
Warning

This article is generally good, but a better model has come out of it: I need to pull and merge from what was learned in the WordPress instructions currently being finalized. Once this is done, I will extract the ACLs from there and merge them here for a final article.

Basically I have given up on ACLs as they do not behave the way I would like and the creators think that is ok. Instead, I am looking at application level virtualization to define control.


What are ACLs?

ACLs (Access Control Lists) are advanced permissions beyond the traditional Unix owner/group/other permissions. They add powerful features, such as the ability to grant permissions to more than one user and more than one group on the same file or directory.

...

ACLs, though powerful, add additional complexity to the system and have some limitations, discussed further below. You will notice throughout the Bonsai Framework that I tried and then pretty much gave up on using ACLs. Instead, I am looking at application-based virtualization solutions to segregate control.

Limitations

umask - Default ACLs are generally applied only at creation time; more specifically, by creat(), mkdir(), mknod(), mkfifo(), or open(). Other operations, such as copy or move, are limited by the umask of the user performing the operation. (I need to go into more detail here, but this is very, very limiting and intuitively not the behaviour most people expect.) In other words, you apply a default ACL to a directory and its subdirectories expecting files copied in to inherit those ACLs; they don't, because of the default umask.

Copying Files - This is no longer an issue with modern versions of Ubuntu (2012 is when I checked), and I would guess other *nix systems. If you want to preserve the source file's specific ACL permissions rather than inherit the target directory's default ACL, use cp -p. On an older system, check that when default ACLs are set on a directory, the following operations inherit permissions properly: local copy, sftp remote create and sftp remote copy.

...

The scenario is that we want to provide website hosting for two different clients, The Daily Planet and LexCorp. Employees of the respective companies will be kept in the system under the groups wgdailyplanet and wglexcorp. The web server process also plays a factor and runs under the group www-data.

User Name     | Assigned User | Group         | Web Root Directory                                          | File Access            | Directory Access
dailyplanet01 | Clark Kent    | wgdailyplanet | /opt/web/php/dailyplanet.com/                               | Read, Write and Execute | Read, Write and Execute
lexcorp01     | Lex Luthor    | wglexcorp     | /opt/web/php/lexcorp.com/                                   | Read, Write and Execute | Read, Write and Execute
              | Apache Server | www-data      | /opt/web/php/dailyplanet.com/ and /opt/web/php/lexcorp.com/ | Read                   | Read and Execute (required to traverse directories)
              | Staff Users   | staff         | /opt/web/php/dailyplanet.com/ and /opt/web/php/lexcorp.com/ | Read                   | Read and Execute (required to traverse directories)
              | Other         |               |                                                             | No Access              | No Access

We do not want employees from different companies to access, or even be aware of, each other's web directory. At the same time, the Apache server, belonging to group www-data, needs access to all the directories. We also want to grant users of the staff group read access for support purposes. Finally, we want all subsequent directories and files under the respective Web Root Directories to inherit the same permissions.

...

Tip

Notice that the base Unix permissions are more open than ideal. This is due to how masking works with ACLs: the group bits of the Unix mode act as the ACL mask, and every named user or group entry is limited to the permissions in that mask, so the group bits must be at least as open as the most permissive ACL entry.

Directory                              | Unix Permissions for serveradmin:staff | ACL and ACL Default               | Notes
./web/                                 | rwXr-X--X                              | n/a                               | Don't need ACLs here. Use Unix permissions "drwxr-x--x   3 serveradmin staff".
./web/php/                             | rwXr-X--X                              | n/a                               | Don't need ACLs here. Use Unix permissions "drwxr-x--x 4 serveradmin staff".
./web/php/tmp/                         | rwXr-X---                              | www-data:rwX                      | In a shared environment lock down. Consider ACLs to make it easy for staff to review.
./web/php/logs/                        | rwXr-X---                              | www-data:rwX                      | In a shared environment lock down. Consider ACLs to make it easy for staff to review.
./web/php/dailyplanet.com/             | rwXrwX---                              | www-data:rX, wgdailyplanet:rwX    |
./web/php/dailyplanet.com/www/         | rwXrwX---                              | www-data:rX, wgdailyplanet:rwX    |
./web/dailyplanet.com/blog/            | rwXr-X---                              | www-data:rX, wgdailyplanet:rwX    |
./web/dailyplanet.com/blog/wp-content/ | rwXr-X---                              | www-data:rwX, wgdailyplanet:rwX   | In order to install plugins, www-data needs write access.
./web/php/lexcorp.com/                 | rwXr-X---                              | www-data:rX, wglexcorp:rwX        |
./web/lexcorp.com/www/                 | rwXr-X---                              | www-data:rX, wglexcorp:rwX        |
./web/lexcorp.com/blog/                | rwXr-X---                              | www-data:rX, wglexcorp:rwX        |
./web/lexcorp.com/blog/wp-content/     | rwXr-X---                              | www-data:rwX, wglexcorp:rwX       |

All directories will be owned by serveradmin:staff
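As an added example (not part of the original article or the Bonsai Framework), the following POSIX shell functions build the per-client ACL policy from the table above, apply it with setfacl as both the access and the default ACL, and count entries whose effective rights have been clipped by the mask (the situation the Tip warns about). Group names follow the table; it assumes the setfacl/getfacl tools from the acl package and a filesystem mounted with ACL support.

```shell
#!/bin/sh
# Added example: generate, apply and check the web-root ACL policy.
# Assumes setfacl/getfacl (acl package) and an ACL-enabled filesystem.

# ACL text for a client web root: owner rwX, owning group (staff) read and
# traverse only, no access for others, www-data read/traverse, the client
# group full access. The mask (m::) is set to rwX so the named-group entry
# is not clipped; this is why ls then shows the group bits as rwx.
site_acl_spec() {
  printf 'u::rwX,g::r-X,o::---,g:www-data:rX,g:%s:rwX,m::rwX\n' "$1"
}

# Variant for blog/wp-content, where www-data must also write (plugin installs).
writable_acl_spec() {
  printf 'u::rwX,g::r-X,o::---,g:www-data:rwX,g:%s:rwX,m::rwX\n' "$1"
}

# Apply a spec recursively as the access ACL and as the default ACL, so that
# objects created inside later inherit it. Returns non-zero if setfacl fails
# (unknown group, filesystem without ACL support, ...).
apply_acls() {
  setfacl -R -m "$2" "$1" && setfacl -R -d -m "$2" "$1"
}

# Lay out one client as in the table: read-only for www-data on the root,
# writable for www-data on blog/wp-content.
setup_site() {
  apply_acls "$1" "$(site_acl_spec "$2")" &&
  apply_acls "$1/blog/wp-content" "$(writable_acl_spec "$2")"
}

# Count ACL entries whose effective rights are reduced by the mask; getfacl
# annotates such entries with "#effective:". A later chmod g-w on the
# directory lowers the mask and makes this count go above zero.
masked_entries() {
  getfacl -p "$1" 2>/dev/null | grep -c '#effective:' || true
}
```

Run `masked_entries` on a web root after any chmod or cp into the tree; a non-zero count means a named user or group no longer has the rights the table intends.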

...