This started out with having installed several programs within a LXC container, all running under separate user accounts that need to access a shared data pool. Growing tired of manually flipping permission bits so that the programs could all work together, I wanted a way to ensure that files created by one program could be both renamed and moved by another program (running as a different user).
Turns out that POSIX ACLs provided what I needed: going beyond the standard user/group/other UNIX permission model, POSIX ACLs allow you to define additional user or group permissions. For example, instead of giving an entire group read/write permission over a file, ACLs allow you to specify a particular user that has read/write permissions (in addition to the file owner).
In my case, I wanted all files written to a particular directory to automatically become modifiable by all users in a specific group. POSIX ACLs allow for the specification of a default directory ACL. This is different from the traditional UNIX directory sticky bit (which allows all users to create directory entries) in that you can effectively extend read/write permissions to additional users as if they were the owner.
ZFS detour
The directory where I’d like to have shared permissions is on ZFS. By default, Linux ZFS doesn’t have POSIX ACLs enabled. However, it is quite easy and quick to enable.
ZFS defines ACLs on pools via the acltype property. POSIX ACLs are enabled by setting acltype=posixacl.
In reference to posixacl, the Linux zfs man page suggests:
To obtain the best performance when setting posixacl users are strongly encouraged to set the xattr=sa property.
When describing the xattr property, the ZFS man page states:
The key advantage of this type of xattr is improved performance. Storing xattrs as system attributes significantly decreases the amount of disk IO required. […] The use of system attribute based xattrs is strongly encouraged for users of SELinux or Posix ACLs. Both of these features heavily rely on xattrs and benefit significantly from the reduced xattr access time.
Improved performance? Sure, let’s sprinkle that all over the place…
Enable POSIX ACLs with:
$ zfs set xattr=sa vpool/media
$ zfs set acltype=posixacl vpool/media
Well, that was easy.
Back to POSIX ACLs on Linux…
Make sure the acl package is installed:
$ sudo apt-get install acl
The getfacl program lists ACLs on a file or directory. For example, here we list the permissions of the current directory using ls and see the u=rwx,g=rx,o=rx permission bits.
$ ls -ld .
drwxr-xr-x 64 jburke jburke 140 Feb 4 18:02 .
getfacl gives more verbose output:
$ getfacl .
# file: .
# owner: jburke
# group: jburke
user::rwx
group::r-x
other::r-x
To enable the media group to automatically have read, write, and execute permissions on new directory entries, we use the setfacl program:
$ setfacl -d -m g:media:rwx .
$ getfacl .
# file: .
# owner: jburke
# group: media
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::r-x
default:group:media:rwx
default:mask::rwx
default:other::r-x
Notice the default:group:media line indicating that the media group has rwx permission by default.
For my immediate goals, this was mission accomplished: new files and directories created in this directory would automatically carry read/write/execute permissions for all members of the media group.
Once I was satisfied that ACLs were working as needed on my test directory, I used getfacl and setfacl to transfer the settings to another directory. One feature of setfacl is reading ACLs from stdin:
$ getfacl srcdir | setfacl -R --set-file=- dstdir
Defaults
Note that a default ACL applied to a directory only governs entries created afterwards; it does not change the ACLs of files and subdirectories that already exist in the directory.
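The following script is an added example, not part of the original post: it sets a default ACL on a scratch directory and checks which entries actually pick it up (new files, new subdirectories, and pre-existing files only after an explicit recursive setfacl). It assumes the acl package is installed, that $TMPDIR is on an ACL-capable filesystem, and it uses numeric gid 0 as a stand-in for the media group so it runs on any host.

```shell
#!/bin/sh
# Added example: what a default ACL does and does not do.
# Assumes setfacl/getfacl (acl package) and an ACL-capable filesystem.
# ACL_GID stands in for the "media" group; gid 0 is assumed so the
# script runs anywhere. Set ACL_GID to the real gid of "media" to test it.
ACL_GID=${ACL_GID:-0}

# Print "yes" if the ACL of $1 has an entry starting with $2, else "no".
# -n prints numeric ids, -c omits the "# file:/# owner:" header lines.
has_acl_entry() {
    if getfacl -n -c "$1" 2>/dev/null | grep -q "^$2"; then
        echo yes
    else
        echo no
    fi
}

# Create a scratch directory, set a default ACL for ACL_GID, then compare a
# file that existed before the default ACL with entries created afterwards.
# Prints "r1 r2 r3 r4" (expected "no yes yes yes"), or "skipped" when the
# tools or filesystem do not support POSIX ACLs.
default_acl_demo() {
    d=$(mktemp -d) || return 1
    : > "$d/before.txt"                        # exists before the default ACL
    if ! setfacl -d -m "g:$ACL_GID:rwx" "$d" 2>/dev/null; then
        rm -rf "$d"
        echo skipped
        return 0
    fi
    : > "$d/after.txt"                         # new file: inherits the entry
    mkdir "$d/subdir"                          # new dir: inherits entry + default
    r1=$(has_acl_entry "$d/before.txt" "group:$ACL_GID:")           # no
    r2=$(has_acl_entry "$d/after.txt"  "group:$ACL_GID:rwx")        # yes
    r3=$(has_acl_entry "$d/subdir"     "default:group:$ACL_GID:rwx") # yes
    # Pre-existing entries change only when an access ACL is applied to
    # them explicitly, e.g. recursively with -R (no -d this time).
    setfacl -R -m "g:$ACL_GID:rwx" "$d"
    r4=$(has_acl_entry "$d/before.txt" "group:$ACL_GID:rwx")        # yes
    rm -rf "$d"
    echo "$r1 $r2 $r3 $r4"
}

case "${1:-}" in
    run) default_acl_demo ;;
esac
```

Note that for after.txt getfacl also prints an "#effective:" column: the inherited rwx entry is capped by the file's mask, which is derived from the creation mode, so a 0644 file grants the group only read access until the mask is widened.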