Kansas State University


Using Access Control Lists for Web Publishing

Access Control Lists (ACLs) are a Unix file-system feature that controls which user IDs and groups can read, write and execute a file, over and above the standard owner/group/other permission bits. Most directories used for web publishing on the www.ksu.edu server are controlled with ACLs.

How do ACLs affect web publishing?

Just as with other schemes of managing permissions, you must flag files as being readable by the web server before they are accessible on the web. In the past, most people used the Unix chmod command to make the change. Although some forms of the chmod command work fine with ACLs, it is simpler to use the setfacl command:

setfacl -m mask:rwx filename

where filename is the name of the file. Wildcards can be used, so most people use "*" as the filename to change all their files (and subdirectories, which also need to be accessible so that the web server can reach the files inside them). Note that "*" does not match names beginning with a dot:

setfacl -m mask:rwx *

Note that you can only use the setfacl command on files you own, i.e., normally the files that were created by you. Also note that the mask entry is a ceiling, not a grant: it limits what the named users and groups (and the owning group) in the ACL can do, so mask:rwx by itself gives no one access. The entries that actually let the web server read your files are maintained by the webmaster (see below); if a file does not show up on the web after running setfacl, check the effective permissions with getfacl before asking for help.

Those used to other access control schemes, such as simple file ownership (as used on the www-personal.ksu.edu server) or Unix groups (previously used for the www.ksu.edu server), should notice few differences.

How can I tell who has access to my web directory?

Move into the directory (using the cd command) and run the command

getfacl .
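The mask entry described above is easiest to understand by computing the effective permissions yourself. The following is an added example, not a tool from this page or from K-State: it parses a getfacl listing and applies the mask the way the system does (to named users, named groups and the owning group, but not to the owner or to "other"). The listing is a constructed sample, and the user and group names in it (jdoe, staff, wwwd, asmith, webauth) are hypothetical; the code accepts both the Solaris form of the mask/other lines ("mask:rw-") and the Linux form ("mask::rw-").

```python
"""Compute effective access from a getfacl(1) listing.

Added example for the K-State ACL page; the listing below is a constructed
sample and every name in it is hypothetical.
"""

# Constructed sample of what `getfacl .` might print for a web directory.
# The #effective annotations are what Solaris getfacl prints; they are
# ignored by the parser and recomputed from the mask instead.
SAMPLE_GETFACL = """\
# file: .
# owner: jdoe
# group: staff
user::rwx
user:wwwd:r-x           #effective:r--
user:asmith:rwx         #effective:rw-
group::r-x              #effective:r--
group:webauth:rwx       #effective:rw-
mask:rw-
other:---
"""


def parse_perm(text):
    """'r-x' -> {'r', 'x'}; '---' -> set()."""
    return {c for c in text if c in "rwx"}


def parse_getfacl(listing):
    """Return (tag, qualifier, perms) tuples, skipping comments and the
    trailing #effective annotations."""
    entries = []
    for line in listing.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) == 2:          # Solaris style: mask:rw- / other:---
            tag, qual, perm = parts[0], "", parts[1]
        else:                        # user:NAME:rwx or Linux mask::rw-
            tag, qual, perm = parts[0], parts[1], parts[2]
        entries.append((tag, qual, parse_perm(perm)))
    return entries


def effective_permissions(listing):
    """Map each principal to the permissions it actually gets after the
    mask is applied. Keys: 'owner', 'owning-group', 'other', 'user:NAME',
    'group:NAME'."""
    entries = parse_getfacl(listing)
    mask = None
    for tag, _, perm in entries:
        if tag == "mask":
            mask = perm

    def masked(perm):
        # With no mask entry there is nothing to cap the permissions.
        return perm & mask if mask is not None else perm

    result = {}
    for tag, qual, perm in entries:
        if tag == "mask":
            continue
        if tag == "user" and qual == "":
            result["owner"] = perm            # mask never applies to owner
        elif tag == "group" and qual == "":
            result["owning-group"] = masked(perm)
        elif tag == "other":
            result["other"] = perm            # mask never applies to other
        else:
            result[f"{tag}:{qual}"] = masked(perm)
    return result


def can_read(listing, principal):
    """True if the principal's effective permissions include read."""
    return "r" in effective_permissions(listing).get(principal, set())


if __name__ == "__main__":
    for who, perms in effective_permissions(SAMPLE_GETFACL).items():
        print(f"{who:16} {''.join(c if c in perms else '-' for c in 'rwx')}")
```

In the sample the hypothetical web server user wwwd has an r-x entry but a mask of rw-, so it ends up with read only; raising the mask to rwx, which is what `setfacl -m mask:rwx` does, makes the entry fully effective. Entries that the mask does not cover (owner and other) are unchanged either way.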

How can I change the people that have access to the directory?

Using ACLs is a step towards people being able to control read/write access to their web directories.  However, we have not yet built the web infrastructure to allow people to make changes in a secure, authenticated, and authorized manner.  In the meantime, if you need changes, have your web coordinator mail them to webmaster@k-state.edu.  We can generally make changes within a few days.

Why not use setfacl directly?

In theory, using the Unix setfacl directly would allow people to control access.  In practice, setfacl has three limitations that hamper its use.

  1. You can only change the ACL on files that you own, i.e., normally the files you created.  Even if you have read/write access to a file due to its ACL, so you can modify the contents of the file, you cannot modify the file's ACL.
    This means that if three people are cooperating to create web pages, when a fourth person needs to be added, all three people must alter the ACL for their own files.
  2. The setfacl command doesn't have an option to recursively apply to subdirectories.  This means that people with files in separate directories will have to run the setfacl command in each directory.
  3. The setfacl command has an intimidating syntax.  To see the manual page, enter man setfacl from a Unix prompt.
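The second limitation, no recursive option, is the one people most often trip over, and the first one means a recursive run over a shared site will partly fail on files owned by collaborators. The following added example (not a tool from this page or from K-State) walks a directory tree, builds the same `setfacl -m mask:rwx` command the page recommends for every directory and file, and, when actually run, records the files it could not change instead of stopping at the first one. The directory layout it builds is constructed for the demonstration; it assumes a setfacl command that accepts the Solaris-style `mask:rwx` entry shown on this page.

```python
"""Apply one setfacl change to every file and directory under a root.

Added example for the K-State ACL page. setfacl on this system has no
recursive option, so the tree is walked here; the sample tree is
constructed by build_sample_tree() purely for the demonstration.
"""
import os
import subprocess
import tempfile


def acl_commands(root, entry="mask:rwx", include_dirs=True):
    """Return the argv list for every setfacl call needed under root, in a
    deterministic top-down order (each directory before its contents).
    Directories are included because the web server needs search (x)
    access on them to reach the files inside."""
    commands = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                    # deterministic traversal order
        targets = sorted(filenames)
        if include_dirs:
            targets = [""] + targets       # "" stands for dirpath itself
        for name in targets:
            path = os.path.join(dirpath, name) if name else dirpath
            commands.append(["setfacl", "-m", entry, path])
    return commands


def apply_acl_recursive(root, entry="mask:rwx", dry_run=True):
    """Run (or, with dry_run, only list) the setfacl commands.

    Returns (commands, failures). A collaborator's file cannot have its ACL
    changed by you (limitation 1 on the page), so a failure is recorded
    with setfacl's message and the walk continues rather than aborting."""
    commands = acl_commands(root, entry)
    failures = []
    if dry_run:
        return commands, failures
    for cmd in commands:
        result = subprocess.run(cmd, capture_output=True, text=True)
        if result.returncode != 0:
            failures.append((cmd[-1], result.stderr.strip()))
    return commands, failures


def build_sample_tree():
    """Constructed layout for the demonstration:
    <root>/index.html, <root>/docs/a.html, <root>/docs/b.html."""
    root = tempfile.mkdtemp(prefix="public_html_")
    os.makedirs(os.path.join(root, "docs"))
    for rel in ("index.html", "docs/a.html", "docs/b.html"):
        with open(os.path.join(root, rel), "w") as f:
            f.write("<p>sample</p>\n")
    return root


if __name__ == "__main__":
    site = build_sample_tree()
    planned, _ = apply_acl_recursive(site, dry_run=True)
    for cmd in planned:
        print(" ".join(cmd))
```

Run it with `dry_run=True` first and read the list; only then run it with `dry_run=False`, and send the paths in the returned failures list to the owners of those files, since only they can change those ACLs. Where find(1) is available, `find public_html -exec setfacl -m mask:rwx {} \;` does the same walk in one line, but it stops telling you nothing about which files it could not change unless you read the error output carefully.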

To help work around these limitations, we recommend that you leave the details of the ACLs to us.  We can make the changes needed when people are to be added or deleted.  Also, periodically we reset the ACLs on all the files.  This helps recover from the situation where one authorized author forgets to allow read/write access by others cooperating on the same web site.

If you would prefer to use the setfacl command directly, let us know so that we don't accidentally reset your ACLs with the last version we knew about.