Here is a rundown of the basic commands we're using:
$ getfacl /var/www
getfacl - Get current ACLs for the given directory or file

$ setfacl -R -m u:johndoe:rwx /var/www
setfacl - Set ACL
-R - Recurse down into files and directories
-m - Modify ACLs (vs removing them)
u:johndoe:rwx - The user johndoe will get rwx permissions
/var/www - Give these permissions to the /var/www directory (and sub files/dirs, since this is a recursive operation via the -R flag)

$ setfacl -R -m g:www-data:rwx /var/www
The same as above, except:
g:www-data:rwx - Allow the group www-data to rwx the /var/www directory

$ setfacl -x g:www-data /var/www
-x - Remove ACLs defined for g:www-data at location /var/www
Here are the commands used in the video:
Create the users we'll use:
# Create user jane
root@server $ adduser jane
# Give jane the ability to use "sudo"
root@server $ usermod -a -G sudo jane
# Create user bob
root@server $ adduser bob
# Bob, a user who can deploy web sites,
# is part of group www-data, the same group as
# our website files
root@server $ usermod -a -G www-data bob
We'll ensure files in our web root are of group "www-data". This is not necessary for ACL permissions, but we do so to keep things consistent.
# Ensure the site files have user/group "www-data"
# This is not necessary for ACLs
root@server $ chown -R www-data:www-data /var/www
Start using some ACL basics. Here we give a user permission to read/write/execute files and directories using ACLs instead of the classic Linux permissions.
# Check out the ACLs set by default
# These are separate from the usual user/group permissions
root@server $ getfacl /var/www
# Give user jane the ability to rwx web files at
# directory /var/www
# Technically she wouldn't *need* this,
# since she could use her sudo abilities
root@server $ setfacl -R -m u:jane:rwx /var/www
# Above we set ACL for existing files/dirs
# Here we will recursively (-R) set the
# defaults (-d flag) for future files/dirs
root@server $ setfacl -Rd -m u:jane:rwx /var/www
# Check new permissions added
# (current dir/files and defaults)
root@server $ getfacl /var/www
Next we give group-based permissions via ACLs to the web files. This is (arguably) more useful, as we can then give any user a secondary group (www-data in this case) to allow them to edit the web files, regardless of what the owner or group of those files is.
# Add group-based permissions, instead of user-specific
# This allows anyone in group "www-data" (like bob) to
# rwx files in /var/www
# This sets the ACL on existing files/dirs
root@server $ setfacl -R -m g:www-data:rwx /var/www
# Recursively (-R) set the defaults (-d)
# for future files/dirs as well
root@server $ setfacl -Rd -m g:www-data:rwx /var/www
# View changes
root@server $ getfacl /var/www
To reiterate: these files/dirs don't need to be in group "www-data" for bob to be able to edit them. ANY USER who is part of group "www-data" can now edit files/dirs in directory /var/www!
Here are some things worth noting on using ACLs:
# Keep setfacl flags/options in two groups to avoid errors:
# the general flags (such as -R and -d) can be combined, e.g. -Rd,
# while the ACL action (-m or -x) takes its own argument, followed
# by the file(s). Running setfacl with no arguments shows this:
root@server $ setfacl
> Usage: setfacl [-bkndRLP] { -m|-M|-x|-X ... } file ...
Now test our new settings to see how they behave:
# Some testing:
# Jane creates a dir
jane@server $ mkdir -p /var/www/site/styles
# Ensure bob can write to that location:
bob@server $ touch /var/www/site/styles/styles.css
# See the ACLs on the new dir - they are inherited from the parent dir
# thanks to the ACL defaults we set
root@server $ getfacl /var/www/site/styles
# Just to be "clean", make site files all
# part of group www-data. Again, this is
# unnecessary for ACL permissions
root@server $ chgrp -R www-data /var/www
# Set the gid (group id) used for new dirs/files
# in the /var/www directory - new ones will have
# group "www-data" just like their parent directory
#
# This technically isn't necessary, as ACL group permissions
# for group "www-data" will function based on the user's assigned
# group rather than the group that is assigned to the site files
# ...But this is handy to know still
root@server $ chmod -R g+s /var/www
# Lastly, check the set permissions
# Note the "s" where you usually see "x"
# in the group permissions
bob@server $ ls -lah /var/www
> drwxrwsr-x 3 www-data www-data 4096 Jan 12 20:34 Site
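Since any member of www-data (and jane) can now write to the web root, it is worth having a quick way to audit who the ACLs actually let write, including the inherited entries on files like styles.css and the effect of the mask. The helper below is an added example, not from the original notes; it parses getfacl text and assumes the output came from `getfacl -pR /var/www` (-p keeps the leading "/" on paths). The sample output it runs on is constructed to match the commands above.

```shell
# Added audit helper (not from the original notes): read getfacl output and
# list every *named* user/group ACL entry that grants write access.
# Default entries are reported too, since they propagate to new files/dirs.
# When the mask limits an entry, getfacl appends "#effective:<perms>"; the
# last colon-separated field is then the effective permission we report.
acl_writers() {
  awk '
    /^# file: / { path = substr($0, 9); next }
    # named entries have a non-empty qualifier between the two colons
    /^(default:)?(user|group):[^:]+:/ {
      n = split($0, f, ":")
      perms = f[n]
      if (perms ~ /w/) print path, $1, perms
    }
  '
}

# Constructed sample, shaped like getfacl -pR output after the setfacl
# commands above: the web root with current + default entries, and the
# styles.css bob created (its mask rw- trims the inherited rwx entries).
SAMPLE_ACL='# file: /var/www
# owner: www-data
# group: www-data
user::rwx
user:jane:rwx
group::r-x
group:www-data:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:jane:rwx
default:group::r-x
default:group:www-data:rwx
default:mask::rwx
default:other::r-x

# file: /var/www/site/styles/styles.css
# owner: bob
# group: www-data
user::rw-
user:jane:rwx          #effective:rw-
group::r-x             #effective:r--
group:www-data:rwx     #effective:rw-
mask::rw-
other::r--
'
printf '%s\n' "$SAMPLE_ACL" | acl_writers
```

On a real server, replace the sample with `getfacl -pR /var/www | acl_writers` to list each path with the named entry and its effective permission.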