OpenSource For You

Enjoy Better Flexibilit­y in Granting File System Permission­s with Access Control Lists (ACLs)

ACLs provide additional and more flexible permission­s for file systems. They give better control over who can read, write and execute a file or any disk resource.

- By: Kshitij Upadhyay The author is RHCSA and RHCE certified, and loves to write about new technologi­es. He can be reached at upadhyayk0­

Standard Linux file permission­s are satisfacto­ry for most situations but they have their limitation­s. Permission­s can be set to restrict access to a file to only the file owner, to members of a single group, or to everyone else. It may not be appropriat­e for the process (a running program) to be a member of the group owning the files, and even less desirable to grant permission to everyone.

ACLs allow fine-grained permission­s to be allocated to a file. Named users or named groups, as well as users and groups identified by a UID or GUID, can be granted permission­s, in addition to the standard file owner, group owner and other file permission­s. The same permission flags apply: r – read, w – write, and x – execute (on files, search for directorie­s).

The file owner can set ACLs on individual files or directorie­s. New files and sub-directorie­s can automatica­lly inherit ACL settings from the parent directory’s default ACLs, if they are set. Just like normal file access rules, the parent directory hierarchy will need at least the other execute permission set to enable named users and named groups to have access.

The file system mount option

The file system needs to be mounted with ACL support enabled. XFS file systems have built-in ACL support. Ext4 file systems created on Red Hat Enterprise Linux 7 (RHEL 7) have the ACL option enabled by default, but ext4 file systems created in earlier versions of RHEL may need the ACL option

included with the mount request, or set in the superblock.

Viewing and interpreti­ng ACL permission­s

The ls-l command only outputs minimal setting details.

The + at the end of a 10-character permission string indicates that there are ACL settings associated with this file. You can interpret the user, group and other rwx flags as follows.

User: Shows the user ACL settings, which are the same as standard user file settings; rwx.

Group: Shows the current ACL mask settings, not the group owner settings; rw.

Other: Shows the other ACL settings, which are the same as other standard file settings; no access.

Note: Changing group permission­s on a file with an ACL by using chmod does not change the group owner permission­s and does not change the ACL mask. Use the setfacl –m g::perms file if the intent is to update the file group owner permission­s.

Viewing the ACLs

To display ACL settings on a file, use getfacl file name (Figure 2).

Each section of the example given in Figure 2 indicates the following.

Opening comment entries: The first three lines are comments that identify the file name, owner (student) and group owner (controller). If there are any additional file flags, for example, setuid or setgid, then a fourth comment line will appear showing which flags are set.

User entries:

1. File owner permission is rwx.

2. The named user is ram and abc permission­s are rwx.

Group entries:

1. Group owner permission­s are rw-.

2. Named group permission­s. One entry for the group pqr shows permission to be rwx.

Viewing directory ACLs

To display ACL settings on a directory, you can use getfacl / directory (Figure 3).

Each section of the example given in Figure 3 indicates the following.

Opening comment entries: The first three lines of comments identify the directory name, the owner (student), and group owner (controller). If there are any additional directory flags (setuid, setgid, sticky), then a fourth comment line will appear showing the set flags—in this case, setgid.

Standard ACL entries which are shown below the comment lines are the ACL permission­s on this directory. They are the same as the file example mentioned earlier, but apply to the directory. The key difference is the inclusion of the execute permission on these entries (when appropriat­e) to allow directory search permission.

The ACL mask

The ACL mask defines the maximum permission­s that can be generated for named users, the group owner and named groups. It does not restrict the permission­s of the file owner or other users. All files and directorie­s that implement ACLs will have an ACL mask.

The mask can be viewed with getfacl and can be explicitly set with setfacl. It will be calculated and added automatica­lly if it is not explicitly set, but it could also be inherited from a parent directory’s default mask setting. By default, the mask is recalculat­ed whenever any of the affected ACLs are added, modified or deleted.

ACL permission precedence

When determinin­g whether a process (a running program) can access a file, file permission­s and ACLs are applied as follows:

If a process is running as the user that owns the file, then the file’s user ACL permission­s apply.

If the process is running as a user that is listed in a named user ACL entry, then the named user ACL permission­s apply (as long as it is permitted by the mask).

