<< 2011-2 >>
Department of
Computer Science
 

Controlling access to files

The version of Unix/Solaris that we run in the department allows you to give named people access to files, as well as just the group you belong to. See the manual entries for the setfacl and getfacl commands.

Creating A Shared Directory

To illustrate, here's how you can create a directory which two people can share write access to. Suppose the usernames involved are: 
myself
friend

The first step is to create the shared directory. Note that only the owner of a file or directory can change its permissions. Then make sure your umask is unset, so that it doesn't interfere with creating the permissions. Then add a mask and read/write/execute permissions for yourself and your friend. 

mkdir dir
umask 000
setfacl -m mask:rwx dir
setfacl -m user:myself:rwx dir
setfacl -m user:friend:rwx dir

Next, change the default permissions for creation of files within the directory. 

setfacl -m default:mask:rw- dir
setfacl -m default:user:myself:rw- dir
setfacl -m default:user:friend:rw- dir

Check the permissions you have set. In particular, check that the effective permissions are what you expect (if not, check the mask entry): 

getfacl dir

You should always add yourself with extra explicit permissions, even though you own the directory. This is so that when your friend creates a file in the shared directory, you will have access to it despite not being the owner.

If your friend creates a file, and you want to change its permissions, you can't because you don't own it. However, by copying it and moving it back, you can become the owner, and then change the permissions.

Tricks and Comments

There are a lot of things that can and do go wrong. Always check the permissions carefully, including the effective permissions, with getfacl after changing them.

When something goes wrong, the error messages are useless.

You can check whether there are any extra permissions on a file or directory using ls -l or ls -ld because if there are, a + sign appears at the end of the normal permissions.

The list of permissions (access control list, or acl list) sometimes gets corrupted, and there is nothing you can do about it except start again (copy files/directories somewhere else where they have no extra permissions, move them back again, add permissions).

The setfacl command doesn't work on "loop back automounted" file systems. In practice, this means you can't always create shared files/directories in your own home directory without first using rlogin to log on to some other machine.

Contact Us  |  News 25th Anniversary
© 1995-2012 University of Bristol  |  Terms and Conditions  |  Use of Cookies
About this Page