Access Control Lists (ACLs)

Access Control List

ACLs allow fine-grained permissions to be assigned to files and directories. Often you want to share files among certain groups and specific users. It is good practice to designate a directory for that purpose, and to allow those groups and users to read, write and execute files in that directory, as well as to create new files in it. Such special permissions can be granted using ACLs.

ACL entries use the same permission flags as standard Unix permissions: "r" (read), "w" (write) and "x" (execute), on files or directories.

File system mount option

ACLs can only be used on a file system that was mounted with ACL support, so you may need to enable ACLs when mounting the partition. XFS file systems have built-in ACL support. EXT4, EXT3 and EXT2 file systems created on CentOS 7/RHEL 7 have the acl option enabled by default, but EXT4, EXT3 and EXT2 file systems created on earlier versions of CentOS or RHEL may need the acl option included in the mount request.

Note: If you are using an earlier version of CentOS, RHEL or Fedora, you may need to add the acl option while mounting the disk, using the following syntax.

#mount -o acl <Partition Name> <Mount Point>

In our case acl is enabled by default. To verify that the partition's default mount options include acl, check with the following command (tune2fs reads the defaults stored in the ext superblock; to see the options of a currently mounted file system, look at /proc/mounts instead).

[root@server1 /]# tune2fs -l /dev/aclvg/acllv | grep acl
Default mount options:    user_xattr acl
[root@server1 /]#

Before starting with ACLs, make sure the required packages are installed.

[root@server1 ~]# yum install acl libacl	[RPM based systems]
[gaurav@client2 ~]$ sudo apt-get install acl [Debian Based systems]

1.) Check how ACLs work.

There are two types of ACLs: access ACLs, which control access to a specific file or directory, and default ACLs, which are set on a directory and are inherited by files and subdirectories created inside it. Either can be viewed with the getfacl command.

#getfacl <option> <dir/file name>

Options:

-d           Displays the default ACL.
-R           Recurses into subdirectories.

[root@server1 ~]# getfacl  /storage/
getfacl: Removing leading '/' from absolute path names
# file: storage/
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

The output above shows the standard permissions of the /storage directory, with no ACL entries yet. Now let's give everyone full permission on the directory and then apply an ACL to it, so that we can see how the ACL changes the outcome.

[root@server1 ~]# chmod 777 /storage/
[root@server1 ~]# ls -ld /storage/
drwxrwxrwx. 3 root root 4096 Sep 28 22:27 /storage/
[root@server1 ~]#

Now we are ready to apply an ACL, but first let's understand the command and its options in detail. The syntax to apply an ACL is:

#setfacl <option> <file/directory name>

Options:

-m    Modifies an ACL.
-x    Removes an ACL entry.
-R    Recurses into subdirectories.

The possible entry types are:

u:   user
g:   group
o:   others

Now, to assign read and execute permission to a particular user, the syntax is:

#setfacl -m u:<username>:<permission> <file or dir name>

#setfacl -m u:anil:rx /storage

[root@server1 ~]# setfacl -m u:anil:rx /storage
[root@server1 ~]# getfacl /storage/
getfacl: Removing leading '/' from absolute path names
# file: storage/
# owner: root
# group: root
user::rwx
user:anil:r-x
group::rwx
mask::rwx
other::rwx

[root@server1 ~]#

As shown above, user anil now has read and execute permission on the /storage directory. Note the mask::rwx entry that setfacl added automatically: the mask caps the effective permissions of every named user, every named group and the owning group, and setfacl recalculates it whenever you modify an entry.

Now log in as anil and try to create a file inside /storage. Even though the directory mode is 777, the named-user entry for anil (r-x) is the one that applies to him, and it does not include write permission, so he is not allowed to create a file inside it.

