Wednesday, January 29, 2014

Access Control List (ACL) using setfacl/getfacl in Linux

The basic Linux permission model lets you specify permissions for the file's owner and group, and all others. This article assumes that you are familiar with the basic permissions, and know how to set them. The Access Control List (ACL) feature extends the model to allow much finer control: you can specify permissions for each individual user and group defined in your system.

Consider this scenario: your server supports multiple office departments: Sales, Marketing, and Helpdesk. Each department has a manager, and one or more staff members.

You define a group for each department that comprises its manager and staff members: sales-g, marketing-g, and helpdesk-g. Then you also define a managers-only group: managers-g.

It is normal for some departments to need to share files with each other, but not with all departments. For instance, Sales needs to share a file with Marketing, but not with Helpdesk. To set that up using only the basic permissions, you have to define yet more groups: sales-marketing-g, sales-marketing-managers-g, and so on.

Alternatively, you can use ACLs to assign permissions to individual groups and users.

Before you can use ACLs, you must explicitly turn them on for each partition on which you want the ACL feature available.

As root, edit /etc/fstab. Find the partition on which you want ACLs enabled, and add the mount option acl.
/dev/mapper/allabtlinux-home /home ext3  defaults,acl 0 2


Next, assuming that the partition is already mounted, either reboot the system or, better yet, remount it dynamically:
mount -o remount,acl /home

Next, you need to make sure that you have the two ACL utilities installed: getfacl and setfacl.

On a Debian/Ubuntu system, install the utilities like this:
$ apt-get install acl


Now you are ready to manage ACLs using the getfacl and setfacl commands.

Let's start simple: you have a file /home/linuxacldemo/demofile.txt that you want to share between sales-g, marketing-g, and a user named aarav.
$ cd /home/linuxacldemo
$ ls -l
total 64
-rw-r--r-- 1 linuxacldemo linuxacldemo 80000 2013-12-28 10:55 demofile.txt


Use setfacl -m to set (modify) the ACL of the file.
$ setfacl -m group:sales-g:rw-   demofile.txt


The group:sales-g:rw- parameter specifies read and write permissions (rw-) for the group sales-g.

To enable read/write permissions for the Marketing department and for the user aarav:
$ setfacl -m group:marketing-g:rw-,user:aarav:rw- demofile.txt
$ ls -l
total 68
-rw-rw-r--+ 1 linuxacldemo linuxacldemo 8000 2013-12-28 10:55 demofile.txt


Note that ls -l does not display the actual ACL of a file. It only tells you that ACL is defined for that file: a plus character (+) is displayed to the right of the permissions.

To examine the actual ACL, run getfacl.
$ getfacl demofile.txt
# file: demofile.txt
# owner: linuxacldemo
# group: linuxacldemo
user::rw-
user:aarav:rw-
group::r--
group:sales-g:rw-
group:marketing-g:rw-
mask::rw-
other::r--


Often, you want to share files among certain groups and specific users. It is good practice to designate a directory for that purpose. You want to allow those groups and users to read and write files in that directory, as well as to create new files in it.

Let's first create the directory named testacldirectory.
$ mkdir testacldirectory
$ ls -ld testacldirectory/
drwxr-xr-x 2 linuxacldemo linuxacldemo 4096 2013-12-28 14:33 testacldirectory/


We want to share the directory among the marketing-g and sales-g groups and the user named aarav. Sales, marketing and aarav need to have full access to the directory including the creation of new files in that directory.
$ setfacl -m user:aarav:rwx,group:sales-g:rwx,group:marketing-g:rwx testacldirectory
$ getfacl testacldirectory/
# file: testacldirectory
# owner: linuxacldemo
# group: linuxacldemo
user::rwx
user:aarav:rwx
group::r-x
group:sales-g:rwx
group:marketing-g:rwx
mask::rwx
other::r-x


OK, aarav, go ahead and create a file in testacldirectory.
$ su - aarav
...
$ cd /home/linuxacldemo/testacldirectory
$ touch demofile.txt
$ ls -l demofile.txt
-rw-r--r-- 1 aarav aarav 0 2013-12-28 15:06 demofile.txt
$ getfacl demofile.txt
# file: demofile.txt
# owner: aarav
# group: aarav
user::rw-
group::r--
other::r--


Now, sales and marketing, and aarav can create or copy new files into testacldirectory.

There is a slight problem: only the creator of a file can edit it. Alas, only aarav can modify the file created above, because a newly created file gets only the basic owner/group/other entries, not the ACL of its directory.

Yes, we can manually adjust the ACL of a file after its creation by running setfacl -m on the file. A much better way is to configure the testacldirectory directory so that, by default, all files created under it automatically get the proper ACL.
$ setfacl -m d:user:aarav:rwx,d:group:sales-g:rwx,d:group:marketing-g:rwx testacldirectory


Note that the d in d:user:aarav:rwx means default. That is, all files created in testacldirectory will have by default read/write/execute permission for the user named aarav.
$ getfacl testacldirectory/
# file: testacldirectory
# owner: linuxacldemo
# group: linuxacldemo
user::rwx
user:aarav:rwx
group::r-x
group:sales-g:rwx
group:marketing-g:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:aarav:rwx
default:group::r-x
default:group:sales-g:rwx
default:group:marketing-g:rwx
default:mask::rwx
default:other::r-x


Now sales, marketing, and aarav can edit each other's files.

Don't believe me, aarav? See for yourself.
$ su - aarav
$ cd /home/linuxacldemo/testacldirectory
$ touch figures.txt
$ ls -l figures.txt
-rw-rw-r--+ 1 aarav aarav 0 2013-12-28 17:32 figures.txt
$ getfacl figures.txt
# file: figures.txt
# owner: aarav
# group: aarav
user::rw-
user:aarav:rwx                 #effective:rw-
group::r-x                      #effective:r--
group:sales-g:rwx               #effective:rw-
group:marketing-g:rwx           #effective:rw-
mask::rw-
other::r--


The ACL for the newly created figures.txt file is configured with the default entries from its parent directory. The #effective annotations show that the mask entry (rw-, because touch creates the file without execute permission) caps the permissions actually granted to the named users and groups: aarav, sales-g and marketing-g are listed with rwx but effectively get rw-.
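The effective column above is the result of the access-check order documented in acl(5): owner entry first (mask does not apply), then a named user entry, then the union of all matching owning-group and named-group entries, all three of the latter limited by the mask, and finally the other entry. The script below is an added example, not part of the original post, that reproduces that check against a getfacl dump so you can predict what a given account will get before handing out access. The two dumps are copied from the post; the users bob, carol and dave and the membership of carol in helpdesk-g are assumed for the demonstration.

```shell
#!/bin/sh
# Simulate the POSIX ACL access check (order from acl(5)) against getfacl
# output. Constructed input: the accounts bob, carol, dave and carol's
# membership in helpdesk-g are assumptions for this demonstration.

# getfacl output for figures.txt, as shown in the post (annotations kept).
FILE_ACL='# file: figures.txt
# owner: aarav
# group: aarav
user::rw-
user:aarav:rwx                 #effective:rw-
group::r-x                      #effective:r--
group:sales-g:rwx               #effective:rw-
group:marketing-g:rwx           #effective:rw-
mask::rw-
other::r--'

# getfacl output for testacldirectory after the default entries were added.
DIR_ACL='# file: testacldirectory
# owner: linuxacldemo
# group: linuxacldemo
user::rwx
user:aarav:rwx
group::r-x
group:sales-g:rwx
group:marketing-g:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:aarav:rwx
default:group::r-x
default:group:sales-g:rwx
default:group:marketing-g:rwx
default:mask::rwx
default:other::r-x'

# effective_perms ACL_TEXT USER GROUP...  -> prints the rwx string USER gets,
# given USER's primary and supplementary groups. Order of evaluation:
#   1. file owner            -> user:: entry, the mask does NOT apply
#   2. named user            -> user:NAME entry AND mask
#   3. owning / named groups -> union of all matching group entries AND mask
#   4. everyone else         -> other:: entry
# default:* entries are only inherited by new files; they grant nothing on
# the directory itself, so they are ignored here.
effective_perms() {
    acl=$1; who=$2; shift 2
    printf '%s\n' "$acl" | awk -v who="$who" -v groups="$*" '
        function perm_and(a, b,   i, r, c) {      # AND of two rwx strings
            r = ""
            for (i = 1; i <= 3; i++) {
                c = substr(a, i, 1)
                r = r ((c != "-" && substr(b, i, 1) != "-") ? c : "-")
            }
            return r
        }
        function perm_or(a, b,   i, r, c) {       # OR of two rwx strings
            r = ""
            for (i = 1; i <= 3; i++) {
                c = substr(a, i, 1)
                r = r ((c != "-") ? c : substr(b, i, 1))
            }
            return r
        }
        /^# owner: / { owner = $3; next }
        /^# group: / { ogroup = $3; next }
        /^#/ || NF == 0 { next }
        {
            sub(/[ \t]*#.*$/, "")                 # drop "#effective:" notes
            split($0, f, ":")
            tag = f[1]; qual = f[2]; perm = f[3]
            if      (tag == "user"  && qual == "") uperm = perm
            else if (tag == "user")                nuser[qual] = perm
            else if (tag == "group" && qual == "") gperm = perm
            else if (tag == "group")               ngroup[qual] = perm
            else if (tag == "mask")                mask = perm
            else if (tag == "other")               operm = perm
        }
        END {
            if (who == owner) { print uperm; exit }
            if (who in nuser) { print (mask == "" ? nuser[who] : perm_and(nuser[who], mask)); exit }
            n = split(groups, gl, " "); acc = "---"; hit = 0
            for (i = 1; i <= n; i++) {
                if (gl[i] == ogroup) { acc = perm_or(acc, gperm); hit = 1 }
                if (gl[i] in ngroup) { acc = perm_or(acc, ngroup[gl[i]]); hit = 1 }
            }
            if (hit) { print (mask == "" ? acc : perm_and(acc, mask)); exit }
            print operm
        }'
}

# Reproduce the effective column for figures.txt, then check the directory.
printf 'bob   (sales-g) on figures.txt:      %s\n' "$(effective_perms "$FILE_ACL" bob sales-g)"
printf 'dave  (group aarav) on figures.txt:  %s\n' "$(effective_perms "$FILE_ACL" dave aarav)"
printf 'aarav on testacldirectory:           %s\n' "$(effective_perms "$DIR_ACL" aarav aarav)"
```

On a live system you can feed it real data with effective_perms "$(getfacl some_file)" alice $(id -Gn alice); the function never needs write access to the file, so it is a safe way to audit a shared directory before and after changing its default ACL.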

To summarize, if you want to share a directory (say some_dir) between some_user and some_group such that both will have full access to the directory, including creating new files and modifying each others' files, run these commands:
$ setfacl -m   user:some_user:rwx,group:some_group:rwx    some_dir
$ setfacl -m d:user:some_user:rwx,d:group:some_group:rwx  some_dir


To remove the ACL from a file or directory, use setfacl -b like this:
$ setfacl -b /home/linuxacldemo/testacldirectory


Note that this removes all extended entries and leaves only the basic user/group/other entries. If all you want is to delete the default ACL of the directory, execute this instead:
$ setfacl -k /home/linuxacldemo/testacldirectory

You can find more Red Hat/CentOS reference material at https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Storage_Administration_Guide/ch-acls.html
