POSIX ACLs


I managed to get a used HP DL380 and a bunch of big drives (did I write about this already?), and my first instinct was to immediately put Linux on it, then figure out what to do with it later. After a moment I realized that most of the servers were filling up their drives and a file server would be an excellent addition. Then I also realized that most of the servers were Windows-based and everyone authenticated against Active Directory. Hmm, I had never set Samba up to authenticate against AD before; this sounded like a sweet challenge.

I am writing up a tutorial on what I did to get everything working. Everything was fairly straightforward until I started to track down the access lists. At first I thought I would limit directory access through the Samba ‘valid users’ option, but that was too limited, since I would need nested permissions, and I wasn’t about to create shares for EVERY nested directory that needed special permissions. What I ended up doing was allowing everyone to see all the shares, except some super secret ones where the management keeps the cheat codes to their video games. But rather than control access through Samba, I would do it all through ACLs on the file system.

If you haven’t used ACLs on a Linux system, don’t worry; I am guessing many haven’t. Rather than the vanilla UGO (user/group/other) perms of the standard Linux file system, you can get much more granular in who can see and do what. It’s still RWX based, but you can specify multiple users and groups and their specific perms per directory and file. Everything is controlled through the commands ‘getfacl’ and ‘setfacl’. I am writing some wrappers around these to simplify their usage, since I am going to have to teach a couple of people at work how to manipulate permissions. I will post it when I have something more. Might get a tutorial in with it too. 🙂
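As an added example (not code from the post or from the wrappers it mentions), here is a small Python script that parses getfacl output and evaluates access the way POSIX ACLs do, including the mask entry that silently caps named users, named groups and the owning group. The sample ACL, the path and the user and group names are constructed.

```python
# Added example (not from the post): parse getfacl output and evaluate access
# the way POSIX.1e does, including the mask that caps named entries.
# The sample below is constructed; the path, users and groups are made up.
SAMPLE_GETFACL = """\
# file: srv/share/finance
# owner: root
# group: finance
user::rwx
user:alice:rwx
group::rwx
group:auditors:r-x
mask::r-x
other::---
"""

def parse_getfacl(text):
    # No mask entry means nothing is capped; '' qualifier = owner/owning-group entry
    acl = {"mask": "rwx", "users": {}, "groups": {}}
    for line in text.splitlines():
        if line.startswith("# owner:") or line.startswith("# group:"):
            acl[line[2:7]] = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            tag, qual, rest = line.split(":", 2)
            if tag == "default":   # inherited by new children, not consulted here
                continue
            perms = rest[:3]       # drop any trailing '#effective:' annotation
            if tag in ("user", "group"):
                acl[tag + "s"][qual] = perms
            else:
                acl[tag] = perms   # 'mask' or 'other'
    return acl

def _bits(p):
    return {c for c in p if c in "rwx"}

def may_access(acl, user, groups, want):
    """Check order: owner, named user, matching groups, other. Named and
    owning-group entries are ANDed with the mask; one matching group entry
    must grant every requested bit (r, w, x)."""
    need, mask = _bits(want), _bits(acl["mask"])
    if user == acl.get("owner"):
        return need <= _bits(acl["users"][""])
    if user in acl["users"]:
        return need <= (_bits(acl["users"][user]) & mask)
    cands = [p for g, p in acl["groups"].items() if (g or acl.get("group")) in groups]
    if cands:
        return any(need <= (_bits(p) & mask) for p in cands)
    return need <= _bits(acl["other"])
```

Running `may_access(parse_getfacl(SAMPLE_GETFACL), "alice", set(), "w")` returns False even though alice has rwx, which is exactly the mask surprise that a chmod on the directory can trigger.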
