Supported by the National Science Foundation Collaborator: University of Michigan Collaborator: Michigan State University Collaborator: Wayne State University Collaborator: Indiana University

The OSiRIS filesystem manages file permissions using access control lists or ACL’s to further protect files and directories. Thus, standard UNIX file permissions might not be enough to manage file access for users/groups.

Why do we need FACL(s)?

Every file in a UNIX system has a owner/group and a set of permissions attached to it. ACLs are used in OSiRIS to provide access to files for multiple users who are from different groups. The file system access control lists(FACLs) are the list of additional users/groups and their respective permissions to the file.

Viewing FACL(s)

To display ACL details, filename, owner, group for each file we use the getfacl command. If a directory has a default ACL, getfacl also displays the default ACL. Non-directories cannot have default ACLs. If getfacl is used on a file system that does not support ACLs, getfacl displays the access permissions defined by the traditional file mode permission bits.

getfacl /osiris/test

output:
#file : test
#owner: root
#group : CO_COU_NavalOceanics_members_active
user::rw-
user:abc:r--
user:xyz:rwx
group::r--
group:CO_COU_Test_members_active:r-x
mask::r--
other::---

Notice 3 different user lines in the output above. Thefirst line lists the standard file permissions of the owner of the file. The two other user permissions are the individual permissions for the users abc and xyz. The mask field defines the maximum effective file permissions for other groups and users. The default group permissions are read only as seen above. Group CO_COU_Test_members_active has been granted read(r) and execute(x) [r-x] permissions exclusively . Other users/groups do not have any permissions.

Creating and Managing FACL(s)

The setfacl command is used to set ACL for a given file. Even if a group is provided write permissions using standard unix chmod command, the members of the group would not be able to write to the /osris/test/ directory because the mask has been set to r– as seen in the section above.

To override the mask the best way is to give exclusive permissions to that particular user/group to the file/directory. In our case we will provide exclusive read write[rw] access for CO_COU_NavalOceanics_members_active group to the /osris/test directory by running the command below:

setfacl -m g:CO_COU_NavalOceanics_members_active:rw /osris/test

The -m option tells setfacl to modify ACLs on the file(s) mention in command line.

Masking

To access control list (ACL) mask defines the maximum effective permissions for any entry in the ACL. This mask is applied automatically everytime you execute the setfacl or chmod commands. You can prevent masking by using the –no-mask flag in your command as shown below:

setfacl --no-mask -m u:xyz:7 /osiris/test.txt

Backing up the FACL(s)

Many a times, the backup software may not copy the metadata related to the FACL on the files. In that case you may want to backup the FACL information on the files or directory. To copy the FACL on all the files in a directory , including all sub directories to a single file run :

cd /osiris
getfacl -R * > osiris_facl

The above commands will get the access control lists for all subdirectories and files under the osiris directory and write it to the osiris_facl file

Restoring the FACL(s)

When you restore the files in /osiris directory, you would have to restore the FACLs associated with the files in that directory. To do that use the FACL backup file osiris_facl along with the –restore option :

setfacl --restore=osiris_facl

To learn more about file system access control lists please refer to this website