RHCSA: File security with ACLs
March 23, 2012
File security in Linux is usually little more than using chown and chmod. We use chown to set the user and group that own a file or directory, and chmod to set read, write and execute permissions for the owning user, the owning group and everyone else. This level of security is basic and straightforward.
What if more granular access control is needed? For example, we might want Bob to have read access to the /company/data/salary.dat file. Jane on the other hand needs read and write access. Both Jane and Bob are in the acctg group. Using ACLs we can solve this.
Adding ACL support begins by making sure the acl package is installed:
    # yum install acl
    # rpm -qa | grep acl
    libacl-2.2.39-6.el5
    acl-2.2.39-6.el5
The next step is to add ACL support to the specific volume where it will be used. Add acl to the list of options in /etc/fstab and then remount:
    # vi /etc/fstab
    tmpfs              /dev/shm       tmpfs   defaults                          0 0
    devpts             /dev/pts       devpts  gid=5,mode=620                    0 0
    sysfs              /sys           sysfs   defaults                          0 0
    proc               /proc          proc    defaults                          0 0
    /dev/mapper/data   /company/data  ext4    defaults,usrquota,grpquota,acl    1 2
    # mount -o remount /company/data
    # mount | grep acl
    /dev/mapper/data on /company/data type ext4 (rw,usrquota,grpquota,acl)
There are two commands to remember: getfacl and setfacl. There are no ACLs on the file yet, but let’s see what its permissions currently look like:
    # getfacl salary.dat
    # file: salary.dat
    # owner: user01
    # group: payroll
    user::rw-
    group::r--
    mask::r--
    other::---
Now let’s add the ACLs for Bob and Jane:
    # setfacl -m u:bob:r salary.dat
    # setfacl -m u:jane:rw salary.dat
    # getfacl salary.dat
    # file: salary.dat
    # owner: user01
    # group: payroll
    user::rw-
    user:bob:r--
    user:jane:rw-
    group::r--
    mask::rw-
    other::---
We can remove ACLs for Bob just as easily using the -x option:
    # setfacl -x u:bob salary.dat
    # getfacl salary.dat
    # file: salary.dat
    # owner: user01
    # group: payroll
    user::rw-
    user:jane:rw-
    group::r--
    mask::rw-
    other::---
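The mask:: entry that appears in the getfacl output above is the part of ACLs people most often get wrong: a named user entry such as user:jane:rw- only grants the bits that are also set in the mask, and a later chmod on the group bits rewrites the mask rather than the group:: entry. The following shell script is an added example, not code from the original post; it parses getfacl-style text (the sample text is constructed to match the output shown above, plus a second constructed sample showing the same file after a hypothetical chmod g-w) and reports the permissions a named user effectively gets.

```shell
#!/bin/sh
# Added example (not from the original post): work out the effective permissions
# a named ACL user gets, taking the mask entry into account.

# Constructed sample: the getfacl output shown above after granting bob and jane access.
SAMPLE_ACL='# file: salary.dat
# owner: user01
# group: payroll
user::rw-
user:bob:r--
user:jane:rw-
group::r--
mask::rw-
other::---'

# Constructed sample: the same file after a hypothetical "chmod g-w salary.dat".
# On a file with an extended ACL, chmod changes mask:: rather than group::, so
# jane's entry still reads rw- but getfacl flags the reduced effective rights.
SAMPLE_ACL_AFTER_CHMOD='# file: salary.dat
# owner: user01
# group: payroll
user::rw-
user:bob:r--
user:jane:rw-          #effective:r--
group::r--
mask::r--
other::---'

# acl_effective USER ACL_TEXT
# Prints the effective rwx triple for the named user USER, or "none" when the
# ACL has no entry for that user. A bit is granted only when it is set in both
# the user's entry and the mask:: entry; a minimal ACL (no mask) is unmasked.
acl_effective() {
    printf '%s\n' "$2" | awk -F: -v who="$1" '
        /^#/ { next }                                   # skip the header comment lines
        $1 == "user" && $2 == who { entry = substr($3, 1, 3) }   # drop any "#effective" note
        $1 == "mask" && $2 == ""  { mask  = substr($3, 1, 3) }
        END {
            if (entry == "") { print "none"; exit }
            if (mask == "")  { print entry;  exit }     # no mask entry: nothing to cap
            out = ""
            for (i = 1; i <= 3; i++) {
                e = substr(entry, i, 1)
                m = substr(mask,  i, 1)
                out = out ((e != "-" && m != "-") ? e : "-")
            }
            print out
        }'
}

# Show what each user really gets before and after the group-bit chmod.
for who in bob jane carol; do
    printf '%-6s before: %s   after chmod g-w: %s\n' "$who" \
        "$(acl_effective "$who" "$SAMPLE_ACL")" \
        "$(acl_effective "$who" "$SAMPLE_ACL_AFTER_CHMOD")"
done
```

Against a real file, pass the live output in the same way: `acl_effective jane "$(getfacl salary.dat)"`. The same masking applies to group:: and named group entries (not handled by this function). setfacl -m recalculates the mask from the entries it sets unless you pass -n, which is why the mask above went from r-- to rw- after jane was given write access; a plain chmod does not recalculate anything, it just overwrites the mask, so check getfacl after any chmod on an ACL-protected file.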
If you can remember setfacl and getfacl, you’ll have no problem. And of course, don’t forget to start by updating /etc/fstab and remounting the volume.