This article introduces three methods to restrict user access permissions in Linux, and focuses on the use of Linux ACLs. For more information, see
Sometimes you need to restrict a particular user's access to a specific directory or file, or to narrow the scope of what that user can access there. This is a real requirement. On Ubuntu, for example, there are often several login users, and by default user A's working directory (usually under /home/) is readable by every other user, but A may not want other users (or one specific user) to read A's files.
Three solutions are proposed here.
First: use chmod to change the permissions of the directory. This can keep some users out of a directory, but chmod only distinguishes owner, group and others, so restricting one user this way also affects other users who should keep their access.
Second: use Linux containers, such as LXC. This is rather time-consuming.
Third: use the setfacl command to set an access control list.
Of these, the third solution fits the requirement best. This article focuses on the concrete implementation of that solution, which I tested myself. My system is Linux Mint 15 64-bit; the root directory / uses the ext4 file system and /home uses the btrfs file system.
Install acl
sudo apt-get install acl
Some materials I read say the system needs to be restarted, but during testing I found that it was already installed (I don't know whether it is built into Mint or I installed it at some point), and it works without restarting.
Use setfacl
Run the following commands as root:
# mkdir /home/test
# touch /home/test/foo.txt
# vim /home/test/foo.txt
# ls -ld /home/test/
drwxr-xr-x 1 root 14 Jan 16 /home/test/
# ls -ld /home/test/foo.txt
-rw-r--r-- 1 root 6 Jan 16 /home/test/foo.txt
The commands above create a directory test under /home, create a file foo.txt inside test, and add some content to foo.txt. At this point the ordinary user letian can still read foo.txt.
Now run setfacl as root so that the /home/test directory, and the files and directories inside it, can no longer be accessed by letian:
# setfacl -R -m u:letian:- /home/test/
-R means recursive, -m means modify, and u:letian:- means that the user letian gets no permissions on /home/test. In place of - you can use r, w, x or any combination of them as needed. Let's look at the details of the test directory:
# ls -ld /home/test/
drwxr-xr-x+ 1 root root 14 Jan 16 09:46 /home/test/
The plus sign (+) after the permission bits indicates that an ACL is set on the file or directory. The permission listing for foo.txt will also be followed by a +. Now try to access the directory as letian:
$ ls /home/test
ls: cannot open directory /home/test: Permission denied
Use getfacl
getfacl is used to view the ACL set on a directory or file.
$ getfacl /home/test
# file: /home/test
# owner: root
# group: root
user::rwx
user:letian:---
group::r-x
mask::r-x
other::r-x
Delete the configured ACL
# setfacl -b /home/test/
# getfacl /home/test
# file: /home/test
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
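The whole procedure above (deny a user with setfacl -R -m, confirm it with getfacl and the + marker in ls -ld, then remove it with setfacl -b) as a small script, added here as an example and not code from the original article. It assumes the acl package is installed, operates on a directory you own rather than /home/test, and the user name you pass to it must exist on the system.

```shell
#!/bin/sh
# Added example (not from the original article): apply, inspect and remove a
# per-user deny ACL on a directory you own, mirroring the /home/test walk-through.
# Assumes the acl package (setfacl/getfacl) is installed and the filesystem
# supports POSIX ACLs. The user named as the second argument must exist.
set -eu

# Deny USER all access to DIR and everything below it: setfacl -R -m u:USER:-
deny_user() {
    setfacl -R -m "u:$2:-" "$1"
}

# Print the effective rights USER gets from a named ACL entry on PATH, or
# "none" when no entry exists. getfacl --omit-header prints lines such as
# "user:letian:---"; when the mask narrows an entry it appends
# "#effective:r-x", and that effective value is what the kernel applies.
acl_entry_for() {
    getfacl --omit-header --absolute-names "$1" 2>/dev/null |
        awk -F: -v u="$2" '
            $1 == "user" && $2 == u {
                p = ($3 ~ /#effective/) ? $4 : $3
                print p; found = 1
            }
            END { if (!found) print "none" }'
}

# True when ls -ld shows the trailing "+" that marks an ACL on PATH.
has_acl_marker() {
    mode=$(ls -ld "$1" | awk '{ print $1 }')
    case "$mode" in *+) return 0 ;; *) return 1 ;; esac
}

# Remove all extended ACL entries from PATH (setfacl -b), keeping the mode bits.
clear_acl() {
    setfacl -b "$1"
}

# Usage: ./acl_deny.sh DIR USER
if [ $# -eq 2 ]; then
    deny_user "$1" "$2"
    printf '%s on %s: %s\n' "$2" "$1" "$(acl_entry_for "$1" "$2")"
fi
```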