HOWTO Use filesystem ACLs
From Gentoo Linux Wiki
Introduction
There are many occasions where the common access scheme with owner/group/others is not powerful enough to satisfy the users' needs. The simplest (but descriptive ;)) is the following scenario: we have a file owned by user joe (who can read and write it), the whole group average must have read access to it, and nobody else!! But what happens if we have to add a new user, tom, who must have read access but whom we can't put in average (or he will get something he does not deserve)? This is where ACLs (Access Control Lists) jump in to save us ;)
Get the tools
The tools we need to work with ACLs are in the package "acl", so you have to:
# emerge -v acl
and you'll have the tools, header files and documentation installed.
System setup
Now you have to make your filesystem able to work with ACLs.
- Bad news, you have to recompile your kernel.
- Good news, it's really simple.
First get the newest kernel sources. To use gentoo-sources, do:
# emerge gentoo-sources
and check where your /usr/src/linux link points; it should point to the sources you've just emerged!
Setting up a new kernel
Path to kernel setup menu
We have to split here: users who don't use genkernel should follow the manual recompile path, genkernel users the genkernel path.
Path number one (manual recompile)
# cd /usr/src/linux
# make menuconfig
Set everything as you need/like.
genkernel path
First get the new genkernel:
# emerge genkernel
then start genkernel with the --menuconfig switch and you'll be able to make modifications to the kernel config as in the manual way (see man genkernel for more info):
# genkernel --menuconfig
Kernel options
Now we meet again ;) Go to the
File Systems
section of the kernel options menu and add support for POSIX Access Control Lists for every filesystem you want to use with this feature.
For Ext3, XFS and JFS it's obvious what to select; for Ext2 and ReiserFS first enable "extended attributes" and then you'll get the menu entry for POSIX ACLs.
Linux Kernel Configuration: File Systems
<*> Second extended fs support
[*]   Ext2 extended attributes
[*]     Ext2 POSIX Access Control Lists
[ ]   Ext2 execute in place support
<*> Reiserfs support
[ ]   Enable reiserfs debug mode
[ ]   Stats in /proc/fs/reiserfs
[*]   ReiserFS extended attributes
[*]     ReiserFS POSIX Access Control Lists
[ ]   ReiserFS Security Labels
genkernel users should just exit the menu (and save the changes); others should continue as with any other kernel compile: build it, copy the kernel to /boot, and so on.
Bootloader configuration
If everything went fine, you have a new kernel with ACL support in /boot, and you have to make it available in your lilo.conf (LILO users) or menu.lst (GRUB users), and then reboot.
Remounting partition with ACL support
Everything ok? Are you running the new kernel?
Let's check what you have done. To make use of ACLs, the partition that should use them has to be mounted with the acl option. You can remount a partition with the new feature:
# mount /data -o remount,acl
This of course remounts the /data partition with the acl option appended to the list of options used when it was first mounted.
Check it!
# mount
One particular line should read something like:
/dev/hda10 on /data type reiserfs (rw,acl)
Go to the ACL-enabled partition and play with tools like getfacl and setfacl; read their man pages and make sure that everything works fine.
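To see what getfacl and setfacl actually record, here is an added example (not code from the wiki page) that models the POSIX ACL permission check on the joe/average/tom scenario from the introduction. The file name report.txt and the embedded getfacl output are constructed; the user:tom entry is what `setfacl -m u:tom:r-- report.txt` would add.

```python
# Added example (not code from the wiki page): a model of the POSIX ACL access
# check run on the joe/average/tom scenario from the introduction.

# Constructed getfacl output for joe's file after: setfacl -m u:tom:r-- report.txt
ACL_TEXT = """\
# file: report.txt
# owner: joe
# group: average
user::rw-
user:tom:r--
group::r--
mask::r--
other::---
"""

def parse_acl(text):
    """Return (owner, owning_group, entries) from getfacl long-format text.
    Each entry is (tag, qualifier, set of permission letters)."""
    owner = group = None
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            tag, qual, perms = line.split(":")
            entries.append((tag, qual, set(perms) - {"-"}))
    return owner, group, entries

def check_access(acl_text, uid, groups, want):
    """True if user `uid` (member of `groups`) holds every permission in `want`.
    POSIX.1e order: owner, named user, owning/named groups (any matching entry
    that grants suffices), other.  The mask caps all but user:: and other::."""
    owner, owning_group, entries = parse_acl(acl_text)
    want = set(want)
    mask = next((p for t, q, p in entries if t == "mask"), None)
    eff = lambda p: p & mask if mask is not None else p
    if uid == owner:                                  # owner entry, never masked
        return want <= next(p for t, q, p in entries if t == "user" and q == "")
    for tag, qual, perms in entries:                  # named user entry decides
        if tag == "user" and qual == uid:
            return want <= eff(perms)
    group_perms = [eff(p) for t, q, p in entries if t == "group"
                   and ((q == "" and owning_group in groups) or q in groups)]
    if group_perms:                                   # matched groups: grant if any fits
        return any(want <= p for p in group_perms)
    return want <= next(p for t, q, p in entries if t == "other")
```

Once a file carries an ACL, chmod's group bits are the mask entry, so `chmod g-r report.txt` would set mask::--- and silently take read away from tom as well; the mask handling above reproduces that.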
You can find text I mentioned before useful here.
fstab configuration
Fire up your favourite text editor on /etc/fstab. Find the line for the file system you want to change; mine looks like this:
/dev/hda1 / reiserfs noatime,user_xattr 0 1
Then simply add ",acl" to that file system's options, like so:
/dev/hda1 / reiserfs noatime,user_xattr,acl 0 1
Now every time you reboot you will have ACL support.
Final touch
To get everything out of this feature you have to recompile the programs that know how to use ACLs or work with them; to name a few: coreutils, samba, vim...
Finally, when you are sure you did it right, add acl to your USE flags in make.conf ;-)
You may use a command like emerge --verbose --ask --newuse world to re-emerge all packages with the new USE flag.
