal FCS, CGI files don't need to be executable by the HTTP server to be run. Our servers are configured with suexec option which means that our CGI programs are run as the user who owns the file. (The example program about.pl demonstrates this.) But the server still needs to have read access to the files so that it can determine who owns the file.

More information about ACLs is above.


http://www.cs.dal.ca/~jamie/course/CS/4173/Materials/Docs/ACL/ACL.html

This file is located on borg at /users/faculty/jamie/public_html/course/CS/4173/Materials/Docs/ACL/ACL.html.

Version:
27 June 2001
CS 4173 Prof:
J. Blustein <jamie@cs.dal.ca>
Thanks to:
Jason Rouse and Jasper van Beusekom

Valid XHTML 1.0!
Creative Commons License