Navigation

← Previous Changeset
Next Changeset →

Changeset 1046

Timestamp:

10/15/06 10:42:43 (2 years ago)

Author:

tushar

Message:

Moved acl to OLD

Files:

trunk/OLD/acl.txt (modified) (3 diffs)
trunk/acl.txt (deleted)

Legend:

: Unmodified
: Added
: Removed
: Modified
: Copied
: Moved

trunk/OLD/acl.txt

r638	r1046
1		TITLE: Linux ACLs
2		LFS VERSION: 3.3+
3		AUTHOR: Kelledin <kelledin@users.sourceforge.net>
4		HINT VERSION: 1.1
5		DATE: Thu Jun 13 2002
	1	AUTHOR: Kelledin <kelledin@users.sourceforge.net>
	2	DATE: 2003-09-06
	3	LICENSE: GNU Free Documentation License
	4	SYNOPSIS: Adding ACL support to your LFS
	5	DESCRIPTION:
	6	ACLs (Access Control Lists) are a means of fine-grained control of filesystem
	7	access permissions. These are useful not just for extending local filesystem
	8	security on your Linux system, but also for serving Windows clients via samba.
6	9
7		SYNOPSIS
8		Getting ACLs to work in Linux, with proper support from fileutils.
	10	PREREQUISITES: LFS-CVS-20030906 or later, kernel 2.4.21
9	11
	12	HINT:
10	13
11		BACKGROUND INFORMATION:
	14	1. Background Information
12	15	------------------------------------------------------------------------------
13	16	Access Control Lists (ACLs) are a means of providing fine-grained per-user
…	…
22	25	Currently ACLs are the only major use of EAs in Linux.
23	26
24		Currently, Linux can support POSIX ACLs in ext2/3 and SGI's XFS. ~~Standard~~
25		system calls have recently been reserved for ACLs, so expect other filesystems
26		to start sporting ACL support soon. ReiserFS won't have ACLs until Reiser4. :(
	27	Currently, Linux can support POSIX ACLs in ext2/3 and SGI's XFS. ReiserFS,
	28	however, will probably not get ACL support until Reiser4 (which is currently
	29	experimental).
27	30
28		As far as networked filesystems go, Linux can support ACLs via Samba shares,
29		but not with the current NFS implementation. NFSv3 simply doesn't have the
30		necessary underlying mechanisms; such mechanisms are planned for the NFSv4
31		standard (which is in the works). This simply means that if you move files
32		around on NFS shares, you can't depend on them to retain their ACL/EA metadata.
	31	As far as networked filesystems go, samba servers can support ACLs when
	32	working with Windows-based clients, but not Linux/UNIX-type clients. Cross-
	33	platform NFS support is even more tricky with ACLs. Patches to extend the
	34	current NFSv3 implementation are available from http://acl.bestbits.at/ ;
	35	however, they are not covered here, and the full extent of their ACL support
	36	is unknown.
33	37
34	38
35		CAVEATS:
	39	2. Caveats
36	40	------------------------------------------------------------------------------
37		It should be noted that at the time of this writing, ACL support doesn't play
38		nice with quota support in ext3. You will likely have frequent lockups if
39		you try to use both at the same time. Also, ACL/EA support on the whole is
40		very immature in Linux. You have been warned.
	41	It should be noted that some versions of ACL support don't play nice with
	42	quota support in ext3. You will likely have frequent lockups if you try to
	43	use both at the same time.
41	44
42		It should also be noted that many shell scripts are liable to be broken by the
43		updated fileutils. This is because "ls -l" will now mark each ACL-enabled
44		entry with a "+" sign trailing after the traditional permissions bits. In
45		short, instead of this:
	45	It should also be noted that if you're using fileutils instead of the newer
	46	coreutils, an ACL-enabled fileutils has a few quirks that break some shell
	47	scripts. This is because "ls -l" from an ACL-enabled fileutils will mark each
	48	ACL-enabled entry with a "+" sign trailing after the traditional permissions
	49	bits. In short, instead of this:
46	50
47		-rw-r--r-- 1 root root 27173 Jun 12 02:41 filename
	51	-rw-r--r-- 1 root root 27173 Jun 12 02:41 filename
48	52
49	53	"ls -l" will print this instead:
50	54
51		-rw-r--r--+ 1 root root 27173 Jun 12 02:41 filename
	55	-rw-r--r--+ 1 root root 27173 Jun 12 02:41 filename
52	56
53	57	Any shell script that parses the output of "ls -l" for itself is liable to not
54		expect that "+" sign. Fortunately, this is usually trivial to fix in the
55		script, but it's inconvenient all the same. The optimal solution would be to
56		have a command-line switch to ls that turns ACL reporting on or off. I may
57		just fix this myself soon, so stay tuned. ;)
	58	expect that "+" sign.
	59
	60	coreutils-5.0 does not add this extra "+" sign.
