This started out with having installed several programs within an LXC container, all running under separate user accounts that need to access a shared data pool. Growing tired of manually flipping permission bits so that the programs could all work together, I wanted a way to ensure that files created by one program could be both renamed and moved by another program (running as a different user).
Turns out that POSIX ACLs provided what I needed: going beyond the standard user/group/other UNIX permission model, POSIX ACLs allow you to define additional user or group permissions. For example, instead of giving an entire group read/write permission over a file, ACLs allow you to specify a particular user that has read/write permissions (in addition to the file owner).
In my case, I wanted all files written to a particular directory to automatically become modifiable by all users in a specific group. POSIX ACLs allow for the specification of a default directory ACL. This is different from the traditional UNIX directory sticky bit (which allows all users to create directory entries) in that you can effectively extend read/write permissions to additional users as if they were the owner.
The directory where I’d like to have shared permissions is on ZFS. By default, Linux ZFS doesn’t have POSIX ACLs enabled. However, it is quite easy and quick to enable.
ZFS defines ACLs on pools via the acltype property. POSIX ACLs are enabled by setting acltype=posixacl.
In reference to posixacl, the Linux zfs man page suggests:
To obtain the best performance when setting posixacl users are strongly encouraged to set the
When describing the xattr property, the ZFS man page states:
The key advantage of this type of xattr is improved performance. Storing xattrs as system attributes significantly decreases the amount of disk IO required. […] The use of system attribute based xattrs is strongly encouraged for users of SELinux or Posix ACLs. Both of these features heavily rely on xattrs and benefit significantly from the reduced xattr access time.
Improved performance? Sure, let’s sprinkle that all over the place…
Enable POSIX ACLs with:
$ zfs set xattr=sa vpool/media
$ zfs set acltype=posixacl vpool/media
Well, that was easy.
Back to POSIX ACLs on Linux…
Make sure the acl package is installed:
$ sudo apt-get install acl
The getfacl program lists ACLs on a file or directory. For example, here we list the permissions of the current directory using ls and see the standard UNIX permission bits:
$ ls -ld .
drwxr-xr-x 64 jburke jburke 140 Feb 4 18:02 .
getfacl gives more verbose output:
$ getfacl .
# file: .
# owner: jburke
# group: jburke
user::rwx
group::r-x
other::r-x
To enable the media group to automatically have read, write, and execute permissions on new directory entries, we use setfacl with the -d (default ACL) option:
$ setfacl -d -m g:media:rwx .
$ getfacl .
# file: .
# owner: jburke
# group: media
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::r-x
default:group:media:rwx
default:mask::rwx
default:other::r-x
Note the default:group:media line, indicating that the media group has rwx permission by default.
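As an added example (not code from the original post), here is a small Python parser for getfacl's long-form output, fed the listing above. It applies the mask entry to named-group and owning-group rights, since the mask is what silently caps a named user or group's effective permissions below what its own entry shows; the sample listing is constructed from the output above.

```python
import re

# Constructed sample: the default-ACL listing shown above, as getfacl prints it.
SAMPLE_ACL = """\
# file: .
# owner: jburke
# group: media
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::r-x
default:group:media:rwx
default:mask::rwx
default:other::r-x
"""

# [default:]tag:qualifier:perms, e.g. "default:group:media:rwx" or "user::rwx"
ENTRY_RE = re.compile(r"^(default:)?(user|group|mask|other):([^:]*):([rwx-]{3})$")


def parse_acl(text):
    """Parse getfacl output into {(is_default, tag, qualifier): perms}."""
    entries = {}
    for line in text.splitlines():
        # Drop header lines and any trailing "#effective:..." annotation.
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError("unrecognised ACL entry: %r" % line)
        is_default, tag, qualifier, perms = m.groups()
        entries[(bool(is_default), tag, qualifier)] = perms
    return entries


def effective(entries, tag, qualifier="", default=False):
    """Rights an entry really grants: named users/groups and the owning group
    are ANDed with the mask; the owner (user::) and other:: are never masked."""
    perms = entries[(default, tag, qualifier)]
    if tag in ("user", "other") and qualifier == "":
        return perms
    mask = entries.get((default, "mask", ""))
    if mask is None:  # minimal ACL without a mask entry: nothing to restrict
        return perms
    return "".join(p if p == m else "-" for p, m in zip(perms, mask))
```

Tightening the mask to r-x, for instance, leaves the default:group:media entry reading rwx while the group can no longer write.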
For my immediate goals, this was mission accomplished: new files and directories created would automatically have read/write/execute permissions for all members of the media group.
Once I was satisfied that ACLs were working as needed on my test directory, I used setfacl to transfer the settings to another directory. One feature of setfacl is reading ACLs from stdin:
$ getfacl srcdir | setfacl -R --set-file=- dstdir
Note that default ACLs applied to a directory do not affect the contents of the directory that already exist.