Network Security Series 39: Configuring Access Control Lists (ACLs) in Linux

Source: Internet
Author: User

The traditional permission model in Linux is simple: there are only three identities (owner, group, others) and three permissions (read, write, execute), and the permissions or owner of a file are set with chmod and chown. When a more complex arrangement is needed, such as opening a directory to one particular extra user, these traditional methods cannot express the requirement.

For example, take the /home/project directory: its owner is the user student, its owning group is users, and its default permission is 770. Now a user named natasha, who belongs to the natasha group, wants read and write permission on /home/project, and a user named instructor, who belongs to the instructor group, wants read and execute permission on /home/project.

Clearly this requirement cannot be met with chmod or chown alone. For this reason Linux provides ACLs (Access Control Lists), which are designed precisely for this kind of fine-grained permission setting.

1. Setting an ACL

An ACL is set with the setfacl command, which has the following format:

setfacl [options] <ACL entry> <file name>

Common options:

    • -m, set (or modify) an ACL entry.

    • -x, remove an ACL entry.

    • -b, remove all ACL entries.

Example: give natasha rwx permission on the /home/project directory.

[root@localhost ~]# setfacl -m u:natasha:rwx /home/project/

[root@localhost ~]# ll -d /home/project/

drwxrwxrwx+ 2 student users 4096 Dec  2 16:43 /home/project/

After an ACL has been set, the file listing shows an extra "+" at the end of the permission string, indicating that the file carries ACL entries.

Next, give the instructor user r-x permission on the /home/project directory.

[root@localhost ~]# setfacl -m u:instructor:r-x /home/project/

2. Managing ACLs

You can view ACL permissions with the getfacl command.

[root@localhost ~]# getfacl /home/project/
getfacl: Removing leading '/' from absolute path names
# file: home/project/
# owner: student
# group: users
user::rwx
user:instructor:r-x
user:natasha:rwx
group::rwx
mask::rwx
other::rwx

An ACL entry can be modified with "setfacl -m".

Example: change the instructor user's permission to rwx.

[root@localhost ~]# setfacl -m u:instructor:rwx /home/project/

You can remove a user from an ACL with "setfacl -x".

Example: remove the instructor user from the ACL.

[root@localhost ~]# setfacl -x u:instructor /home/project/
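One detail of the getfacl output above that matters for maintenance is the mask:: entry, which caps every named user, named group and owning-group entry, and which chmod's group bits rewrite on a file that carries an ACL. The script below is an added example, not part of the original article; it reproduces getfacl's "#effective:" calculation over constructed sample text (the article's listing, and a hypothetical copy after "chmod 750"), assuming only POSIX sh and awk.

```shell
#!/bin/sh
# Added example: compute the effective rights of the ACL entries the mask
# applies to, as getfacl's "#effective:" annotation does. Input: getfacl text.

# Constructed sample: the article's /home/project ACL as getfacl prints it.
ACL_FULL='# file: home/project/
user::rwx
user:instructor:r-x
user:natasha:rwx
group::rwx
mask::rwx
other::rwx'

# Constructed sample: the same entries after a hypothetical "chmod 750".
# On an ACL-bearing file chmod's group bits rewrite the mask, not group::,
# so the named entries still read rwx but are silently capped.
ACL_MASKED='# file: home/project/
user::rwx
user:instructor:r-x
user:natasha:rwx
group::rwx
mask::r-x
other::---'

# Print "<entry> <effective rights>" for every named-user, named-group and
# owning-group entry. user:: (the owner) and other:: are never masked.
acl_effective() {
    awk -F: '
        BEGIN { mask = "rwx" }      # a minimal ACL has no mask entry: no cap
        /^#/ || NF < 3 { next }     # skip getfacl header comments
        $1 == "mask" { mask = $3; next }
        ($1 == "user" && $2 != "") || $1 == "group" { entries[++n] = $0 }
        END {
            for (i = 1; i <= n; i++) {
                split(entries[i], f, ":")
                eff = ""
                for (j = 1; j <= 3; j++) {   # keep a bit only if the mask has it
                    c = substr(f[3], j, 1)
                    eff = eff ((c != "-" && substr(mask, j, 1) == c) ? c : "-")
                }
                print entries[i], eff
            }
        }'
}

# Usage: before the chmod natasha really has rwx; afterwards only r-x.
printf '%s\n' "$ACL_FULL" | acl_effective
printf '%s\n' "$ACL_MASKED" | acl_effective
```

This is why the mask line deserves a look whenever "+" appears in a listing: a routine chmod on such a directory changes what the ACL grants without touching the entries themselves.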

3. Enabling ACL support

ACLs can be set for users or for groups. Using ACLs requires file system support; the standard ext2/ext3/ext4 file systems in Linux support ACLs. Note that the default file system in RHEL 6 already has ACL support enabled, but a newly mounted partition does not enable ACLs by default; enable them with the "-o acl" option when mounting the file system.

Example: mount the /dev/sdb1 partition on the /home directory with ACL support enabled. After the file system is mounted, verify that ACLs are enabled with the mount command.

[root@localhost ~]# mount -o acl /dev/sdb1 /home

[root@localhost ~]# mount | grep home

/dev/sdb1 on /home type ext4 (rw,acl)

If you want ACL support to be enabled automatically at boot, edit the /etc/fstab file and add the following line:

[root@localhost ~]# vim /etc/fstab

/dev/sdb1    /home    ext4    defaults,acl    0 0

4. Things to be aware of when configuring ACLs

ACLs exist to grant additional permissions and are mainly used to fine-tune them. When setting permissions on a system you should still rely primarily on the traditional chmod and chown methods rather than making ACLs the main mechanism; otherwise maintenance becomes difficult.

Therefore, when setting permissions in a production environment, it is recommended that you set the overall permissions with chmod and chown first, and then use ACLs to set the detailed permissions as needed.

This article is from the "A Pot of Turbid Wine" blog; please contact the author before reproducing it.
