User:Kubapet/Richacls

Richacls are an implementation of NFSv4 ACLs that has been extended with file masks so that it fits the standard POSIX file permission model more easily. They currently offer the most expressive permission model for the ext4 file system on Linux. They are more expressive than POSIX ACLs, which means it is not possible to convert from Richacls back to POSIX ACLs without losing information. One of their most important advantages is that they distinguish between write and append permission, and between delete and delete-child permission. They are also designed to support Windows interoperability.

Richacls use ext4 extended attributes (xattrs) to store ACLs. Entries in an ACL are called ACEs (Access Control List Entries).

Support in the Linux Kernel
Recent versions of the official Linux kernel (vanilla sources) still do not include Richacl support. To get Richacls working it is therefore necessary to do one of the following:
 * Apply an additional kernel patch and compile your own kernel. The patch is available at the project homepage.
 * Use a Linux distribution that already includes this patch, for example openSUSE 11.3 and above.

To verify whether your system supports Richacls, in most cases you can simply type the following command into the system console:

The output should look like this:

Enabling Richacls
Once Richacl support is running on your system, you can enable Richacls on a particular file system. The following example shows how to enable Richacls on the root file system.

The result can be verified as follows, and the output should show Richacls enabled:

Richacls can also be enabled permanently by adding the richacl parameter to the corresponding mount entry in /etc/fstab.

Richacl manipulation tools
Richacl entries are manipulated with a utility called richacl, which is also available at the project homepage. This tool can perform several basic operations on a specific file or directory, such as:
 * show the ACL
 * set the ACL
 * modify individual ACEs
 * remove the ACL
 * show the current permissions of a given user or group

Format of Richacl ACEs
Each ACL entry (ACE) has the format  : : : .

The value of   can be one of the following:
 * a particular user ID or group ID
 * owner@
 * group@
 * everyone@

Values with the @ symbol are used to define permissions for the owner, the owning group and everyone else.

To define the value of  , there are 16 permission bits (according to the NFSv4 and NFSv4.1 specifications), five of which are not implemented. The meaning of each bit is described in the following table.

The value of   can consist of the following:

The value of   is either ALLOW or DENY. The NFSv4 specification also defines the AUDIT and ALARM ACE types; Richacls accept and store these but do not implement them.

A DENY ACE has higher priority.

Sample usage
The example above defines a permission policy in which each user in the group powerusers can read, write and append files in /srv/files/exchange/ and its subdirectories.

Moreover, users in the powerusers group can delete their own files and directories (including their contents).

In addition, users in the group storageadmins can manipulate the data arbitrarily. They can also modify ACLs.

Other users have no access to the directory at all.

This permission model cannot be realized with POSIX ACLs, even with the sticky bit, because of the inheritance it requires.
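To make the ACE format and the ALLOW/DENY ordering concrete, here is a small parser and access evaluator for richacl-style text entries, written as an added example (it is not part of this page, the richacl tool or the kernel patch). It assumes the richacl(7) text form who:mask:flags:type, the mask letters r/w/p/x/d/D/a/A/c/C/o, the flags f/d/n/i/g, and NFSv4-style in-order evaluation where the first ACE that mentions a bit for a matching principal decides it; the group names and user names are constructed.

```python
# Added example: parse richacl-style text ACEs and compute the effective mask.
# Assumed format (richacl(7)-style): who:mask:flags:type, e.g. "powerusers:rwpx:fdg:allow".
# The letter tables and the evaluation rule below are assumptions, not taken from the page.
MASK_BITS = {
    "r": "read_data", "w": "write_data", "p": "append_data", "x": "execute",
    "d": "delete", "D": "delete_child", "a": "read_attributes",
    "A": "write_attributes", "c": "read_acl", "C": "write_acl", "o": "write_owner",
}
FLAG_BITS = {"f": "file_inherit", "d": "dir_inherit", "n": "no_propagate",
             "i": "inherit_only", "g": "identifier_group"}

def parse_ace(text):
    """Split one 'who:mask:flags:type' entry into a dict; reject unknown letters."""
    parts = text.strip().split(":")
    if len(parts) != 4:
        raise ValueError(f"ACE needs 4 colon-separated fields: {text!r}")
    who, mask, flags, ace_type = parts
    if (set(mask) - MASK_BITS.keys()) or (set(flags) - FLAG_BITS.keys()):
        raise ValueError(f"unknown mask or flag letter in {text!r}")
    if ace_type not in ("allow", "deny"):
        raise ValueError(f"type must be allow or deny: {text!r}")
    return {"who": who, "mask": set(mask), "flags": set(flags), "type": ace_type}

def parse_acl(text):
    """An ACL is a comma-separated list of ACEs, evaluated in the order given."""
    return [parse_ace(e) for e in text.split(",") if e.strip()]

def ace_matches(ace, user, groups, owner, owning_group):
    """Does this ACE apply to the given principal? The 'g' flag marks a group who."""
    who = ace["who"]
    if who == "everyone@":
        return True
    if who == "owner@":
        return user == owner
    if who == "group@":
        return owning_group in groups
    return who in groups if "g" in ace["flags"] else who == user

def effective_mask(acl, user, groups, owner, owning_group):
    """Walk ACEs in order; each bit is settled by the first matching ACE that
    names it, so an earlier DENY beats a later ALLOW. Returns sorted letters."""
    allowed, denied = set(), set()
    for ace in acl:
        if "i" in ace["flags"]:  # inherit-only entries grant nothing on this object
            continue
        if ace_matches(ace, user, groups, owner, owning_group):
            undecided = ace["mask"] - allowed - denied
            (allowed if ace["type"] == "allow" else denied).update(undecided)
    return "".join(sorted(allowed))

# Constructed ACL in the spirit of the policy described above (names are made up).
SAMPLE_ACL = ("alice:w::deny,powerusers:rwpxd:fdg:allow,"
              "storageadmins:rwpxdDaAcCo:fdg:allow,owner@:d:fdi:allow")
```

Anyone not matched by an ALLOW entry ends up with an empty mask, which is how "other users have no access" is expressed without an explicit everyone@ DENY.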