setfacl – Quit changing Linux permissions and allow access to more than just root!
As much as I love working inside the vSphere client and focusing solely on VMware and virtualization, I’m also tasked with a lot of web programming, database development and general server administration. I look after a few Debian servers which provide an external presence, and the web developers working on them often need access to upload and change files and folders within the webroot. Being security minded, I don’t want to hand out our root password all the time, and having them connect as root is out of the question anyway since root login is disabled.
Historically the process has involved changing the owner of the various folders to the webadmin account, allowing the developers to connect and do what they need to do as webadmin. This has always worked great but poses some challenges, especially with certain CMS applications such as WordPress and Joomla. When installing new plugins and modules these applications tend to create their new folder structures with the owner set to www-data – kind of a pain in the @$$, as the webadmin account has just lost write access to the directory. This usually resulted in me or someone else being summoned to change the owner yet again! So the solution: a little bit of ACL awesomeness… getfacl and setfacl, in a nutshell, allow you to grant access to more than just the owner and group of Linux files and folders – perfect for my scenario, as now I can leave root as the owner for security purposes, keep www-data as the group so the web server can actually serve the sites, and add an ACL entry for webadmin giving them the read/write access they need to do their job. Below is a pretty short example of how to get started.
First off you need ACL support in your kernel, which you probably already have, but in case you feel like checking, run the following against your boot config.
cat /boot/config-kernelversion | grep _ACL
This should print something along the lines of CONFIG_EXT3_FS_POSIX_ACL=y
As with any Debian package, installation is pretty easy:
apt-get install acl
Almost there. We now have acl installed and know the kernel supports it; we just need to be sure the file system on which we want to provide ACLs is mounted with acl support. To do this you can simply add ‘,acl’ to the mount options in your /etc/fstab, as shown below.
/dev/sdb1 /var/www/webroot ext3 defaults,acl,errors=remount-ro 0 1
You may need to either reboot here or issue a remount command on the target file system in order to get things working. After doing so, adding an ACL is pretty simple. Check the man pages for more in-depth documentation, but to get myself up and running the following was sufficient:
setfacl -Rm u:webadmin:rwx /var/www/webroot
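One caveat worth knowing for exactly the WordPress/Joomla case above: the command sets only the access ACL, so a directory that www-data creates later does not carry the webadmin entry, and you are back to being summoned. A default ACL (setfacl -d) on the directories fixes that, since new children inherit it. The following is an added example, not from the original post; it reuses the post's /var/www/webroot path and webadmin user as assumptions and verifies the inheritance on a throwaway directory tree.

```shell
#!/bin/sh
# Added example (not from the original post): grant a user rwx on the webroot
# with an access ACL *and* a default ACL, so directories created later by
# www-data (CMS plugin installs) carry the entry without another setfacl run.
# /var/www/webroot and webadmin are the post's names, assumed here.
set -eu

grant_acl() {
    # $1 = directory, $2 = user name or numeric UID
    setfacl -Rm  "u:$2:rwx" "$1"   # access ACL on everything already there
    setfacl -Rdm "u:$2:rwx" "$1"   # default ACL on each directory: inherited by new children
}

has_rwx() {
    # Return 0 only if $2 holds an unmasked rwx entry on $1.
    # getfacl appends "#effective:..." to an entry the mask trims, so an exact
    # match on "user:UID:rwx" also proves the mask did not cut the grant down.
    uid=$(id -u "$2" 2>/dev/null || echo "$2")
    entry=$(getfacl --numeric --omit-header "$1" 2>/dev/null | grep "^user:$uid:") || return 1
    [ "$entry" = "user:$uid:rwx" ]
}

demo_inherit() {
    # Build a throwaway tree, grant $1 on it, then create a directory the way a
    # CMS running as www-data would and confirm the child inherited the entry.
    root=$(mktemp -d)
    mkdir "$root/wp-content"
    grant_acl "$root" "$1"
    mkdir "$root/wp-content/plugins"          # new directory, no further setfacl
    if has_rwx "$root/wp-content/plugins" "$1"; then rc=0; else rc=1; fi
    rm -rf "$root"
    return $rc
}

# Real usage on the post's webroot (run as root):
#   grant_acl /var/www/webroot webadmin
#   getfacl /var/www/webroot      # shows both user:webadmin:rwx and default:user:webadmin:rwx
```

Files that www-data creates inherit the entry the same way, so webadmin keeps write access to plugin and upload directories without anyone touching ownership again.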
Voila! Done! Again, this is a VERY introductory post dealing with Linux ACLs and permissions, and there are a lot more posts out there which go deeper into the details, but if you are looking to get up and running quickly this should do the trick! Comments, questions, concerns? Throw them in the comments box below.