ACL in Linux

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • ACL in Linux

    Linux ACL

    Standard file and directory permissions control access based on three classes: the file owner ('user'), the group owner ('group') and everyone else ('others'). When a particular user or group needs rights that do not fit those three classes, the file owner can grant them with an ACL (Access Control List).
    ACL Configuration

    These are the steps to follow in order to create ACL permissions on a file or directory. As an example, let's give user 'kate' read-write permission on /home/john/file.txt without changing the standard permissions on that file:

    1.- Verify that user kate cannot access /home/john/file.txt :
    Code:
    $ su - john
    john-$ chmod 700 /home/john/file.txt
    # makes sure that only 'john' can access file.txt
    john-$ cat /home/john/file.txt
    john

    $ su - kate
    kate-$ cat /home/john/file.txt
    cat: /home/john/file.txt: Permission denied
    2.- As root, remount the partition that contains /home/john with the 'acl' mount option :
    Code:
    $ su - root
    # edit /etc/fstab so the /home line reads:
    /dev/VolGroup01/VolGroup01Home          /home                  ext4          defaults,acl          1 2
    $ mount -o remount /home
    3.- Set the 'others' execute permission on the directory where the ACLs are going to be applied (/home/john), so that other users can traverse it :

    Code:
    $ chmod 701 /home/john
    4.- Check the current ACL on file /home/john/file.txt :

    Code:
    $ getfacl /home/john/file.txt
    getfacl: Removing leading '/' from absolute path names
    # file: home/john/file.txt
    # owner: john
    # group: john
    user::rwx
    group::---
    other::---
    Only user john has access to file.txt; the three base entries mirror the chmod 700 bits set in step 1.

    5.- Via ACLs, allow a specific user (kate) read and execute permission on the directory that contains the file (/home/john). This lets kate enter /home/john :

    Code:
    $ setfacl -m user:kate:r-x /home/john
    $ setfacl -m mask:r-x /home/john
    6.- Via ACLs, allow the specific user (kate) rw access to the file (/home/john/file.txt) :

    Code:
    $ setfacl -m user:kate:rw- /home/john/file.txt
    7.- Verify the result :

    Code:
    $ getfacl /home/john/file.txt
    getfacl: Removing leading '/' from absolute path names
    # file: home/john/file.txt
    # owner: john
    # group: john
    user::rwx
    user:kate:rw-
    group::---
    mask::rw-
    other::---
    User kate now has read-write access to file.txt. Note the 'mask' entry: it caps the permissions that named user and group entries (and the owning group) can actually grant on the file or directory, and it can be changed with the 'setfacl -m mask' command.

    Code:
    $ su - kate
    kate-$ vi /home/john/file.txt
    # append the word "kate" to the line and save with :wq!

    kate-$ cat /home/john/file.txt
    john kate
    For more info about what can be done with ACLs use 'man getfacl' and 'man setfacl'.
    Last edited by kuldeep; 02-22-2015, 12:03 AM.
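Added example, not part of the original post: a small POSIX shell script that uses awk to show what the mask really does by computing the effective permissions of every getfacl entry. The getfacl output it parses is constructed by hand, modelled on the verify step above but with the mask tightened to r--, so that the listed user:kate:rw- collapses to r-- (a real getfacl marks such entries with an #effective: comment).

```shell
#!/bin/sh
# Constructed getfacl output (not captured from a real system), modelled on
# the post's step 7 but with the mask tightened to r--.
ACL_SAMPLE='# file: home/john/file.txt
# owner: john
# group: john
user::rwx
user:kate:rw-
group::---
mask::r--
other::---'

# acl_effective ACL_TEXT
# Prints every entry as tag:name:effective. The mask is ANDed into named
# users, the owning group and named groups; user:: (owner) and other:: are
# never masked, so a tightened mask silently downgrades "user:kate:rw-".
acl_effective() {
    printf '%s\n' "$1" | awk -F: '
        /^#/ || NF < 3 { next }
        $1 == "mask"   { mask = $3; next }
        { n++; tag[n] = $1; name[n] = $2; perm[n] = $3 }
        END {
            for (i = 1; i <= n; i++) {
                eff = perm[i]
                masked = !(tag[i] == "user" && name[i] == "") && tag[i] != "other"
                if (mask != "" && masked) {
                    eff = ""
                    for (j = 1; j <= 3; j++) {
                        c = substr(perm[i], j, 1); m = substr(mask, j, 1)
                        x = "-"
                        if (c != "-" && m != "-") x = c
                        eff = eff x
                    }
                }
                printf "%s:%s:%s\n", tag[i], name[i], eff
            }
        }'
}

# acl_user_effective ACL_TEXT USER
# Effective rwx string for one named user; pass an empty USER for the owner.
acl_user_effective() {
    acl_effective "$1" | awk -F: -v u="$2" '$1 == "user" && $2 == u { print $3 }'
}

acl_effective "$ACL_SAMPLE"
```

On Linux a later chmod on a file that carries an extended ACL rewrites the mask from the group bits, which is how a casual chmod g-w can quietly revoke kate's write access while getfacl still lists user:kate:rw-.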