Posix ACL Example

I ran into a situation where I wanted to have one user account to have access to a number of other accounts.  The situation is for web hosting.  On the server I administer we have domain accounts and user accounts.  Every email account gets an actual account on the system.  This makes it easy to use tools like spamassassin and have per-user preferences.  The email accounts do not have shell access.  The domain accounts can be thought of as mini root accounts.  They should have access to all of the data for their account (obviously) as well as access to all of the data in the email user accounts.  This allows for a user to backup their domain.  On my system the email user account home directories are located inside the domain account home directory:

/home/therowes.net                 # therowes.net domain account home directory
/home/therowes.net/users/greg # greg's home directory
/home/therowes.net/users/joe   # joe's home directory

Posix ACLs, which as supported by most filesystems in Linux such as ext2, ext3, and XFS, allow such a setup. I will not go into massive amounts of detail about Posix ACLs because I don’t feel that I know enough to make an informed post. Instead I’ll show an example that makes the situation of having a master account have access to slave accounts.

If you already have the files in place you have two steps. If you are just starting out you have just one step.

Step 1 is to set the default ACLs. These ACLs are automatically applied when new files and directories are created.

# setfacl --recursive --default --modify user:MASTER_ACCOUNT_NAME:rwx TARGET_DIRECTORY

Step 2 is to set the ACLs for the existing files. This step is optional if you don’t have existing files. I feel like there’s a better way to deal with the execute bit on directories than the way I do it below. If you know of a more elegant way please post a comment.

# find TARGET_DIRECTORY -type f -exec setfacl  -m u:MASTER_ACCOUNT:rw {} ';'
# find TARGET_DIRECTORY -type d -exec setfacl  -m u:MASTER_ACCOUNT:rwx {} ';'
This entry was posted in Geek, Tips. Bookmark the permalink.

One Response to Posix ACL Example

  1. Allan says:

    > I feel like there’s a better way to deal with the execute bit on directories than the way I do it below.

    As for the chmod command, setfacl treats an uppercase X as execute flag for directories and that files that already have the execute flag set.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s