sharing files with ACLs

If you are working on a group project, and would like to share code, one option is to use ACLs. ACL stands for Access Control List. ACLs can be used to make the normal file permissions more specific.

setting up acls

To set up ACLs, try our easyfacl.py script. This script will prompt you for:

  1. A space separated list of user names (include your own username in this list!).
  2. The directory whose permissions you would like to change. You can enter a full path or a path relative to your current location.

The script will then show you the commands it will enter. You can confirm, or opt to enter these commands yourself. They should look something like this:

setfacl -R -d -m user:uname1:rwx,user:uname2:rwx dir
setfacl -R -m user:uname1:rwx,user:uname2:rwx dir

After running easyfacl.py or setting ACLs manually with setfacl, use getfacl dirname to see the ACLs on a given file or directory.

Here's an example of the whole process, run as user jk:

BASIL[jk]$ mkdir project
BASIL[jk]$ easyfacl.py 
Enter a space separated list of users: jk dhp mary
Enter a pathname (relative or full): project

These commands will be entered
setfacl -R -d -m user:jk:rwx,user:dhp:rwx,user:mary:rwx project
setfacl -R -m user:jk:rwx,user:dhp:rwx,user:mary:rwx project
Should I do this? (Y/n)y
acls are set up
press Return>
BASIL[jk]$ getfacl project/
# file: project
# owner: jk
# group: users
user::rwx
user:jk:rwx
user:mary:rwx
user:dhp:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:jk:rwx
default:user:mary:rwx
default:user:dhp:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

BASIL[jk]$

details/troubleshooting

ACLs are complicated, so here are a few things to keep in mind.

  1. copying vs. new files: When you make a new file or directory, the default ACL takes care of the ACLs for the new file or dir. If you're copying from some other directory, the default ACLs don't carry over. So you need:

    setfacl -m user:u1:rwx,user:u2:rwx copied_file

Here the users listed are the same users named in the default ACL of the rest of your directory.

  2. executable scripts: I am planning to write a script. I make a new file in the ACL directory, and begin writing, but then notice that I do not have execute permissions on the file, and thus cannot use my executable script. I need:

    chmod +x scriptname

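The +x is important, because you want to add execute permissions without touching anything else. You don't want to say chmod 700, because that will change existing ACLs on the file: on a file with ACLs, the group digit of an absolute mode is written to the ACL mask, so 700 sets the mask to --- and the named users in the ACL lose their access.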

  3. reaching the ACLdir: So you set up the ACLs, and your partner tries to cd to the directory where you will be doing your project. But the two of you see something like cd: Permission denied. And you thought ACLs were supposed to fix all of that! Your partner needs to be able to cd to the ACL directory. This means that every directory leading to the ACL directory must have, as permissions, at least 711 (or 755).

  4. removing ACLs: Your work is done, but you have decided, during the course of your project, that you hate your partner and no longer want the ACL permissions active. Thankfully, it is simple to remove them. cd to above the original directory where you set the ACLs, and:

    setfacl -R -b acldir

The -R means recursive, the -b means delete all ACLs.
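
For the "reaching the ACLdir" item above, a shell function that walks up from the ACL directory and prints every parent directory whose mode lacks the execute bit for others (stricter than 711). This is an added example, not part of easyfacl.py; the name check_path_searchable is made up here, and it assumes GNU stat (stat -c).

```shell
#!/bin/sh
# check_path_searchable DIR   (hypothetical helper, not from easyfacl.py)
# Prints "MODE PATH" for each directory leading to DIR that others cannot
# cd through. Returns 0 if all parents are at least 711, 1 if any is not,
# 2 if DIR cannot be resolved.
check_path_searchable() {
    target=$(cd "$1" 2>/dev/null && pwd -P) || {
        echo "cannot resolve: $1" >&2
        return 2
    }
    blocked=0
    # Start at the parent: the ACL directory itself is covered by its ACL.
    dir=$(dirname "$target")
    while :; do
        mode=$(stat -c '%a' "$dir")         # octal mode, e.g. 711 or 1777
        other=$((mode % 10))                # last digit holds the "other" bits
        if [ $((other & 1)) -eq 0 ]; then   # bit 1 is execute (search)
            echo "$mode $dir"
            blocked=1
        fi
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
    return $blocked
}

# usage: check_path_searchable ~/project
```

Any directory it prints needs chmod o+x (or a mode of 711 or 755) before your partner can reach the ACL directory.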

