Example scenarios for permission and ACL combinations #921

@wwarriner

Description

What would you like to see added?

ACLs and Permissions can interact in non-intuitive ways.

ACLs can mostly be thought of as a much more fine-grained form of permissions. They can also be used to allow access to nested directories and files without granting access to the levels encountered along the way. Once someone reaches the bottom level allowed by ACLs, the o (other, final digit) part of the permissions takes over.

Example:

/data/project/lab/
|-- no-access/
|-- access/
    |-- data/
    |-- file.txt

Suppose you have an external collaborator named extern. You want to grant them read, write and execute access to the nested data/ directory but not any of the directories along the way. Then set the following permissions and ACLs.

  • /data/project/lab/ has permissions rwxrws--- or 2770

    Allows members of your group full access to this directory (middle rws). Allows extern no access (last three dashes ---).

    Important! Do not set the final permission triplet (others) of your root project directory to anything other than --- (or 0). Doing so opens your project directory to everyone using Cheaha.

  • /data/project/lab/ has ACL user:extern:--x

    Allows extern access to your project directory with only execute permissions. The only thing they can do with just this permission is traverse the directory. All they can do is use cd /data/project/lab/access/. They cannot use ls, find, or cp on the contents of the directory due to not having read (r) permissions. They cannot add or delete any files or directories due to not having write (w) permissions.

  • no-access/ has permissions rwxrws--- or 2770

    Allows members of your group full access to this directory (middle rws). Allows extern no access (last three dashes ---).

  • access/ has permissions rwxrws--- or 2770

    Allows members of your group full access to this directory (middle rws). Allows extern no access (last three dashes ---).

  • access/ has ACL user:extern:--x

    Allows members of your group full access to this directory (middle rws). Allows extern access as described above for the project directory.

  • data/ has permissions rwxrwsrwx or 2777

    Allows members of your group full access to this directory (middle rws). Allows non-group-members full access to this directory (last rwx), but only if they can reach it. Note to reach it they need execute (x) permissions or ACLs on its parent directories. This is why we have used ACLs, to allow extern to traverse the above directories to reach this one.

Repeating this process for multiple people with the same ACLs will allow multiple external collaborators to work together in the same directory. (Write about how the setgid bit plays a role, cross-link to programs that violate the usual permission creation assumptions such as cp -p and tar).
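To make the traversal rule above concrete, here is an added example (not from the issue or its repository) that models the POSIX.1e access check the kernel performs at each path component: owner bits first, then a named-user ACL entry, then the owning group, then the other bits. The tree is the one from the issue; /data and /data/project are assumed 0755, file.txt is assumed 0660, owner/group names are constructed, and the ACL mask is assumed to be the one setfacl -m recomputes by default (so it limits nothing). Walking the path as extern shows --x at lab/ and access/ and then the other bits (rwx) taking over at data/.

```python
from dataclasses import dataclass, field
R, W, X = 4, 2, 1

@dataclass
class Node:
    """mode: octal mode (setgid ignored for access checks); acl: named user -> rwx bits."""
    owner: str
    group: str
    mode: int
    acl: dict = field(default_factory=dict)
    children: dict = field(default_factory=dict)

def effective_bits(node, user, groups):
    """POSIX.1e check order: owner, named-user ACL entry, owning group, other (mask assumed open)."""
    if user == node.owner:
        return (node.mode >> 6) & 7
    if user in node.acl:
        return node.acl[user]
    if node.group in groups:
        return (node.mode >> 3) & 7
    return node.mode & 7

def rwx(bits):
    return "".join(c if bits & b else "-" for c, b in (("r", R), ("w", W), ("x", X)))

def walk(root, path, user, groups=frozenset()):
    """(component, effective rwx) per path component, stopping at the first non-traversable directory."""
    out, node = [], root
    for name in path.strip("/").split("/"):
        node = node.children[name]
        bits = effective_bits(node, user, groups)
        out.append((name, rwx(bits)))
        if not bits & X:
            break
    return out

def can(root, path, user, want, groups=frozenset()):
    """True iff every ancestor grants x and the last component grants all `want` bits."""
    steps = walk(root, path, user, groups)
    if len(steps) < len(path.strip("/").split("/")):
        return False
    return all(c in steps[-1][1] for c in rwx(want) if c != "-")

def lab_tree(with_acl=True):
    """Tree from the issue (constructed; /data and /data/project assumed 0755, file.txt 0660)."""
    acl = {"extern": X} if with_acl else {}
    access = Node("pi", "lab", 0o2770, dict(acl),
                  {"data": Node("pi", "lab", 0o2777), "file.txt": Node("pi", "lab", 0o660)})
    lab = Node("pi", "lab", 0o2770, dict(acl), {"no-access": Node("pi", "lab", 0o2770), "access": access})
    project = Node("root", "root", 0o755, {}, {"lab": lab})
    return Node("root", "root", 0o755, {}, {"data": Node("root", "root", 0o755, {}, {"project": project})})
```

Calling walk(lab_tree(), "/data/project/lab/access/data", "extern") yields r-x, r-x, --x, --x, rwx along the path, while lab_tree(with_acl=False) stops at lab/ with ---, which is the whole reason the ACL entries are needed.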
