Linux Access Control Lists (ACLs)
This article covers the creation and management of Access Control Lists (ACLs) on Linux, with specific reference to the information needed for the RHCSA EX200 and RHCE EX300 certification exams.
Remember, the exams are hands-on, so it doesn't matter which method you use to achieve the result, so long as the end product is correct.
The basic file permissions allow control over read, write and execute for the file owner, the owning group and all other users. In many cases this is all you need, but sometimes you need to grant different permissions to several specific users or groups on the same file, which cannot be expressed with the basic permission bits. In these cases, POSIX ACLs provide an extra level of control and flexibility: each file can carry named user and group entries alongside the owner, group and other entries.
Enable ACLs for a Volume
Check whether ACLs are currently enabled on the volume. If the mount options shown in brackets contain "rw" but not "acl", the option was not passed at mount time. Note that on newer kernels and distributions ACL support is usually on by default for ext4 and XFS, so "acl" is often absent from the mount output even though ACLs already work; on ext4 you can confirm this with "tune2fs -l /dev/xxx" and look at the "Default mount options" line.
# mount -l -t ext4
/dev/mapper/vg_rhce1-lv_root on / type ext4 (rw)
/dev/vda1 on /boot type ext4 (rw)
#
Edit the "/etc/fstab" file, adding "acl" to the options for the root file system. The following text shows the initial setting and the altered line.
# Before
/dev/mapper/vg_rhce1-lv_root / ext4 defaults 1 1

# After
/dev/mapper/vg_rhce1-lv_root / ext4 defaults,acl 1 1
Remount the file system for the change to take effect. The "(rw,acl)" text shows the volume now supports ACLs.
# mount -o remount /
# mount -l -t ext4
/dev/mapper/vg_rhce1-lv_root on / type ext4 (rw,acl)
/dev/vda1 on /boot type ext4 (rw)
#
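The mount-option check above can be scripted so it does not depend on eyeballing the output. The following POSIX shell function is an added example and is not code from the original article: it reads a mount table in /proc/mounts format from stdin and returns 0 when the requested mount point carries the "acl" option, 1 when it is mounted without it, and 2 when the mount point is not present. The sample table is constructed to mirror the article's system; on a live host feed it /proc/mounts instead.

```shell
#!/bin/sh
# Added example (not from the original article): report whether a mount point
# carries the "acl" mount option. The mount table is read from stdin in
# /proc/mounts format ("device mountpoint fstype options 0 0"), so the function
# can be exercised on the constructed sample below, or on a live system with:
#   mount_has_acl / < /proc/mounts
# Exit status: 0 = acl present, 1 = mounted without acl, 2 = mount point not found.
mount_has_acl() {
    awk -v mp="$1" '
        $2 == mp {
            seen = 1
            # options are a comma-separated list in the fourth field
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "acl") found = 1
        }
        END {
            if (!seen) exit 2
            exit (found ? 0 : 1)
        }'
}

# Constructed sample table (not captured from a real host): the root file
# system has been remounted with acl, /boot is left at its defaults.
SAMPLE_MOUNTS='/dev/mapper/vg_rhce1-lv_root / ext4 rw,relatime,acl 0 0
/dev/vda1 /boot ext4 rw,relatime 0 0'

# Usage on the sample:
#   printf '%s\n' "$SAMPLE_MOUNTS" | mount_has_acl /      # exit status 0
#   printf '%s\n' "$SAMPLE_MOUNTS" | mount_has_acl /boot  # exit status 1
```

Because the function only inspects the mount options, a 1 on a modern ext4 or XFS volume does not by itself mean ACLs are unavailable; combine it with the tune2fs check or simply try a setfacl on a scratch file.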
User ACLs
The getfacl command lists the current ACL entries for a specified file or directory. The example below shows the basic permissions on a new file; with no extended entries present, the output simply mirrors the owner, group and other permission bits.
# cd /root
# touch test.txt
# getfacl test.txt
# file: test.txt
# owner: root
# group: root
user::rw-
group::r--
other::r--
#
The "setfacl -m" command is used to modify the permissions on files and directories. User level permissions are set using the "u:username:permissions" format. The following example sets the "rwx" permissions on the file for the user "oracle". Notice the new user entry in the permissions list, and the "mask" entry that setfacl adds automatically: the mask is the upper bound on the effective permissions of all named users, named groups and the owning group, so a named entry of "rwx" is only effective if the mask also allows it.
# setfacl -m u:oracle:rwx test.txt
# getfacl test.txt
# file: test.txt
# owner: root
# group: root
user::rw-
user:oracle:rwx
group::r--
mask::rwx
other::r--
#
The specific user entry is removed using the "-x" option. Notice the user entry has now been removed, but the mask entry remains; "setfacl -b" strips all extended entries (named users, named groups and the mask) and returns the file to plain mode bits.
# setfacl -x u:oracle test.txt
# getfacl test.txt
# file: test.txt
# owner: root
# group: root
user::rw-
group::r--
mask::rwx
other::r--
#
Group ACLs
Group permissions are also set using the "setfacl -m" command, but this time we use the "g:groupname:permissions" format. In the following example we give the "apache" group "rx" permissions on the file. Notice the new group entry in the permissions list.
# setfacl -m g:apache:rx test.txt
# getfacl test.txt
# file: test.txt
# owner: root
# group: root
user::rw-
group::r--
group:apache:r-x
mask::rwx
other::r--
#
The permission is removed using the "-x" option.
# setfacl -x g:apache test.txt
# getfacl test.txt
# file: test.txt
# owner: root
# group: root
user::rw-
group::r--
mask::rwx
other::r--
#
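The user and group examples above both show a "mask" entry, and it is the mask, not the named entry, that decides what a named user or group can actually do. A common surprise is that a later "chmod" on the file rewrites the group bits into the mask, silently cutting a named user's "rwx" down to whatever the group bits allow. The following POSIX shell function is an added example, not code from the original article: it parses getfacl output from stdin and prints the effective permission of one entry after applying the mask, using the same rules getfacl itself follows (the owner and "other" entries are never masked; named users, named groups and the owning group are). The sample getfacl output is constructed to show a file that was given "u:oracle:rwx" and then had "chmod 640" run on it.

```shell
#!/bin/sh
# Added example (not from the original article): compute the effective
# permission of one ACL entry from getfacl output supplied on stdin.
#   acl_effective user oracle   -> named user "oracle"
#   acl_effective user ""       -> the file owner (user::), never masked
#   acl_effective group ""      -> the owning group (group::), masked
#   acl_effective group apache  -> named group "apache"
# Prints the effective rwx triple; exit status 2 if the entry is absent.
acl_effective() {
    awk -F: -v type="$1" -v name="$2" '
        # getfacl appends "#effective:..." when the mask restricts an entry;
        # drop it so $3 is just the rwx triple written in the ACL
        { sub(/[ \t]+#.*/, "", $3) }
        $1 == "mask" { mask = $3 }
        $1 == type && $2 == name { perm = $3 }
        END {
            if (perm == "") exit 2
            # no mask (no extended entries) or the owner entry: use as written
            if (mask == "" || (type == "user" && name == "")) { print perm; exit 0 }
            out = ""
            for (i = 1; i <= 3; i++) {
                c = substr(perm, i, 1)
                out = out (substr(mask, i, 1) == c ? c : "-")
            }
            print out
        }'
}

# Constructed getfacl output (not captured from a real host): the file was
# given "setfacl -m u:oracle:rwx" and then "chmod 640", which set the mask
# to the new group bits (r--) and so reduced oracle to read-only.
SAMPLE_GETFACL='# file: test.txt
# owner: root
# group: root
user::rw-
user:oracle:rwx         #effective:r--
group::r--
mask::r--
other::---'

# Usage on the sample:
#   printf '%s\n' "$SAMPLE_GETFACL" | acl_effective user oracle   # prints r--
#   printf '%s\n' "$SAMPLE_GETFACL" | acl_effective user ""       # prints rw-
# On a live file:  getfacl test.txt | acl_effective user oracle
```

When auditing a host, run this against every file that has a "+" in its "ls -l" mode string; an entry that looks generous in the ACL but is throttled by the mask is a frequent source of both broken applications and false confidence that access has been granted.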
Miscellaneous
Like most Linux commands, setfacl comes with a wide variety of flags to alter its behaviour, for example "-R" to apply an entry recursively to a directory tree and "-b" to remove every extended entry from a file. Take a look at the man page to familiarise yourself with them; further usage examples are given at the bottom of the man page.