[root@server1 ~]# su - anil
Last login: Wed Sep 28 22:10:56 EDT 2016 on pts/1
[anil@server1 ~]$ cd /storage/
[anil@server1 storage]$ touch sandetails.txt
touch: cannot touch ‘sandetails.txt’: Permission denied
[anil@server1 storage]$ ls -ld /storage/
drwxrwxrwx+ 3 root root 4096 Sep 28 22:27 /storage/
[anil@server1 storage]$

Observe that when you check the permissions, a "+" sign appears after the normal permission bits. That sign indicates that an ACL is applied to this directory.

2.) Assign read, write and execute permission to user anil.

# setfacl -m u:anil:rwx /storage

[root@server1 /]# setfacl -m u:anil:rwx /storage
[root@server1 /]# su - anil
Last login: Wed Sep 28 22:56:49 EDT 2016 on pts/0
[anil@server1 ~]$ cd /storage/
[anil@server1 storage]$ touch sandetails.txt
[anil@server1 storage]$ ll
total 24
drwx------. 2 root root 16384 Sep 28 22:27 lost+found
-rw-rw-r--. 1 anil anil     0 Sep 28 23:13 sandetails.txt
[anil@server1 storage]$

After being granted read, write and execute permission, anil can create files in the directory.

3.) Assign read and execute permission to a user and a group.

#setfacl -m u:anil:rx,g:Network:rx /storage

[root@server1 /]# getent group | grep Network
Network:x:1005:sam,frank
[root@server1 /]# setfacl -m u:anil:rx,g:Network:rx /storage
[root@server1 /]# getfacl /storage/
getfacl: Removing leading '/' from absolute path names
# file: storage/
# owner: root
# group: root
user::rwx
user:anil:r-x
group::rwx
group:Network:r-x
mask::rwx
other::rwx

4.) Remove the ACL entry for a particular user or group.

#setfacl -x u:<username> <file name/Directory Name>

[root@server1 /]# setfacl -x u:anil  /storage
[root@server1 /]# getfacl /storage/
getfacl: Removing leading '/' from absolute path names
# file: storage/
# owner: root
# group: root
user::rwx
group::rwx
group:Network:r-x
mask::rwx
other::rwx

#setfacl -x g:<group name> <file/Directory Name>

[root@server1 /]# setfacl -x g:Network  /storage
[root@server1 /]# getfacl /storage/
getfacl: Removing leading '/' from absolute path names
# file: storage/
# owner: root
# group: root
user::rwx
group::rwx
mask::rwx
other::rwx

You can also use the "-b" option to remove all ACL entries from a file or directory. The syntax is as follows.

#setfacl -b <file/directory name>

For example, let's apply some ACL entries to the "storage" directory again and then remove them all with the command above.

[root@server1 /]# setfacl -m u:anil:rwx,g:Network:rwx /storage
[root@server1 /]# getfacl /storage/
getfacl: Removing leading '/' from absolute path names
# file: storage/
# owner: root
# group: root
user::rwx
user:anil:rwx
group::rwx
group:Network:rwx
mask::rwx
other::rwx

[root@server1 /]# setfacl -b /storage/
[root@server1 /]# getfacl /storage/
getfacl: Removing leading '/' from absolute path names
# file: storage/
# owner: root
# group: root
user::rwx
group::rwx
other::rwx

5.) Assign an ACL to a file.

An ACL can be applied to a file in exactly the same fashion as for a directory.

#setfacl -m u:<username>:<permission> <file name>

[root@server1 /]# setfacl -m u:anil:rwx /storage/file1
setfacl: /storage/file1: No such file or directory
[root@server1 /]# touch /storage/file1
[root@server1 /]# setfacl -m u:anil:rwx /storage/file1
[root@server1 /]# su - anil
Last login: Wed Sep 28 23:13:50 EDT 2016 on pts/0
[anil@server1 ~]$ echo "ACL is assign on file1" > /storage/file1 
[anil@server1 ~]$ cat /storage/file1 
ACL is assign on file1
[anil@server1 ~]$

As you can see, user anil can read, write and execute file1 after the ACL is assigned.