58	61
59	62
60		DOWNLOAD:
	63	3. Download
61	64	------------------------------------------------------------------------------
62	65	In order to get ACL/EAs working, you will first need kernel patches. You
63		should try to make this work with a recent (2.4.18+) kernel.
	66	should try to make this work with a recent (2.4.18+) kernel. This hint
	67	recommends and assumes that you use a reasonably vanilla 2.4.21 kernel.
64	68
65		If you plan to use ACLs with ext2/3, you need the appropriate patches from
66		http://acl.bestbits.at/. Last time I checked, the following patches were
67		current:
	69	If you plan to use ACLs with ext2/3, you need the following patch:
68	70
69		http://acl.bestbits.at/current/diff/linux-2.4.18ea-0.8.26.diff.gz
70		http://acl.bestbits.at/current/diff/linux-2.4.18acl-0.8.27.diff.gz
71
72		If you plan to use ACLs with SGI XFS, you need some version of the Big XFS
73		Kernel Patch(tm). I'm using the one from XFS release 1.1:
74
75		ftp://oss.sgi.com/projects/xfs/download/Release-1.1/kernel-patches/ \
76		xfs-1.1-2.4.18-all.patch.bz2
77		# the URL is quite long, yes.
78
79		You will also need userland libraries. Thanks to the recent ACL/EA syscall
80		reservations, both XFS and ext2/3 ACLs are served by the same set of
81		libraries:
82
83		ftp://oss.sgi.com/projects/xfs/download/cmd_tars/attr-2.2.0.src.tar.gz
84		ftp://oss.sgi.com/projects/xfs/download/cmd_tars/acl-2.2.4.src.tar.gz
85
86		You should also compile a version of fileutils that works with ACLs, so that
87		you don't lose ACL information with day-to-day file manipulation. You need
88		the following packages for this:
89
90		ftp://alpha.gnu.org/pub/gnu/fileutils/fileutils-4.1.8.tar.gz
91		http://acl.bestbits.at/current/diff/fileutils-4.1.8acl-0.8.25.xdelta
92		ftp://skarpsey.dyndns.org/fileutils-4.1.8acl-cpfix.patch.bz2
93
94		The xdelta file is the preferred method of patching ACL support into fileutils;
95		the bzipped patch is a Kelledin(tm) special that fixes an ACL preservation bug.
96		For the sake of convenience (especially for those who don't have XDelta), I've
97		provided all the above fileutils stuff, rolled up into one nice little package:
98
99		ftp://skarpsey.dyndns.org/fileutils-4.1.8acl-kelledin.tar.bz2
	71	http://acl.bestbits.at/current/diff/ea+acl+nfsacl-2.4.21-0.8.60.diff.gz
100	72
101	73
	74	If you plan to use ACLs with SGI XFS, you need the patches from:
102	75
103		COMPILE:
	76	ftp://oss.sgi.com/projects/xfs/Release-1.3.1/kernel_patches/ \
	77	linux-2.4.21-core-xfs-1.3.1.patch.gz
	78	ftp://oss.sgi.com/projects/xfs/Release-1.3.1/kernel_patches/ \
	79	linux-xfs-1.3.1.patch.gz
	80
	81	It should be noted that as of Dec 8 2003, SGI XFS is integrated with the
	82	vanilla Linux kernel. 2.4.24 should come with XFS support when it is released,
	83	so the above XFS patches will likely be unnecessary.
	84
	85	You will also need userland libraries and utilities. Thanks to the recent
	86	ACL/EA syscall reservations, both XFS and ext2/3 ACLs are served by the same
	87	packages. However, the packages hosted at http://acl.bestbits.at are very
	88	outdated. It is recommended that you retrieve the packages from the SGI
	89	FTP server:
	90
	91	ftp://oss.sgi.com/projects/xfs/cmd_tars/attr-2.4.12.src.tar.gz
	92	ftp://oss.sgi.com/projects/xfs/cmd_tars/acl-2.2.21.src.tar.gz
	93
	94
	95	You should also compile a version of coreutils that works with ACLs, so that
	96	you don't lose ACL information with day-to-day file manipulation. In addition
	97	to the coreutils source package, you need the coreutils patchset for this:
	98
	99	http://acl.bestbits.at/current/diff/coreutils-5.0-0.tar.gz
	100
	101
	102	4. Compile
104	103	------------------------------------------------------------------------------
105	104	Now the fun really begins.
…	…
107	106	First, apply the necessary patches and compile a kernel with ACL support
108	107	(CONFIG_FS_POSIX_ACL=y). This can be found under "Filesystems" when
109		using "make menuconfig." Once you've got the kernel compiled and installed,
110		it may be necessary to copy your new kernel headers to /usr/include/{linux,asm}
111		all over again (I hear FHS zealots wailing already). Because of the known
112		dangers of mismatching kernel headers and glibc headers, it's best to do the
113		header copy at the beginning of Chapter 6 in the LFS book, BEFORE you compile
114		glibc. Just substitute your ACL-patched kernel for the stock LFS kernel, and
115		you should be fine.
	108	using "make menuconfig." For XFS, you may also need to enable certain
	109	suboptions of XFS support, found in the same menu screen.
