Set UID / Set GID & Extended ACLs (Linux)
Posted by scotbuff on May 21, 2006, 07:25:59 am
Set UID & Set GID

To get more granular with permissions, and to make our lives easier, you can set the set-GID bit on a directory so that any files or subdirectories created inside it inherit that directory's group. Only the group is inherited: on Linux the set-UID bit has no effect on a directory, so the owner of a new file is always the user who created it. Subdirectories also inherit the set-GID bit itself, so the behaviour carries down the tree. This is accomplished with a simple chmod command.

lxp-webcvs:/ # chmod 2775 cvs
lxp-webcvs:/ # ls -al
drwxrwsr-x 19 cvs  cvs   4096 2006-05-16 12:35 cvs


The extra leading digit controls the special permission bits: 4 = set-UID, 2 = set-GID, 1 = sticky bit. The sticky bit is not rare at all; it is what keeps users from deleting each other's files in world-writable directories like /tmp. In this case I set the GID, so the group ownership will "stick" to any file created in that directory. Keep in mind that set-UID and set-GID on a directory only affect inheritance; on an executable file they make the program run with the file owner's or group's privileges, and those are the files worth auditing.

lxp-webcvs:/cvs # touch yeti
lxp-webcvs:/cvs # ls -al
-rw-r--r--   1 root cvs      0 May 17 08:23 yeti


Even though I am root, when I touched a file, it kept the cvs group ID.

This is pretty useful, but if used with ACLs, it becomes a giant alien force more powerful than anything you can imagine.

ACLs

Access Control Lists are a more specific form of permission, similar to those in Windows: you can grant access to particular users and groups beyond the single owner and group of the mode bits, and a directory's default ACL is copied onto files and subdirectories created within it. The copy happens at creation time only; changing the parent's default ACL later does not touch existing children.

In order to implement ACLs, the acl option must be specified for the filesystem.

lxp-webcvs:/ # mount
/dev/mapper/VG01-LVcvs on /cvs type ext3 (rw,acl,user_xattr)


SLES9 adds the acl option to fstab when you create a filesystem; you just have to unmount it and then mount it again for it to take effect. SLES8 requires you to unmount the filesystem, add the option to fstab manually, and then mount it again.

lxp-webcvs:/etc # more fstab
/dev/VG01/LVcvs      /cvs                 ext3       acl,user_xattr        1 2


The two basic commands for ACLs on Linux are getfacl and setfacl. If I getfacl on my cvs directory, I see:

lxp-webcvs:/ # getfacl cvs
# file: cvs
# owner: cvs
# group: cvs
user::rwx
group::rwx
other::r-x


This is what an ACL looks like if you haven't edited it at all: it simply mirrors the mode bits. Since I set the GID to be cvs for anything in this directory, I will add a default ACL entry so that the cvs group has write access to anything created within the directory.

lxp-webcvs:/ # setfacl -d -m group:cvs:rw- cvs

The -d flag writes to the default ACL, which is what new files and subdirectories inherit; it leaves the directory's own access ACL unchanged. The rw- shown for group:cvs below is just what the command asked for; POSIX ACLs can grant execute perfectly well. What limits an entry is the mask: named users, named groups and the owning group are all capped by the mask entry, and when the mask is tighter than an entry, getfacl appends a "#effective:" note showing the rights that are actually granted. (The listing below also carries a default:user:cvs:rw- entry, which this one command does not create.)

lxp-webcvs:/ # getfacl cvs
# file: cvs
# owner: cvs
# group: cvs
user::rwx
group::rwx
other::r-x
default:user::rwx
default:user:cvs:rw-
default:group::rwx
default:group:cvs:rw-
default:mask::rwx
default:other::r-x


Now if I touch a file in /cvs, its mode does not come from my umask but from the default ACL: when a directory has a default ACL, the umask is ignored and the default entries are intersected with the mode the creating process asks for (rw- for touch). The group bits you see in ls are the mask entry, not the owning group's entry.

lxp-webcvs:/cvs # touch yeti
-rw-rw-r--+   1 root cvs      0 May 17 08:23 yeti


The plus sign indicates that an extended ACL is in place; getfacl shows the detail. The setfacl command accepts a ton of flags, but the most useful ones are:

-d : apply changes to the default ACL (what new files inherit); omit it to change the access ACL of the directory or file itself
-m : modify ACL entries on the command line; this is way easier than building an ACL in a file and then importing it
-b : remove all extended entries, access and default, leaving only the plain mode bits; this is your friend if you screw up (-k removes just the default ACL)
-R : recursive; changes ACLs for all subdirectories and files... default ACLs are only copied at creation time, so if you already have directories and files in there that need to be changed as well, this is the option to use (combined with -d it sets the default ACL on every directory in the tree)
« Last Edit: October 31, 2007, 09:55:01 am by scotbuff »
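An added example, not from the post above, that works through the two points the post leaves implicit: how the mask entry caps named-user, named-group and owning-group entries (which is where getfacl's "#effective:" note comes from) and what mode a file picks up under a default ACL instead of the umask. The ACL listing is constructed to resemble the /cvs directory from the post, the group name "cvs" is assumed and does not need to exist for the parsing functions, and the optional live run uses the caller's own primary gid on a scratch directory, skipping cleanly when setfacl or ACL support is absent.

```shell
#!/bin/sh
# Added example (not from the original post). The getfacl text below is a
# constructed sample; "cvs" is an assumed group name.

# effective_perm PERM MASK: AND two "rwx"-style strings, e.g. rwx & r-- = r--
effective_perm() {
    p=$1; m=$2; out=""; i=1
    while [ "$i" -le 3 ]; do
        pc=$(printf '%s' "$p" | cut -c"$i")
        mc=$(printf '%s' "$m" | cut -c"$i")
        if [ "$pc" != "-" ] && [ "$mc" != "-" ]; then out="$out$pc"; else out="$out-"; fi
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# annotate_acl: read getfacl output on stdin and append "#effective:" the way
# getfacl does for every entry the mask restricts. Access entries are checked
# against mask::, "default:" entries against default:mask::.
annotate_acl() {
    awk '
    function and_perm(p, m,    i, r) {
        r = ""
        for (i = 1; i <= 3; i++)
            r = r ((substr(p, i, 1) != "-" && substr(m, i, 1) != "-") ? substr(p, i, 1) : "-")
        return r
    }
    { lines[NR] = $0 }
    /^mask::/         { split($0, f, ":"); mask["access"]  = f[3] }
    /^default:mask::/ { split($0, f, ":"); mask["default"] = f[4] }
    END {
        for (n = 1; n <= NR; n++) {
            line = lines[n]; split(line, f, ":")
            scope = "access"; tag = f[1]; qual = f[2]; perm = f[3]
            if (f[1] == "default") { scope = "default"; tag = f[2]; qual = f[3]; perm = f[4] }
            eff = perm
            # owner (user::) and other:: are never masked; named users,
            # named groups and the owning group (group::) are
            if ((tag == "user" && qual != "") || tag == "group") {
                if (scope in mask) eff = and_perm(perm, mask[scope])
            }
            if (eff != perm) printf "%s\t#effective:%s\n", line, eff
            else print line
        }
    }'
}

# new_file_mode DEF_USER DEF_MASK DEF_OTHER REQ: the 9-character mode a new
# file gets under a default ACL. The umask is ignored; the kernel intersects
# the default user::, mask:: and other:: entries with the mode the creating
# process requests (touch requests rw- for every class).
new_file_mode() {
    printf '%s%s%s\n' "$(effective_perm "$1" "$4")" \
                      "$(effective_perm "$2" "$4")" \
                      "$(effective_perm "$3" "$4")"
}

# live_demo: reproduce the post's setup on a scratch directory, using the
# caller's primary gid in place of the assumed "cvs" group. Prints "skipped"
# and still succeeds when setfacl or filesystem ACL support is missing.
live_demo() {
    command -v setfacl >/dev/null 2>&1 || { echo "skipped: no setfacl"; return 0; }
    d=$(mktemp -d) || return 0
    chmod 2775 "$d"                       # set-GID: new files inherit the group
    if setfacl -d -m "g:$(id -g):rw-" "$d" 2>/dev/null; then
        touch "$d/yeti"
        ls -ld "$d" "$d/yeti"             # expect "s" in the group triple, "+" on the file
        getfacl -p "$d/yeti" 2>/dev/null  # -p keeps the absolute path in "# file:"
    else
        echo "skipped: no ACL support on the filesystem holding $d"
    fi
    rm -rf "$d"
}

# Constructed listing: a mask of r-x tighter than the rwx entries under it.
SAMPLE_ACL='# file: cvs
# owner: cvs
# group: cvs
user::rwx
user:cvs:rw-
group::rwx
group:cvs:rwx
mask::r-x
other::r-x'

printf '%s\n' "$SAMPLE_ACL" | annotate_acl
new_file_mode rwx rwx r-x rw-             # the post's -rw-rw-r--+ file
live_demo
```

The mask is the piece most people trip over: `chmod g-w` on a file with an extended ACL changes the mask, not the owning group's entry, and every named entry is silently capped along with it. Running getfacl and reading the "#effective:" column is the only way to see what is actually granted.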