
Access Control Lists

by Gustaaf Van Moorsel last modified May 30, 2017 by K Scott Rowe

Access Control List overview

Access Control Lists (ACLs) can be used to grant access to files or directories for specific users or groups, enabling small teams of observers to create ad hoc sharing rules without exposing their data to the public. ACLs behave much like the standard Unix-level read, write, and execute settings for owner, group and other, but can be applied to any number of users or groups and can be flagged to apply to all new files or sub-directories created within a directory.

When observer accounts are created, ACLs are added to the home directory for the observers-mgr group and the apache account to enable Data Analyst support access, Archive Access Tool direct write capability and https-based data retrieval back to a home institution.

Access Control List details

ACLs are set with the command setfacl and can be queried with the command getfacl.

Typical format for setfacl is:

setfacl -[R]{m|x} [default:]{u|g}:{<username>|<groupname>}:<mask> <path>

Where -R specifies recursive; -m or -x states whether to modify or remove the entry; default defines whether to make the ACL the default for new files; u or g defines what type of ACL to apply (user or group) to <username> or <groupname>; <mask> is the standard r,w,x permissions; and <path> is a file or directory.

To enable access to an existing directory one would typically run setfacl twice: once to set the ACL on all existing files and sub-directories, and once to set the default ACL on the existing directory and its sub-directories so that new files properly inherit it. The first run is needed because default ACLs only apply to directories: new files will inherit the ACL, but existing files will not.

Note that it is possible to have multiple *default* ACLs on a directory. All ACLs flagged as default on a directory will be applied to subsequently created sub-directories and files. Directories must include the execute (x) bit to enable traversal.

ACLs can only be set by system administrators (as root) or by the owner of the file or directory, following the same rules as chmod.

Once ACLs have been set on a file or directory, it is best to continue to use ACLs for permissions instead of chmod, as chmod can have unintended effects on existing ACLs. You can use ls -l to see whether a file or directory has ACLs: look for the + sign at the end of the permissions field. For example:

drwxrws---+ 2 nm-4386 nm-4386 4096 May 25 16:57 data/

Access Control List Examples

Setting ACL with setfacl

To set an ACL to allow observer nm-4386 read/execute access to the home directory of observer nm-6889 do:

setfacl -m u:nm-4386:rx ~nm-6889

Note the above applies only to the directory itself; it will have no effect on existing or new files or sub-directories. The getfacl example below shows this ACL.


To set a default ACL to allow the observers-mgr group (i.e. data analysts) read/write/execute access to the data subdirectory in the nm-6889 home directory do:

setfacl -m default:g:observers-mgr:rwx ~nm-6889/data

Note the above will not affect existing files or sub-directories but all new files and sub-directories will inherit the ACL.

To remove the above ACL do:

setfacl -x default:g:observers-mgr ~nm-6889/data


To provide user nm-6889 read access to all existing files in the JVLA VLASS project opt_scripts directory do:

setfacl -m u:nm-6889:r /lustre/aoc/projects/vlass/opt_scripts/*

Note the above will only apply to existing files.


The following default ACL would have to be set on the parent directory to enable access for subsequently created files:

setfacl -m default:u:nm-6889:r /lustre/aoc/projects/vlass/opt_scripts

To remove the above ACL do:

setfacl -x default:u:nm-6889 /lustre/aoc/projects/vlass/opt_scripts
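The two-step grant described in the details section (existing files first, then default entries for future files), wrapped as shell functions. This is an added example, not part of the original page or of NRAO's own tooling. It assumes the setfacl command from the standard Linux acl package; the SETFACL variable and the grant_tree and revoke_tree names are this example's own. The recursive step uses setfacl's capital X permission, which grants execute only on directories (and on files that already have execute set), so regular data files are not made executable when traversal is granted:

```shell
#!/bin/sh
# Two-step ACL grant/revoke for an existing directory tree.
# Step 1 covers everything that already exists; step 2 adds default entries
# so files and sub-directories created later inherit the same access.
# Assumption: setfacl from the Linux acl package. SETFACL may be overridden
# (e.g. SETFACL=echo) to preview the commands without touching the filesystem.
set -eu

grant_tree() {
    # usage: grant_tree {u|g} <user-or-group> <perms> <directory>
    # perms uses setfacl syntax; "rX" grants traversal on directories only.
    kind=$1; name=$2; perms=$3; dir=$4
    [ -d "$dir" ] || { echo "grant_tree: $dir is not a directory" >&2; return 1; }
    # Step 1: existing files and sub-directories (a default entry alone would
    # leave existing files untouched).
    ${SETFACL:-setfacl} -R -m "$kind:$name:$perms" "$dir"
    # Step 2: default entries on the directory and every sub-directory, so that
    # anything created afterwards inherits the access.
    ${SETFACL:-setfacl} -R -m "default:$kind:$name:$perms" "$dir"
}

revoke_tree() {
    # usage: revoke_tree {u|g} <user-or-group> <directory>
    # Mirrors grant_tree: removes both the access entries and the default entries.
    kind=$1; name=$2; dir=$3
    [ -d "$dir" ] || { echo "revoke_tree: $dir is not a directory" >&2; return 1; }
    ${SETFACL:-setfacl} -R -x "$kind:$name" "$dir"
    ${SETFACL:-setfacl} -R -x "default:$kind:$name" "$dir"
}

# Example: give the observers-mgr group read/write access (plus traversal) to a
# data tree, then confirm that ls -l shows the "+" flag on the directory.
# grant_tree g observers-mgr rwX ~nm-6889/data && ls -ld ~nm-6889/data
```

The default-only command shown above for ~nm-6889/data is step 2 on its own; grant_tree adds step 1 in front of it so that files already in the tree become readable too, and revoke_tree removes both kinds of entry so no default is left behind to re-grant access on the next file created.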


Querying ACL with getfacl

To view the ACLs on user nm-6889's home directory do:

getfacl ~nm-6889


Below is the output of the above query with the ACL entries pointed out; all other lines merely reflect the standard Unix permissions applied to the directory:

>getfacl ~nm-6889
getfacl: Removing leading '/' from absolute path names
# file: lustre/aoc/observers/nm-6889 
# owner: nm-6889 
# group: nm-6889 
# flags: -s- 
user::rwx   
user:nm-4386:r-x                   <------user level r-x ACL set for user nm-4386 
group::--- 
group:obs-apache:r-x               <----- group level r-x ACL set for group obs-apache 
group:observers-mgr:rwx            <----- group level rwx ACL set for group observers-mgr 
mask::rwx 
other::--- 
default:user::rwx 
default:group::--- 
default:group:obs-apache:r-x       <----- group level r-x default ACL set for group obs-apache 
default:group:observers-mgr:rwx    <----- group level rwx default ACL set for group observers-mgr 
default:mask::rwx 
default:other::---
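The named-user, named-group and owning-group entries in a listing like the one above are not the final word: POSIX ACLs AND each of them with the mask entry (mask::rwx here, so nothing is cut), and getfacl appends a #effective: comment whenever the mask does remove a permission. The following shell function, an added example that is not part of the original page, parses getfacl output from stdin and reports the effective permission for one principal. The effective_perms and sample_acl names are this example's own, and sample_acl emits a constructed listing rather than output captured from the NRAO systems: it uses the same principals as the page's example but a restrictive mask so the effect is visible.

```shell
#!/bin/sh
# Compute the effective permission of one ACL entry from getfacl output.
# POSIX ACL rule: named users, named groups and the owning group are limited
# by the mask entry; the owner (user::) and other:: entries are not.
# Default entries only govern newly created files, so they are ignored here.

effective_perms() {
    # usage: getfacl <path> | effective_perms {user|group|other} <name>
    # Use an empty <name> for the owner ("user") or the owning group ("group").
    awk -F: -v kind="$1" -v name="$2" '
        # skip comments, blank lines and default entries
        /^#/ || /^default:/ || NF == 0 { next }
        # drop trailing whitespace and any "#effective:..." annotation
        { sub(/[ \t].*$/, "", $3) }
        $1 == "mask"             { mask = $3 }
        $1 == kind && $2 == name { perms = $3 }
        END {
            if (perms == "") { print "absent"; exit 1 }
            unmasked = (kind == "other" || (kind == "user" && name == ""))
            if (mask == "" || unmasked) { print perms; exit }
            # keep a permission only where both the entry and the mask grant it
            out = ""
            for (i = 1; i <= 3; i++) {
                p = substr(perms, i, 1); m = substr(mask, i, 1)
                out = out ((p != "-" && m != "-") ? p : "-")
            }
            print out
        }'
}

sample_acl() {
    # Constructed getfacl listing (not captured from a real system): the same
    # principals as the documentation example, with a mask of r-- so that the
    # granted rwx/r-x entries are cut down to read-only.
    cat <<'EOF'
# file: lustre/aoc/observers/nm-6889/data
# owner: nm-6889
# group: nm-6889
user::rwx
user:nm-4386:r-x		#effective:r--
group::---
group:observers-mgr:rwx		#effective:r--
mask::r--
other::---
default:user::rwx
default:group::---
default:group:observers-mgr:rwx
default:mask::rwx
default:other::---
EOF
}

# Example: what can nm-4386 actually do in this directory?
# sample_acl | effective_perms user nm-4386      (prints r--)
```

A mask like this is the usual reason a user who appears in getfacl output still cannot write: chmod on the group bits rewrites the mask, which is why the page advises staying with setfacl once ACLs are in use. Running the real listing through the function (getfacl ~nm-6889/data | effective_perms group observers-mgr) shows what the data analysts can actually do rather than what was requested.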