
Linux Services Organization : Linux ACL Linux Server

Standard file/directory permissions control access to a file/directory based on three classes: the file owner ('user'), the group owner ('group') and everyone else ('others'). Rights on a file/directory for one particular user or group can be granted by the file owner using an ACL (Access Control List).

ACL Configuration

These are the steps to follow in order to create ACL permissions on a file/directory. As an example, let's grant read-write permission to user 'kate' on /home/john/file.txt without changing the standard permissions on /home/john/file.txt :

1.- Verify that user kate cannot write to /home/john/file.txt :

$ su - john
john-$ chmod 700 /home/john/file.txt
Makes sure that only 'john' can access file.txt
john-$ cat /home/john/file.txt
john


$ su - kate
kate-$ cat /home/john/file.txt
cat: /home/john/file.txt: Permission denied


2.- As root, remount the partition that contains /home/john with the 'acl' mount option :

$ su - root
Change line in /etc/fstab -> '/dev/VolGroup01/VolGroup01Home          /home                  ext4          defaults,acl          1 2'
$ mount -o remount /home


3.- Set the 'others' execute permission on the directory where the ACLs are going to be applied (/home/john) :

$ chmod 701 /home/john

4.- Check the current ACL on file /home/john/file.txt :

$ getfacl /home/john/file.txt

getfacl: Removing leading '/' from absolute path names
# file: home/john/file.txt
# owner: john
# group: john
user::rwx
group::---
other::---
Only user john has rw access to file.txt

5.- Grant execute permission via ACL to the specific user (kate) on the directory that contains the file (/home/john), so that kate can traverse /home/john :

$ setfacl -m user:kate:r-x /home/john
$ setfacl -m mask:r-x /home/john


6.- Grant rw access via ACL to the specific user (kate) on the file (/home/john/file.txt) :

$ setfacl -m user:kate:rw- /home/john/file.txt

7.- Verify the result :

$ getfacl /home/john/file.txt
getfacl: Removing leading '/' from absolute path names
# file: home/john/file.txt
# owner: john
# group: john
user::rwx
user:kate:rw-
group::---
mask::rw-
other::---
User kate has read-write access to file.txt. Note the 'mask' entry, which caps the effective rights that any named user or group entry can grant on the file/directory; it can be changed with the 'setfacl -m mask' command.

$ su - kate
kate-$ vi /home/john/file.txt
add --> kate
:wq!

kate-$ cat /home/john/file.txt
john kate
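As an added example (not part of the tutorial), the following POSIX shell script reads a getfacl listing and works out each entry's effective rights after the mask is applied, which is what the kernel actually enforces. The listing is constructed from the tutorial's /home/john/file.txt plus one constructed entry, user:alice:rwx, to show the mask clipping a larger grant down to rw-.

```shell
#!/bin/sh
# Added example, not the tutorial's code: compute each ACL entry's EFFECTIVE rights by
# ANDing it with the mask, as the kernel does. Listing constructed after the tutorial's
# /home/john/file.txt plus a constructed user:alice:rwx that mask::rw- clips to rw-.
ACL_LISTING='# file: home/john/file.txt
# owner: john
# group: john
user::rwx
user:kate:rw-
user:alice:rwx
group::---
mask::rw-
other::---'
# and_perms RWX1 RWX2 -> bitwise AND of two permission triplets (rwx & rw- = rw-)
and_perms() {
    ap_out=""
    for ap_i in 1 2 3; do
        ap_a=$(printf '%s' "$1" | cut -c"$ap_i")
        ap_b=$(printf '%s' "$2" | cut -c"$ap_i")
        if [ "$ap_a" != "-" ] && [ "$ap_a" = "$ap_b" ]; then ap_out="$ap_out$ap_a"
        else ap_out="$ap_out-"; fi
    done
    printf '%s' "$ap_out"
}

# mask_of LISTING -> the mask entry; with no mask entry nothing is clipped (rwx)
mask_of() {
    mo_m=$(printf '%s\n' "$1" | sed -n 's/^mask::\([rwx-]*\)$/\1/p')
    printf '%s' "${mo_m:-rwx}"
}

# effective LISTING ENTRY -> effective rights of ENTRY ("user:kate"; "user:" is the owner,
# "group:" the owning group). Owner and other:: are never masked; everything else is.
effective() {
    ef_p=$(printf '%s\n' "$1" | sed -n "s/^$2:\([rwx-]*\)$/\1/p")
    [ -n "$ef_p" ] || { printf 'absent'; return 1; }
    case $2 in
        user:|other:) printf '%s' "$ef_p" ;;
        *) and_perms "$ef_p" "$(mask_of "$1")" ;;
    esac
}

# report LISTING -> "<entry> <granted> -> <effective>" for every non-comment line
report() {
    printf '%s\n' "$1" | grep -v '^#' | while IFS= read -r rp_line; do
        rp_entry=${rp_line%:*}
        printf '%s %s -> %s\n' "$rp_entry" "${rp_line##*:}" "$(effective "$1" "$rp_entry")"
    done
}
report "$ACL_LISTING"
```

Run it against the real output of 'getfacl' on a file to see whether a 'setfacl -m user:...' grant was silently reduced by the mask.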


For more information about what can be done with ACLs, see 'man getfacl' and 'man setfacl'.

Questions

1.- ACLs can be set up in a directory with 700 permission (true/false)

2.- ACL can be set up in any filesystem type (true/false)

3.- The command 'getfacl /dir' displays the standard permissions and ACLs on /dir (true/false)

4.- Can different ACLs be set up in different directories on the same filesystem?

5.- Which command must be applied in order to grant read access to user 'kate' on /home/john/file.txt?

Labs

1.- User 'admin' is the FTP admin on your server. Give full permission on /ftp to user admin without changing any standard permission on /ftp.

-- This page is part of Linux Server online tutorial --