Live as if you were to die tomorrow. Learn as if you were to live forever.

Wednesday 29 November 2017

Access Control List (ACL)



An ACL (Access Control List) is used to set additional, per-user or per-group permissions on files or directories beyond the standard owner/group/other bits.

As we know, every file or directory has permissions for its owner, its group and other users. If you want to give some other user access without modifying the current permissions of the file or directory, you can use an ACL.


Before applying an ACL, perform two initial checks:

1. Check whether the acl package is installed.

2. Check that the mounted file system supports ACLs.

1. Check whether the acl package is installed.

[root@vidya ~]# yum list acl
Installed Packages
acl.x86_64        2.2.49-7.el6_9.1        @updates

2. Check ACL support on the mounted file system

Suppose we want to set an ACL on the /home/vidya directory. First make sure that ACL support is enabled on the file system where /home/vidya resides.

[root@vidya ~]# df -h /home/vidya
Filesystem                        Size  Used Avail Use% Mounted on
/dev/mapper/vg_94762034-lv_root    29G  6.3G   21G  24% /

Here we can see that /home/vidya is on the file system mounted at /.

Now check whether the acl option is set for the / mount point in /etc/fstab (on this system it has already been added to the options field of the / entry).
[root@vidya ~]# cat /etc/fstab
#
# /etc/fstab
# Created by anaconda on Thu May 10 16:43:17 2012
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/vg_94762034-lv_root             /          ext4    defaults,acl    1 1
UUID=0eb7c5d4-1797-4b77-84de-14983906633d   /boot      ext4    defaults        1 2
/dev/mapper/vg_94762034-lv_swap             swap       swap    defaults        0 0
tmpfs                                       /dev/shm   tmpfs   defaults        0 0
devpts                                      /dev/pts   devpts  gid=5,mode=620  0 0
sysfs                                       /sys       sysfs   defaults        0 0
proc                                        /proc      proc    defaults        0 0
/dev/xvde1                                  /top       ext4    defaults        0 0
/dev/xvde2                                  swap       swap    defaults        0 0

The acl option has been added to the options field of the / entry. After adding it, remount the partition (or reboot the system) so that the option takes effect.

[root@vidya ~]# mount -o remount  /
[root@vidya ~]#
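The mount-option check above can be scripted. The following is an added example, not code from the original post: it reads an fstab- or /proc/mounts-style table and reports whether the file system holding a given path carries the acl option, choosing the longest matching mount point so that a path under /top is judged by the /top entry and not by /. The table is passed in as text, so the constructed sample below runs anywhere; the device names and UUID in it are made up. One caveat for current systems: ext4 and xfs on recent kernels enable ACLs by default and do not list acl among their mount options, so status 2 means "file system default applies" (for ext4, tune2fs -l DEVICE shows it under "Default mount options"), not "disabled".

```shell
#!/bin/sh
# Added example (not part of the original post): decide whether the file system
# holding a path is mounted with the "acl" option by reading an fstab- or
# /proc/mounts-style table. The table is passed in as text so the function can
# be exercised on the constructed sample below without touching the live system.

# acl_enabled_for_path PATH TABLE
#   TABLE lines look like "<device> <mountpoint> <fstype> <options> ..." and
#   comment lines are ignored. The longest mount point that is a prefix of PATH
#   wins (so /top/data maps to /top, not /). Exit status:
#     0  "acl" is in the options          1  "noacl" is in the options
#     2  neither (file system default)    3  no mount point covers PATH
acl_enabled_for_path() {
    printf '%s\n' "$2" | awk -v p="$1" '
        /^[ \t]*#/ || NF < 4 { next }
        {
            mp = $2
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) > length(best)) { best = mp; opts = $4 }
            }
        }
        END {
            if (best == "") exit 3
            state = 2                       # last acl/noacl option wins
            n = split(opts, o, ",")
            for (i = 1; i <= n; i++) {
                if (o[i] == "acl")   state = 0
                if (o[i] == "noacl") state = 1
            }
            exit state
        }'
}

# acl_enabled_live PATH
#   The same check against the kernel mount table of the running system.
acl_enabled_live() {
    acl_enabled_for_path "$1" "$(cat /proc/mounts)"
}

# Constructed sample modelled on the post's /etc/fstab, plus one noacl entry.
# Devices and the UUID are placeholders, not real values.
SAMPLE_FSTAB='# constructed sample, not a real system
/dev/mapper/vg_root    /          ext4   defaults,acl    1 1
UUID=0eb7-example      /boot      ext4   defaults        1 2
/dev/xvde1             /top       ext4   defaults        0 0
/dev/xvdf1             /data      xfs    defaults,noacl  0 0
tmpfs                  /dev/shm   tmpfs  defaults        0 0'

# Print the verdict for a few paths: 0 = acl, 1 = noacl, 2 = default, 3 = none.
for path in /home/vidya /top/data /data/x /topaz; do
    rc=0
    acl_enabled_for_path "$path" "$SAMPLE_FSTAB" || rc=$?
    echo "$path -> $rc"
done
```

Run as a script to see the four verdicts, or source it and call acl_enabled_live /home/vidya on a real host. The /topaz case is there on purpose: a naive prefix test would wrongly map it to /top, which is why the function requires the mount point to be followed by a slash.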

Now we can set ACLs on files and directories.

There are two commands for working with ACLs:

1. getfacl : shows the ACL entries currently set on a file or directory.

2. setfacl : sets or removes ACL entries on files and directories.

For example:
[root@vidya ~]# ls -ld /home/vidya
drwx------. 3 vidya vidya 4096 Oct  5 16:47 /home/vidya

[root@vidya ~]# getfacl /home/vidya
getfacl: Removing leading '/' from absolute path names
# file: home/vidya
# owner: vidya
# group: vidya
user::rwx
group::---
other::---
[root@vidya ~]#
Here we see that the user vidya has rwx permissions on the /home/vidya directory, while the group and others have no permissions.


Now we want to give the user swati access without modifying the actual permissions of the /home/vidya directory:
[root@vidya ~]# setfacl -m u:swati:rwx /home/vidya
[root@vidya ~]#

[root@vidya ~]# getfacl /home/vidya
getfacl: Removing leading '/' from absolute path names
# file: home/vidya
# owner: vidya
# group: vidya
user::rwx
user:swati:rwx
group::---
mask::rwx
other::---
Here we see that the user swati now has rwx permissions on /home/vidya. The mask entry, which setfacl added automatically, is the upper bound on what named users and groups (and the owning group) can effectively get; an entry is only as permissive as the mask allows.


Now run ls -ld /home/vidya and observe the permissions.

[root@vidya ~]# ls -ld /home/vidya
drwx------+ 2 vidya vidya 4096 Oct 18 23:57 /home/vidya

Note: a directory (or file) that carries an ACL shows a + after the permission bits in ls -l output; the base permissions themselves are unchanged, so ls alone does not reveal who else has access.
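Because ls -l shows only the + marker and not the extra grants, it is worth being able to read getfacl output mechanically. The following is an added example, not code from the original post. It parses getfacl text, applies the mask to each named-user, named-group and owning-group entry to get the effective permissions, lists which named principals can still write, and spots the + marker in ls -l lines. The getfacl text is passed as an argument so the two constructed samples run offline; on a live system pass it "$(getfacl -p /home/vidya)" (the -p option keeps absolute paths and suppresses the "Removing leading '/'" notice). The second sample shows a point the post's output does not: on an entry that has a mask, chmod on the group bits (for example chmod 750) rewrites the mask, not group::, so swati's rwx entry stays but is effectively reduced to r-x.

```shell
#!/bin/sh
# Added example (not part of the original post): audit helpers that read
# getfacl output and report what each entry really grants once the mask entry
# is applied. The text is passed as an argument so the functions run on the
# constructed samples below; on a live system pass "$(getfacl -p PATH)".

# effective_acl GETFACL_TEXT
#   Prints one line per access-ACL entry as  tag:qualifier:perms:effective
#   The mask caps named users, named groups and the owning group; the owner
#   (user::) and other:: are never masked. Without a mask entry, effective
#   equals perms. "default:" entries (inheritance rules for new files in a
#   directory) form a separate ACL and are skipped here.
effective_acl() {
    printf '%s\n' "$1" | awk -F: '
        function apply(p, m,    i, r) {
            r = ""
            for (i = 1; i <= 3; i++) {
                if (substr(p, i, 1) != "-" && substr(m, i, 1) != "-") {
                    r = r substr(p, i, 1)
                } else {
                    r = r "-"
                }
            }
            return r
        }
        /^#/ || /^default:/ || NF < 3 { next }   # headers, default ACL, noise
        {
            perms = $3
            sub(/[ \t].*/, "", perms)            # drop any "#effective:" note
            n++; tag[n] = $1; qual[n] = $2; perm[n] = perms
            if ($1 == "mask") mask = perms
        }
        END {
            for (i = 1; i <= n; i++) {
                masked = (tag[i] == "group") || (tag[i] == "user" && qual[i] != "")
                eff = (masked && mask != "") ? apply(perm[i], mask) : perm[i]
                print tag[i] ":" qual[i] ":" perm[i] ":" eff
            }
        }'
}

# acl_write_grants GETFACL_TEXT
#   Lists named users and groups whose effective permissions include write:
#   the grants that "ls -l" does not show and that an audit most wants to see.
acl_write_grants() {
    effective_acl "$1" | awk -F: '
        ($1 == "user" || $1 == "group") && $2 != "" && $4 ~ /w/ { print $1 ":" $2 }'
}

# ls_has_acl LS_LINE
#   Exit 0 when a line of "ls -l" output ends its mode field with "+", the
#   marker that the entry carries an extended ACL.
ls_has_acl() {
    printf '%s\n' "$1" | awk '{ if (substr($1, length($1), 1) == "+") exit 0; exit 1 }'
}

# Constructed sample 1: the post's directory right after "setfacl -m u:swati:rwx".
ACL_SAMPLE_OPEN='# file: home/vidya
# owner: vidya
# group: vidya
user::rwx
user:swati:rwx
group::---
mask::rwx
other::---'

# Constructed sample 2: the same directory after "chmod 750 /home/vidya". On an
# entry with a mask, chmod rewrites the mask, not group::, so swati keeps the
# rwx entry but can effectively only read and search.
ACL_SAMPLE_MASKED='# file: home/vidya
# owner: vidya
# group: vidya
user::rwx
user:swati:rwx      #effective:r-x
group::---
mask::r-x
other::---'

echo "after setfacl:";   effective_acl "$ACL_SAMPLE_OPEN"
echo "after chmod 750:"; effective_acl "$ACL_SAMPLE_MASKED"
echo "write grants now: $(acl_write_grants "$ACL_SAMPLE_MASKED")"
```

The fourth column is the one to act on: a named user listed with rwx but an effective r-x is not a write grant, and conversely a generous mask is what makes a stale user:name:rwx entry dangerous. Run it over a directory tree with getfacl -R -p and you get a quick inventory of who can write where beyond what ls reports.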

To remove all ACL entries

Use the command below to remove all ACL entries from a file or directory (the base owner/group/other permissions are kept):
[root@vidya ~]# setfacl -b /home/vidya
[root@vidya ~]#

To remove the ACL entry for a particular user, use the command below:
[root@vidya ~]# setfacl -x u:swati /home/vidya
[root@vidya ~]#