Facilitate fine-grained file permissions with ACL editor Eiciel.
If you’re reading this column, you probably already have a good grasp of Linux file permissions. Every file has three sets of permissions — one each for owner, group, and world — and each set controls whether the owner, the named group, and everyone else can read, write, or execute the file.
This relatively simple scheme has been around for decades, so it must be perfect, right? Not exactly. Standard file permissions can associate only one group with a file, and lump all users who are neither the owner nor members of the file’s group into one large bucket. So, for example, if Alice owns a file and wants to allow Bob to read it and Carol to read and write it, and Bob and Carol are in different groups, uh oh!
To grant specific rights to more than one user or group, you need access control lists, or ACLs. With ACLs, users can assign fine-grained permissions to multiple users and multiple groups. Windows and Mac OS X make it pretty easy to use ACLs, and while ACLs work on Linux, the problem is that there’s no easy way to set and modify them. You can use the command line, but it’s complicated and non-intuitive. [For a look at the command-line interface, see the November 2004 “Guru Guidance” column, online at http://www.linux-mag.com/2004-11/guru_01.html.]
Fortunately, there’s an easier way to work with ACLs: Eiciel is a graphical ACL editor (pictured). The program is built for GNOME, but can run on KDE as long as you have the GNOME libraries installed. There are some other prerequisites, as well. If you’re running the 2.6 kernel, native ACL support is available, but it must be enabled when the kernel is compiled. (ACLs are typically enabled in the kernels of mainstream distributions.) If you’re still on 2.4, you must apply a patch to the kernel sources. Search the web for “linux 2.4 acl patch,” apply the patch, and start re-compiling. Your filesystem is another concern. ACLs work with Ext2, Ext3, XFS, JFS, and ReiserFS, and even NFS.
Assuming you have a suitable kernel in place, you must install support for working with ACLs in user space. For Debian-based distros, the command apt-get install acl takes care of everything you need; if you run another distro, search its software lists for an ACL package.
Next, install Eiciel. Again, Debian-based distros can get the software easily with apt-get install eiciel, which may bring along other packages as well. Other distros may offer binaries, or simply compile the source, found at http://rofi.pinchito.com/eiciel/?s=7.
Once Eiciel is on your computer, modify your /etc/fstab (as root, of course… so be careful!) and add the acl option. For instance, an existing entry in /etc/fstab might look like this:
/dev/sda1 / reiserfs notail 0 1
To enable ACLs on that filesystem, edit the line and add the acl option, like so:
/dev/sda1 / reiserfs notail,acl 0 1
Now remount the filesystem to put your change into effect:
# mount / -o remount
Now it’s time to play with ACLs and Eiciel. You can run Eiciel as a normal user, but to set permissions on system files, you must start Eiciel as root.
Eiciel is easy to use; it’s the ACLs that can be hard to understand. Open the file or directory whose ACL you want to change, and then add users or groups from the bottom half of the window. For each entry — a user, a group, or the mask, if you want to use that term — you can set permissions. Add as many users or groups as you’d like and adjust the permissions for each entity. When you’re done, close the program. You just changed ACLs.
As cool as Eiciel is, there are a few limitations to the program, and some of them are pretty severe. The biggest problem is that there is currently no way to apply changes to ACLs widely or recursively. Want to change all of the files in a directory? You get to change them one at a time. (You can use find and setfacl from the command line, but that sure isn’t as easy to use as Eiciel.) Hopefully the developers will add recursiveness sometime soon.
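The command-line side of the two procedures above (enabling the acl mount option in /etc/fstab, and setting entries for Alice’s file and for a whole directory tree) is shown here as an added example; it is not code from the column or from the Eiciel project. It assumes the acl package (setfacl and getfacl) is installed and that the filesystem is mounted with the acl option. The function names, the file report.txt, the group staff, and the getfacl listing are constructed for the example; only the users Alice, Bob, and Carol come from the column. The functions that touch the filesystem run only when you call them yourself, so the script is safe to source on a system without ACL support.

```shell
#!/bin/sh
# Added example, not code from the column or from Eiciel.
# Assumes: the "acl" package is installed (setfacl/getfacl). Nothing below
# modifies the system unless you call acl_apply or acl_apply_tree yourself.

# fstab_add_acl LINE: append the acl mount option to one /etc/fstab line
# unless it is already there (the fourth field is the options field).
fstab_add_acl() {
    printf '%s\n' "$1" | awk '{
        if ($4 !~ /(^|,)acl(,|$)/) $4 = $4 ",acl"
        print
    }'
}

# acl_spec ENTRY...: turn "bob:r carol:rw g:devs:rx" into the comma-separated
# form that setfacl -m expects: "u:bob:r,u:carol:rw,g:devs:rx".
# Bare "name:perms" is taken as a user entry; u:, g:, m: prefixes pass through.
acl_spec() {
    spec=""
    for e in "$@"; do
        case $e in u:*|g:*|m:*) ;; *) e="u:$e" ;; esac
        spec="${spec:+$spec,}$e"
    done
    printf '%s\n' "$spec"
}

# and_perms A B: bitwise AND of two rwx triplets ("rw-" "r--" -> "r--").
and_perms() {
    out=""; i=1
    while [ "$i" -le 3 ]; do
        ca=$(printf '%s\n' "$1" | cut -c"$i")
        cb=$(printf '%s\n' "$2" | cut -c"$i")
        if [ "$ca" = "$cb" ] && [ "$ca" != "-" ]; then out="$out$ca"; else out="$out-"; fi
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# effective_perms LISTING USER: what USER can really do according to a
# getfacl listing. Named user and group entries are limited by the mask
# entry, so "user:carol:rw-" together with "mask::r--" means carol can only read.
effective_perms() {
    entry=$(printf '%s\n' "$1" | grep "^user:$2:" | cut -d: -f3 | cut -c1-3)
    mask=$(printf '%s\n' "$1" | grep '^mask::' | cut -d: -f3 | cut -c1-3)
    [ -n "$entry" ] || { echo "no ACL entry for $2" >&2; return 1; }
    if [ -n "$mask" ]; then and_perms "$entry" "$mask"; else printf '%s\n' "$entry"; fi
}

# Constructed getfacl output for the Alice/Bob/Carol case from the column,
# after someone ran "chmod g-w" on the file: chmod rewrites the mask entry,
# so Carol's rw- entry is silently cut down to r-- (getfacl flags this
# with the #effective comment, which a GUI may not show prominently).
SAMPLE_GETFACL='# file: report.txt
# owner: alice
# group: staff
user::rw-
user:bob:r--
user:carol:rw-       #effective:r--
group::r--
mask::r--
other::---'

# acl_apply PATH ENTRY...: the command-line equivalent of adding rows in
# Eiciel's lower pane, followed by a listing so you can check the mask.
acl_apply() {
    target=$1; shift
    setfacl -m "$(acl_spec "$@")" "$target" && getfacl "$target"
}

# acl_apply_tree DIR ENTRY...: the recursive change the column says Eiciel
# cannot do. -R covers everything that exists now; the d: (default) entries
# set on each directory make files created there later inherit the same rows.
acl_apply_tree() {
    dir=$1; shift
    spec=$(acl_spec "$@")
    setfacl -R -m "$spec" "$dir"
    find "$dir" -type d -exec setfacl -m "$(printf '%s\n' "$spec" | sed 's/,/,d:/g; s/^/d:/')" {} +
}
```

Typical use is acl_apply /home/alice/report.txt bob:r carol:rw for the single-file case, and acl_apply_tree /srv/project carol:rw for a whole tree. After any chmod on an ACL-bearing file, run getfacl and compare each entry against the mask line (effective_perms does exactly that) before assuming a user still has the rights you granted.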
Another problem is that Eiciel’s functionality is built into GNOME’s file manager but not KDE’s (not surprising, since Eiciel is a GNOME app). If you’re using Nautilus, the default file manager in GNOME, you can right-click on the file or directory whose ACL you want to set, choose Properties, and then choose the Access Control List tab. If you use Konqueror, you’ll have to open Eiciel manually and choose the file or directory you want to change.
Finally, since it’s a GNOME application, KDE users may be a bit weirded out when they find that there’s no OK or Cancel button in Eiciel. Once you make a change via Eiciel, it’s finished. Just close the app, because you just changed that file or directory’s ACLs. This conforms to GNOME’s somewhat muddle-headed UI design guidelines, but it’s not necessarily a good idea. The ability to Cancel, or at least think about your changes before committing them forever, would be nice. But here you can blame GNOME, not Eiciel.
To read more about Eiciel, check out the User’s Guide at http://rofi.pinchito.com/eiciel/doc/index.html. To really learn Eiciel, though, you need to play with it. Just be careful as you’re configuring your system for ACLs and understand that you can blow things up if you’re not careful.
Scott Granneman teaches at Washington University in St. Louis, consults for WebSanity, and writes for SecurityFocus and Linux Magazine. His latest book, Hacking Knoppix, is in stores now. You can reach him at firstname.lastname@example.org.