LFCS - Access Control Lists (ACLs)

Jarret B

On Linux, whatever the distro, the file system on your storage device has its own permissions. Usually these are set for three classes: the Owner, the Group and Others. There are three types of permission you can grant each class: read (r), write (w) and execute (x).

With Access Control Lists (ACLs), we can go beyond just the Owner, Group and Others (basically, everyone else). We can add entries for specific users or groups as needed.

ACLs Support

The kernel or the file system can manage the Access Control Lists. So, we need to see what our system supports.

To check the kernel, run the following command:

Code:
grep ACL /boot/config-$(uname -r)

The output, shown in Figure 1, is the same on both CentOS and Ubuntu. Any line ending in '=y' is built into the kernel and supported. Items with '=m' are modules that can be loaded or unloaded as needed. You can see that ACL is supported for EXT4, XFS, BTRFS and NFS. So the kernel side supports ACLs; what we still need to check is whether the file system does.

FIGURE 1

To check the file system, we need to use one of the partitions we created and format it as EXT4, XFS or NTFS. If you have been following along with the LFCS articles, we created three partitions and mounted them as '~/drives/<format>'. So the drive I will use on both CentOS and Ubuntu is '~/drives/ext4'.
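As an added example that is not part of the original article, the script below turns the support check into two small functions: one parses the '=y' ACL lines out of kernel config text (the embedded config excerpt is constructed for the self-test), and one reports the file system type and mount options behind a path. The use of 'findmnt' and 'tune2fs' is an assumption about the tools installed on your system, not something the article relies on.

```shell
#!/bin/sh
# Added example (not from the article). Parses ACL support out of a kernel
# config and reports what a mounted path is backed by.

# Constructed excerpt of a kernel config, used only for the self-test below.
SAMPLE_CONFIG='CONFIG_EXT4_FS=y
CONFIG_EXT4_FS_POSIX_ACL=y
CONFIG_XFS_FS=m
CONFIG_XFS_FS_POSIX_ACL=y
CONFIG_BTRFS_FS_POSIX_ACL=y
CONFIG_TMPFS_POSIX_ACL=y
CONFIG_F2FS_FS_POSIX_ACL=n
CONFIG_NFS_V3_ACL=y'

# Print, one per line, the file systems whose POSIX ACL option is built in
# (=y). Reads kernel config text on stdin. Options set to =n, commented-out
# options and non-POSIX switches such as the NFS protocol ACL one are ignored.
acl_filesystems() {
    sed -n 's/^CONFIG_\([A-Z0-9]*\)_\(FS_\)*POSIX_ACL=y$/\1/p'
}

# The same check against the running kernel: the article's grep, narrowed
# to the lines that actually mean "supported".
kernel_acl_filesystems() {
    acl_filesystems < "/boot/config-$(uname -r)"
}

# Show the mount point, file system type and mount options behind a path,
# so you can see whether 'acl' or 'noacl' is set on that partition.
mount_info() {
    findmnt -n -o TARGET,FSTYPE,OPTIONS --target "$1"
}

# Example run on the constructed input, so it works without /boot access.
printf '%s\n' "$SAMPLE_CONFIG" | acl_filesystems
```

On ext4, 'acl' is normally a default mount option stored in the superblock and does not appear in the options 'findmnt' prints; 'tune2fs -l /dev/<device> | grep "Default mount options"' shows it instead. A mount that was explicitly given 'noacl' is the case to watch for, because then 'setfacl' fails even though the kernel supports ACLs.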

My partition is empty, so I created a file named 'help.txt':

Code:
touch help.txt

The file is created in the current directory, so change to the mounted partition first.

If you list the files, you will see a listing similar to Figure 2. To list the permissions, use the command:

Code:
ls -Al

FIGURE 2

On CentOS, you see a period at the end of the permissions string. The period is not present on Ubuntu. The period means the partition supports ACL. Once we set an ACL entry, the period becomes a plus sign.

Set ACL Entry

To set an entry, let's create a new user called 'linux' and give it a password. Use the following command to create the account and set its password:

Code:
sudo useradd linux
sudo passwd linux

Now we have a user named 'linux' with a password. We can add this user with specific permissions to the file we created.

To look at the current permissions using ACLs, we can use:

Code:
getfacl help.txt

Figure 3 shows the output. The name 'getfacl' stands for 'get file ACL'.

FIGURE 3

You can see the owner and group are 'root'. The owner (user) permissions are read and write; the group and other permissions are read only. Let's look at adding 'linux' to the list. We'll grant only read permission.

Code:
sudo setfacl -m u:linux:r help.txt

You need elevated privileges since 'root' is the owner, unless you are logged in as root.

The '-m' modifies the ACL. 'u:' selects a user entry, and the 'r' grants read permission.

You can run the 'getfacl' again on the 'help.txt' file to verify that the 'linux' user was added. The output should be like Figure 4.

FIGURE 4

So now we can switch to the 'linux' user temporarily using:

Code:
su - linux

You should be able to 'cat' the 'help.txt' file, but you cannot write to it since you only have 'read' permissions.

For the permissions, we have four choices, or a combination of the first three:
  1. r - read
  2. w - write
  3. x - execute
  4. --- - no permissions
So, if we wanted 'linux' to have permissions to write as well, the permissions given would be 'rw' and not just 'r'.

If we wanted to set permissions for a group, we would use 'g:' and other would be 'o:'. We can also set the defaults by preceding these with a 'd:'. For example, to set the default user permissions, the parameter would be 'd:u:' followed by the necessary permissions.

If you change the default permissions on a folder, these are inherited by new folders and files created within the folder.

Once an ACL is created on a file or folder, using the command 'ls -Al' will show a plus sign, as in Figure 5, to designate an ACL is attached to it.

FIGURE 5

Removing an ACL

Sometimes an ACL needs to be removed to put permissions back to the standard. Sometimes, if the ACL needs changing, it works best to remove what is not needed and start over.

The parameter to remove an ACL entry is '-x' instead of the '-m' to modify it. So, if we want to remove the ACL permissions for the user 'linux' from the file 'help.txt':

Code:
sudo setfacl -x u:linux help.txt

Even if this was the only ACL entry we added to the file, it will still show a plus sign. To remove the plus sign, we need to remove the ACL entirely, even if it no longer holds any entry we added:

Code:
sudo setfacl -b help.txt

Now the ACL has been completely removed. Even if we had not removed any entries beforehand, the '-b' parameter removes every entry in the ACL.
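The whole cycle from the sections above (set an entry, verify it, set a default entry on a folder and watch a new file inherit it, then remove with '-x' and '-b') as one added example script; this is not the article's own code. It runs in a scratch directory from 'mktemp -d' and uses a numeric UID (assumed to be 1000, override with ACL_UID) instead of the 'linux' account, so it works even where that user was never created. It returns 0 when every step behaves as the article describes, 1 on a mismatch, and 2 when the tools are missing or the file system refuses ACLs.

```shell
#!/bin/sh
# Added example (not from the article): the set / verify / default / remove
# cycle on a scratch directory. ACL_UID is an assumption; set it to the id of
# a real account (e.g. the 'linux' user) to try the 'su - linux' test afterwards.
ACL_UID=${ACL_UID:-1000}

# Permission string getfacl reports for the given UID on a file; empty if the
# file has no entry for that user. -n keeps IDs numeric, -p keeps the path.
perm_for_uid() {
    getfacl -n -p "$1" 2>/dev/null |
        awk -F: -v u="$2" '$1 == "user" && $2 == u { print substr($3, 1, 3) }'
}

acl_workflow() {
    command -v setfacl >/dev/null 2>&1 && command -v getfacl >/dev/null 2>&1 || return 2
    work=$(mktemp -d) || return 1
    trap 'rm -rf "$work"' EXIT
    touch "$work/help.txt"

    # Step 1: grant read to the user (fails here only if ACLs are unsupported).
    setfacl -m "u:$ACL_UID:r" "$work/help.txt" 2>/dev/null || return 2
    [ "$(perm_for_uid "$work/help.txt" "$ACL_UID")" = "r--" ] || return 1

    # Step 2: -m replaces the entry, so 'rw' is given in full, not just 'w'.
    setfacl -m "u:$ACL_UID:rw" "$work/help.txt"
    [ "$(perm_for_uid "$work/help.txt" "$ACL_UID")" = "rw-" ] || return 1

    # Step 3: a default entry on a folder is inherited by files created in it.
    mkdir "$work/shared"
    setfacl -m "d:u:$ACL_UID:r" "$work/shared"
    touch "$work/shared/new.txt"
    [ "$(perm_for_uid "$work/shared/new.txt" "$ACL_UID")" = "r--" ] || return 1

    # Step 4: -x drops the named entry, but the mask entry stays behind, so the
    # ACL is still extended and ls keeps showing the plus sign.
    setfacl -x "u:$ACL_UID" "$work/help.txt"
    [ -z "$(perm_for_uid "$work/help.txt" "$ACL_UID")" ] || return 1
    getfacl -p "$work/help.txt" 2>/dev/null | grep -q '^mask::' || return 1

    # Step 5: -b strips every extended entry; no '+' follows the mode bits now.
    setfacl -b "$work/help.txt"
    ls -l "$work/help.txt" | grep -q '^[^ ]*+ ' && return 1
    return 0
}

acl_workflow
case $? in
    0) echo "ACL workflow behaved as described" ;;
    2) echo "setfacl/getfacl unavailable or ACLs unsupported on this file system" ;;
    *) echo "unexpected ACL behaviour" ;;
esac
```

Step 4 is the one worth remembering: removing the last entry you added does not remove the mask entry that 'setfacl' created alongside it, which is why the plus sign survives until '-b' is used.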

Conclusion

If you have issues with some files not having the proper permissions, check the ACL. These permissions do not show up in an 'ls' output.
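Since the extra entries are invisible to 'ls', here is an added example (not the article's code) of how to hunt them down and read them correctly. It parses 'getfacl' output and also applies the mask entry, which caps what every named user or group entry actually grants; the 'getfacl' text embedded in it is constructed, and the recursive 'find_extended_acls' helper relies on 'getfacl -R -s -p' being available on the system.

```shell
#!/bin/sh
# Added example (not from the article): find files carrying extended ACLs and
# show what each named entry really grants once the mask is applied.

# Constructed getfacl output (not the article's Figure 4): 'linux' was given
# rw-, but a mask of r-- caps every named entry at read.
SAMPLE_ACL='# file: help.txt
# owner: root
# group: root
user::rw-
user:linux:rw-
group::r--
mask::r--
other::r--'

# Keep only the named user and group entries from getfacl text on stdin.
# Owner, owning group, mask and other entries have an empty middle field.
named_entries() {
    grep -E '^(user|group):[^:]+:' || true
}

# Effective permission of one entry: r, w or x survives only if the mask
# also carries it. $1 = entry permission (e.g. rw-), $2 = mask (e.g. r--).
effective_perm() {
    awk -v p="$1" -v m="$2" 'BEGIN {
        out = ""
        for (i = 1; i <= 3; i++) {
            c = substr(p, i, 1)
            out = out ((c != "-" && substr(m, i, 1) == c) ? c : "-")
        }
        print out
    }'
}

# Read one getfacl block from stdin and print each named entry with the
# permission it actually yields. cut -f1 drops the '#effective:' column that
# getfacl appends when the mask restricts an entry.
audit_acl() {
    text=$(cat)
    mask=$(printf '%s\n' "$text" | sed -n 's/^mask::\(...\).*$/\1/p')
    [ -n "$mask" ] || mask=rwx    # no mask line: nothing restricts the entries
    printf '%s\n' "$text" | named_entries | cut -f1 | while IFS= read -r entry; do
        perm=${entry##*:}
        printf '%s effective:%s\n' "$entry" "$(effective_perm "$perm" "$mask")"
    done
}

# Walk a tree and list only the files that carry entries beyond the classic
# owner/group/other set (getfacl -s skips the rest), one named entry per line.
find_extended_acls() {
    getfacl -R -s -p "$1" 2>/dev/null | awk '
        /^# file: / { file = substr($0, 9) }
        /^(user|group):[^:]+:/ { print file ": " $1 }'
}

# Example run on the constructed input; on a real system pipe in
# 'getfacl help.txt' instead, or call find_extended_acls ~/drives/ext4.
printf '%s\n' "$SAMPLE_ACL" | audit_acl
```

The mask is what makes a quick read of 'getfacl' output misleading: an entry that says 'rw-' grants only 'r--' when the mask is 'r--', and 'getfacl' flags this with a trailing '#effective:' column. When a user reports that a permission you granted with 'setfacl -m' does not work, check the mask line before anything else.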

Practice with these to understand changing the permissions for users and groups and the difference between the default user and group.
 


This couldn't have come at a more opportune time. Currently studying for the CompTIA Linux+ exam, so this is extremely helpful.

Thanks Jarret for the info on using the terminal under root! and all the code ---- When I someday dare to change anything at all, I need to get a grip on a few more basics, e.g. Linux - CentOS and Ubuntu; I am not knowledgeable enough for anything other than Ubuntu, I am trying to find out what CentOS is
 
