Linux file ACLs

I am currently working on providing WebDAV access to the LCFG subversion repository. This is being done in a fairly generic way so that the LCFG configuration could be reused for other LCFG managed repositories. Currently it is only available via ssh and access is controlled by making the directory owned by root and accessible only by users in the lcfgsvn group. This is a problem for providing WebDAV access without breaking the previous access method, as the apache user is not in that group and, in the case of Informatics, cannot be added to the group membership data, which is stored in LDAP. Simon suggested that as the filesystem is ext3 I should experiment with ACLs; this isn’t something I’ve used before but it was actually very easy to achieve what I needed. Here are the basics:

$ mount / -o acl,remount
$ mkdir /var/svn/lcfg
$ chgrp lcfgsvn /var/svn/lcfg
$ chmod 0770 /var/svn/lcfg
$ setfacl -m g:apache:rwx /var/svn/lcfg
$ getfacl --access /var/svn/lcfg | setfacl -d -M- /var/svn/lcfg

Most of that is fairly self-explanatory. The first and most important step is to remount the root partition to gain ACL support (a remount only lasts until the next boot, so the acl option also needs adding to the entry in /etc/fstab). Once the directory is created it has to be configured with the standard permissions. I then added a further group access ACL for apache. The final step is the more interesting one and worth remembering: it takes the current access ACLs and makes them the default for any content created within that directory. The default only applies to new content, so if the directory had already existed it would have been necessary to do a recursive setfacl on the contents:

$ setfacl -R -m g:apache:rwx /var/svn/lcfg
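One check worth doing after those commands is to look at what each ACL entry is effectively granted, because the mask entry (which chmod rewrites) silently caps every named entry and the owning group. The Python below is an added example, not code from the post or from LCFG: it parses getfacl output, applies the mask, and reports any entry whose effective rights are smaller than the rights it was given. The two getfacl listings it works on are constructed, one for /var/svn/lcfg as set up above and one after a hypothetical later chmod 750.

```python
"""Parse getfacl output and report the effective rights once the mask is applied."""
from dataclasses import dataclass

# Constructed sample: roughly what `getfacl --access /var/svn/lcfg` prints after
# the chgrp/chmod/setfacl commands in the post. Not captured from a real host.
SAMPLE_GETFACL = """\
# file: var/svn/lcfg
# owner: root
# group: lcfgsvn
user::rwx
group::rwx
group:apache:rwx
mask::rwx
other::---
"""

# Constructed sample: the same directory after a hypothetical `chmod 750`.
# chmod's group bits rewrite the mask, so group entries are capped at r-x and
# getfacl annotates them with "#effective:".
SAMPLE_AFTER_CHMOD = """\
# file: var/svn/lcfg
# owner: root
# group: lcfgsvn
user::rwx
group::rwx              #effective:r-x
group:apache:rwx        #effective:r-x
mask::r-x
other::---
"""


@dataclass(frozen=True)
class AclEntry:
    tag: str        # user, group, mask or other
    qualifier: str  # name for named entries, "" for owner, owning group, mask, other
    perms: str      # rights as granted, e.g. "rwx" or "r-x"

    @property
    def key(self) -> str:
        return f"{self.tag}:{self.qualifier}"


def _intersect(perms: str, mask: str) -> str:
    """Rights present in both the entry and the mask (bitwise AND on rwx)."""
    return "".join(p if p != "-" and m != "-" else "-" for p, m in zip(perms, mask))


def parse_getfacl(text: str) -> list[AclEntry]:
    """Turn getfacl's long-form output into AclEntry objects."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop header lines and #effective: notes
        if not line:
            continue
        parts = line.split(":")
        if parts[0] == "default":            # tolerate `getfacl -d` style lines
            parts = parts[1:]
        tag, qualifier, perms = parts
        entries.append(AclEntry(tag, qualifier, perms))
    return entries


def effective_rights(entries: list[AclEntry]) -> dict[str, str]:
    """Map each entry key to the rights it really confers after the mask."""
    mask = next((e.perms for e in entries if e.tag == "mask"), None)
    result = {}
    for e in entries:
        # The mask applies to named users, named groups and the owning group,
        # but never to the file owner or to "other".
        masked = e.tag == "group" or (e.tag == "user" and e.qualifier != "")
        result[e.key] = _intersect(e.perms, mask) if masked and mask else e.perms
    return result


def reduced_entries(entries: list[AclEntry]) -> list[tuple[str, str, str]]:
    """Entries whose effective rights are smaller than the rights they were given."""
    eff = effective_rights(entries)
    return [(e.key, e.perms, eff[e.key]) for e in entries if eff[e.key] != e.perms]


def can_group_write(entries: list[AclEntry], group: str) -> bool:
    """True if the named group ends up with write access after the mask."""
    return "w" in effective_rights(entries).get(f"group:{group}", "---")


if __name__ == "__main__":
    for label, sample in (("as set up", SAMPLE_GETFACL), ("after chmod 750", SAMPLE_AFTER_CHMOD)):
        entries = parse_getfacl(sample)
        print(f"{label}: apache can write: {can_group_write(entries, 'apache')}")
        for key, granted, effective in reduced_entries(entries):
            print(f"  {key} granted {granted} but effective {effective}")
```

In a real session the input would come from `getfacl --access /var/svn/lcfg` rather than the embedded strings; the point of the second sample is that a routine chmod on an ACL-bearing directory changes the mask, not the group entry, so the apache entry can lose write access without any setfacl having been run.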

Using ACLs has various implications, particularly for backups, which might not preserve the ACLs. Tools such as tar (via --acls or --xattrs) and rsync (via --acls) do support storing the ACL information, but you have to explicitly turn on the options.

I found a rather useful page that had some good examples.

What we really want now is support in the LCFG file component…

One Response to Linux file ACLs

  1. kenny says:

    I had a little look into using LCFG to set selinux contexts and discovered there’s no Perl interface to selinux, apart from calling the chcon command.

    There are other properties of files: extended attributes (useful for Samba shares, etc.) and the usual attributes, e.g. immutable.

    The file component schema could become quite large!