A: Access Control List
Latest revision as of 07:57, 10 April 2021
Contents
1 Install
1.1 Software
Red Hat based system:
[root@helios tmp]# yum install acl
Debian based System:
[root@helios tmp]# apt-get install acl
1.2 File System
[root@helios tmp]# vi /etc/fstab
/dev/sdb1 /srv/nfs/data ext4 rw,acl 1 2
[root@helios tmp]# mount -a
[root@helios tmp]# mount | grep acl
/dev/sdb1 on /srv/nfs/data type ext4 (rw,acl)
Note: on current distribution kernels ext4, XFS and Btrfs have POSIX ACL support enabled by default, so the explicit acl mount option is only needed on older systems, and `mount | grep acl` may print nothing even though setfacl works. On ext4, `tune2fs -l /dev/sdb1 | grep 'Default mount options'` shows whether acl is recorded in the superblock defaults.
2 Understand ACLs
2.1 Read ACL Rules
[root@helios tmp]# touch notes.txt
[root@helios tmp]# ls -l notes.txt
-rw-r--r-- 1 root root 0 Jun 29 06:33 notes.txt
[root@helios tmp]# setfacl -m u:joe:r-- -m u:tom:rw- -m u:mike:r-- notes.txt
[root@helios tmp]# ls -l notes.txt
-rw-rw-r--+ 1 root root 0 Jun 29 06:33 notes.txt
[root@helios tmp]# getfacl notes.txt
# file: notes.txt
# owner: root
# group: root
user::rw-
user:joe:r--
user:tom:rw-
user:mike:r--
group::r--
mask::rw-
other::r--
3 Understand ACL Rules
3.1 Access ACL
3.1.1 Mask
This is the effective rights mask. It limits the effective rights granted by every named user entry (user:joe:...), every named group entry and the owning group entry (group::). The owner entry (user::) and the other entry (other::) are not affected by it. Where the mask is more restrictive than an entry, the mask wins, and getfacl prints the clipped permissions as a #effective: comment next to that entry. Once a file has an extended ACL, the group bits shown by ls -l (and changed by chmod) are the mask, not the owning group's own permissions.
[root@helios tmp]# rm -f notes.txt
[root@helios tmp]# touch notes.txt
[root@helios tmp]# setfacl -m u:tom:rwx notes.txt
[root@helios tmp]# su tom -c "echo 12345678 > notes.txt"
[root@helios tmp]# getfacl notes.txt
# file: notes.txt
# owner: root
# group: root
user::rw-
user:tom:rwx
group::r--
mask::rwx
other::r--
[root@helios tmp]# setfacl -m mask::r-- notes.txt
[root@helios tmp]# su tom -c "echo 12345678 > notes.txt"
bash: notes.txt: Permission denied
[root@helios tmp]# getfacl notes.txt
# file: notes.txt
# owner: root
# group: root
user::rw-
user:tom:rwx #effective:r--
group::r--
mask::r--
other::r--
Note: Whenever you add or change a named user, named group or owning group entry with setfacl -m, the mask is recalculated to the union of those entries, unless you pass -n (--no-mask) or set the mask explicitly in the same command. A restrictive mask therefore has to be applied after the user and group entries (or together with them in one -m list), otherwise the next -m silently widens it again. Remember also that chmod on the group bits of a file with an ACL changes the mask, not the group:: entry.
4 Default ACL
There is also another type of ACL, called the default ACL. A default ACL can only be set on a directory, and it defines the ACL entries that a file or directory created inside that directory inherits.
A new file gets the default entries as its access ACL, filtered by the mode passed to the creating call (the umask is not applied when a default ACL exists). A new directory inherits the default ACL both as its access ACL and as its own default ACL, so the entries propagate down the tree.
Here is an example of defining a default ACL for a directory, and what happens when files and directories are created underneath that directory:
[root@helios tmp]# mkdir secret
[root@helios tmp]# setfacl -m u:joe:rwx,u:chris:rwx,o::- secret
[root@helios tmp]# getfacl secret
# file: secret
# owner: root
# group: root
user::rwx
user:chris:rwx
user:joe:rwx
group::r-x
mask::rwx
other::---
[root@helios tmp]# echo "server1:admin:t0ta1." > secret/passwords-1.txt
[root@helios tmp]# getfacl secret/passwords-1.txt
# file: secret/passwords-1.txt
# owner: root
# group: root
user::rw-
group::r--
other::r--
[root@helios tmp]# setfacl -d -m u:joe:rwx,u:chris:rwx,o::- secret
[root@helios tmp]# getfacl secret
# file: secret
# owner: root
# group: root
user::rwx
user:chris:rwx
user:joe:rwx
group::r-x
mask::rwx
other::---
default:user::rwx
default:user:chris:rwx
default:user:joe:rwx
default:group::r-x
default:mask::rwx
default:other::---
[root@helios tmp]# echo "server1:admin:t0ta1." > secret/passwords-2.txt
[root@helios tmp]# getfacl secret/passwords-2.txt
# file: secret/passwords-2.txt
# owner: root
# group: root
user::rw-
user:chris:rwx #effective:rw-
user:joe:rwx #effective:rw-
group::r-x #effective:r--
mask::rw-
other::---
[root@helios tmp]# mkdir secret/test
[root@helios tmp]# getfacl secret/test
# file: secret/test
# owner: root
# group: root
user::rwx
user:chris:rwx
user:joe:rwx
group::r-x
mask::rwx
other::---
default:user::rwx
default:user:chris:rwx
default:user:joe:rwx
default:group::r-x
default:mask::rwx
default:other::---
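The mask rule from section 3.1.1 and the inheritance rule above, as an added Python example (not code from this page or from the acl package): it parses getfacl output, applies the mask, runs the acl(5) access-check order, and derives the access ACL a new file or directory receives from a default ACL, reproducing the passwords-2.txt and secret/test listings. The notes.txt and secret listings are re-typed from the page; the helper names and the extra users bob and eve are this example's own assumptions.

```python
"""POSIX.1e ACL semantics in code: mask clipping, the acl(5) access check and
default-ACL inheritance. Added example, not code from the wiki page or the acl
package; the listings are the page's own getfacl output re-typed as test data."""
import re

PERM_BITS = {"r": 4, "w": 2, "x": 1}

def perm_to_bits(s):  # 'rw-' -> 6
    return sum(v for c, v in PERM_BITS.items() if c in s)

def bits_to_perm(b):  # 6 -> 'rw-'
    return "".join(c if b & v else "-" for c, v in PERM_BITS.items())

def parse_getfacl(text):
    """One getfacl(1) listing -> {'owner', 'group', 'access': [(tag, qualifier, bits)], 'default': [...]}."""
    acl = {"owner": None, "group": None, "access": [], "default": []}
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("#"):  # header lines: # file: / # owner: / # group: / # flags:
            m = re.match(r"#\s*(owner|group):\s*(\S+)", line)
            if m:
                acl[m.group(1)] = m.group(2)
            continue
        line = line.split("#", 1)[0].strip()  # drop '#effective:...' hints; recomputed below
        kind, line = ("default", line[8:]) if line.startswith("default:") else ("access", line)
        tag, qualifier, perms = line.split(":")
        acl[kind].append((tag, qualifier, perm_to_bits(perms)))
    return acl

def effective(entries):
    """Apply the mask: it limits named users, named groups and the owning group
    (group::) only; the owner (user::) and other:: entries are never clipped."""
    mask = next((b for t, q, b in entries if t == "mask"), None)
    clip = lambda t, q: mask is not None and (t == "group" or (t == "user" and q))
    return [(t, q, b & mask if clip(t, q) else b) for t, q, b in entries]

def render(entries):
    """getfacl-style lines, adding '#effective:' where the mask clips an entry."""
    eff = {(t, q): b for t, q, b in effective(entries)}
    return [f"{t}:{q}:{bits_to_perm(b)}"
            + (f"\t#effective:{bits_to_perm(eff[t, q])}" if eff[t, q] != b else "")
            for t, q, b in entries]

def access(acl, user, groups, want):
    """acl(5) check order: owner -> named user -> owning/named groups -> other.
    A matching group entry that lacks the bits denies; there is no fall-through."""
    need, ent = perm_to_bits(want), effective(acl["access"])
    base = {t: b for t, q, b in ent if q == ""}  # user::, group::, mask::, other::
    if user == acl["owner"]:
        return base["user"] & need == need
    named = {q: b for t, q, b in ent if t == "user" and q}
    if user in named:
        return named[user] & need == need
    grp = {acl["group"]: base["group"], **{q: b for t, q, b in ent if t == "group" and q}}
    hits = [b for g, b in grp.items() if g in groups]
    return any(b & need == need for b in hits) if hits else base["other"] & need == need

def inherit(dir_acl, mode, is_dir):
    """Access ACL of a new object under a directory with a default ACL: the default
    entries, with user:: filtered by the owner bits of `mode` (the creat()/mkdir()
    argument; umask is ignored), mask:: (or group:: if there is no mask) by the group
    bits and other:: by the other bits. Only a new directory also copies the default ACL.
    Owner/group really come from the creating process; taken from the parent here."""
    default = dir_acl["default"]
    u, g, o = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
    filt = {("user", ""): u, ("other", ""): o, ("mask", ""): g}
    if not any(t == "mask" for t, _, _ in default):
        filt[("group", "")] = g
    return {"owner": dir_acl["owner"], "group": dir_acl["group"],
            "access": [(t, q, b & filt.get((t, q), 7)) for t, q, b in default],
            "default": list(default) if is_dir else []}

# Re-typed from the page: notes.txt after `setfacl -m mask::r--`, and the default
# entries of `secret` after `setfacl -d -m u:joe:rwx,u:chris:rwx,o::- secret`.
NOTES_TXT = """\
# file: notes.txt
# owner: root
# group: root
user::rw-
user:tom:rwx\t#effective:r--
group::r--
mask::r--
other::r--
"""
SECRET_DIR = """\
# file: secret
# owner: root
# group: root
default:user::rwx
default:user:chris:rwx
default:user:joe:rwx
default:group::r-x
default:mask::rwx
default:other::---
"""

if __name__ == "__main__":
    notes, secret = parse_getfacl(NOTES_TXT), parse_getfacl(SECRET_DIR)
    print("tom can write notes.txt:", access(notes, "tom", {"tom"}, "w"), "(mask r-- clips rwx)")
    print("\n".join(render(inherit(secret, 0o666, False)["access"])))  # passwords-2.txt listing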
5 Examples
- Remove Specific Entries from an ACL
setfacl -x u:tom,u:joe notes.txt
- Remove Entire ACL
setfacl -b notes.txt
- Replace all existing ACL rules and apply this one
setfacl --set u::rw-,g::r--,o::---,u:tom:rw-,u:joe:r-- notes.txt # --set needs the u::, g:: and o:: base entries as well, each with permissions
- Using setfacl Recursively
setfacl -PRx u:joe ./ # -P: do not follow symbolic links while recursing
- Backup/Restore ACL Rules
- May clear the setuid, setgid and sticky bits on restore with older acl versions (newer getfacl records them in a "# flags:" header); compare `stat -c '%a %n'` output before and after
getfacl -R . > acl.txt
setfacl --restore acl.txt
getfacl -R $(ls -d /* | grep -Ev 'dev|proc|selinux|sys|lost\+found') > /etc/acl.txt
- Copy ACLs from an existing file/directory
getfacl bingo.txt | setfacl --set-file=- test*
- Backup/Restore data and ACL rules
star -Hexustar -acl -c f=Tree.star Tree
star -acl -x f=Tree.star
# rdiff-backup also supports ACLs