Filesystem/Access Control List Guide
Extended Access Control Lists (ACLs) are one of the more important features on multiuser systems. They allow finer-grained control over files than the basic POSIX user, group and other permissions.
POSIX basic ACL
For instance:
user $
ls -al /var/www/
total 54632
drwxr-xr-x 12 root root 4096 Jan 4 02:17 .
drwxr-xr-x 14 root root 4096 Dec 11 11:50 ..
drwxr-xr-x 2 apache apache 135 Dec 11 17:48 apache2
-rw-r----- 1 root root 25085 Jan 4 14:26 dmesg
-rw-rw---- 1 portage portage 22088 Jan 4 01:06 emerge-fetch.log
-rw-rw---- 1 portage portage 1498948 Jan 4 04:06 emerge.log
-rw------- 1 root root 32480 Dec 30 21:30 faillog
-rw-r--r-- 1 root root 628240 Nov 6 01:47 genkernel.log
-rw-r--r-- 1 root root 296380 Jan 4 18:43 lastlog
-rw------- 1 root root 47973000 Jan 4 19:40 messages
drwxr-xr-x 2 mysql mysql 82 Dec 11 22:04 mysql
drwxrwx--- 2 named named 4096 Jan 3 18:09 named
drwxr-xr-x 2 root root 18 May 14 2010 news
drwxr-xr-x 3 root root 167936 Jan 4 04:24 portage
-rw-r--r-- 1 root root 88301 Jan 4 14:26 rc.log
drwxr-xr-x 3 root root 4096 Jan 2 02:55 samba
drwxrwx--- 2 root portage 37 Dec 11 15:21 sandbox
-rw------- 1 root root 64960 Jan 2 02:59 tallylog
-rw------- 1 root root 560 Nov 11 02:35 vsftpd.log
drwxr-xr-x 2 root root 63 Sep 12 2010 webmin
-rw-rw-r-- 1 root utmp 1178112 Jan 4 18:43 wtmp
For example:
drwxr-xr-x 2 apache apache 135 Dec 11 17:48 apache2
Breakdown | Description |
---|---|
d | Directory |
rwx | User (apache) access: (r) read, (w) write, (x) execute |
r-x | Group (apache) access: (r) read, (-) no write, (x) execute |
r-x | Other (all other users) access: (r) read, (-) no write, (x) execute |
apache | Directory belongs to user apache |
apache | Directory belongs to group apache |
135 | Size |
Dec 11 | Last modified date |
17:48 | Last modified time |
apache2 | Folder/file name |
Note: this breakdown does not cover the SGID and sticky bits.
What is missing?
1. What happens if more than one user needs control of this directory? One solution is to add these users to the "apache" group. However, these users would then have access to everything the "apache" group has access to. This is not what we want.
2. What happens if we need another group to have read/write access to this directory but no other users? In the same way, we could add the members of that group together with the "apache" user to a new group and give the directory to that group.
But what happens if you want to allow this group to read but not to write?
POSIX Basic ACL has its limitations. "Extended ACL" fixes many of these issues.
Kernel
The kernel must be built with POSIX ACL support for each filesystem on which ACLs are to be used before the userspace tools can make use of them.
Enable the one(s) needed:
File systems --->
  Second extended fs support --->
    Ext2 extended attributes
      Ext2 POSIX Access Control Lists
  Ext3 journalling file system support --->
    Ext3 extended attributes
      Ext3 POSIX Access Control Lists
  The Extended 4 (ext4) filesystem --->
    Ext4 POSIX Access Control Lists
  Reiserfs support --->
    ReiserFS extended attributes
      ReiserFS POSIX Access Control Lists
      ReiserFS Security Labels
  JFS filesystem support --->
    JFS POSIX Access Control Lists
  XFS filesystem support --->
    XFS POSIX ACL support
  Btrfs filesystem support --->
    Btrfs POSIX Access Control Lists
Save your changes, recompile the kernel and boot into it.
Emerge
Now emerge the ACL tools to start using ACL:
root #
emerge --ask sys-apps/acl
ext2/3/4 /etc/fstab with ACL support
Some filesystems like xfs and ext4 enable extended ACL by default when mounted.
Other filesystems may require an extra mount option to enable extended ACLs. Add the acl option to the filesystem's entry in /etc/fstab:
/etc/fstab
/dev/hda1 / reiserfs noatime,user_xattr,acl 0 1
Re-mount the partition with the acl option to finish.
Running extended ACL
How do we know that extended ACL is running correctly?
You will be able to do the following:
- Set/Modify ACL
- Get/Read ACL
- ACL Mask
Set/Modify ACL
To set ACLs, the setfacl command must be invoked. Read the setfacl man page for more options.
To give user username read, write and execute permission on /testfiles:
root #
setfacl -m u:username:rwx /testfiles
To add write (+w) access for username on /testfiles:
root #
setfacl -m u:username:+w /testfiles
To add a default ACL entry giving username read and write on new files created in testfolder:
root #
setfacl -m d:u:username:rw testfolder/
To give group groupname read, write and execute permission on /testfiles:
root #
setfacl -m g:groupname:rwx /testfiles
To recursively add execute (+x) access for groupname on testfolder and everything below it:
root #
setfacl -R -m g:groupname:+x testfolder/
To add a default ACL entry giving groupname read and write on new files created in testfolder:
root #
setfacl -m d:g:groupname:rw testfolder/
Get/Read ACL
To get ACL we need to run the getfacl command. Read getfacl's man page for more options.
To get ACL on /testfiles:
root #
getfacl /testfiles
# file: testfiles
# owner: root
# group: root
user::rw-
user:username:r-x
group::r--
mask::r-x
other::r--
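The mask:: entry in the output above is what limits every named user, named group and the owning group: a permission bit takes effect only if both the entry and the mask grant it (the owner's user:: entry and other:: are never masked). The following script, an added example rather than code from the wiki, computes those effective permissions from constructed getfacl output. The sample ACL text and the function names effective_perms and effective_for are assumptions made for the example.

```shell
#!/bin/sh
# Constructed sample of getfacl output (assumption: illustrative data, not taken
# from a real system). Both named entries grant more than the mask allows.
ACL_TEXT='# file: testfiles
# owner: root
# group: root
user::rw-
user:username:rwx
group::r--
group:devs:rw-
mask::r-x
other::r--'

# Print "<acl entry><TAB><effective permissions>" for each entry that the mask
# applies to: named users, the owning group and named groups. The owner (user::)
# and other:: are not masked, so they are skipped. A bit is effective only when
# both the entry and mask:: contain it.
effective_perms() {
    printf '%s\n' "$1" | awk -F: '
        /^mask::/ { mask = $3 }
        /^(user:[^:]+:|group:)/ { n++; entry[n] = $0; perm[n] = $3 }
        END {
            for (i = 1; i <= n; i++) {
                eff = ""
                for (j = 1; j <= 3; j++) {
                    p = substr(perm[i], j, 1)
                    m = substr(mask, j, 1)
                    eff = eff ((p != "-" && m != "-") ? p : "-")
                }
                printf "%s\t%s\n", entry[i], eff
            }
        }'
}

# Look up the effective permissions of one entry, e.g. "user:username" or
# "group:" for the owning group.
effective_for() {
    effective_perms "$1" | awk -F'\t' -v want="$2" '
        index($1, want ":") == 1 { print $2 }'
}

effective_perms "$ACL_TEXT"
```

With the sample above, user:username:rwx is reduced to r-x and group:devs:rw- to r--. getfacl itself flags this situation by appending an "#effective:" comment to any entry the mask cuts down, so a named user who unexpectedly cannot write to a file is usually explained by the mask rather than by the entry itself.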
ACL Mask
Todo
Remove ACL
Removing an ACL is simple.
To remove all extended ACL entries from /testfiles:
root #
setfacl -b /testfiles
To remove the default ACL from testfolder:
root #
setfacl -k testfolder/
Which files/folders are under ACL control?
How do you know which files are under ACL control without running getfacl on every file?
The ls command shows a + sign after the permission bits of any entry that has an ACL.
Notice the + sign on apache2 and also on named.
user $
ls -al /var/www/
total 54632
drwxr-xr-x 12 root root 4096 Jan 4 02:17 .
drwxr-xr-x 14 root root 4096 Dec 11 11:50 ..
drwxr-xr-x+ 2 apache apache 135 Dec 11 17:48 apache2
-rw-r----- 1 root root 25085 Jan 4 14:26 dmesg
-rw-rw---- 1 portage portage 22088 Jan 4 01:06 emerge-fetch.log
-rw-rw---- 1 portage portage 1498948 Jan 4 04:06 emerge.log
-rw------- 1 root root 32480 Dec 30 21:30 faillog
-rw-r--r-- 1 root root 628240 Nov 6 01:47 genkernel.log
-rw-r--r-- 1 root root 296380 Jan 4 18:43 lastlog
-rw------- 1 root root 47973000 Jan 4 19:40 messages
drwxr-xr-x 2 mysql mysql 82 Dec 11 22:04 mysql
drwxrwx---+ 2 named named 4096 Jan 3 18:09 named
drwxr-xr-x 2 root root 18 May 14 2010 news
drwxr-xr-x 3 root root 167936 Jan 4 04:24 portage
-rw-r--r-- 1 root root 88301 Jan 4 14:26 rc.log
drwxr-xr-x 3 root root 4096 Jan 2 02:55 samba
drwxrwx--- 2 root portage 37 Dec 11 15:21 sandbox
-rw------- 1 root root 64960 Jan 2 02:59 tallylog
-rw------- 1 root root 560 Nov 11 02:35 vsftpd.log
drwxr-xr-x 2 root root 63 Sep 12 2010 webmin
-rw-rw-r-- 1 root utmp 1178112 Jan 4 18:43 wtmp
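For a quick audit of a listing like the one above, the + marker can be picked out mechanically. The script below is an added example, not part of the wiki page; it runs over a constructed ls -l sample modelled on the listing, and the function names acl_entries and acl_count are assumptions made for the example.

```shell
#!/bin/sh
# Constructed sample of `ls -l` output (assumption: illustrative lines modelled
# on the listing above, not captured from a real system). rc.log carries a
# trailing "." to show the SELinux-context marker, which must not be reported.
LS_OUTPUT='total 54632
drwxr-xr-x+ 2 apache apache 135 Dec 11 17:48 apache2
-rw-r----- 1 root root 25085 Jan 4 14:26 dmesg
drwxrwx---+ 2 named named 4096 Jan 3 18:09 named
drwxr-xr-x 2 root root 18 May 14 2010 news
-rw-r--r--. 1 root root 88301 Jan 4 14:26 rc.log'

# Print the name of every entry whose mode field ends in "+". GNU ls uses "+"
# for an alternate access method such as an extended ACL and "." for an
# SELinux context only, so only "+" is matched. The name is taken as the last
# whitespace-separated field, which is fine for this sample but would truncate
# file names containing spaces.
acl_entries() {
    printf '%s\n' "$1" | awk '$1 ~ /\+$/ { print $NF }'
}

# Number of ACL-bearing entries in the listing, for a one-line summary.
acl_count() {
    acl_entries "$1" | wc -l | tr -d ' '
}

acl_entries "$LS_OUTPUT"
```

On the sample this reports apache2 and named and nothing else. For a real tree the authoritative check is getfacl itself: getfacl -R -s DIR walks the directory recursively and, with -s (--skip-base), prints only files that carry more than the three base entries.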