ACLs: Linux advanced privileges


Another part of the RHCSA exam is some advanced privileges, mainly reading and setting Access Control Lists (ACLs). Again not too complicated, but it's good to have some pointers.

Probably more familiar to you are standard POSIX permissions: permissions for the owner of a file, a group and all others. But what if you need finer-grained permissions than just these three? In come ACLs.

I’m working with CentOS, but it should be the same on any other distro.

The two commands to understand are ‘setfacl’ and ‘getfacl’. But first do a ‘ls -al’ on, for instance, the root home directory:

[root@centos7 ~]# ls -al
total 36
dr-xr-x---.  4 root root  175 Jun 27 02:44 .
dr-xr-xr-x. 17 root root  224 Jun 13 21:01 ..
-rw-------.  1 root root 1102 Jun 27 00:38 .bash_history
-rw-r--r--.  1 root root   18 Dec 28  2013 .bash_logout
-rw-r--r--.  1 root root  176 Dec 28  2013 .bash_profile
-rw-r--r--.  1 root root  176 Dec 28  2013 .bashrc
-rw-r--r--.  1 root root  100 Dec 28  2013 .cshrc
drwxr-xr-x+  2 root root    6 Jun 27 02:44 mytestdir
-rw-r--r--+  1 root root    5 Jun 27 02:44 mytestfile

As you probably know, since you are reading about advanced permissions and not basic permissions, these characters represent the type (d), the owner (r-x), the group (r-x) and others (---):

dr-xr-x---.

But mind the small . at the end. The dot means that a SELinux context is active on the file (as with all files on a RHEL-based system). When this . is a + instead, it means that ACLs are set!

Get a closer look at them with:

# getfacl mytestfile

You can see that besides the group ‘root’ a group called ‘extrastaff’ has read permissions to this file:

# file: mytestfile
# owner: root
# group: root
user::rw-
group::r--
group:extrastaff:r--
mask::r--
other::r--

These examples are very simple of course, but you get the idea. Now let’s edit some. Add user ‘tom’ with read permission:

# setfacl -m u:tom:r-- mytestfile

And ‘wendy’ can also write to the file:

# setfacl -m u:wendy:rw- mytestfile

User ‘jack’ and any others shouldn’t be able to even read the file:

# setfacl -m u:jack:--- mytestfile
# setfacl -m o::--- mytestfile

And we want to modify the ACLs in such a way that the ‘extrastaff’ group can also write to the file, in addition to the current read privileges:

# setfacl -m g:extrastaff:rw- mytestfile

This all immediately shows what a couple of these letters mean.

  • -m is for modify
  • u is for user
  • g is for group
  • o is for others

Have a look at the current privileges:

# file: mytestfile
# owner: root
# group: root
user::rw-
user:tom:r--
user:wendy:rw-
user:jack:---
group::r--
group:extrastaff:rw-
mask::rw-
other::---

Introducing ACLs also introduces the ‘mask’. This determines the maximum effective permissions that named users, named groups and the owning group can get on a file or folder (the owner and ‘other’ entries are not affected by it). The mask is leading: when a user's entry grants read and write but the mask only allows read, the user can only read.

Always set the mask (if needed of course) after applying normal privileges, because ‘setfacl -m’ recalculates the mask whenever you modify an entry and would undo a mask you set earlier. Like so:

# setfacl -m m::r mytestfile

You could test with ‘wendy’ and see that she cannot write to the file although her ACL entry does allow it (but the mask doesn't).

Setting ACLs recursively on directories can be done with the -R flag:

# setfacl -R -m u:jack:--- mytestdir

Then there are defaults that you can set on a directory. These determine the initial ACLs of all child directories and files created in it. Let's say you want the group ‘extrastaff’ to have all permissions on everything by default (new files will end up without the execute permission though, since files are created without it):

# setfacl -d -m g:extrastaff:rwx mytestdir

And now you’ll want the exact same permissions on a new directory. Simple:

# mkdir mynewdir
# getfacl mytestdir | setfacl --set-file=- mynewdir
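The two rules above that are easiest to get wrong on the exam are the mask (the paragraph on ‘wendy’) and what a new file actually inherits from a default ACL (the ‘extrastaff’ example). The following added example, which is not code from this post, parses the text form that getfacl prints and works both out offline: it applies the access-check order from acl(5) with the mask capping everything except the owner and ‘other’ entries, and derives the access ACL a new file or directory gets under a directory with a default ACL. The two getfacl listings embedded in it are constructed to match the post's commands, and the user-to-group memberships passed to check_access are assumptions.

```python
"""Added example (not from the post): apply the acl(5) rules to getfacl text.
Parses getfacl output, runs the owner / named user / groups / other access
check with the mask capping everything but owner and other, and derives the
access ACL a new object inherits from a directory's default ACL."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed: mytestfile after the post's setfacl -m commands and then
# 'setfacl -m m::r mytestfile' (getfacl annotates capped entries itself).
FILE_ACL_TEXT = """\
# file: mytestfile
# owner: root
# group: root
user::rw-
user:tom:r--
user:wendy:rw-\t\t#effective:r--
user:jack:---
group::r--
group:extrastaff:rw-\t#effective:r--
mask::r--
other::---
"""

# Constructed: mytestdir after 'setfacl -d -m g:extrastaff:rwx mytestdir'
# (setfacl adds the default mask entry on its own).
DIR_ACL_TEXT = """\
# file: mytestdir
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::r-x
default:group:extrastaff:rwx
default:mask::rwx
default:other::r-x
"""


@dataclass
class Acl:
    owner: str = ""
    group: str = ""
    user_obj: Set[str] = field(default_factory=set)          # user::
    group_obj: Set[str] = field(default_factory=set)         # group::
    named_users: Dict[str, Set[str]] = field(default_factory=dict)
    named_groups: Dict[str, Set[str]] = field(default_factory=dict)
    mask: Optional[Set[str]] = None                          # mask::
    other: Set[str] = field(default_factory=set)             # other::
    default: Optional["Acl"] = None                          # default:* entries


def parse_getfacl(output: str) -> Acl:
    """Parse getfacl's text form, including any default: entries."""
    acl = Acl()
    for line in (l.strip() for l in output.splitlines() if l.strip()):
        if line.startswith("#"):                 # '# owner: root' style header
            key, _, value = line[1:].partition(":")
            if key.strip() in ("owner", "group"):
                setattr(acl, key.strip(), value.strip())
            continue
        target = acl
        if line.startswith("default:"):          # default entries go to a sub-ACL
            acl.default = acl.default or Acl(acl.owner, acl.group)
            target, line = acl.default, line[len("default:"):]
        tag, qualifier, rest = line.split(":", 2)
        p = {c for c in rest.split("#")[0] if c in "rwx"}   # drop '#effective:'
        if tag == "user" and qualifier:
            target.named_users[qualifier] = p
        elif tag == "user":
            target.user_obj = p
        elif tag == "group" and qualifier:
            target.named_groups[qualifier] = p
        elif tag == "group":
            target.group_obj = p
        elif tag == "mask":
            target.mask = p
        elif tag == "other":
            target.other = p
    return acl


def masked(acl: Acl, p: Set[str]) -> Set[str]:
    """Named users, named groups and group:: are capped by the mask."""
    return p & acl.mask if acl.mask is not None else p


def check_access(acl: Acl, user: str, groups: Set[str], requested: str) -> bool:
    """acl(5) order: owner, then named user, then owning/named groups (any one
    matching group entry may grant), then other. Owner and other are unmasked."""
    want = set(requested)
    if user == acl.owner:
        return want <= acl.user_obj
    if user in acl.named_users:                   # a --- entry here blocks the user
        return want <= masked(acl, acl.named_users[user])
    candidates = [p for g, p in acl.named_groups.items() if g in groups]
    if acl.group in groups:
        candidates.append(acl.group_obj)
    if candidates:
        return any(want <= masked(acl, p) for p in candidates)
    return want <= acl.other


def mode_bits(mode: int, shift: int) -> Set[str]:
    """One rwx triplet of a numeric mode as a permission set."""
    bits = (mode >> shift) & 0o7
    return {c for c, b in (("r", 4), ("w", 2), ("x", 1)) if bits & b}


def inherit(default: Acl, mode: int) -> Acl:
    """Access ACL of a new object created with 'mode' (0o666 for a plain file,
    0o777 for mkdir) inside a directory carrying 'default'. Per acl(5) the
    default ACL is copied, then user::, other:: and the mask (or group:: when
    there is no mask) are ANDed with the matching mode bits; the umask is not
    applied when a default ACL exists. The owner/group really come from the
    creating process; the parent's are reused here purely for illustration."""
    new = Acl(default.owner, default.group,
              default.user_obj & mode_bits(mode, 6), set(default.group_obj),
              dict(default.named_users), dict(default.named_groups),
              None, default.other & mode_bits(mode, 0))
    if default.mask is None:
        new.group_obj &= mode_bits(mode, 3)
    else:
        new.mask = default.mask & mode_bits(mode, 3)
    return new


if __name__ == "__main__":
    f = parse_getfacl(FILE_ACL_TEXT)
    print("wendy may write:", check_access(f, "wendy", {"users"}, "w"))   # False: mask is r--
    new_file = inherit(parse_getfacl(DIR_ACL_TEXT).default, 0o666)
    print("extrastaff on a new file:", sorted(masked(new_file, new_file.named_groups["extrastaff"])))
```

Run it as-is to see the two outcomes the post describes: ‘wendy’ is denied write because the mask, not her own entry, decides, and a file created under mytestdir keeps the ‘rwx’ entry for ‘extrastaff’ but ends up with an effective ‘rw-’ because the inherited mask is ANDed with the 0666 creation mode. Feed it the output of a real getfacl to check your own reasoning before you touch a production box.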

Finally let’s remove some ACLs. Remove defaults:

# setfacl -k mynewdir

Remove a specific user or group:

# setfacl -x u:wendy: mytestfile

Remove all:

# setfacl -b mytestfile

One final note that might be good to know: when copying files or folders with a plain cp, ACLs won't be preserved, while moving them keeps the ACLs intact.
