Using ACLs (Access Control Lists) with Linux filesystem

This article was written specifically for Red Hat and CentOS but concept will be the same for other Linux distributions.

In this article we will go over ACLs for Linux and how they can be used to control access to files and directory’s on Linux file system. ACLs start with ownership and permissions. ACL on Linux file system provides additional much more flexible mechanize to manage permissions.

 

To use ACL we will need to configure file system with ACL option. With NFS version 4, these ACLs can be shared over a network.
Requirements

1. Kernel 2.4 or 2.6

2. ACL Utilities
Check to make sure acl package already installed

[root@rh3 ~]# rpm -q acl

acl-2.2.49-6.el6.x86_64

If not insyall it with

[root@rh3 ~]# yum install acl

3. Before a file or directory can be configured with ACLs, you need to mount the associated file system with the same attribute. If you’re just testing a system for ACL, you can remount an existing partition appropriately. For example, if /home is mounted on /dev/sda3, we can remount it with ACL using the following command:

[root@rh3 ~]#mount -o remount -o acl /dev/sda3 /home

To confirm that the /home directory is mounted with the acl option, run the mount command . You will notice acl in the output.

[root@rh3 ~]#/dev/sda3 on /home type ext4 (rw,acl)

 

Working with ACLs

All files should already be configured with ACLs. the following command displays the current ACLs for the test1 file

 

[root@rh3 ~]# getfacl test1

# file: test1

# owner: root

# group: root

user::rw-

group::r--

other::r--

 

 

If we run the following ls -l command we will see that all the elements of ACLs shown in the output.

[root@rh3 ~]# ls -l test1

-rw-r--r--. 1 root root 0 Oct 29 15:41 test1

 

With all requirements in place we can manage ACLs on a system.

In this example we will create user user1 and give this user read write execute permissions to file test1 located in home directory.

1. Add user , skip this step if user already exists in the system.

[root@rh3 ~]# useradd user1

2. Set permittions for this user using setfacl

[root@rh3 ~]# setfacl -m u:user1:rwx /home/test1

3. View permissions on the file.

[root@rh3 ~]# getfacl test1

Below is what you should see on the screen.

# file: test1

# owner: root

# group: root

user::rw-

user:user1:rwx

group::r--

mask::rwx

other::r--

 

In case when you want to add permission for the groups you would follow the following procedure.

Create test grpup called testgrp for example

root@rh3 ~]# groupadd testgrp

The following command would give read privileges to users who are members of that group to test1 file in home directory.

[root@rh3 ~]# setfacl -m g:testgrp:r-- /home/test1

and to test it run gefacl command

[root@rh3 ~]# getfacl test1

# file: test1

# owner: root

# group: root

user::rw-

user:user1:rwx

group::r--

group:testgrp:r--

mask::rwx

other::r--

 

ACLs can also be used to limit permissions to specific users. In this example we restrict testuser from accessing /etc/passwrd file.

# setfacl -m u:testuser:--- /etc/passwd

 

[label type=”label” style=”default” title=”ACL switches that you may find useful.”]

-b (–remove-all) Removes all ACL entries; retains standard ugo/rwx permissions

-k Deletes default ACL entries

-m Modifies the ACL of a file, normally with a specific user (u) or group

(g)

-n (–mask) Omits the mask in recalculating permissions

-R Applies changes recursively

-x Removes a specific ACL entry