ACL : Access Control List    2022/08/30

Set ACLs (Access Control Lists) on files or directories.
ACLs allow finer-grained access control than the standard POSIX owner/group/other permission bits, for example granting one named user read access to a file that is otherwise restricted to root.
[1] Install ACL tools.

root@dlp:~# apt -y install acl
[2] To use ACLs, the filesystem must support them (ext2/ext3/ext4 or xfs) and must be mounted with the acl option. On Ubuntu with the default [ext4] root filesystem, the acl option is already enabled as a default mount option of the device.

root@dlp:~# df -hT /
Filesystem                        Type  Size  Used Avail Use% Mounted on
/dev/mapper/ubuntu--vg-ubuntu--lv ext4   77G  8.2G   65G  12% /

# show default mount options
root@dlp:~# tune2fs -l /dev/ubuntu-vg/ubuntu-lv | grep "Default mount options"
Default mount options:    user_xattr acl     # acl option is enabled
[3] If you need to enable the acl option on a filesystem manually, do it as follows.

# mount with the acl option to enable ACLs
root@dlp:~# mount -o acl /dev/sdb1 /mnt
root@dlp:~# mount | grep sdb1
/dev/sdb1 on /mnt type ext4 (rw,acl)

# otherwise, add the acl option to the default mount options of the device
root@dlp:~# tune2fs -o acl /dev/sdb1
root@dlp:~# tune2fs -l /dev/sdb1 | grep "Default mount options"
Default mount options:    acl
[4] Set an ACL. For example, create a file [/home/test.txt] owned by [root:root] with mode [700], then grant read access to the [ubuntu] user with an ACL.

root@dlp:~# ll /home/test.txt
-rwx------ 1 root root 10 Aug 29 20:08 /home/test.txt

# set r(read) for [ubuntu] user on [/home/test.txt]
root@dlp:~# setfacl -m u:ubuntu:r /home/test.txt

# after setting an ACL, [+] is appended to the permission string
root@dlp:~# ll /home/test.txt
-rwxr-----+ 1 root root 10 Aug 29 20:08 /home/test.txt

# confirm settings
root@dlp:~# getfacl /home/test.txt
getfacl: Removing leading '/' from absolute path names
# file: home/test.txt
# owner: root
# group: root
user::rwx
user:ubuntu:r--
group::---
mask::r--
other::---

# verify access as another user, who has no ACL entry
jammy@dlp:~$ cat /home/test.txt
cat: /home/test.txt: Permission denied     # denied as expected
[5] Set an ACL on a directory recursively.

# set r-x(read/execute) for [ubuntu] on [/home/testdir] recursively
root@dlp:~# setfacl -R -m u:ubuntu:rx /home/testdir
root@dlp:~# ll -laR /home/testdir
/home/testdir:
total 12
drwxr-x---+ 2 root root 4096 Aug 29 20:21 .
drwxr-xr-x 5 root root 4096 Aug 29 20:21 ..
-rwxr-x---+ 1 root root    9 Aug 29 20:21 testfile.txt

root@dlp:~# getfacl -R /home/testdir
getfacl: Removing leading '/' from absolute path names
# file: home/testdir
# owner: root
# group: root
user::rwx
user:ubuntu:r-x
group::---
mask::r-x
other::---

# file: home/testdir/testfile.txt
# owner: root
# group: root
user::rwx
user:ubuntu:r-x
group::---
mask::r-x
other::---

# verify with [ubuntu]
ubuntu@dlp:~$ cat /home/testdir/testfile.txt
ACL testfile
[6] Set an ACL by group.

# set rw(read/write) for [security] group on [/home/test.txt]
root@dlp:~# setfacl -m g:security:rw /home/test.txt
root@dlp:~# getfacl /home/test.txt
getfacl: Removing leading '/' from absolute path names
# file: home/test.txt
# owner: root
# group: root
user::rw-
group::---
group:security:rw-
mask::rw-
other::---

# verify with [ubuntu] user, who is a member of the [security] group
ubuntu@dlp:~$ echo "test write" >> /home/test.txt
ubuntu@dlp:~$ cat /home/test.txt
ACL test file
test write

# verify with another user who is not in the [security] group
jammy@dlp:~$ echo "test write" >> /home/test.txt
-bash: /home/test.txt: Permission denied
[7] Remove an ACL entry.

# remove only the ACL entry for [ubuntu] user on [/home/test.txt]
root@dlp:~# setfacl -x u:ubuntu /home/test.txt
[8] Set a default ACL on a directory. Files and directories created under a directory that has a default ACL inherit its entries as their own access ACL. Be careful: changing the POSIX mode afterwards with [chmod] rewrites the ACL mask (the group permission bits), so named ACL entries can lose their effective permissions.

root@dlp:~# setfacl -m u:ubuntu:r-x /home/testdir

# set default ACL [r-x(read/execute)] for [ubuntu] on [/home/testdir] directory
root@dlp:~# setfacl -d -m u:ubuntu:r-x /home/testdir
root@dlp:~# getfacl /home/testdir
getfacl: Removing leading '/' from absolute path names
# file: home/testdir
# owner: root
# group: root
user::rwx
user:ubuntu:r-x
group::---
mask::r-x
other::---
default:user::rwx
default:user:ubuntu:r-x
default:group::---
default:mask::r-x
default:other::---

# a new file under the directory gets the default entries; note that the default ACL mask, not the umask, decides its group/mask bits
root@dlp:~# umask 077; echo "ACL default setting" > /home/testdir/test.txt
root@dlp:~# ll /home/testdir/test.txt
-rw-r-----+ 1 root root 20 Aug 29 20:35 /home/testdir/test.txt

# verify with [ubuntu]
ubuntu@dlp:~$ cat /home/testdir/test.txt
ACL default setting
[9] Remove the default ACL.

root@dlp:~# setfacl -k /home/testdir
root@dlp:~# getfacl /home/testdir
getfacl: Removing leading '/' from absolute path names
# file: home/testdir
# owner: root
# group: root
user::rwx
user:ubuntu:r-x
group::---
mask::r-x
other::---
[10] Set ACLs from a configuration file.

# create a configuration file for ACLs
# to copy ACLs from another system, export them there with [getfacl] and restore that output here
root@dlp:~# vi acl.txt
# file: /home/testdir
# owner: root
# group: root
user::rwx
user:ubuntu:r-x
group::---
mask::r-x
other::---

# file: /home/test.txt
# owner: root
# group: root
user::rwx
user:ubuntu:r--
group::---
mask::r--
other::---

root@dlp:~# setfacl --restore=acl.txt
root@dlp:~# ll /home
total 16
drwxr-xr-x  2 jammy  jammy  4096 Aug 29 20:19 jammy
drwxr-xr-x  2 ubuntu ubuntu 4096 Aug 16 15:32 ubuntu
drwxr-x---+ 2 root   root   4096 Aug 29 20:35 testdir
-rwxr-----+ 1 root   root     21 Aug 29 20:30 test.txt
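As an added example (not from the original page): a POSIX shell function that audits getfacl output in the format shown in the steps above, applies each file's mask:: entry to the named user and group entries to show their effective permissions, and flags entries that still grant write. The function name acl_audit and the SAMPLE_ACL data are constructed for this example; on a live system you would feed it `getfacl -R -p /home` instead.

```shell
#!/bin/sh
# Added example, not from the original page: audit getfacl output.
# For every named "user:NAME:perms" / "group:NAME:perms" entry, apply the
# file's mask:: entry to get the effective permissions and append WRITE when
# the entry still grants write. Default (default:...) entries are ignored.
# Input: getfacl output on stdin or as file arguments, e.g. "getfacl -R -p /home".
acl_audit() {
    awk '
    # effective permission = requested perms restricted by the mask, position by position
    function eff(p, m,    r, i, c) {
        r = ""
        for (i = 1; i <= 3; i++) {
            c = substr(p, i, 1)
            r = r ((c != "-" && substr(m, i, 1) == c) ? c : "-")
        }
        return r
    }
    # print the buffered entries of the current file, now that its mask is known
    function flush(    i, f, e) {
        for (i = 1; i <= n; i++) {
            split(entries[i], f, ":")
            e = eff(f[3], mask)
            printf "%s %s:%s requested=%s effective=%s%s\n",
                   file, f[1], f[2], f[3], e, (index(e, "w") ? " WRITE" : "")
        }
        n = 0; mask = "rwx"
    }
    /^# file: / { if (file != "") flush(); file = substr($0, 9); n = 0; mask = "rwx"; next }
    /^(user|group):[^:]+:/ { sub(/[ \t]+#effective:.*/, ""); entries[++n] = $0; next }
    /^mask::/ { mask = substr($0, 7, 3); next }
    END { if (file != "") flush() }
    ' "$@"
}

# Constructed sample in the format getfacl prints (not real system output)
SAMPLE_ACL='# file: /home/test.txt
user::rwx
user:ubuntu:r--
group::---
group:security:rw-
mask::r--
other::---

# file: /home/testdir
user::rwx
user:ubuntu:rwx
mask::rwx
other::---'

printf '%s\n' "$SAMPLE_ACL" | acl_audit
```

The effective= column is the one that changes when chmod rewrites the mask, so re-running the audit after a chmod shows which named entries were silently cut back.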