Rights management on Linux is enough for most use.
In a few words, a file or a directory belongs to the owner and what you can do is positionning some right to this owner, to his group or all other users (= guests).
This is not bad, but sometimes you (or your application) may need more advanced right management, as on the latest windows versions : putting several owners with different rights, inheritance, etc.
There are named ACL (Access List Management) and they are supported on Linux also.
This is not going to be an how-to but just a brief informative introduction to ACL on Linux. You will find many how-to on the web if you need more.
Fisrt, you will need a kernel that supports ACL. As far as I now, most of modern distributions include it in their 2.6.x kernel.
To ensure, type :
$ grep ACL /boot/config-kernel-version
If your kernel supports it, you will get many lines like :
CONFIG_FS_POSIX_ACL=y CONFIG_EXT3_FS_POSIX_ACL=y ...
If you don’t, you will have to recompile your kernel with the right module.
Let’s say that we are going to add ACL management to the /home partition (on /dev/sda3) :
$ mount -t ext3 -o defaults,acl /dev/sda3/ /home
Or, if /home were already mounted :
$ mount -o remount,acl /home
If you want to add it at startup, edit /etc/fstab in the following way :
/dev/sda3 /home ext3 defaults,acl 0 0
Now take your favorite packages manager and set up ACL tools, which allow us to assign ACL to files. Mine will be :
$ apt-get install acl
Now you can assign ACL using setfacl or consulting them using getfacl.
Use man to get some precise examples of syntax.
Be advised of the following :
– using cp with default does not preserve ACL. Use cp -a.
– using mv always keep ACL.
– in any case, if you copy/move files to a partition which is not mounted with ACL management (or with a file system that does not support it), ACL are lost.
– ls -l gives an output with a ‘+‘, that indicates that some ACL are presents. For more information, use getfacl.
– KDE supports ACL in its interface, but Gnome does not yet. Maybe there is a workaround, but I haven’t tried yet.