{"id":8853,"date":"2017-02-14T05:39:34","date_gmt":"2017-02-14T05:39:34","guid":{"rendered":"https:\/\/kb.okra.host\/article\/file-management-with-multiple-users\/"},"modified":"2021-04-06T14:42:53","modified_gmt":"2021-04-06T13:42:53","slug":"file-management-with-multiple-users","status":"publish","type":"ht_kb","link":"https:\/\/kb.okra.host\/de\/article\/file-management-with-multiple-users\/","title":{"rendered":"File management with multiple users"},"content":{"rendered":"<p>Access control lists (<a href=\"https:\/\/wiki.archlinux.org\/index.php\/Access_Control_Lists\">ACLs<\/a>) may be used in multi-user environments to grant specific users shared access to files without opening them to every user on the account. ACLs can be set either by the owner of the file or by the account admin using <a href=\"https:\/\/kb.apiscp.com\/control-panel\/scripting-with-beacon\/\">Beacon<\/a>.<\/p>\n<p>ACLs come in two forms: active and default. Active entries apply to the file or directory itself, whereas default entries are set on a directory and are applied to files created within that directory in the future.<\/p>\n<h2 id=\"using-setfacl\" >Using setfacl<\/h2>\n<p>ACLs may be set from the <a href=\"https:\/\/kb.apiscp.com\/terminal\/accessing-terminal\/\">terminal<\/a> using <code>setfacl<\/code> on all <a href=\"https:\/\/kb.apiscp.com\/platform\/determining-platform-version\/\">v5+ platforms<\/a>. <code>setfacl<\/code> may only be applied to files owned by the current user. 
For files owned by another user, use <code>file_set_acls<\/code> in Beacon (below) or take ownership of the files first using <a href=\"http:\/\/api.apnscp.com\/docs\/class-File_Module.html#_chown\">file_chown<\/a> in Beacon or <a href=\"https:\/\/kb.apiscp.com\/terminal\/elevating-privileges-with-sudo\/\">chown<\/a> with sudo.<\/p>\n<p>The syntax to set an ACL entry is <code>setfacl -m [d:]<em>USERNAME<\/em>:<em>PERMISSIONS<\/em> <em>FILE<\/em><\/code> where:<\/p>\n<ul>\n<li><code>d:<\/code> is an optional specifier to apply the ACLs as default ACLs rather than active ACLs<\/li>\n<li><em>USERNAME<\/em> is the user on the account to apply these ACLs to<\/li>\n<li><em>PERMISSIONS<\/em> is an <a href=\"https:\/\/kb.apiscp.com\/guides\/permissions-overview\/\">octal bitmask<\/a> between 0 and 7 or a combination of r, w, x representing read, write, and execute permissions respectively<\/li>\n<li>The <code>-m<\/code> option may be repeated any number of times to apply new rules to other users<\/li>\n<li><code>-R<\/code> may be specified to apply the rules recursively<\/li>\n<\/ul>\n<h4 id=\"simple-usage\" >Simple usage<\/h4>\n<pre data-language=\"shell\"><code>$ setfacl -m user:tom:7 newdata.zip\r\n$ getfacl newdata.zip\r\n# file: newdata.zip\r\n# owner: myadmin\r\n# group: myadmin\r\nuser::rw-\r\nuser:tom:rwx\r\ngroup::r--\r\nmask::rwx\r\nother::r--\r\n<\/code><\/pre>\n<h3 id=\"more-examples\" >More examples<\/h3>\n<ul>\n<li>Granting an additional user read access<br \/>\n<code>setfacl -m u:lisa:r file<\/code><\/li>\n<li>Revoking write access from all groups and all named users (using the effective rights mask)<br \/>\n<code>setfacl -m m::rx file<\/code><\/li>\n<li>Removing a named group entry from a file\u2019s ACL<br \/>\n<code>setfacl -x g:staff file<\/code><\/li>\n<li>Copying the ACL of one file to another<br \/>\n<code>getfacl file1 | setfacl --set-file=- file2<\/code><\/li>\n<li>Copying the access ACL into the default ACL<br \/>\n<code>getfacl --access dir | 
setfacl -d -M- dir<\/code><\/li>\n<\/ul>\n<h3 id=\"further-reading\" >Further reading<\/h3>\n<p>See the man pages for <a href=\"https:\/\/linux.die.net\/man\/1\/setfacl\">setfacl<\/a> and <a href=\"https:\/\/linux.die.net\/man\/1\/getfacl\">getfacl<\/a>.<\/p>\n<h2 id=\"using-beacon\" >Using Beacon<\/h2>\n<p><a href=\"https:\/\/kb.apiscp.com\/control-panel\/scripting-with-beacon\/\">Beacon<\/a> provides an alternative interface to ACLs using <a href=\"http:\/\/api.apnscp.com\/docs\/class-File_Module.html#_set_acls\">file_set_acls<\/a> and <a href=\"http:\/\/api.apnscp.com\/docs\/class-File_Module.html#_get_acls\">file_get_acls<\/a>. ACLs set via Beacon override traditional discretionary access checks when applied as the primary account holder. As the primary user, you can therefore alter any ACL on any file, whereas using <code>setfacl<\/code> from the terminal requires that you own the file you are adjusting.