This is Gentoo's testing wiki. It is a non-operational environment and its textual content is outdated.

Please visit our production wiki at https://wiki.gentoo.org

Filesystem/Access Control List Guide

From Gentoo Wiki (test)
Jump to:navigation Jump to:search
Article status
This article has some todo items:
Warning
This article has been flagged as dirty for not conforming to the wiki guidelines. It is now grouped in the list of articles to be cleaned.

Extended Access Control Lists (ACLs) are one of the more important features on multiuser systems. They facilitate more control over files than do the basic POSIX User, Group, and Other permissions.

POSIX basic ACL

For instance:

user $ls -al /var/www/
total 54632
drwxr-xr-x 12 root    root        4096 Jan  4 02:17 .
drwxr-xr-x 14 root    root        4096 Dec 11 11:50 ..
drwxr-xr-x  2 apache  apache       135 Dec 11 17:48 apache2
-rw-r-----  1 root    root       25085 Jan  4 14:26 dmesg
-rw-rw----  1 portage portage    22088 Jan  4 01:06 emerge-fetch.log
-rw-rw----  1 portage portage  1498948 Jan  4 04:06 emerge.log
-rw-------  1 root    root       32480 Dec 30 21:30 faillog
-rw-r--r--  1 root    root      628240 Nov  6 01:47 genkernel.log
-rw-r--r--  1 root    root      296380 Jan  4 18:43 lastlog
-rw-------  1 root    root    47973000 Jan  4 19:40 messages
drwxr-xr-x  2 mysql   mysql         82 Dec 11 22:04 mysql
drwxrwx---  2 named   named       4096 Jan  3 18:09 named
drwxr-xr-x  2 root    root          18 May 14  2010 news
drwxr-xr-x  3 root    root      167936 Jan  4 04:24 portage
-rw-r--r--  1 root    root       88301 Jan  4 14:26 rc.log
drwxr-xr-x  3 root    root        4096 Jan  2 02:55 samba
drwxrwx---  2 root    portage       37 Dec 11 15:21 sandbox
-rw-------  1 root    root       64960 Jan  2 02:59 tallylog
-rw-------  1 root    root         560 Nov 11 02:35 vsftpd.log
drwxr-xr-x  2 root    root          63 Sep 12  2010 webmin
-rw-rw-r--  1 root    utmp     1178112 Jan  4 18:43 wtmp

For example: 

drwxr-xr-x  2 apache  apache       135 Dec 11 17:48 apache2
Breakdown Description
d Directory
rwx User: Apache
Access: (r)Read, (w)Write, (x)Execuate
r-x Group: Apache
Access: (r)Read, (-)None, (x)Execuate
r-x Other: All Other Uers
Access: (r)Read, (-)None, (x)Execuate
apache Directory belong to user apache
apache Directory belong to group apache
135 Size
Dec 11 Last Modified Date
17:48 Last ModifiedTime
apache2 Folder/File Name
Note
Missing on SGID and sticky bit

What is missing?

1. What happens if more than one user needs control of this directory? One solution is to add these users to the "apache" group. However, these users would then have access to everything the "apache" group has access. This is not what we want.

2. What happens if we need another group to have read/write access to this directory but no other users? In the same way, we can add all the other group users and the "apache" user to another group and let them have access to said group.

But what happens if you want to allow this group to read but not to write?

POSIX Basic ACL has its limitations. "Extended ACL" fixes many of these issues.

Kernel

Each filesystem must include support for extended access control from the kernel before it can be used by the application.

Enable the one(s) needed:

KERNEL Ext2 ACL
File systems
   Second extended fs support
      Ext2 extended attributes
        Ext2 POSIX Access Control Lists
KERNEL Ext3 ACL
File systems
   Ext3 journalling file system support
      Ext3 extended attributes
        Ext3 POSIX Access Control Lists
KERNEL Ext4 ACL
File systems
   The Extended 4 (ext4) filesystem
      Ext4 POSIX Access Control Lists
KERNEL ReiserFS ACL
File systems
   Reiserfs support
      ReiserFS extended attributes
        ReiserFS POSIX Access Control Lists
        ReiserFS Security Labels
KERNEL JFS ACL
File systems
   JFS filesystem support
      JFS POSIX Access Control Lists
KERNEL XFS ACL
File systems
   XFS filesystem support
      XFS POSIX ACL support
KERNEL Btrfs ACL
File systems
   Btrfs filesystem support
      Btrfs POSIX Access Control Lists

Save your changes and recompile your kernel and boot from it.

