Access Control with ACL2016/04/21 |
This is the example to configure ACL (Access Control Lists).
|
|
[1] | Install ACL tools. |
root@dlp:~# apt-get -y install acl
|
[2] | To use ACL, it's necessary to use filesystems which can use ACL function like ext2/ext3/ext4 or xfs and also necessary to enable ACL option on those filesystems. For Ubuntu, ACL option is already eanbled by default mount option on devices which are set on initial OS installation. |
# show default mount option root@dlp:~# tune2fs -l /dev/ubuntu-vg/root | grep "Default mount options" Default mount options: user_xattr acl # acl option is already added
|
[3] | For the case of devices which is added after OS installation like adding HDD and others, it's necessary to enable ACL option manually. One way is to mount a device with acl option, or for another way is to add ACL option in default mount option. |
# mount with acl option to enable ACL root@dlp:~# mount -o acl /dev/sdb1 /mnt root@dlp:~# mount | grep sdb1 /dev/sdb1 on /mnt type ext4 (rw,acl) # or add ACL option to default mount option root@dlp:~# tune2fs -o acl /dev/sdb1 root@dlp:~# tune2fs -l /dev/sdb1 | grep "Default mount options" Default mount options: acl |
[4] | For how to set ACL, for example, set ACL to the file "/home/test.txt". |
# after setting ACL, "+" is added on attribute root@dlp:~# ll /home/test.txt -rwxr-----+ 1 root root 10 Apr 22 16:43 /home/test.txt* # confirm settings root@dlp:~# getfacl /home/test.txt getfacl: Removing leading '/' from absolute path names # file: home/test.txt # owner: root # group: root user::rwx user:ubuntu:r-- group::--- mask::r-- other::--- # try to access with another user debian@dlp:~$ cat /home/test.txt cat: /home/test.txt: Permission denied # cannot read normally
|
[5] | Set ACL to a directory recursively. |
# set r(read) for "ubuntu" to "/home/testdir" recursively root@dlp:~# setfacl -R -m u:ubuntu:r /home/testdir
ll -laR /home/testdir /home/testdir: total 12 drwxr-----+ 2 root root 4096 Jan 20 11:33 ./ drwxr-xr-x 5 root root 4096 Jan 20 11:32 ../ -rwxr-----+ 1 root root 10 Jan 20 11:33 test.txt*root@dlp:~# getfacl -R /home/testdir getfacl: Removing leading '/' from absolute path names # file: home/testdir # owner: root # group: root user::rwx user:ubuntu:r-- group::--- mask::r-- other::--- # file: home/testdir/test.txt # owner: root # group: root user::rwx user:ubuntu:r-- group::r-- mask::r-- other::--- |
[6] | Set ACL by group. |
# set rw(read/write) for "security" group to "/home/test.txt" root@dlp:~# setfacl -m g:security:rw /home/test.txt root@dlp:~# getfacl /home/test.txt getfacl: Removing leading '/' from absolute path names # file: home/test.txt # owner: root # group: root user::rw- group::r-- group:security:rw- mask::rw- other::r-- # try to access with "ubuntu" user who in "security" group ubuntu@dlp:~$ echo "test write" >> /home/test.txt ubuntu@dlp:~$ cat /home/test.txt ACL test file test write # write normally # try to access with a user who in not in "security" group debian@dlp:~$ echo "test write" >> /home/test.txt -bash: /home/test.txt: Permission denied # cannot write normally
|
[7] | Remove ACL. |
# remove ACL only for "fedora" user on "/home/test.txt" root@dlp:~# setfacl -x u:ubuntu /home/test.txt
|
[8] | Set default ACL to a directory. If files/directories are created under the directory with setting default ACL, default access attribute is inherited. But be careful, if you change attribute with "chmod", then ACL would be invalid. |
root@dlp:~#
root@dlp:~# setfacl -m u:ubuntu:r-x /home/testdir # set default ACL "r-x(read/execute)" for "ubuntu" to "/home/testdir" directory root@dlp:~# setfacl -d -m u:ubuntu:r-x /home/testdir root@dlp:~# getfacl /home/testdir getfacl: Removing leading '/' from absolute path names # file: home/testdir # owner: root # group: root user::rwx user:ubuntu:r-x group::--- mask::r-x other::--- default:user::rwx default:user:ubuntu:r-x default:group::--- default:mask::r-x default:other::--- echo "ACL default setting" > /home/testdir/test.txt root@dlp:~# ll /home/testdir/test.txt -rw-r-----+ 1 root root 20 Jan 31 22:32 /home/testdir/test.txt # try to access with "ubuntu" ubuntu@dlp:~$ cat /home/testdir/test.txt ACL default setting # it can read normally
|
[9] | Remove default ACL. |
root@dlp:~# setfacl -k /home/testdir root@dlp:~# getfacl /home/testdir getfacl: Removing leading '/' from absolute path names # file: home/testdir # owner: root # group: root user::rwx user:ubuntu:r-x group::--- mask::r-x other::--- |
[10] | Set ACL from a configration file. |
# create a configuration file for ACL # if there are ACLs you'd like to set on other system, there is a way to export with "getfacl" command
root@dlp:~#
vi acl.txt
# file: /home/testdir
# owner: root # group: root user::rwx user:ubuntu:r-x group::--- mask::r-x other::---
# file: /home/test.txt
# owner: root # group: root user::rwx user:ubuntu:r-- group::--- mask::r-- other::--- setfacl --restore=acl.txt root@dlp:~# ll /home total 16 drwx------. 2 ubuntu ubuntu 4096 Jan 31 12:14 ubuntu drwx------ 2 fedora fedora 4096 Jan 31 12:14 fedora drwxr-x---+ 2 root root 4096 Jan 31 22:32 testdir -rwxr-----+ 1 root root 25 Jan 31 21:56 test.txt |
Sponsored Link |
|