On Linux, whatever the distro, the file system on your storage device has its own permissions. Usually these are set for the Owner, the Group and Others, and there are three types of permission: read (r), write (w) and execute (x).
With Access Control Lists (ACLs), we can go beyond just the Owner, Group and Others (in basic terms, everyone else) and grant permissions to specific users or groups as needed.
ACLs Support
The kernel or the file system can manage the Access Control Lists. So, we need to see what our system supports.
To check the kernel, run the following command:
Code:
grep ACL /boot/config-$(uname -r)
The output, shown in Figure 1, is the same on both CentOS and Ubuntu. Any line with '=y' is built into the kernel and supported. Items with '=m' are modules that can be loaded or unloaded as needed. You can see that ACLs are supported for EXT4, XFS, BTRFS and NFS. So the kernel side supports ACLs even if a particular file system does not.
FIGURE 1
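The kernel check above reads the config with a single grep. The following added example (not from the article) does the same check as shell functions: it reports each ACL option as built-in or module, and it also checks the mount that will actually hold the files, since the kernel option alone does not tell you whether a given partition was mounted with ACLs on. The config lines are a constructed sample; the mount check uses findmnt from util-linux and assumes it is installed.

```shell
#!/bin/sh
# Added example (not from the article): check ACL support from the kernel config
# the way the article's grep does, reporting built-in vs module, then check the
# mount options of the partition you intend to use.

# Constructed sample of the lines 'grep ACL /boot/config-$(uname -r)' returns.
SAMPLE_CONFIG='CONFIG_EXT4_FS_POSIX_ACL=y
CONFIG_XFS_POSIX_ACL=y
CONFIG_BTRFS_FS_POSIX_ACL=y
CONFIG_TMPFS_POSIX_ACL=y
CONFIG_NFS_V3_ACL=y
CONFIG_NFSD_V2_ACL=m
# CONFIG_JFS_POSIX_ACL is not set'

# Print "<option> builtin" for =y and "<option> module" for =m, reading the
# kernel config file given as $1. "is not set" lines have no =y/=m and are skipped.
acl_options_enabled() {
    grep 'ACL' "$1" | awk -F= '
        $2 == "y" { print $1, "builtin" }
        $2 == "m" { print $1, "module" }'
}

# Succeed when option $2 is enabled (built in or as a module) in config file $1.
acl_option_enabled() {
    acl_options_enabled "$1" | awk -v opt="$2" '$1 == opt { found = 1 } END { exit !found }'
}

# Succeed when the mount holding path $1 has ACLs on: an explicit 'acl' option,
# or an ext4/xfs/btrfs file system (ACLs on by default) without 'noacl'.
# Returns 2 when findmnt is missing or the path is not on a known mount.
acl_mount_enabled() {
    command -v findmnt >/dev/null 2>&1 || { echo "findmnt not available" >&2; return 2; }
    fstype=$(findmnt -no FSTYPE --target "$1") || return 2
    opts=$(findmnt -no OPTIONS --target "$1") || return 2
    case ",$opts," in *,noacl,*) return 1 ;; *,acl,*) return 0 ;; esac
    case "$fstype" in ext4|xfs|btrfs) return 0 ;; esac
    return 1
}

# Demo: run over the constructed sample, then over the real config if readable.
tmp=$(mktemp); printf '%s\n' "$SAMPLE_CONFIG" > "$tmp"
acl_options_enabled "$tmp"
rm -f "$tmp"
real="/boot/config-$(uname -r)"
if [ -r "$real" ]; then acl_options_enabled "$real"; fi
```

To check the partition from the article, call `acl_mount_enabled ~/drives/ext4` and test its exit status; a 'module' result from the config means the file system driver must be loaded before the ACL code is present.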
To check the file system, we need to use one partition we created and format it as EXT4, XFS or NTFS. If you have been going along with the LFCS articles, we created three partitions and mounted them as '~/drives/<format>'. So, the one drive is '~/drives/ext4'. This is the drive I will use on both CentOS and Ubuntu.
My partition is empty, so I created a file named 'help.txt':
Code:
touch help.txt
The file is created in the current directory, so change to the mounted partition first.
If you list the files, you will see the listing similar to Figure 2. To list the permissions, use the command:
Code:
ls -Al
FIGURE 2
For CentOS, you see the period at the end of the permissions list. The period is not present in Ubuntu. The period means the partition supports ACL. Once we set an ACL entry, the period will be a plus sign.
Set ACL Entry
To set an entry, let's create a new user called 'linux' and give it a password. Use the following command to create the account and set its password:
Code:
sudo useradd linux
sudo passwd linux
Now we have a user named 'linux' with a password. We can add this user with specific permissions to the file we created.
To look at the current permissions using ACLs, we can use:
Code:
getfacl help.txt
Figure 3 shows the output. The name 'getfacl' stands for 'get file ACL'.
FIGURE 3
You can see the owner and group are 'root'. The owner's permissions are read and write; the group and other permissions are read. Let's look at adding 'linux' to the list, with read permission only.
Code:
sudo setfacl -m u:linux:r help.txt
You need elevated privileges since 'root' is the owner, unless you are logged in as root.
The '-m' means modify the ACL. For a user, use 'u:'. The 'r' grants read permission.
You can run the 'getfacl' again on the 'help.txt' file to verify that the 'linux' user was added. The output should be like Figure 4.
FIGURE 4
So now, we can temporarily log in as 'linux' using:
Code:
su - linux
You should be able to 'cat' the 'help.txt' file, but you cannot write to it since you only have 'read' permissions.
For the permissions, we have four choices, or a combination of the first three:
- r - read
- w - write
- x - execute
- --- - no permissions
If we wanted to set permissions for a group, we would use 'g:' and other would be 'o:'. We can also set the defaults by preceding these with a 'd:'. For example, to set the default user permissions, the parameter would be 'd:u:' followed by the necessary permissions.
If you change the default permissions on a folder, these are inherited by new folders and files created within the folder.
Once an ACL is created on a file or folder, using the command 'ls -Al' will show a plus sign, as in Figure 5, to designate an ACL is attached to it.
FIGURE 5
Removing an ACL
Sometimes an ACL needs to be removed to put permissions back to the standard ones. Sometimes, if the ACL needs to be changed, it may work best to remove what is not needed and start over.
The parameter to remove an ACL entry is '-x' instead of the '-m' to modify it. So, if we want to remove the ACL permissions for the user 'linux' from the file 'help.txt':
Code:
sudo setfacl -x u:linux help.txt
Even if this was the only ACL entry we added to the file, it will still show a plus sign. To remove the plus sign, we need to remove the ACL entirely, even if it is empty:
Code:
sudo setfacl -b help.txt
Now the ACL has been completely removed. Even if we had not removed any entries beforehand, the parameter '-b' removes every entry in the ACL.
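The set, default and remove steps above are each one command, but the thing a practitioner actually wants afterwards is to answer "who else can touch this file, and with what effective rights?" without trusting the listing. The following added example (not from the article) parses getfacl output to show named user/group entries with their effective permissions (the entry ANDed with the mask), which named entries can write, and which default entries a directory hands down. It runs over constructed sample output embedded in the block; the `acl_walkthrough` function replays the article's commands live and assumes the user 'linux' exists, that you are root, and that the directory is on an ACL-enabled mount.

```shell
#!/bin/sh
# Added example (not from the article). Part 1 parses getfacl output with awk;
# part 2 (acl_walkthrough) replays the article's setfacl commands and assumes a
# user 'linux' exists and the target directory is on an ACL-enabled mount.

# Constructed sample: a file given 'u:linux:rw' whose mask was later tightened
# (for instance by 'chmod g-w'), so the named entry is capped at read. getfacl
# appends '#effective:' after a tab in that case; spaces are used here.
SAMPLE_FILE_ACL='# file: help.txt
# owner: root
# group: root
user::rw-
user:linux:rw-      #effective:r--
group::r--
mask::r--
other::r--'

# Constructed sample: a directory with named entries and a default ACL that new
# files and subdirectories created inside it inherit.
SAMPLE_DIR_ACL='# file: shared
# owner: root
# group: root
user::rwx
user:linux:rwx
group::r-x
group:staff:r-x
mask::rwx
other::r-x
default:user::rwx
default:user:linux:rw-
default:group::r-x
default:mask::rwx
default:other::r-x'

# Read getfacl output on stdin. For each named user/group entry in the access ACL
# print: kind name permissions effective (effective = entry permissions AND mask).
acl_effective_named() {
    awk -F: '
        /^#/ || NF < 3 { next }
        $1 == "default" { next }
        { sub(/[ \t]+#.*$/, "", $3) }
        $1 == "mask" && $2 == "" { mask = $3; next }
        ($1 == "user" || $1 == "group") && $2 != "" {
            n++; kind[n] = $1; name[n] = $2; perm[n] = $3
        }
        END {
            for (i = 1; i <= n; i++) {
                eff = ""
                for (j = 1; j <= 3; j++) {
                    c = substr(perm[i], j, 1)
                    m = (mask == "") ? c : substr(mask, j, 1)
                    eff = eff ((c != "-" && m != "-") ? c : "-")
                }
                print kind[i], name[i], perm[i], eff
            }
        }'
}

# Named entries whose effective permissions include write: the ones to review
# when a file looks read-only in 'ls -l' but keeps changing.
acl_writable_named() {
    acl_effective_named | awk '$4 ~ /w/ { print $1, $2 }'
}

# Named user/group entries in the default ACL (the 'd:' entries from the article).
acl_default_named() {
    awk -F: '!/^#/ && $1 == "default" && ($2 == "user" || $2 == "group") && $3 != "" {
        print $2, $3, $4 }'
}

# Live replay of the article's commands on directory $1 (needs setfacl, root,
# and the user 'linux'); not run automatically.
acl_walkthrough() {
    dir=$1
    command -v setfacl >/dev/null 2>&1 || { echo "setfacl not installed" >&2; return 1; }
    mkdir -p "$dir" && : > "$dir/help.txt"
    setfacl -m u:linux:r "$dir/help.txt"            # named entry on the file
    setfacl -m d:u:linux:rw "$dir"                  # default entry on the directory
    : > "$dir/inherited.txt"                        # new file picks up the default
    getfacl "$dir/inherited.txt" | acl_effective_named
    setfacl -x u:linux "$dir/help.txt"              # drop one entry; '+' stays
    setfacl -b "$dir/help.txt"                      # drop the whole ACL
    getfacl "$dir/help.txt" | acl_effective_named   # prints nothing now
}

# Run the parser over the constructed samples.
printf '%s\n' "$SAMPLE_FILE_ACL" | acl_effective_named
printf '%s\n' "$SAMPLE_DIR_ACL"  | acl_writable_named
printf '%s\n' "$SAMPLE_DIR_ACL"  | acl_default_named
```

On a real system pipe `getfacl -R` over a directory tree into `acl_writable_named` to list every named entry that can actually write. The parser works from getfacl output rather than the listing on purpose: GNU ls prints a trailing '.' when a file carries an SELinux security context and a '+' when it has an ACL or another alternate access method, so the listing alone does not show who was added or with what rights.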
Conclusion
If you have issues with some files not having the proper permissions, check the ACL. These permissions do not show up in an 'ls' output.
Practice with these to understand changing the permissions for users and groups and the difference between the default user and group.