March 23, 2012 2 Comments
File security in Linux is usually little more than using chown and chmod. We use chown to set the user and group that owns a file or directory. Chmod allows us to set read, write and execute privileges globally for users, groups and all. This level of security is pretty basic and straightforward.
What if more granular access control is needed? For example, we might want Bob to have read access to the /company/data/salary.dat file. Jane on the other hand needs read and write access. Both Jane and Bob are in the acctg group. Using ACLs we can solve this.
Adding ACL support begins by making sure the acl package is installed:
# yum install acl # rpm -qa | grep acl libacl-2.2.39-6.el5 acl-2.2.39-6.el5
The next step is to add ACL support to the specific volume where it will be used. Add acl to the list of options in /etc/fstab and then remount:
# vi /etc/fstab tmpfs /dev/shm tmpfs defaults 0 0 devpts /dev/pts devpts gid=5,mode=620 0 0 sysfs /sys sysfs defaults 0 0 proc /proc proc defaults 0 0 /dev/mapper/data /company/data ext4 defaults,usrquota,grpquota,acl 1 2 # mount -o remount /company/data # mount | grep acl /dev/mapper/data on /company/data type ext4 (rw,usrquota,grpquota,acl)
There are two commands to remember: getfacl and setfacl. There are no ACLs on the file, but let’s see what security currently looks like:
# getfacl salary.dat # file: salary.dat # owner: user01 # group: payroll user::rw- group::r-- mask::r-- other::---
Now let’s add the ACLs for Bob and Jane:
# setfacl -m u:bob:r salary.dat # setfacl -m u:jane:rw salary.dat # getfacl salary.dat # file: salary.dat # owner: user01 # group: payroll user::rw- user:bob:r-- user:jane:rw- group::r-- mask::rw- other::---
We can remove ACLs for Bob just as easily using the -x option:
# setfacl -x u:bob salary.dat # getfacl salary.dat # file: salary.dat # owner: user01 # group: payroll user::rw- user:jane:rw- group::r-- mask::rw- other::---
If you can remember setfacl and getfacl, you’ll have no problem. And of course, don’t forget to start by updating /etc/fstab and remounting the volume.