Linux ACL tutorial: working with Access Control Lists

Working with ACLs (Access Control Lists) is useful when you want to grant or revoke access for a user or group on directories and files. I personally do not like them too much; it is all too “hidden” and whimsical for my taste, though admittedly in certain situations it may be the best solution.

A requirement for working with ACLs is that the volume be mounted with the appropriate option. This can be done without unmounting or rebooting, with the command:

mount -o remount -o acl /dev/mapper/vg_tester1-lv_root /

This command remounts / with the “acl” option added.

ACLs are managed with two commands:

getfacl [-aceEsRLPtpndvh] file …
An example call would be:
getfacl *

setfacl [-bkndRLPvh] [{-m|-x} acl_spec] [{-M|-X} acl_file] file …
The options I use are:

  • -m, modify an acl_spec (the entry is added if it does not exist yet)
  • -x, remove an acl_spec
  • -b, remove all ACL entries
  • -R, recurse into subdirectories.

acl_spec takes one of these forms:

  • u:user_name:rwx, entry for a named user
  • g:group_name:rwx, entry for a named group
  • o:rwx, other users
  • m:rwx, the mask (an upper bound applied to named user, named group and owning group entries)

Example calls:

setfacl -m u:prueba:rwx /home/prueba/tmp
setfacl -m g:www_data:rwx /home/prueba/tmp
setfacl -x u:prueba /home/prueba/tmp
setfacl -b /home/prueba/tmp
setfacl -R -b /home/prueba

Reading the man pages is highly recommended.

Assume this initial state:

[root@tester1 prueba]# pwd
/root/prueba
[root@tester1 prueba]# ls -l
total 40
-rw-r-xr--. 1 root root 18752 mar 7 09:44 fich2.txt
-rw-r-xr--. 1 root root 18752 mar 6 16:52 fich.txt
[root@tester1 prueba]# getfacl *
# file: fich2.txt
# owner: root
# group: root
user::rw-
group::r-x
other::r--
# file: fich.txt
# owner: root
# group: root
user::rw-
group::r-x
other::r--

In /root/prueba there are two files with no ACL defined. It is a location for the exclusive use of the root user, but suppose you want to give a user “prueba” read and write access to /root/prueba/fich.txt.

Access must be allowed on /root, then on /root/prueba and finally on /root/prueba/fich.txt; this can be done with the commands:

setfacl -m u:prueba:--x /root
setfacl -m u:prueba:--x /root/prueba
setfacl -m u:prueba:wr- /root/prueba/fich.txt

When any ACL entry is defined, ls -l shows a + after the permission bits (and, with an ACL present, the group field of ls -l shows the mask rather than the owning group's entry, here rwx):

[root@tester1 prueba]# pwd
/root/prueba
[root@tester1 prueba]# ls -l
total 44
-rw-r-xr--. 1 root root 18752 mar 7 09:44 fich2.txt
-rw-rwxr--+ 1 root root 18752 mar 6 16:52 fich.txt
[root@tester1 prueba]# getfacl *
# file: fich2.txt
# owner: root
# group: root
user::rw-
group::r-x
other::r--
# file: fich.txt
# owner: root
# group: root
user::rw-
user:prueba:rw-
group::r-x
mask::rwx
other::r--

Now the user “prueba” can access the file but cannot list the contents of the intermediate directories:

[prueba@tester1 ~]$ ls /root
ls: cannot open directory /root: Permission denied
[prueba@tester1 ~]$ ls /root/prueba/
ls: cannot open directory /root/prueba/: Permission denied
[prueba@tester1 ~]$ ls -l /root/prueba/fich.txt
-rw-rwxr--+ 1 root root 18752 Mar 6 16:52 /root/prueba/fich.txt
[prueba@tester1 ~]$ tail /root/prueba/fich.txt
asdas
hola
ihola
dasd
fsadfsdf
sdfa
sf
[prueba@tester1 ~]$ echo "AGREGADO" >> /root/prueba/fich.txt
[prueba@tester1 ~]$ tail /root/prueba/fich.txt
hola
ihola
dasd
fsadfsdf
sdfa
sf
AGREGADO

The same could have been done with a group.
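The three setfacl commands above were worked out by hand for one file. The following script, an added example that is not part of the original post, generalises that step: given an absolute target path it computes every directory that must be traversable, prints the setfacl commands that grant --x on each of them plus the requested permissions on the target, and prints the matching -x commands to undo exactly those entries. Nothing is applied unless the output is piped to sh, so the plan can be reviewed first. The file name acl_plan.sh in the usage comment is hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Given an absolute target path,
# list the directories a user must be able to traverse to reach it and print
# the setfacl commands that grant --x on each of them plus the requested
# permissions on the target, as done by hand above for /root/prueba/fich.txt.
# Only commands are printed; pipe the output to sh to apply them after review.

# Print the ancestors of an absolute path, from the top down, one per line.
# "/" itself is skipped: it is normally world-traversable already.
ancestor_dirs() {
    dir=${1%/*}
    chain=""
    while [ -n "$dir" ]; do
        chain="$dir
$chain"
        dir=${dir%/*}
    done
    printf '%s' "$chain"
}

# acl_grant_plan USER PERMS TARGET: --x on every ancestor (enough to pass
# through, not enough to list it), PERMS (e.g. rw-) on the target itself.
acl_grant_plan() {
    user=$1 perms=$2 target=$3
    ancestor_dirs "$target" | while IFS= read -r d; do
        printf 'setfacl -m u:%s:--x %s\n' "$user" "$d"
    done
    printf 'setfacl -m u:%s:%s %s\n' "$user" "$perms" "$target"
}

# acl_revoke_plan USER TARGET: remove only that user's entries again (-x),
# which is less disruptive than setfacl -b, which also wipes any other ACLs.
acl_revoke_plan() {
    user=$1 target=$2
    printf 'setfacl -x u:%s %s\n' "$user" "$target"
    ancestor_dirs "$target" | while IFS= read -r d; do
        printf 'setfacl -x u:%s %s\n' "$user" "$d"
    done
}

# Usage (acl_plan.sh is a hypothetical name for this file):
#   sh acl_plan.sh prueba rw- /root/prueba/fich.txt | sh
if [ "$#" -eq 3 ]; then
    acl_grant_plan "$1" "$2" "$3"
fi
```

Run `sh acl_plan.sh prueba rw- /root/prueba/fich.txt` to see the plan; the output is the same three commands the post applies by hand. The ancestors deliberately get only --x, so the user can pass through /root and /root/prueba without being able to list them, which is exactly the behaviour shown in the ls output above.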

To remove all traces:

setfacl -b /root
setfacl -R -b /root/prueba

It is also possible to explicitly deny all access with:

setfacl -m u:prueba:--- /tmp

It is also possible to work with masks:

[root@tester1 prueba]# setfacl -m u:prueba:r-x fich.txt
[root@tester1 prueba]# setfacl -m m:rw- fich.txt
[root@tester1 prueba]# getfacl *
# file: fich2.txt
# owner: root
# group: root
user::rw-
group::r-x
other::r--
# file: fich.txt
# owner: root
# group: root
user::rw-
user:prueba:r-x #effective:r--
group::r-x #effective:r--
mask::rw-
other::r--

Note that the effective permission is r-- instead of r-x; this is because the rw- mask has been applied. The mask also caps the owning group entry, which is why group::r-x shows effective r-- as well, while the owner (user::) and other:: entries are never affected by the mask.
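To make the mask rule concrete, here is an added example that is not part of the original post: a small POSIX shell script that reads getfacl output and recomputes the "#effective:" annotation the way the kernel evaluates it (named user, named group and owning group entries are ANDed with the mask; owner and other are not). The listing it parses is a constructed sample matching the state the post reaches after setting the rw- mask, so it runs offline.

```shell
#!/bin/sh
# Added example, not from the original post. Computes the effective rights of
# getfacl entries the way the kernel does: the mask caps named users, named
# groups and the owning group (group::); the owner (user::) and other:: are
# never masked. Input is a constructed getfacl listing embedded below.

# effective_perms ENTRY MASK: position-wise AND of two rwx strings,
# e.g. effective_perms r-x rw- -> r--
effective_perms() {
    e=$1 m=$2 out=""
    for i in 1 2 3; do
        ec=$(printf '%s' "$e" | cut -c"$i")
        mc=$(printf '%s' "$m" | cut -c"$i")
        if [ "$ec" = "$mc" ]; then out="$out$ec"; else out="$out-"; fi
    done
    printf '%s' "$out"
}

# annotate_acl: read getfacl output on stdin, append "#effective:" to every
# maskable entry the mask actually reduces (the same tag getfacl prints).
annotate_acl() {
    acl=$(cat)
    mask=$(printf '%s\n' "$acl" | sed -n 's/^mask::\([rwx-]*\).*/\1/p')
    printf '%s\n' "$acl" | while IFS= read -r line; do
        case $line in
            user:?*:*|group:*)             # named user, named/owning group
                if [ -z "$mask" ]; then printf '%s\n' "$line"; continue; fi
                tag=${line%%:*}            # "user" or "group"
                rest=${line#*:}            # name:perms[ #effective:...]
                name=${rest%%:*}
                perms=${rest#*:}
                perms=${perms%% *}         # drop an existing annotation
                eff=$(effective_perms "$perms" "$mask")
                if [ "$eff" = "$perms" ]; then
                    printf '%s:%s:%s\n' "$tag" "$name" "$perms"
                else
                    printf '%s:%s:%s #effective:%s\n' "$tag" "$name" "$perms" "$eff"
                fi ;;
            *)  printf '%s\n' "$line" ;;
        esac
    done
}

# Constructed sample: the state the post reaches after setting the rw- mask.
SAMPLE_ACL='# file: fich.txt
# owner: root
# group: root
user::rw-
user:prueba:r-x
group::r-x
mask::rw-
other::r--'

# annotate_sample: run the constructed listing through annotate_acl.
annotate_sample() {
    printf '%s\n' "$SAMPLE_ACL" | annotate_acl
}

annotate_sample
```

The script reproduces the two "#effective:r--" tags from the getfacl output above and leaves user::rw- and other::r-- untouched. It also accepts real output, e.g. `getfacl fich.txt | sh -c '. ./acl_mask.sh; annotate_acl'` (acl_mask.sh being a hypothetical name for the file without its final call), which is a quick way to audit whether a mask set with setfacl -m m:... is silently reducing an entry you expected to be effective.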