<\/p>\n<pre data-language=\"shell\"><code>$ beacon eval file_set_acls \/var\/www\/html redline 7\r\n1\r\n$ getfacl \/var\/www\/html\r\ngetfacl: Removing leading '\/' from absolute path names\r\n# file: var\/www\/html\r\n# owner: myadmin\r\n# group: myadmin\r\nuser::rwx\r\nuser:redline:rwx\r\ngroup::r-x\r\nmask::rwx\r\nother::r-x<\/code><\/pre>\n<p>To set default ACLs, supply a third parameter, <em>default:1<\/em>; to apply recursively, supply <em>recursive:1<\/em>.<\/p>\n<pre data-language=\"shell\"><code>$ beacon eval file_set_acls \/var\/www\/html\/test redline 7 [default:1,recursive:1]\r\n1\r\n$ getfacl \/var\/www\/html\/test\/foo\r\ngetfacl: Removing leading '\/' from absolute path names\r\n# file: var\/www\/html\/test\/foo\r\n# owner: myadmin\r\n# group: myadmin\r\n# flags: -s-\r\nuser::rwx\r\nuser:redline:rwx #effective:r-x\r\ngroup::rwx #effective:r-x\r\nmask::r-x\r\nother::--x\r\ndefault:user::rwx\r\ndefault:user:redline:rwx\r\ndefault:group::rwx\r\ndefault:mask::rwx\r\ndefault:other::--x\r\n<\/code><\/pre>\n<p>To 
clear an ACL entry for a specific user, omit the permission parameter:<\/p>\n<pre data-language=\"shell\"><code>$ beacon eval file_set_acls \/var\/www\/html\/test redline\r\n$ getfacl \/var\/www\/html\/test\/foo\r\ngetfacl: Removing leading '\/' from absolute path names\r\n# file: var\/www\/html\/test\/foo\r\n# owner: myadmin\r\n# group: myadmin\r\n# flags: -s-\r\nuser::rwx\r\ngroup::rwx #effective:r-x\r\nmask::r-x\r\nother::--x\r\ndefault:user::rwx\r\ndefault:group::rwx\r\ndefault:mask::rwx\r\ndefault:other::--x<\/code><\/pre>\n<p>Lastly, to set ACLs for several users in one call:<\/p>\n<pre data-language=\"shell\"><code>$ beacon eval file_set_acls \/var\/www\/html\/test [redline:7,apache:7]\r\n1\r\n$ getfacl \/var\/www\/html\/test\r\ngetfacl: Removing leading '\/' from absolute path names\r\n# file: var\/www\/html\/test\r\n# owner: myadmin\r\n# group: myadmin\r\nuser::rwx\r\nuser:apache:rwx\r\nuser:redline:rwx\r\ngroup::r-x\r\nmask::rwx\r\nother::r-x<\/code><\/pre>\n<h2 id=\"see-also\" >See also<\/h2>\n<ul>\n<li>KB: <a href=\"https:\/\/kb.apiscp.com\/guides\/permissions-overview\/\">Permission overview<\/a><\/li>\n<li>KB: <a href=\"https:\/\/kb.apiscp.com\/control-panel\/scripting-with-beacon\/\">Scripting with Beacon<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Access control lists (ACLs) may be used in multi-user environments to allow granular joint access to file management without allowing access by all users on the account. ACLs can be established either by the owner of the file or account admin using Beacon. 
ACLs come in two forms, an active&#8230;<\/p>","protected":false},"author":1,"comment_status":"open","ping_status":"closed","template":"","format":"standard","meta":{"footnotes":""},"ht-kb-category":[64],"ht-kb-tag":[],"class_list":["post-8853","ht_kb","type-ht_kb","status-publish","format-standard","hentry","ht_kb_category-platform"],"_links":{"self":[{"href":"https:\/\/kb.okra.host\/de\/wp-json\/wp\/v2\/ht-kb\/8853","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kb.okra.host\/de\/wp-json\/wp\/v2\/ht-kb"}],"about":[{"href":"https:\/\/kb.okra.host\/de\/wp-json\/wp\/v2\/types\/ht_kb"}],"author":[{"embeddable":true,"href":"https:\/\/kb.okra.host\/de\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kb.okra.host\/de\/wp-json\/wp\/v2\/comments?post=8853"}],"version-history":[{"count":1,"href":"https:\/\/kb.okra.host\/de\/wp-json\/wp\/v2\/ht-kb\/8853\/revisions"}],"predecessor-version":[{"id":8854,"href":"https:\/\/kb.okra.host\/de\/wp-json\/wp\/v2\/ht-kb\/8853\/revisions\/8854"}],"wp:attachment":[{"href":"https:\/\/kb.okra.host\/de\/wp-json\/wp\/v2\/media?parent=8853"}],"wp:term":[{"taxonomy":"ht_kb_category","embeddable":true,"href":"https:\/\/kb.okra.host\/de\/wp-json\/wp\/v2\/ht-kb-category?post=8853"},{"taxonomy":"ht_kb_tag","embeddable":true,"href":"https:\/\/kb.okra.host\/de\/wp-json\/wp\/v2\/ht-kb-tag?post=8853"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}