Did you ever wish that you could have more control over who can access your Unix files?
Until recently, you had to use the chmod (change mode) command to change file permissions.
The chmod command, however, provides only coarse control. For a given file, you can
assign access to:
- anyone on the system,
- the group to which you belong, or
- yourself only.
But what if you want only certain individuals to access a file? A new feature on
Temple's central Unix systems called Access Control List (ACL) lets you do just this.
An ACL is a list of all the people who can read from, write to, and/or execute a
particular file in your account. Every file has an ACL. To view the ACL for a file, use
the getacl command by typing at the Unix prompt getacl filename (for
example, getacl quiz1). When you do this, you will see information
similar to the following:
#
# file: quiz1
# owner: bjones
# group: users
#
user::rwx
group::
other::
In this particular case, the getacl command shows that bjones (the owner of the file)
is the only one who has read, write, and execute permissions for the file; the group and
other entries carry no permissions at all.
If you wish to allow another person with an account on the same system to access the
file, you can set this up using the setacl command. To do so, type the following at
the Unix prompt, and note that there are no spaces after the colons:
setacl -u user:name:permissions file
In this command,
name is the loginID of the person to whom you want to assign access,
permissions can be one or more of the following:
r (read),
w (write), and/or
x (execute),
file is the name of the file.
Note that you must assign read (r) access in order to also assign write (w) or execute
(x) access. Also note that the permissions field is always three characters, in the
order r, w, x: if you omit w or x, you must put a hyphen in its place. For example, to
enable the person with loginID jsmith to read and modify, but not execute, your file,
you would type at the Unix prompt:
setacl -u user:jsmith:rw- quiz1
Now when you type getacl quiz1, the following information is displayed:
#
# file: quiz1
# owner: bjones
# group: users
#
user::rwx
user:jsmith:rw-
group::
other::
By repeatedly using the setacl command in this manner, you can allow numerous people to
access your file.
When you assign another person the rights to access a file, make sure to tell him or
her the filename and the fully qualified name of your home directory. The fully qualified
name is what appears when you type pwd at the Unix prompt. Also, to make sure the
file is in this directory, type ls.
In order to access the file, this person will first need to log into his or her account
and go to your home directory by typing at the Unix prompt: cd directory-name.
For example, if your home directory is /home/a032/bjones, he or she will need to
type:
cd /home/a032/bjones
This works only if your home directory (and every directory above it) allows other
users to search it; an ACL entry on the file does not by itself let anyone reach the
directory that contains it. Type ls -ld on your home directory to check: an x in the
last position of the permissions (for example drwx--x--x) means others can enter it.
If the file is a text file, he or she can display it using the more filename command,
print it, or, depending on how you set the permissions, modify it using an editor
such as pico or vi. The person can also copy it to his or her home directory by typing:
cp filename directory
where directory is the fully qualified name of his or her directory. Keep in mind that
the ACL you set applies only to your original file: once someone you have granted read
access makes a copy, that copy is theirs to share as they wish. The person can then get
back to his or her home directory by typing cd and pressing Enter.
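The setacl steps above, and the check that your home directory can be entered, can be
scripted. The following is an added example written for this page, not part of the
original help text or of the setacl/getacl tools. It assumes the HP-UX-style setacl -u
and getacl commands described above and only invokes them when they are installed,
so the helper functions can be tried on any Unix system. It also goes slightly beyond
the text by accepting short permission strings such as rw and filling in the hyphens.

```sh
#!/bin/sh
# Added example (not from the original page): helpers for granting several
# users access to one file with setacl, following the rules above.

# canon_perms LETTERS
# Turn a permission string such as "rw", "r-x" or "rwx" into the three-character
# r/w/x form setacl expects, with a hyphen in each position not granted.
# Fails on characters other than r, w, x, -, and when w or x is requested
# without r (the text says read is required for write or execute).
canon_perms() {
    p=$1
    case $p in
        ''|*[!rwx-]*) return 1 ;;
    esac
    r=-; w=-; x=-
    case $p in *r*) r=r ;; esac
    case $p in *w*) w=w ;; esac
    case $p in *x*) x=x ;; esac
    if [ "$r" = - ] && { [ "$w" = w ] || [ "$x" = x ]; }; then
        return 1
    fi
    printf '%s%s%s\n' "$r" "$w" "$x"
}

# acl_entry LOGINID LETTERS
# Build the user:name:perms argument for "setacl -u" (no spaces after colons).
acl_entry() {
    perms=$(canon_perms "$2") || return 1
    printf 'user:%s:%s\n' "$1" "$perms"
}

# others_can_search DIR
# Succeeds when the "other" class has execute (search) permission on DIR,
# which the grantee needs in order to cd into your home directory at all.
# Reads the tenth character of "ls -ld" output (the other-execute bit).
others_can_search() {
    bit=$(ls -ld "$1" | cut -c10)
    [ "$bit" = x ] || [ "$bit" = t ]
}

# grant FILE LETTERS LOGINID...
# Add one ACL entry per login ID with setacl -u, then display the ACL.
# When setacl is not installed (any non-HP-UX system), print what would run.
grant() {
    file=$1; letters=$2; shift 2
    for id in "$@"; do
        entry=$(acl_entry "$id" "$letters") || {
            echo "invalid permissions '$letters' for $id" >&2
            return 1
        }
        if command -v setacl >/dev/null 2>&1; then
            setacl -u "$entry" "$file" || return 1
        else
            echo "would run: setacl -u $entry $file"
        fi
    done
    if command -v getacl >/dev/null 2>&1; then
        getacl "$file"
    fi
    return 0
}

# Usage: give jsmith and mlee read/write access to quiz1, after confirming
# that other users can enter the current directory.
# others_can_search "$HOME" || echo "warning: others cannot enter $HOME"
# grant quiz1 rw jsmith mlee
```

The grant function calls setacl -u once per login ID, exactly as the text describes
doing by hand, and refuses entries that break the read-required rule before touching
the file. The search-permission check is the one most often forgotten: the ACL can be
correct and the other person still unable to reach the file.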
In summary, ACLs provide a reliable means of controlling who can and cannot view your
files. Instructors or managers can use ACLs to make files available to individual
students or staff members. In addition, ACLs can help foster group activity by enabling
students or staff members to collaborate with one another more easily.