Emerge

Now emerge the ACL tools to start using ACL:

root #emerge --ask sys-apps/acl

ext2/3/4 /etc/fstab with ACL support

Some filesystems like xfs and ext4 enable extended ACL by default when mounted.

Other filesystems may require extra mount options to enable extended ACL. Just add the ACL options in /etc/fstab:

FILE /etc/fstab
/dev/hda1               /               reiserfs        noatime,user_xattr,acl      0 1

Re-mount the partition with the acl option to finish.

Running extended ACL

How do we know that extended ACL is running correctly?

You will be able to do the following:

  • Set/Modify ACL
  • Get/Read ACL
  • ACL Mask

Set/Modify ACL

To set ACLs the setfacl command must be invoked. You can read the man page for setfacl for more options

To add username to have read, write and execute on /testfiles:

root #setfacl -m u:username:rwx /testfiles

To add username to have +write access on /testfiles:

root #setfacl -m u:username:+w /testfiles

To add default user access right to read and write on testfolder folder:

root #setfacl -m d:u:username:rw testfolder/

To add groupname to have read, write and execute on /testfiles:

root #setfacl -m g:groupname:rwx /testfiles

To add groupname to have recursive +execute on testfolder:

root #setfacl -R -m g:groupname:+x testfolder/

To add default group access right to read and write on testfolder folder

root #setfacl -m d:g:groupname:rw testfolder/

Get/Read ACL

To get ACL we need to run the getfacl command. Read getfacl's man page for more options.

To get ACL on /testfiles:

root #getfacl /testfiles
# file: testfiles
# owner: root
# group: root
user::rw-
user:username:r-x
group::r--
mask::r-x
other::r--

ACL Mask

Note
Todo

Remove ACL

Removing ACL is simple.

Remove ACL on /testfiles

root #setfacl -b /testfiles

Remove default ACL on testfolder:

root #setfacl -k testfolder/

Which files/folders are under ACL control?

How do you know that your files are under ACL without running getfacl on all files?

The command ls will show a + sign if it uses ACL.

Notice the + sign on apache2 and also named.

user $ls -al /var/www/
total 54632
drwxr-xr-x 12 root    root        4096 Jan  4 02:17 .
drwxr-xr-x 14 root    root        4096 Dec 11 11:50 ..
drwxr-xr-x+ 2 apache  apache       135 Dec 11 17:48 apache2
-rw-r-----  1 root    root       25085 Jan  4 14:26 dmesg
-rw-rw----  1 portage portage    22088 Jan  4 01:06 emerge-fetch.log
-rw-rw----  1 portage portage  1498948 Jan  4 04:06 emerge.log
-rw-------  1 root    root       32480 Dec 30 21:30 faillog
-rw-r--r--  1 root    root      628240 Nov  6 01:47 genkernel.log
-rw-r--r--  1 root    root      296380 Jan  4 18:43 lastlog
-rw-------  1 root    root    47973000 Jan  4 19:40 messages
drwxr-xr-x  2 mysql   mysql         82 Dec 11 22:04 mysql
drwxrwx---+ 2 named   named       4096 Jan  3 18:09 named
drwxr-xr-x  2 root    root          18 May 14  2010 news
drwxr-xr-x  3 root    root      167936 Jan  4 04:24 portage
-rw-r--r--  1 root    root       88301 Jan  4 14:26 rc.log
drwxr-xr-x  3 root    root        4096 Jan  2 02:55 samba
drwxrwx---  2 root    portage       37 Dec 11 15:21 sandbox
-rw-------  1 root    root       64960 Jan  2 02:59 tallylog
-rw-------  1 root    root         560 Nov 11 02:35 vsftpd.log
drwxr-xr-x  2 root    root          63 Sep 12  2010 webmin
-rw-rw-r--  1 root    utmp     1178112 Jan  4 18:43 wtmp
Retrieved from "https://wikitest.gentoo.org/index.php?title=Filesystem/Access_Control_List_Guide&oldid=587084"