
Feature: Tools & Utilities

Smart ACL management with Eiciel

By Shashank Sharma on June 18, 2008 (4:00:00 PM)


The traditional file permission model, where read, write, and execute permissions are set on each file for the user, group, and others (UGO), has one drawback: it cannot grant permissions to anyone beyond the owner, a single group, and everyone else. For per-user or per-group permissions you need access control lists (ACLs). Eiciel is a graphical tool that integrates with the Nautilus file manager and makes ACL management easy.

The UGO model lets you associate only one group with a file. Suppose you want user Charlie to have read permission on a file and user Alexia to have read and write permission, and Charlie and Alexia belong to different groups: the UGO model simply cannot express that. With ACLs, you can specify elaborate permissions for multiple users and groups on the same file.

Although Eiciel is a GNOME tool, you can run it on KDE as well if you have the necessary GNOME libraries installed. ACL support is built into the 2.6 kernel, and ext2, ext3, XFS, JFS, and ReiserFS are all ACL-capable. Note that ext2 and ext3 only honour ACLs when the filesystem is mounted with the acl option (or has it set as a default mount option with tune2fs), so check your mount options if setfacl reports that the operation is not supported.

You can install Eiciel from your distribution's official software repositories using apt-get or yum. Once installed, Eiciel is available as a standalone application or as a Nautilus extension, but you'll have to restart Nautilus before you can use the extension. After restarting Nautilus with the killall nautilus command, right-click on a file, select Properties, and click the Access Control List tab to define ACL entries.

ACLs are built from the same read, write, and execute permissions, but each entry applies to one specific user or group. To define ACLs for users and groups, add them to the access control list by selecting them from the bottom half of the window and clicking Add. You can then define permissions for each of the users or groups you just added. The users and groups are listed under Entry with three check-boxes corresponding to read, write, and execute, so you can define any combination of permissions for the users and groups of your choice.

On Fedora machines, you need to tick the Also show system participants check-box before you can see the various users and groups. Eiciel hides accounts with IDs below 1000 as system participants by default, and Fedora numbers ordinary users starting at 500, not 1000 as other distributions do. Usually, user IDs below 1000 are reserved for system accounts such as root, apache, and ftp.

The User radio button under System Participants is selected by default when you click the Access Control List tab in the Properties window. You can add groups to the ACL by clicking the Group radio button.

The Mask entry defines the maximum permissions that named users, named groups, and the owning group can actually exercise; it does not apply to the file's owner or to others. If you grant an entry a permission that the mask does not allow, Eiciel puts an exclamation mark next to that permission: the permission is stored in the entry but is not effective (getfacl reports the same situation with an #effective: comment next to the entry). So if the mask allows only read and write, no named user or group can effectively execute the file. Eiciel won't stop you from ticking execute, but the exclamation mark shows that the execute permission is not in effect. Be aware that setfacl behaves differently: unless you pass -n or set the mask explicitly, it recalculates the mask to the union of the owning-group and named entries every time you modify the ACL, so a permission you grant on the command line normally takes effect immediately.

Unfortunately, Eiciel doesn't yet support recursion, so if you have to set ACLs for multiple files or for a whole directory tree, you'd have to do it individually for each file. The setfacl command, Eiciel's command-line counterpart, supports recursion (-R) and default ACLs for directories (-d, inherited by files created there later), in addition to all the other features Eiciel offers.

The command setfacl -m u:charlie:rw /home/linuxlala/quotes.txt grants read and write permission to user charlie. You can also define permissions for more than one user and group at the same time, like so: setfacl -m u:alice:r,u:charlie:rw,g:linuxlala:r /home/linuxlala/quotes.txt. To verify that the ACL has been set as intended, use the getfacl command:

getfacl /home/linuxlala/quotes.txt
# file: quotes.txt
# owner: linuxlala
# group: linuxlala
user::rwx
user:alice:r--
user:charlie:rw-
group::r--
group:linuxlala:r--
mask::rwx
other::r-x
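To make the mask and the lookup order concrete, here is an added Python example; it is not code from Eiciel or from the acl package. It parses getfacl output and applies the POSIX.1e access check in the order the Linux kernel uses: the owner entry first, then a named user entry, then every matching group entry, then other. The sample text is constructed: it is the getfacl output above with the mask narrowed to r-- (what setfacl -m m::r quotes.txt would leave behind), so charlie's stored rw- entry is clipped to r--, the case Eiciel marks with an exclamation mark.

```python
"""Parse getfacl(1) output and evaluate a POSIX.1e access check.

Added example: not code from Eiciel or the acl package. SAMPLE is
constructed from the article's getfacl output with the mask narrowed
to r-- (as `setfacl -m m::r quotes.txt` would leave it).
"""
from dataclasses import dataclass, field
from typing import Optional

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def parse_perms(text: str) -> int:
    """'rw-' -> 6; '-' and anything else is ignored."""
    return sum(PERM_BITS[c] for c in text if c in PERM_BITS)


def fmt_perms(bits: int) -> str:
    return "".join(c if bits & b else "-" for c, b in PERM_BITS.items())


@dataclass
class Acl:
    owner: str = ""
    group: str = ""
    user_obj: int = 0           # user::   owner entry, never masked
    group_obj: int = 0          # group::  owning-group entry, masked
    other: int = 0              # other::  never masked
    mask: Optional[int] = None  # mask::   absent on a minimal (UGO-only) ACL
    users: dict = field(default_factory=dict)   # user:NAME:perms
    groups: dict = field(default_factory=dict)  # group:NAME:perms


def parse_getfacl(text: str) -> Acl:
    acl = Acl()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("default:"):  # default ACL: not used for access
            continue
        if line.startswith("#"):  # "# file:", "# owner:", "# group:" header comments
            key, _, value = line[1:].partition(":")
            if key.strip() == "owner":
                acl.owner = value.strip()
            elif key.strip() == "group":
                acl.group = value.strip()
            continue
        # getfacl appends "\t#effective:..." to clipped entries; keep the entry only.
        tag, qualifier, perms = line.split()[0].split(":", 2)
        bits = parse_perms(perms)
        if tag in ("user", "group") and qualifier:
            (acl.users if tag == "user" else acl.groups)[qualifier] = bits
        elif tag == "user":
            acl.user_obj = bits
        elif tag == "group":
            acl.group_obj = bits
        elif tag == "mask":
            acl.mask = bits
        elif tag == "other":
            acl.other = bits
        else:
            raise ValueError(f"unknown ACL entry: {line}")
    return acl


def clipped_entries(acl: Acl) -> dict:
    """Entries whose stored permissions exceed the mask: what Eiciel flags
    with '!' and getfacl reports as '#effective:'. {label: effective perms}"""
    if acl.mask is None:
        return {}
    labelled = [("group::", acl.group_obj)]
    labelled += [(f"user:{u}", p) for u, p in acl.users.items()]
    labelled += [(f"group:{g}", p) for g, p in acl.groups.items()]
    return {lab: fmt_perms(p & acl.mask) for lab, p in labelled if p & acl.mask != p}


def check_access(acl: Acl, user: str, groups, want: str) -> bool:
    """POSIX.1e access check, in the order the kernel evaluates entries."""
    w = parse_perms(want)
    mask = 7 if acl.mask is None else acl.mask
    if user == acl.owner:                          # 1. owner: user::, mask not applied
        return acl.user_obj & w == w
    if user in acl.users:                          # 2. named user, masked
        return acl.users[user] & mask & w == w
    matched = False                                # 3. owning group + named groups
    for name, perm in [(acl.group, acl.group_obj), *acl.groups.items()]:
        if name in groups:
            matched = True
            if perm & mask & w == w:               # any single matching entry suffices
                return True
    if matched:                                    # matched a group but none granted:
        return False                               # denied; no fallback to other::
    return acl.other & w == w                      # 4. other::, mask not applied


SAMPLE = """\
# file: quotes.txt
# owner: linuxlala
# group: linuxlala
user::rwx
user:alice:r--
user:charlie:rw-\t#effective:r--
group::r--
group:linuxlala:r--
mask::r--
other::r-x
"""

if __name__ == "__main__":
    acl = parse_getfacl(SAMPLE)
    print("clipped by mask:", clipped_entries(acl))
    print("charlie may write:", check_access(acl, "charlie", {"users"}, "w"))
    print("bob (group linuxlala) may execute:", check_access(acl, "bob", {"linuxlala"}, "x"))
```

Two things the block shows that the GUI does not make obvious: a user who matches a group entry that does not grant the request is refused outright rather than falling through to the more permissive other:: entry, and the mask never touches the owner's own entry or other::.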

Despite its ease of use, Eiciel still has a long way to go before it can compete with the setfacl command, while setfacl lacks the charm of Eiciel.

Shashank Sharma specializes in writing about free and open source software for new users and moderates the forum boards. He is the coauthor of Beginning Fedora, published by Apress.



Comments on Smart ACL management with Eiciel

Note: Comments are owned by the poster. We are not responsible for their content.

Smart ACL management with Eiciel

Posted by: Anonymous [ip:] on June 19, 2008 10:56 AM
Besides being able to set permissions on subdirectories, one very big shortcoming of the ACL implementation in Linux is that you cannot 'inherit' permissions from a parent.
You can set default rights, but these will only be enforced for newly created files.
What we run up against is that most people create documents in their private space (home, desktop, etc.) and once ready they want to copy it to a shared folder where team members can access it.
Unfortunately, even though default permissions are defined on the shared folder, we keep on having files with private permissions on them.

I do understand that this can be seen as a security feature, but in practice it can be a real pain in the ....


Re: Smart ACL management with Eiciel

Posted by: Anonymous [ip:] on June 19, 2008 01:43 PM
This is not something Linux-specific. It does not work for copying since a copy command will implicitly end up doing a chmod() on the destination file to match the permissions of the source file. As per the ACL spec this will cause recalculation of the ACL mask to read-only. It is not a security feature, rather a result of mixing non-ACL files with ACL files, and the default in copy is to try and match the permissions of the source.

If you want copying to work as desired, then I think the easiest would be to set the default ACL mask to rw on all the source directories from where copying can be done (e.g. home directory recursively and /tmp), and on existing files. Then creation of new files in those directories will set the ACL mask to rw and copy will not cause changing of the mask.
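As an added illustration of the mechanism described in the reply above (this is not part of the original thread), the following Python models the kernel's mode-to-ACL mapping: when a file is created in a directory with a default ACL, or when chmod() is applied to a file that already has an extended ACL, the group bits of the mode land on the mask entry rather than on the owning-group entry. ACLs are plain dicts from entry label to rwx bits; the shared directory's default ACL and the two source files are constructed for the example, and the umask is ignored for clarity.

```python
"""Why copying a private file into a shared ACL directory leaves it private.

Added example, not part of the original thread. Models the POSIX.1e
mode/ACL mapping the kernel applies on file creation and on chmod().
An ACL is a dict: {"user::": 7, "group:team": 6, "mask::": 6, ...}.
"""


def mode_bits(mode: int):
    """Split a mode such as 0o640 into (owner, group, other) rwx triples."""
    return (mode >> 6) & 7, (mode >> 3) & 7, mode & 7


def stat_mode(acl: dict) -> int:
    """st_mode bits stat() reports for the file: with an extended ACL the
    group triple is the mask, not the owning-group entry."""
    group_triple = acl.get("mask::", acl["group::"])
    return (acl["user::"] << 6) | (group_triple << 3) | acl["other::"]


def create_with_default_acl(default_acl: dict, create_mode: int) -> dict:
    """New file in a directory carrying a default ACL: the default entries
    are inherited, then user::, mask:: (or group:: if there is no mask)
    and other:: are ANDed with the mode passed to open(O_CREAT)."""
    u, g, o = mode_bits(create_mode)
    acl = dict(default_acl)
    acl["user::"] &= u
    if "mask::" in acl:
        acl["mask::"] &= g      # group bits of the mode restrict the mask
    else:
        acl["group::"] &= g
    acl["other::"] &= o
    return acl


def chmod(acl: dict, mode: int) -> dict:
    """chmod() on a file with an extended ACL: the new mode's group bits
    REPLACE the mask; named entries and group:: keep their stored value."""
    u, g, o = mode_bits(mode)
    acl = dict(acl)
    acl["user::"] = u
    if "mask::" in acl:
        acl["mask::"] = g
    else:
        acl["group::"] = g
    acl["other::"] = o
    return acl


def cp(src_acl: dict, dest_default_acl: dict) -> dict:
    """cp(1) without -p: the destination is created with the source's
    st_mode bits; the source's own ACL entries are not copied."""
    return create_with_default_acl(dest_default_acl, stat_mode(src_acl))


def ineffective(acl: dict) -> list:
    """group:: and named entries whose stored permissions exceed the mask
    (what getfacl shows as #effective:)."""
    mask = acl.get("mask::", 7)
    return sorted(k for k, p in acl.items()
                  if k not in ("user::", "mask::", "other::") and p & mask != p)


# Constructed: default ACL of a shared directory, roughly what
# `setfacl -d -m g:team:rw /srv/shared` leaves behind.
TEAM_DEFAULT = {"user::": 7, "group::": 6, "group:team": 6, "mask::": 6, "other::": 4}

# Constructed source files: a plain 0600 file with no ACL, and the same file
# after the fix proposed above (an ACL whose mask is rw-).
PRIVATE_FILE = {"user::": 6, "group::": 0, "other::": 0}
RELAXED_FILE = {"user::": 6, "group::": 0, "user:alice": 4, "mask::": 6, "other::": 0}

if __name__ == "__main__":
    broken = cp(PRIVATE_FILE, TEAM_DEFAULT)
    print("copied 0600 file -> mask", broken["mask::"], "ineffective:", ineffective(broken))
    print("after chmod 660 -> ineffective:", ineffective(chmod(broken, 0o660)))
    good = cp(RELAXED_FILE, TEAM_DEFAULT)
    print("copied file whose mask is rw- -> ineffective:", ineffective(good))
```

The copied 0600 file ends up with a mask of --- and the team entry stored but useless, exactly the symptom in the first comment; copying a file whose own mask is rw- carries that mask through, which is why the suggested fix of setting the mask in the source directories works, and a chmod g+rw (or setfacl -m m::rw) on the copy repairs it after the fact.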


Smart ACL management with Eiciel

Posted by: Anonymous [ip:] on June 19, 2008 02:16 PM
I hate to say this but in Wi$(ows permissions can be set as inheritable, and this makes it possible to copy files to other locations with the files receiving the proper permissions for that location.
So it is specific to Linux, though I do understand that the Linux ACL implementation is based on POSIX. But does this limit us from looking into options to make a system more usable?
I think inheritable permissions should be possible to facilitate file sharing for larger groups.


Re: Smart ACL management with Eiciel

Posted by: Anonymous [ip:] on June 19, 2008 02:40 PM
By "not specific to Linux" I meant that this was behavior expected of any POSIX implementation. As mentioned above, the reason is that copying in Linux will try to match the permissions (cp -a will try to match exactly) of the source by doing a chmod. Also as mentioned, there is a solution for your requirement -- take it or leave it.

Of course, since we have the source it is always possible to patch <your favorite file manager> to reset ACL mask -- the patch should be simple enough.


Re(1): Smart ACL management with Eiciel

Posted by: Anonymous [ip:] on June 24, 2008 03:06 PM
First of all, I do not mean to offend anybody by continuing a discussion. I think comments like 'take it or leave it' have never helped innovation in any way. Also the comment 'you have the source...' is not a comment helping open source in any way. A user should also be able to participate in discussions to improve functionality.

The solution provided of changing the source directories permissions is not generic. It depends on a setup of the structure. But what happens if for example files from a USB stick, CD, a network drive are copied to an ACL enabled directory?

As mentioned, although POSIX does not support it, inheritance of permissions could be a very useful feature to implement.

Just my 0.02


Smart ACL management with Eiciel

Posted by: Ashok Koparday on June 20, 2008 02:33 PM
Hi Shashank,
This is not about Smart ACL, but about my desperation to get the Ubuntu OS.
I am in Mumbai. Shipped versions of the latest Ubuntu did not work.
I will appreciate some pointers so I can begin using Ubuntu.
Ashok Koparday


