Home > bash, security, ubuntu > setfacl / getfacl

setfacl / getfacl

With ACL (Access Control List) you can set exactly who can access your files and directories. With ACL you can set things like “nobody can read this file except user XY”, or “no one can write this directory except the user Z”.

With setfacl you can set the ACL rights. With getfacl you can ask the ACL rights of a file/folder.

Example #1
You have a pmwiki installation that runs on an Apache webserver. PmWiki has a directory called “wiki.d” that must be writable too, otherwise you cannot edit your wiki from a browser. Behind the scenes it’s Apache’s www-data user who wants to write in this directory.

A naive approach is to “chmod 777 pmwiki/wiki.d”. In this case anyone with a shell access to the server can modify the content of this folder.

A better way is to give the necessary grants to Apache’s www-data user:

setfacl -R -m u:www-data:rwx $HOME/public_html/pmwiki/wiki.d

Thanks to Jeszy for the tip.

Example #2
You have a web application that uses an SQLite database. Again, the www-data user would like to write into it. In addition, www-data must be able to write to the directory too that contains the database file.

$ cd /home/jabba/public_html/myapp
# say we have here an sqlite.db file
$ setfacl -m u:www-data:rw sqlite.db
$ setfacl -m u:www-data:rwx .

To grant rights to a group, use “g:groupid:rights” instead of “u:userid:rights“.

Categories: bash, security, ubuntu Tags: , ,
  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: