If you just want to set the permissions on your cgi-bin directory and CGI files then jump to the step-by-step instructions below.
Access Control Lists (ACLs) are a form of extended file permissions.
The basic access permissions for files in Unix are mode permissions. Each file or directory has mode permissions for (1) the file's owner, (2) the group that the file owner is in, and (3) everyone else. These are the so-called user-group-other permissions. The basic permissions are read (r), write (w), and execute (x). For more information about them, see the chmod (1) manpage.
ACLs extend mode permissions by allowing a file's owner to specify exactly which users will be allowed to have what type of access to their files. If ls -ld filename shows a + at the end of the filename mode permissions then ACLs are being used with that file.
For instance, you could set up an ACL for your cgi-bin directory that would allow you full access (read, write, and execute) for that directory and allow the web server (user http) to read that directory, but not allow anyone else any type of access to it. You could also set up similar permissions for all the .cgi files within that directory.
getfacl (1) shows the ACLs associated with a file. Within the output of getfacl the # marks a comment, just like in a shell script.

The mask is the maximum permissions that anyone (except the owner) can have to the file. Permissions for all users (except the owner) are ANDed with the mask to determine the effective permissions. So if a user is listed as having write permission for a file (w) but the mask does not include w, then the user does not have write permission to the file.
The permissions listed in the getfacl output are in two forms. Here are examples of each form:
The first three examples all have two colons (:) and the last example has only one colon. In the first group of examples, the colons separate the names of specific users or groups from the permissions those users and groups have. The empty name (::) is the owner, so user:: refers to the owner of the file and group:: refers to the group that owns the file. (You can see the name of the group using % ls -ldg filename.) The permissions that are listed with only one colon can't be specified in more detail.
See
There are two features of the way ACLs work on Solaris that might cause you problems. Be on the lookout for these:
Below are step-by-step instructions for setting ACLs for your cgi-bin directory and CGI files.
Execute these instructions from the Unix prompt:
user::rwx
user:http:r-x #effective:r-x
group::--- #effective:---
mask:r-x
other:---
Follow these steps to set the correct ACLs for all your CGI files. Execute these instructions from the Unix prompt:
user::rwx
user:http:r-- #effective:r--
group::--- #effective:---
mask:r--
other:---
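The mask rule explained above and the cgi-bin ACL listed in the step-by-step section, worked through as an added example that is not part of this course page: a POSIX shell script that ANDs each entry with the mask to recompute the #effective annotations getfacl prints, and builds the Solaris setfacl -s command line that would install the cgi-bin ACL (the comma-separated entry syntax for setfacl -s is an assumption, not taken from the page; the script only prints that command and does not run it).

```shell
#!/bin/sh
# Added example, not from the course page. Recomputes getfacl's
# "#effective" annotations by ANDing each non-owner entry with the mask,
# and prints the (assumed) Solaris "setfacl -s" command for an ACL.

# Constructed sample: the cgi-bin directory ACL shown on the page.
CGI_BIN_ACL='user::rwx
user:http:r-x
group::---
mask:r-x
other:---'

# and_perms PERM MASK -> the three-character AND of two rwx strings,
# e.g. and_perms rw- r-x prints r--
and_perms() {
    out=""; i=1
    while [ "$i" -le 3 ]; do
        ca=$(printf '%s' "$1" | cut -c"$i")
        cm=$(printf '%s' "$2" | cut -c"$i")
        if [ "$ca" != "-" ] && [ "$cm" != "-" ]; then out="$out$ca"; else out="$out-"; fi
        i=$((i + 1))
    done
    printf '%s' "$out"
}

# effective_acl ACL_TEXT -> each entry, plus "#effective:" for the entries
# the mask limits (named users and groups, and the owning group). The
# owner (user::), mask and other entries are printed unchanged.
effective_acl() {
    mask=$(printf '%s\n' "$1" | sed -n 's/^mask:\(...\)$/\1/p')
    printf '%s\n' "$1" | while IFS= read -r entry; do
        perm=${entry##*:}
        case "$entry" in
            user::*|mask:*|other:*) printf '%s\n' "$entry" ;;
            *) printf '%s #effective:%s\n' "$entry" "$(and_perms "$perm" "$mask")" ;;
        esac
    done
}

# setfacl_cmd FILE ACL_TEXT -> the "setfacl -s" command line that would
# replace FILE's ACL with ACL_TEXT (assumed Solaris entry syntax).
setfacl_cmd() {
    entries=$(printf '%s\n' "$2" | tr '\n' ',' | sed 's/,$//')
    printf 'setfacl -s %s %s\n' "$entries" "$1"
}

effective_acl "$CGI_BIN_ACL"
setfacl_cmd cgi-bin "$CGI_BIN_ACL"
```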
Because of the way that the servers are set up at Dal FCS, CGI files don't need to be executable by the HTTP server to be run. Our servers are configured with the suexec option, which means that our CGI programs are run as the user who owns the file. (The example program about.pl demonstrates this.) But the server still needs to have read access to the files so that it can determine who owns the file.
More information about ACLs is above.
This file is located on borg at /users/faculty/jamie/public_html/course/CS/4173/Materials/Docs/ACL/ACL.html.