Backup and restore POSIX ACLs on Linux file systems
The inspect part of ACLbit focuses on providing clear and concise output of the effective access rights of a particular user. Its main purpose is to make life easier for sysadmins who need to find out a user's current access rights when ACLs are in use, especially on systems with tens or hundreds of thousands of inodes.
The tool is very fast in both the backup and inspect phases. Backup is about 30% faster than a simple "getfacl /mnt/test >file". We found no tool that provides the inspect phase to compare against. The times differ for users with a lot of ACLs and for users with a few.
ACLbit is a tool to back up ACLs only. It is not an archiver, so it does not back up the files themselves.
POSIX ACLs are a powerful feature of most modern file systems. They extend the limited owner-group-others access rights system with more fine-grained access control. With ACLs we can set different access rights on a single file/directory for users Joe and Tom, which is not possible in the traditional owner-group-others model. Use the links below or Google to find out more about Linux (or POSIX) ACLs.
One of the reasons to use ACLs in an enterprise environment can be Samba. With Samba it is possible to create a Windows domain and/or Windows shares on a Linux box for free. Since Windows administrators are used to setting complicated access rights, they want the same functionality when using Samba. Therefore Samba maps Windows ACLs to Linux ACLs.
This is the scenario where our story starts. However, the solution we developed is a general Linux ACL solution, not limited to use with Samba.
A responsible system administrator who works with ACLs needs to handle two important tasks concerning ACLs: backup and inspect.
The backup task can be solved nowadays either with an ACL-compliant archiver or by backing up files and ACLs separately. The best-known ACL-compliant archiver seems to be star, which has outstanding features and is the tool of choice if you want to go this way. On the other hand, if you want to back up ACLs separately, you will probably choose the standard getfacl and setfacl programs. The former can be used for the backup part, as it simply writes ACLs to standard output, while the latter can be used for the restore part, as it takes the output of getfacl to set ACLs in the file system.
So whichever approach you choose, there are mature tools to solve the backup task.
The inspect task is far more complicated and I was not able to find a simple and fast tool that could be of any help. So what is the problem? A system administrator who takes his job seriously needs answers to two basic questions.
- Who has access rights to a file/directory?
- What access rights are set to Joe?
The first question can be easily answered using getfacl, as for a single file/directory it outputs understandable text.
However, getfacl output is of no use to anyone asking the second question on a file system with more than 20 files. The problem is that getfacl is a simple tool that only lists ACLs for the inspected files or directories. It does not compute the effective rights of a user, nor does it recognize that a parent directory has the same access rights as its files/subdirectories.
And here comes the mighty ACLbit. Once a file system or a part of it is backed up, ACLbit can use the backup database to provide the system administrator with a clear and concise answer to the second question.
The system administrator asks the second question.
aclbit -U joe
And gets an immediate answer.
Notice that the user rights displayed are the correctly computed effective access rights of user Joe. This means:
- if Joe is the owner, it is the owner rights,
- otherwise if Joe is a named user, it is the respective right, with mask applied,
- otherwise if Joe is a member of the owning group or of one of the named groups, it is the logical OR of all the groups Joe is a member of, with mask applied,
- otherwise, it is the access rights of other.
Further notice that there are no access rights printed for directory /usr/local/joes/something. This is due to an important feature of ACLbit: it does not output access rights on a file/directory if they are the same as the access rights on its parent.
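The four rules above and the parent suppression can be sketched as follows. This is an added example, not ACLbit's own code: it reads getfacl-style text instead of ACLbit's backup database (whose format is not described here), and SAMPLE, the users, the groups and the function names parse, effective and report are all assumptions made for illustration.

```python
# Added example, not ACLbit code. SAMPLE is constructed getfacl-style output.
SAMPLE = """\
# file: srv/share
# owner: root
# group: staff
user::rwx
user:joe:rwx
group::r--
group:audit:-wx
mask::r-x
other::---

# file: srv/share/report.txt
# owner: tom
# group: staff
user::rw-
user:joe:r-x
group::r--
mask::r-x
other::---
"""

def parse(text):
    """Map path -> (owner, owning group, [(tag, qualifier, perms)])."""
    db = {}
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        head = dict(l[2:].split(": ", 1) for l in lines if l.startswith("# "))
        acl = [l.split("#")[0].strip().split(":") for l in lines if l[:1] != "#"]
        db[head["file"]] = (head["owner"], head["group"],
                            [(t, w, set(p) - {"-"}) for t, w, p in acl])
    return db

def effective(entry, user, groups):
    owner, ogroup, acl = entry
    get = lambda tag, who="": [p for t, w, p in acl if (t, w) == (tag, who)]
    mask = (get("mask") or [set("rwx")])[0]  # no mask entry: nothing is masked
    if user == owner:                        # 1. owner: user:: entry, unmasked
        return get("user")[0]
    if get("user", user):                    # 2. named user, mask applied
        return get("user", user)[0] & mask
    hits = [p for t, w, p in acl if t == "group" and (w or ogroup) in groups]
    return set().union(*hits) & mask if hits else get("other")[0]  # 3. groups, 4. other

def report(db, user, groups):
    """Effective rights per path; paths matching their parent are omitted."""
    eff = {p: effective(e, user, groups) for p, e in db.items()}
    return {p: "".join(c if c in r else "-" for c in "rwx")
            for p, r in eff.items() if eff.get(p.rpartition("/")[0]) != r}
```

For joe only srv/share is reported, because report.txt resolves to the same r-x; for tom, who owns report.txt, both paths appear.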
- Fast backup & recovery of ACLs
- Fast effective user rights search
- Fast group rights search
- Optimized for huge amounts of files/directories
- Clear and concise output
- Standards compliant
What's New in This Release:
- NEW: --version option.
- FIX: Fails when printing bad options error message.
- FIX: Does not handle paths with spaces correctly.
- FIX: Error when database file does not exist yet.