Setting up Access Control Lists (ACL) on Linux


How to configure Access Control Lists (ACLs) on Linux


In this article, we explain how to set up Access Control Lists (ACL) on Linux.

Why do we need ACL?


  1. Default (traditional) file permissions in Linux have some limitations.

  2. Default permissions can be set only for one owner, one group and other users, so different permissions cannot be configured for different users and groups. To address this, Access Control Lists (ACL) were implemented.

For example, let us assume that the owner of a file is "user1" and the group of the file is "dba". You are asked to give access to user2 as well, without changing the ownership.

We cannot grant the access through the "others" permission bits; that is not recommended for security reasons. The other option would be adding user2 to the dba group, but then every other member of the dba group would get the same permissions too.

To overcome this situation, we use Access Control Lists (ACL) on Linux.

What is a Linux Access Control List (ACL)?

ACLs can be used as an extension of the traditional file permission concept. They allow permissions to be granted to individual users or groups.

Access control lists are a feature of the Linux kernel and are currently supported by the ReiserFS, Ext2, Ext3, JFS, and XFS filesystems. Older Linux kernel versions required the ACL feature to be enabled when mounting the filesystem; nowadays this is not required.

Managing or accessing ACLs in Linux

With "getfacl" and "setfacl" on the command line, we can manage ACLs in Linux. The usage of these commands is demonstrated in the following examples.

Viewing or checking existing ACL permissions:

With "getfacl", we can view the existing ACL permissions of a file or directory. The syntax of the command is,
getfacl myfolder1

where myfolder1 is the directory name.

The above command will give you output like the following,
# file: myfolder1
# owner: user1
# group: dba
user::rwx
group::r-x
other::---

The first three output lines display the name, owner, and owning group of the directory. The next three lines contain the three base ACL entries: owner, owning group, and other. Here no additional ACL permissions are set.

Setting up the Access Control Lists (ACL)


To modify an ACL, use the "setfacl" command. To add permissions use "setfacl -m".

Add permissions for a user:
# setfacl -m "u:username:permissions" file
or
# setfacl -m "u:uid:permissions" file

Example:
setfacl -m u:user1:r-x mydata

Add permissions for a group:
# setfacl -m "g:groupname:permissions" file
or
# setfacl -m "g:gid:permissions" file

Example:
setfacl -m g:sales:r-- mydata

Remove all extended ACL permissions:

# setfacl -b myfolder

The above command will delete all extended ACL permissions and will keep only default file permissions.

Remove a single entry:
# setfacl -x "entry" file

Example:
setfacl -x u:user1 mydata

Let's take an example for a clearer understanding: modify the permissions with an ACL to assign read, write, and execute permissions to an additional user "user2" and an additional group "admin".

Add permissions to user "user2" and group "admin":
# setfacl -m "u:user2:rwx,g:admin:rwx" myfolder1

Check the permission:
getfacl myfolder1
# file: myfolder1
# owner: user1
# group: dba
user::rwx
user:user2:rwx
group::r-x
group:admin:rwx
mask::rwx
other::---

In addition to these entries, a mask entry has been generated. It was created when the entries for the user "user2" and the group "admin" were added. This mask entry is set automatically so that all permissions are effective. setfacl automatically adapts existing mask entries to the settings modified, unless you deactivate this feature with -n.

How to identify whether an ACL is set?

Use the "ls -l" command:
drwxrwx---+ ... user1 dba ... myfolder1

The first column of the output contains an additional "+" to indicate that there is an extended ACL for this item. If it is set, use the "getfacl" command to see more about it.

According to the output of the ls command, the group class permission bits (which now reflect the mask entry) include write access. Traditionally, such permission bits would mean that the owning group "dba" also has write access to the directory myfolder1.

But the actual permission for "dba" is still "r-x"; the write bit shown by ls comes from the mask entry, which also covers the additional group "admin".

As far as the effective permissions of the owning group in this example are concerned, nothing has changed even after the addition of the ACL entries.

Edit the mask entry with setfacl or chmod. For example, use chmod g-w myfolder1. ls -dl myfolder1 then shows:
drwxr-x---+ ... user1 dba ... myfolder1

getfacl myfolder1 provides the following output:
# file: myfolder1
# owner: user1
# group: dba
user::rwx
user:user2:rwx          # effective: r-x
group::r-x
group:admin:rwx       # effective: r-x
mask::r-x
other::---

After executing the chmod command to remove the write permission from the group class bits, the output of the ls command is sufficient to see that the mask bits must have changed accordingly: write permission is again limited to the owner of myfolder1.

The output of getfacl confirms this. It includes a comment for all those entries whose effective permission bits do not correspond to the original permissions, because they are filtered according to the mask entry. The original permissions can be restored at any time with chmod g+w myfolder1.
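The mask behaviour described above (the auto-generated mask after setfacl -m, and the "# effective:" comments after chmod g-w) can be reproduced offline. The following Python is an added example, not part of the original article: it parses getfacl-style text, applies the mask the way the kernel does, and renders the result in getfacl style. SAMPLE_ACL is a constructed copy of the myfolder1 listing, and new_mask simulates editing the mask entry.

```python
"""Model how the ACL mask filters named users, the owning group and named groups.
Owner (user::) and other:: entries are never filtered by the mask."""
from typing import List, Optional, Tuple

# Constructed sample matching the myfolder1 listing after setfacl -m
SAMPLE_ACL = """\
# file: myfolder1
# owner: user1
# group: dba
user::rwx
user:user2:rwx
group::r-x
group:admin:rwx
mask::rwx
other::---
"""

def parse_acl(text: str) -> List[Tuple[str, str, str]]:
    """Return (tag, qualifier, perms) per entry; '# file:' and '# effective:' notes are dropped."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            tag, qualifier, perms = line.split(":")
            entries.append((tag, qualifier, perms))
    return entries

def mask_perms(perms: str, mask: str) -> str:
    """AND two rwx strings: a bit survives only if it is set in both."""
    return "".join(p if p == m and p != "-" else "-" for p, m in zip(perms, mask))

def effective_acl(text: str, new_mask: Optional[str] = None) -> List[Tuple[str, str, str, str]]:
    """Return (tag, qualifier, perms, effective). new_mask replaces the mask entry,
    which is what chmod g-w / g+w does on a directory that carries an ACL mask."""
    entries = parse_acl(text)
    mask = next((p for t, _, p in entries if t == "mask"), None)
    if new_mask is not None and mask is not None:
        entries = [(t, q, new_mask if t == "mask" else p) for t, q, p in entries]
        mask = new_mask
    result = []
    for tag, qual, perms in entries:
        filtered = mask is not None and (tag == "group" or (tag == "user" and qual != ""))
        result.append((tag, qual, perms, mask_perms(perms, mask) if filtered else perms))
    return result

def render(text: str, new_mask: Optional[str] = None) -> str:
    """Rebuild the entry lines in getfacl style, adding '# effective:' where the mask reduced them."""
    lines = []
    for tag, qual, perms, eff in effective_acl(text, new_mask):
        line = f"{tag}:{qual}:{perms}"
        lines.append(line if eff == perms else f"{line:<24}# effective: {eff}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(render(SAMPLE_ACL, new_mask="r-x"))   # mirrors the listing after chmod g-w
```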

That's all about Setting up Access Control Lists (ACL) on Linux.