116	110
117		For the next bit, compile the attr-2.2.0 libraries:
	111	Once you've got the kernel compiled and installed, it may be necessary to copy
	112	your new kernel headers to /usr/include/{linux,asm,asm-generic} all over again
	113	(I hear FHS zealots wailing already).
	114
	115	For the next bit, compile the attr-2.4.12 libraries:
118	116
119	117	# set CFLAGS...
120	118	./configure --prefix=/usr --enable-shared --enable-static &&
121		make OPTIMIZER="$CFLAGS" DEBUG="-DNDEBUG" &&
122		make install install-lib install-dev
	119	make OPTIMIZER="" DEBUG="-DNDEBUG" &&
	120	make install install-lib install-dev &&
	121	mv /usr/libexec/libattr.*a /lib &&
	122	rm -f /usr/libexec/libattr.* /lib/libattr.so &&
	123	ln -s ../../lib/libattr.so.1.1.0 /usr/lib/libattr.so
123	124
124		Now compile the acl-2.2.4 libraries:
	125
	126	Now compile the acl-2.2.21 libraries:
125	127
126	128	# set CFLAGS...
127	129	./configure --prefix=/usr --enable-shared --enable-static &&
128		make OPTIMIZER="$CFLAGS" DEBUG="-DNDEBUG" &&
129		make install install-lib install-dev
	130	make OPTIMIZER="" DEBUG="-DNDEBUG" &&
	131	make install install-lib install-dev &&
	132	mv /usr/libexec/libacl.*a /lib &&
	133	rm -f /usr/libexec/libacl.*a /lib/libacl.so &&
	134	ln -s ../../lib/libacl.so.1.1.0 /usr/lib/libacl.so
	135
130	136
131	137	At this point, you should immediately be able to examine ACL's on an XFS
132		filesystem using getfacl and setfacl. ext3 may take further setup; I have no
133		experience with it, so I can't say.
	138	filesystem using getfacl and setfacl.
134	139
135		Now compile fileutils-4.1.8. I'm assuming you either knew how to do all the
136		necessary patching, or you just got my pre-patched tarball:
	140	In order to enable ACLs on ext2/ext3, you will need to configure certain mount
	141	options. The "user_xattr" option enables user-accessible extended attributes;
	142	the "acl" option enables ACL support. You can either specify these options at
	143	every mount (possibly via /etc/fstab) or make these options enabled-by-default
	144	on a specific ext2/ext3 filesystem via tune2fs:
	145
	146	tune2fs -o user_xattr /dev/<fs-device>
	147	tune2fs -o acl /dev/<fs-device>
	148
	149	Now you need to patch coreutils. This is a bit complicated, as the coreutils
	150	patchset from acl.bestbits.at is a disorganized mess. I will assume you have
	151	untarred the patchset in /usr/src:
137	152
138	153	# set CFLAGS...
139		./configure --prefix=/usr --bindir=/bin &&
140		make &&
141		make install &&
142		ln -sf ../../bin/install /usr/bin
	154	patch -p1 < /usr/src/coreutils-5.0-0/coreutils-acl.diff &&
	155	patch -p1 < /usr/src/coreutils-5.0-0/coreutils-acl+posix.diff &&
	156	patch -p1 < /usr/src/coreutils-5.0-0/coreutils-xattr.diff &&
	157	patch -p1 < /usr/src/coreutils-5.0-0/coreutils-i18n.patch &&
	158	patch < /usr/src/coreutils-5.0-0/coreutils-5.0.dif &&
	159	patch < /usr/src/coreutils-5.0-0/coreutils-tests.patch
143	160
144		~~Now you should have an ACL-enabled LFS build. Congratulations. ;)~~
145	161
	162	Now you should compile coreutils according to the instructions in your favorite
	163	version of the LFS book.
	164
	165	At some point, you may wish to compile samba with ACL support. This is a
	166	simple matter of passing the "--with-acl-support" flag to samba's configure
	167	script.
	168
	169
	170	5. Aftermath
	171	------------------------------------------------------------------------------
	172	You should now be able to view and modify ACLs on an ACL-ready filesystem, by
	173	way of the setfacl and getfacl utilities from the acl package. coreutils will
	174	not view or modify ACLs directly but will preserve them when moving, copying,
	175	or creating files.
	176
	177	A properly compiled samba should be able to support ACLs over the network.
	178	While samba servers aren't in the habit of providing even complete UNIX-style
	179	permissions to UNIX/Linux clients, an ACL-enabled samba server is better
	180	equipped to support Windows clients.
	181
	182	------------------------------------------------------------------------------
	183
	184	CHANGELOG:
	185	[2003-12-08]
	186	* Updated with ext2/ext3 instructions (thanks to Daniel Thaler).
	187	* Updated to support new SysV-free XFS 1.3.1 release.
	188	* Updated to include newer versions of acl and attr.
	189
	190	[2003-09-06]
	191	* Updated to support coreutils, linux-2.4.21, and recent new XFS 1.3 release.
	192	* Rewrote to accommodate new hints format.

Navigation

Changeset 1046

Legend:

trunk/OLD/acl.txt

Download in other formats: