Secure Files/Directories using ACLs (Access Control Lists) in Linux


Let’s say you have three users, ‘student1’, ‘student2’ and ‘student3’, each in a common group, say ‘acl’. User ‘student1’ wants only user ‘student2’ to be able to read and access files owned by ‘student1’, and no one else to have any access to them.

ACLs (Access Control Lists) allow us to do exactly this. ACLs let us grant permissions to a user, a group, and any group of users that is not in the group list of a user.

Note: According to the Red Hat product documentation, ACL support is provided for the ext3 file system and NFS-exported file systems.

How to Check ACL Support in Linux Systems

Before moving ahead, make sure that the current kernel and the mounted file systems support ACLs.

1. Check Kernel for ACL Support

Run the following command to check the kernel configuration for file system ACL support, indicated by the POSIX_ACL=Y options (if there is N instead of Y, the kernel doesn’t support ACLs and needs to be recompiled).

grep -i acl /boot/config*

sophia@home:~$ grep -i acl /boot/config*

/boot/config-6.2.0-32-generic:CONFIG_XILINX_EMACLITE=m

/boot/config-6.2.0-32-generic:CONFIG_EXT4_FS_POSIX_ACL=y

/boot/config-6.2.0-32-generic:CONFIG_REISERFS_FS_POSIX_ACL=y

/boot/config-6.2.0-32-generic:CONFIG_JFS_POSIX_ACL=y

/boot/config-6.2.0-32-generic:CONFIG_XFS_POSIX_ACL=y

/boot/config-6.2.0-32-generic:CONFIG_BTRFS_FS_POSIX_ACL=y

/boot/config-6.2.0-32-generic:CONFIG_F2FS_FS_POSIX_ACL=y

/boot/config-6.2.0-32-generic:CONFIG_FS_POSIX_ACL=y

/boot/config-6.2.0-32-generic:CONFIG_SHIFT_FS_POSIX_ACL=y

/boot/config-6.2.0-32-generic:CONFIG_NTFS3_FS_POSIX_ACL=y

/boot/config-6.2.0-32-generic:CONFIG_TMPFS_POSIX_ACL=y

/boot/config-6.2.0-32-generic:CONFIG_JFFS2_FS_POSIX_ACL=y

/boot/config-6.2.0-32-generic:CONFIG_EROFS_FS_POSIX_ACL=y

/boot/config-6.2.0-32-generic:CONFIG_NFS_V3_ACL=y

/boot/config-6.2.0-32-generic:CONFIG_NFSD_V3_ACL=y

/boot/config-6.2.0-32-generic:CONFIG_NFS_ACL_SUPPORT=m

/boot/config-6.2.0-32-generic:CONFIG_CEPH_FS_POSIX_ACL=y

/boot/config-6.2.0-32-generic:CONFIG_9P_FS_POSIX_ACL=y

/boot/config-6.2.0-34-generic:CONFIG_XILINX_EMACLITE=m

/boot/config-6.2.0-34-generic:CONFIG_EXT4_FS_POSIX_ACL=y

/boot/config-6.2.0-34-generic:CONFIG_REISERFS_FS_POSIX_ACL=y

/boot/config-6.2.0-34-generic:CONFIG_JFS_POSIX_ACL=y

/boot/config-6.2.0-34-generic:CONFIG_XFS_POSIX_ACL=y

/boot/config-6.2.0-34-generic:CONFIG_BTRFS_FS_POSIX_ACL=y

/boot/config-6.2.0-34-generic:CONFIG_F2FS_FS_POSIX_ACL=y

/boot/config-6.2.0-34-generic:CONFIG_FS_POSIX_ACL=y

/boot/config-6.2.0-34-generic:CONFIG_SHIFT_FS_POSIX_ACL=y

/boot/config-6.2.0-34-generic:CONFIG_NTFS3_FS_POSIX_ACL=y

/boot/config-6.2.0-34-generic:CONFIG_TMPFS_POSIX_ACL=y

/boot/config-6.2.0-34-generic:CONFIG_JFFS2_FS_POSIX_ACL=y

/boot/config-6.2.0-34-generic:CONFIG_EROFS_FS_POSIX_ACL=y

/boot/config-6.2.0-34-generic:CONFIG_NFS_V3_ACL=y

/boot/config-6.2.0-34-generic:CONFIG_NFSD_V3_ACL=y

/boot/config-6.2.0-34-generic:CONFIG_NFS_ACL_SUPPORT=m

/boot/config-6.2.0-34-generic:CONFIG_CEPH_FS_POSIX_ACL=y

/boot/config-6.2.0-34-generic:CONFIG_9P_FS_POSIX_ACL=y


2. Check Required Packages

Before you start working with ACLs, make sure that the required packages are installed. The packages below need to be installed using yum or apt-get.

yum install nfs4-acl-tools acl libacl [on RedHat based systems]

sudo apt-get install nfs4-acl-tools acl [on Debian based systems]


3. Check Mounted File System for ACLs Support

Now check whether the file system is mounted with the acl option. We can use the ‘mount’ command to check this, as shown below.

# mount |grep -i root

/dev/mapper/vgubuntu-root on / type ext4 (rw,relatime,errors=remount-ro)

/dev/mapper/vgubuntu-root on /var/snap/firefox/common/host-hunspell type ext4 (ro,noexec,noatime,errors=remount-ro)


In our case it is not showing acl by default, so the next option is to remount the mounted partition with the acl option. Before doing that, there is another way to check whether the partition is mounted with the acl option, because on recent systems it may be part of the default mount options.


# tune2fs -l /dev/mapper/vgubuntu-root |grep acl

Default mount options: user_xattr acl


In the above output, you can see that the default mount options already include support for acl. Another option is to remount the partition as shown below.


# mount -o remount,acl /


Next, add the below entry to ‘/etc/fstab’ file to make it permanent.

/dev/mapper/vgubuntu-root / ext4 defaults,acl 1 1

Again, remount the partition.

# mount -o remount /

4. For NFS Server

On an NFS server, if the file system exported by the NFS server supports ACLs and the ACLs can be read by NFS clients, then the ACLs are used by the client system.

To disable ACLs on an NFS share, add the option “no_acl” to the ‘/etc/exportfs’ file on the NFS server. To disable them on the NFS client side, again use the “no_acl” option at mount time.

How to Implement ACL Support in Linux Systems

There are two types of ACLs:

• Access ACLs: Access ACLs are used for granting permissions on any file or directory.

• Default ACLs: Default ACLs are used for granting/setting access control list on a specific directory only.

Difference between Access ACL and Default ACL:

• A default ACL can be used at directory level only.

• Any subdirectory or file created within that directory inherits the ACLs from its parent directory. A file, on the other hand, inherits the default ACLs as its access ACLs.

• We use “-d” to set default ACLs; default ACLs are optional.

Before Setting Default ACLs

To determine the default ACLs for a specific file or directory, use the ‘getfacl’ command. In the example below, getfacl is used to get the default ACLs for the folder ‘Music’.

root@home:/home/sophia# getfacl Music/

# file: Music/

# owner: sophia

# group: sophia

user::rwx

group::r-x

other::r-x


After Setting Default ACLs

To set the default ACLs for a specific file or directory, use the ‘setfacl’ command. In the example below, the setfacl command sets new default ACLs (read and execute) on the folder ‘Music’.


root@home:/home/sophia# setfacl -m d:o:rx Music/

root@home:/home/sophia# getfacl Music/

# file: Music/

# owner: sophia

# group: sophia

user::rwx

group::r-x

other::r-x

default:user::rwx

default:group::r-x

default:other::r-x


How to Set New ACLs

Use the ‘setfacl’ command to set or modify ACLs on any file or directory. For example, to give read and write permissions to user ‘student1’:


root@home:/home/student1# setfacl -m u:student1:rw /student1/example


How to View ACLs

Use the ‘getfacl’ command to view the ACL on any file or directory. For example, to view the ACL on ‘/student1/example’, use the command below.

root@home:/home/student1# getfacl /student1/example

getfacl: Removing leading '/' from absolute path names

# file: student1/example

# owner: root

# group: root

user::rwx

user:student1:rw-

group::r-x

mask::rwx

other::r-x


How to Remove ACLs

To remove ACLs from any file or directory, we use the x and b options as shown below.

setfacl -x ACL file/directory # remove only the specified ACL from file/directory

setfacl -b file/directory # remove all ACLs from file/directory

Let’s implement ACLs in the following scenario.

Two users (student1 and student2) both have a common secondary group named ‘acl’. We will create one directory owned by ‘student1’ and give user ‘student2’ read and execute permission on that directory.

Step 1: Create two users student1, student2


# adduser student1

# adduser student2


Step 2: Create a Group and Add Users to Secondary Group.

# groupadd acl

# usermod -G acl student1

# usermod -G acl student2


Step 3: Create a Directory /student1 and change ownership to student1.


# mkdir /student1

# chown student1 /student1

# ls -ld /student1

drwxr-xr-x 3 student1 root 4096 Sep 18 12:56 /student1


# getfacl /student1

getfacl: Removing leading '/' from absolute path names

# file: student1

# owner: student1

# group: root

user::rwx

group::r-x

other::r-x


Step 4: Log in as student1 and create a directory in the /student1 folder.


sophia@home:~$ su - student1

Password:

student1@home:~$ cd /student1


student1@home:/student1$ mkdir example

student1@home:/student1$ ls -la

total 12

drwxr-xr-x 3 student1 root 4096 Sep 18 13:23 .

drwxr-xr-x 22 root root 4096 Sep 18 12:56 ..

drwxrwxr-x 2 student1 student1 4096 Sep 18 13:23 example

student1@home:/student1$ whoami

student1

student1@home:/student1$


Step 5: Now set the ACL using ‘setfacl’, so that ‘student1’ has all rwx permissions, ‘student2’ has only read permission on the ‘example’ folder, and others have no permissions.


student1@home:/student1$ setfacl -m u:student1:rwx example/

student1@home:/student1$ setfacl -m u:student2:r-- example/

student1@home:/student1$ setfacl -m other:--- example/

student1@home:/student1$ getfacl example/

# file: example/

# owner: student1

# group: student1

user::rwx

user:student1:rwx

user:student2:r--

group::rwx

mask::rwx

other::---

Step 6: Now log in as the other user, i.e. ‘student2’, on another terminal and change directory to ‘/student1’. Try to view the contents using the ‘ls’ command, then try to change into the directory, and see the difference as below.

student1@home:/student1$ su - student2

Password:

student2@home:~$ cd /student1

student2@home:/student1$ ls -lR example/

example/:

total 0

student2@home:/student1$ cd example/

-bash: cd: example/: Permission denied

student2@home:/student1$ getfacl example/

# file: example/

# owner: student1

# group: student1

user::rwx

user:student1:rwx

user:student2:r--

group::rwx

mask::rwx

other::---

Step 7: Now give ‘execute’ permission to ‘student2’ on the ‘example’ folder and then use the ‘cd’ command to see the effect. Now ‘student2’ has permission to view and change into the directory, but doesn’t have permission to write anything.

student1@home:/student1$ setfacl -m u:student2:r-x example/

student1@home:/student1$ getfacl example/

# file: example/

# owner: student1

# group: student1

user::rwx

user:student1:rwx

user:student2:r-x

group::rwx

mask::rwx

other::---


student1@home:/student1$ su - student2

Password:

student2@home:~$ cd /student1/

student2@home:/student1$ cd example/

student2@home:/student1/example$ getfacl .

# file: .

# owner: student1

# group: student1

user::rwx

user:student1:rwx

user:student2:r-x

group::rwx

mask::rwx

other::---


student2@home:/student1/example$ mkdir test

mkdir: cannot create directory ‘test’: Permission denied

student2@home:/student1/example$ touch test

touch: cannot touch 'test': Permission denied

student2@home:/student1/example$


Note: After implementing an ACL, you will see an extra ‘+’ sign in the ‘ls -l’ output as below.


student1@home:/student1$ ll

drwxrwx---+ 2 student1 student1 4096 Sep 18 13:23 example/
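
Steps 5 to 7 turn on the difference between r-- and r-x on a directory. The script below is an added example, not part of the original article: it parses getfacl output and reports what a named user can effectively do, applying the mask:: line, which caps the rights of named users. The function names and labels are this example's own, and the sample ACL is copied from the Step 5 output.

```sh
#!/bin/sh
# Added example: interpret `getfacl` output (read on stdin) for one named user.

# Sample input: the ACL of 'example/' as printed in Step 5 of the article.
STEP5_ACL='# file: example/
# owner: student1
# group: student1
user::rwx
user:student1:rwx
user:student2:r--
group::rwx
mask::rwx
other::---'

# effective_perms USER: print USER's named entry ANDed with the mask,
# or "none" when the ACL has no user:USER: entry.
effective_perms() {
  awk -F: -v who="$1" '
    $1 == "user" && $2 == who { entry = substr($3, 1, 3) }
    $1 == "mask"              { mask  = substr($3, 1, 3) }
    END {
      if (entry == "") { print "none"; exit }
      if (mask == "")  { print entry; exit }
      out = ""
      for (i = 1; i <= 3; i++) {
        e = substr(entry, i, 1); m = substr(mask, i, 1)
        out = out ((e != "-" && m != "-") ? e : "-")
      }
      print out
    }'
}

# dir_access USER: classify those rights for a directory (labels are this example's own).
dir_access() {
  case "$(effective_perms "$1")" in
    none)    echo "no-entry" ;;
    r--|rw-) echo "list-only" ;;   # names visible, cd denied (Step 6)
    r-x)     echo "read-only" ;;   # ls and cd work, no writes (Step 7)
    rwx)     echo "read-write" ;;
    *)       echo "other" ;;
  esac
}

# Step 5 ACL as-is, then the same ACL after the Step 7 change to r-x.
printf '%s\n' "$STEP5_ACL" | dir_access student2
printf '%s\n' "$STEP5_ACL" | sed 's/student2:r--/student2:r-x/' | dir_access student2
```

On a live system, pipe real output into it, for example `getfacl example/ | dir_access student2`.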

