Access control lists explained (getfacl/setfacl)


Standard Unix permissions may not be enough for some organisations. Here we introduce access control lists, or acls, to protect files and directories in a finer-grained way, and we show how to set an acl on a directory.

acl in /etc/fstab

For this demo I created a hard disk partition with the fdisk command and then added an entry to /etc/fstab so that it is mounted permanently. File systems that support access control lists, or acls, have to be mounted with the acl option listed in /etc/fstab. In the example below, you can see that the root file system has acl support, whereas /home/data does not.

Mount the disk for testing

# mkdir  /data

# mount  -t ext3 /dev/sdb1  /data

The disk is now mounted on the mount point /data.

To make it permanent, add an entry to /etc/fstab:

[root@pc2 data]# vi  /etc/fstab

#
# /etc/fstab
# Created by anaconda on Thu Jun 30 20:13:13 2016
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/vg_pc2-lv_root /                       ext4    defaults        1 1
UUID=4154fbe1-3d9e-4b0b-834a-ef45900f32f2 /boot                   ext4    defaults        1 2
/dev/mapper/vg_pc2-lv_swap swap                    swap    defaults        0 0
tmpfs                   /dev/shm                tmpfs   defaults        0 0
devpts                  /dev/pts                devpts  gid=5,mode=620  0 0
sysfs                     /sys                    sysfs   defaults        0 0
proc                      /proc                   proc    defaults        0 0
/dev/sdb1               /data                   ext3    defaults,acl        0 0                      <-- change here

Then reboot, or remount the file system so the new options take effect:

# mount -o remount /data

Check that acl is active:

[root@pc2 data]# mount

/dev/mapper/vg_pc2-lv_root on / type ext4 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
tmpfs on /dev/shm type tmpfs (rw)
/dev/sda1 on /boot type ext4 (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
/dev/sdb1 on /data type ext3 (rw,acl)                                                <-- result shown here
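The check above is easy to do by eye for one disk; the script below does the same check programmatically, over the output of the mount command and over /etc/fstab, so it can be run as part of a configuration audit. This is an added example, not code from the original post; the two inputs are constructed samples modelled on the listings above, and the function names mount_has_acl and fstab_has_acl are my own.

```shell
#!/bin/sh
# Added example (not from the original post): check whether a mount point has
# the acl option, from the output of the mount command and from /etc/fstab.
# Both inputs below are constructed samples modelled on the post's listings.

SAMPLE_MOUNT='/dev/mapper/vg_pc2-lv_root on / type ext4 (rw)
/dev/sda1 on /boot type ext4 (rw)
/dev/sdb1 on /data type ext3 (rw,acl)'

SAMPLE_FSTAB='# /etc/fstab (constructed sample)
/dev/mapper/vg_pc2-lv_root /      ext4    defaults        1 1
/dev/sda1                  /boot  ext4    defaults        1 2
/dev/sdb1                  /data  ext3    defaults,acl    0 0'

# mount_has_acl MOUNT_OUTPUT MOUNTPOINT -> prints "yes" or "no".
# Lines look like "<dev> on <mountpoint> type <fstype> (<opt>,<opt>,...)".
# The option list is compared token by token, so "noacl" never matches "acl".
mount_has_acl() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $2 == "on" && $3 == mp && $4 == "type" {
            gsub(/[()]/, "", $6)
            n = split($6, opt, ",")
            for (i = 1; i <= n; i++) if (opt[i] == "acl") found = 1
        }
        END { print (found ? "yes" : "no") }'
}

# fstab_has_acl FSTAB_TEXT MOUNTPOINT -> prints "yes" or "no".
# Comment lines and short lines are skipped; field 2 is the mount point,
# field 4 the comma-separated option list.
fstab_has_acl() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        /^[ \t]*#/ || NF < 4 { next }
        $2 == mp {
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) if (opt[i] == "acl") found = 1
        }
        END { print (found ? "yes" : "no") }'
}

# On a real system replace the samples with "$(mount)" and "$(cat /etc/fstab)".
for mp in / /boot /data; do
    printf '%-6s mounted with acl: %-3s  fstab has acl: %s\n' \
        "$mp" "$(mount_has_acl "$SAMPLE_MOUNT" "$mp")" "$(fstab_has_acl "$SAMPLE_FSTAB" "$mp")"
done
```

One caveat when reading the mount output this way: it only lists options given at mount time. A file system whose superblock default mount options already include acl (tune2fs -l /dev/sdb1 prints them on the "Default mount options:" line) has acls active without acl appearing in the mount output, so a "no" from mount_has_acl should be confirmed against those defaults before treating it as a finding.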

getfacl

Reading acls can be done with /usr/bin/getfacl. The example below shows how to read the acl of the /data directory with getfacl.

[root@pc2 ~]# getfacl /data

getfacl: Removing leading '/' from absolute path names

# file: data
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

setfacl

Writing or changing acls can be done with /usr/bin/setfacl. The examples below show how to change the acl of file1 with setfacl.

To test this, create some users:

# useradd vikas
# passwd vikas
# useradd vivek
# passwd vivek

and some files:

# cd /data
# touch  file1 file2 file3

First we add user vikas with octal permission 7 (rwx) to the acl of file1, then user vivek with octal permission 6 (rw-).

# setfacl -m u:vikas:7 file1

# setfacl -m u:vivek:6 file1

The result is visible with getfacl.

[root@pc2 data]# getfacl file1

# file: file1
# owner: root
# group: root

user::rw-
user:vikas:rwx
user:vivek:rw-

group::r--
mask::rwx
other::r--

Remove an acl entry

The -x option of the setfacl command will remove an acl entry from the targeted file.


[root@pc2 data]# setfacl -x vikas  file1
[root@pc2 data]#
[root@pc2 data]# getfacl file1
# file: file1
# owner: root
# group: root

user::rw-
user:vivek:rw-
group::r--
mask::rw-
other::r--

Note that omitting the u: or g: prefix when naming the account in an acl entry (as in -x vikas above) defaults it to a user account.

Remove the complete acl

The -b option of the setfacl command will remove the acl from the targeted file.

[root@pc2 data]# setfacl -b  file1
[root@pc2 data]#
[root@pc2 data]# getfacl file1

# file: file1
# owner: root
# group: root

user::rw-
group::r--
other::r--

The acl mask

The acl mask defines the maximum effective permissions for any named user, named group or owning-group entry in the acl. This mask is recalculated every time you execute the setfacl or chmod commands.

You can prevent the recalculation by using the --no-mask switch.

[root@pc2 data]# setfacl --no-mask -m u:vikas:7 file1

[root@pc2 data]# getfacl file1

# file: file1
# owner: root
# group: root
user::rw-
user:vikas:rwx                  #effective:r--
group::r--
mask::r--
other::r--
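The #effective: note above is the result of combining each entry with the mask, and it is the number that matters when reviewing who can really read or write a file. The script below reproduces that calculation over getfacl-style text and lists the entries that keep write access after the mask is applied. It is an added example, not code from the original post: the two acl texts are constructed samples modelled on the post's getfacl output for file1 (it-dept, taken from the group example later in the post, is added to the first one), and effective_perms, effective_of and effective_writers are my own function names.

```shell
#!/bin/sh
# Added example (not from the original post): work out the effective permission
# of each acl entry under the mask, the same calculation getfacl shows as
# "#effective:". The two acl texts are constructed samples modelled on the
# post's getfacl output for file1.

# file1 after "setfacl --no-mask -m u:vikas:7 file1": the mask stayed at r--
SAMPLE_ACL_MASKED='# file: file1
# owner: root
# group: root
user::rw-
user:vikas:rwx
group::r--
group:it-dept:rw-
mask::r--
other::r--'

# file1 after "setfacl -m u:vikas:7" and "-m u:vivek:6": mask recalculated to rwx
SAMPLE_ACL_OPEN='# file: file1
# owner: root
# group: root
user::rw-
user:vikas:rwx
user:vivek:rw-
group::r--
mask::rwx
other::r--'

# effective_perms ACL_TEXT -> one line per entry: tag:qualifier:perms:effective
# The mask limits named users, named groups and the owning group; it does not
# apply to the owner (user::) or to other::. Default (inherited) entries of a
# directory have a mask of their own and are left out here.
effective_perms() {
    printf '%s\n' "$1" | awk -F: '
        function mask_perm(p, m,    i, c, out) {
            out = ""
            for (i = 1; i <= 3; i++) {
                c = substr(p, i, 1)
                out = out ((c != "-" && substr(m, i, 1) == c) ? c : "-")
            }
            return out
        }
        { sub(/[ \t]+#.*$/, "") }            # drop a trailing "#effective:" note
        /^#/ || NF < 3 { next }              # skip the header comments and blanks
        $1 == "default" { next }             # default entries: not handled here
        $1 == "mask" { mask = $3; next }     # the mask is not itself an entry
        { n++; tag[n] = $1; qual[n] = $2; perm[n] = $3 }
        END {
            for (i = 1; i <= n; i++) {
                if (mask == "" || tag[i] == "other" || (tag[i] == "user" && qual[i] == ""))
                    eff = perm[i]
                else
                    eff = mask_perm(perm[i], mask)
                printf "%s:%s:%s:%s\n", tag[i], qual[i], perm[i], eff
            }
        }'
}

# effective_of ACL_TEXT TAG QUALIFIER -> prints the effective perms of one entry
effective_of() {
    effective_perms "$1" | awk -F: -v t="$2" -v q="$3" '$1 == t && $2 == q { print $4; exit }'
}

# effective_writers ACL_TEXT -> lists the entries (tag:qualifier) that can really write
effective_writers() {
    effective_perms "$1" | awk -F: 'index($4, "w") { print $1 ":" $2 }'
}

# On a real file use: effective_perms "$(getfacl file1)"
effective_perms "$SAMPLE_ACL_MASKED"
```

With the masked sample, vikas keeps rwx in the acl but only r-- effectively, and the only entry that can still write is the owner; with the open sample (mask rwx) the owner, vikas and vivek all write. The owner and other:: entries are passed through unchanged because the mask never applies to them, which is why a chmod on the owner bits is not limited by the acl mask.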

These commands can also be written with symbolic permissions instead of octal digits:

# setfacl -m u:vikas:rwx file1

# setfacl -m u:vivek:rw- file1

For a group, such as it-dept, use the g: prefix:

# setfacl -m g:it-dept:rwx  file1


Enjoy Linux…it works…!!


CEO, KV IT-Solutions Pvt. Ltd. | vikas@kvit.in | 9810028374|
Linux Professional and an Industrial Trainer | 20 + years Experience in IT Industry

” We are born free, No Gate and Windows can snatch our freedom “
