Swarthmore College Department of Computer Science

sharing files with ACLs

If you are working on a group project, and would like to share code easily, one option is to use ACLs (another is to use subversion). ACL stands for Access Control List. ACLs can be used to make the normal file permissions more specific. Like other linux commands, the best information about ACLs can be found in the man page (man setfacl).

setting up acls

To set up ACLs, try our easyfacl.py script. This script will prompt you for:

  1. A space separated list of user names (include your own username in this list!). Don't worry if you get one wrong, the program will cycle until you fix it.
  2. The directory whose permissions you would like to change. You can enter a full path or a path relative to your current location. Again, the program will cycle if the directory you enter does not exist.

The script will then show you the commands it will enter. You can confirm, or opt to enter these commands yourself. They should look something like this: 

setfacl -R -d -m user:uname1:rwx,user:uname2:rwx dir
setfacl -R -m user:uname1:rwx,user:uname2:rwx dir
  • You should be one of the users listed so that you can have acl privileges if one of the other users creates files and folders in the acl directory.
  • setfacl is the command used to change the acl information about a file or directory.
  • -R means make the command recursive, or, use this command to give all the existing files/directories in the directory the same acls.
  • -d means make these acls the default. All new files and directories created within this one will have the same acls.
  • -m means modify. This sets up the users (in our case, user1 and user2) with rwx permissions on the directory.

The setfacl man page explains all of these options, as well as others, should you desire to play around with setfacl.

After running easyfacl.py or setting acls manually with setfacl, use getfacl dirname to see the acls on a given file or directory.

Here's an example of the whole process, run as user jk: 

BASIL[jk]$ mkdir project
BASIL[jk]$ easyfacl.py 
Enter a space separated list of users: jk dhp mary
Enter a pathname (relative or full): project

These commands will be entered
setfacl -R -d -m user:jk:rwx,user:dhp:rwx,user:mary:rwx project
setfacl -R -m user:jk:rwx,user:dhp:rwx,user:mary:rwx project
Should I do this? (Y/n)y
acls are set up
press Return>
BASIL[jk]$ getfacl project/
# file: project
# owner: jk
# group: users
user::rwx
user:jk:rwx
user:mary:rwx
user:dhp:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:jk:rwx
default:user:mary:rwx
default:user:dhp:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

BASIL[jk]$

details/troubleshooting

ACLs are complicated, so here are a few things to keep in mind.

  1. copying vs. new files
    When you make a new file or directory, the default acl takes care of the acls for the new file or dir. If you're copying from some other directory, the default acls don't carry over. So you need: 
    setfacl -m user:u1:rwx,user:u2:rwx copied_file

    Where the users listed are the people in your default acl info for the rest of your directory.

  2. executable scripts
    I am planning to write a script. I make a new file in the acl directory, and begin writing, but then notice that I do not have execute permissions on the file, and thus cannot use my executable script. I need:
    • chmod +x scriptname
    The +x is important, because you want to add execute permissions. You don't want to say chmod 700 because that will change existing acls on the file.
  3. reaching the acldir
    So you set up the acls, and your partner tries to cd to the directory where you will be doing your project. But the two of you see something like cd: Permission denied. And you thought acls were supposed to fix all of that. Your partner needs to be able to cd to the acl directory. This means that every directory leading to the acl directory must have, as permissions, at least 711.
  4. removing acls
    Your work is done, but you have decided, during the course of your project, that you hate your partner and no longer want the acl permissions active. Thankfully, it is simple to remove them. cd to above the original directory where you set the acls, and:
    • setfacl -R -b acldir
    • -R you've seen before, it means recursive.
    • -b means delete all acls.
    Now your directory is safe from your evil partner (^_^). Even if you don't hate your partner, doing this when the two of you are done with your project might be a good idea.