ACL viewer in PHP
This month I will post some try-outs for a project for work: a web UI written in PHP to view, and eventually edit, the Access Control List of a file/directory.
I’ll be posting the code I use in this post.
03 – 02 2010
Hardware/software
I’ll be using a standard server (3Ghz, 1Gb RAM) with Ubuntu 8.04.3.
Partitioned as follows:
- /boot => /dev/sda1 (ext2, 255 Mb)
- swap => /dev/sda2 (swap, 1 Gb)
- lvm:acl-test => /dev/sda3 (lvm, 230 Gb)
  - acl-test-root => lvm:acl-test (ext3, 10 Gb)
  - acl-test-www => lvm:acl-test (ext3, 100 Gb) [you never know ..]
  - acl-test-home => lvm:acl-test (ext3, 120 Gb) [shared in samba]
with the following software installed (shown as apt-get install commands):
    apt-get install php-cli php-myadmin # needed packages such as apache2, mysql server, etc. will be installed
    apt-get install acl # The Access Control List
    apt-get install samba
Activating the acl on the partitions
Add acl to the config of each partition in /etc/fstab (under <options>)
and execute the following as root:
    mount -o remount,acl /dev/mapper/acl-test-root
    mount -o remount,acl /dev/mapper/acl-test-www
    mount -o remount,acl /dev/mapper/acl-test-home
Et voilà! You are ready to use some acl! (hell yeah!)
Test it out by executing the following (I did this as root):
    getfacl ~
Output should be something like this:
    # file: root
    # owner: root
    # group: root
    user::rwx
    group::r-x
    other::r-x
Tomorrow we’ll be writing some PHP and letting PHP set the acl of a file/directory.
04 – 02 2010
PHP has to be allowed to edit the acl of a file or directory, so we have to give the user (in my case www-data) the ability to use the following commands:
- setfacl
- getfacl
We can set this by using sudo like this:
    root@acl-test ~# visudo
and insert the following line at the end of the file:
    www-data ALL=NOPASSWD: /usr/bin/getfacl, /usr/bin/setfacl
The layout
To keep it simple, I’ll write something that generates output like this:
a simple table that lists the users’ rights on the main directories.
10 – 02 2010
OK, it’s been a while since I posted here, but I’m back! The good news is: phacl is finished!
I’ll walk you through the steps I took to make phacl alive and kickin’.
getfacl.inc.php
This file contains the function that parses the getfacl output into a PHP array.
We need to parse the following output:
    # file: gebruiker01
    # owner: gebruiker01
    # group: gebruiker01
    user::rwx
    user:root:rwx
    user:gebruiker01:rwx
    user:gebruiker02:---
    user:gebruiker03:---
    user:gebruiker04:--x
    group::r-x
    mask::rwx
    other::r-x
to something like this:
    $getfacl = Array
    (
        [owner] => gebruiker01
        [group] => gebruiker01
        [users] => Array
            (
                [_all] => Array
                    (
                        [name] => _all
                        [r] => 1
                        [w] => 1
                        [x] => 1
                    )
                [root] => Array
                    (
                        [name] => root
                        [r] => 1
                        [w] => 1
                        [x] => 1
                    )
                [gebruiker01] => Array
                    (
                        [name] => gebruiker01
                        [r] => 1
                        [w] => 1
                        [x] => 1
                    )
                [gebruiker02] => Array
                    (
                        [name] => gebruiker02
                        [r] =>
                        [w] =>
                        [x] =>
                    )
                [gebruiker03] => Array
                    (
                        [name] => gebruiker03
                        [r] =>
                        [w] =>
                        [x] =>
                    )
                [gebruiker04] => Array
                    (
                        [name] => gebruiker04
                        [r] =>
                        [w] =>
                        [x] => 1
                    )
            )
        [groups] => Array
            (
                [_all] => Array
                    (
                        [name] => _all
                        [r] => 1
                        [w] =>
                        [x] => 1
                    )
            )
    )
OK, let’s start.
    <?php
    function getfacl($f){
        // initial parsing; escapeshellarg() and "--" keep $f from being read as shell syntax or as an option
        $facl = shell_exec("getfacl -- " . escapeshellarg($f));
        $facl_ = explode("\n", $facl);
        //print_r($facl_);
        foreach ($facl_ as $line){
        }
    }
    ?>
What I’m doing here is simply splitting the getfacl output into lines and setting up a “foreach” over them.
Next: getting the creator
    <?php
    function getfacl($f){
        // initial parsing; escapeshellarg() and "--" keep $f from being read as shell syntax or as an option
        $facl = shell_exec("getfacl -- " . escapeshellarg($f));
        $facl_ = explode("\n", $facl);
        //print_r($facl_);
        $facl_output = array();
        foreach ($facl_ as $line){
            // Getting creator
            if (!preg_match("/^# file.*/", $line) && preg_match("/^#.*/", $line)){
                $facl_rule = explode(": ", $line);
                //print_r($facl_rule);
                if ($facl_rule[0] == "# owner"){
                    $facl_output['owner'] = $facl_rule[1];
                } else if ($facl_rule[0] == "# group"){ // comparison (==), not assignment
                    $facl_output['group'] = $facl_rule[1];
                }
            }
        } // end foreach
        return $facl_output;
    }
    ?>
Here we check with preg_match whether a line begins with a “#” and is not the line that starts with “# file:”, because we don’t need that one.
Quick tip: Want to learn regex fast? Try installing txt2regex (sudo apt-get install txt2regex). Run it in a terminal with ‘txt2regex’ and follow the steps.
Next, we are going to fill up the array $facl_output with the rest of the info.
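The step the post stops at, filling the array with the user and group entries, could look like the following. This is an added example, not the author's phacl code: the function names read_facl, parse_perms and parse_facl are hypothetical, and the sample input is the getfacl output quoted earlier on this page.

```php
<?php
// Added example, not the author's phacl code. All function names are hypothetical.

// Run getfacl on one path. escapeshellarg() stops shell metacharacters in
// $path from being interpreted; "--" stops a leading "-" being read as an option.
function read_facl($path) {
    return shell_exec('getfacl -- ' . escapeshellarg($path) . ' 2>/dev/null');
}

// Turn "r-x" into array('r' => true, 'w' => false, 'x' => true).
function parse_perms($perms) {
    return array(
        'r' => $perms[0] === 'r',
        'w' => $perms[1] === 'w',
        'x' => $perms[2] === 'x',
    );
}

// Parse getfacl text into the owner/group/users/groups layout shown above.
function parse_facl($text) {
    $out = array('owner' => null, 'group' => null, 'users' => array(), 'groups' => array());
    foreach (explode("\n", (string) $text) as $line) {
        $line = trim($line);
        if (preg_match('/^# (owner|group): (.+)$/', $line, $m)) {
            $out[$m[1]] = $m[2];
        } elseif (preg_match('/^(user|group):([^:]*):([r-][w-][x-])/', $line, $m)) {
            // An empty name is the owning user/group entry, stored as "_all".
            $name = ($m[2] === '') ? '_all' : $m[2];
            $out[$m[1] . 's'][$name] = array('name' => $name) + parse_perms($m[3]);
        }
        // "# file:", mask::, other::, default: entries and blank lines are skipped.
    }
    return $out;
}

// Constructed sample: the getfacl output quoted earlier on this page.
// On a host with acl installed, use parse_facl(read_facl($dir)) instead.
$sample = "# file: gebruiker01\n# owner: gebruiker01\n# group: gebruiker01\n"
        . "user::rwx\nuser:root:rwx\nuser:gebruiker01:rwx\nuser:gebruiker02:---\n"
        . "user:gebruiker03:---\nuser:gebruiker04:--x\ngroup::r-x\nmask::rwx\nother::r-x\n";

print_r(parse_facl($sample));
```

With the sudoers line above, www-data can run setfacl as root on any path, so the path handed to these commands should come from a fixed list of directories rather than from request input.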
Will be posting more of this if I get the time to do it..