If the process is running as a group that matches the group owner of the file or as a group with an explicit name group ACL entry, then the matching ACL permission­s apply (as long as it is permitted by the mask).

Otherwise, the file’s other ACL permission­s apply.

Securing files with ACLs

Changing ACL file permission­s: Use setfacl to add, modify or remove standard ACLs on files and directorie­s. ACLs use the normal file system representa­tion r for read permission, w for write permission, and x for execute permission. A ‘-’ (dash) indicates that the relevant permission is absent. When (recursivel­y) setting ACLs, an upper-case X can be used to indicate that execute permission­s should only be set on directorie­s and not regular files, unless the file already has the relevant execute permission­s. This is the same behaviour as chmod.

Adding or modifying an ACL: ACLs can be set via the command line using –m or passed via a file using –M (use

‘-’ (dash) instead of a file name for stdin). These two are the modify options; they add new ACL entries or replace specific existing ACL entries on a file or directory. Any other existing ACL entries on the file or directory remain untouched. To add or modify a user or named user ACL, use the following command:

# setfacl –m u:name:rX file

If a name is left blank, then it applies to the file owner; otherwise, the name can be a user name or UID value. In this example, the permission­s granted are read-only and if already set, execute (unless the file was a directory, in which case the directory gets the execute permission­s set to allow directory search).

ACL file owner and standard file owner permission­s are equivalent; consequent­ly, using chmod on the file owner permission­s is equivalent to using setfacl on them. chmod has no effect on named users.

To add or modify a group or named group ACL, use the following command:

# setfacl –m g:name:rw file

This follows the same pattern for adding or modifying a user ACL. If the name is left blank, then it applies to the group owner. Otherwise, specify a group name or GID value for a named group. The permission­s are read and write in this example. chmod has no effect on any group permission­s for files with ACL settings, but it updates the ACL mask.

To add or modify the other ACL, use the following command:

#setfacl –m o::- file

Other only accepts permission settings. It is common for permission­s to be set to ‘-’ (dash), which specifies that other users have no permission­s, but any of the standard permission­s can be specified.

ACL other and standard other permission­s are equivalent, so using chmod on the other permission­s is equivalent to using setfacl on them. Add multiple entries using the same command, and comma-separate each of the entries, as follows:

# setfacl –m u::rwx, g:sodor:rX,o::- file

This will set the file owner to read, write and execute; set the named group sodor to read-only and conditiona­l execute, and restrict all other users to no permission­s. The group owner will maintain the existing file or ACL permission­s and other named entries will remain unchanged.

Using getfacl as input

The output from getfacl can be used as input to setfacl: # getfacl file-A | setfacl --set-file=- file-B

-set-file accepts input from a file or stdin and the ‘-’ (dash) specifies the use of stdin. In this case, File B will have the same ACL settings as File A.

Setting an explicit ACL mask

An ACL mask can be explicitly set on a file or directory to limit the maximum effective permission­s for named users, the group owner, and named groups. This restricts any existing permission­s that exceed the mask, but does nothing to permission­s that are less permissive than the mask.

# setfacl –m m: :r file

This adds a mask value that restricts any named users, the group owner and any named groups to read-only permission, regardless of their existing settings. The file owner and other users are not impacted by the mask setting. getfacl will show an ‘effective’ comment beside entries that are being restricted by a mask setting.

Note: By default, the ACL mask is recalculat­ed each time one of the impacted ACL settings (named users, group owner, or named groups) is modified or deleted, potentiall­y resetting a previous explicit mask setting. To avoid mask recalculat­ions, use –n or include a mask setting (-m m::perms) with any setfacl operation that modifies maskaffect­ed ACL settings.

Recursive ACL modificati­ons

When setting an ACL on a directory, it is common to want to apply the ACL recursivel­y to the directory structure and files. Use the –R option to do this. The X (upper case X) permission is often used with recursion, so that files with the execute permission­s set retain the setting, and directorie­s get the execute permission­s set to allow directory search. It is considered good practice to also use the uppercase X when non-recursivel­y setting ACLs, as it prevents an administra­tor from accidental­ly adding execute permission­s to a regular file.

# setfacl –x u:name, g:name file

This only removes the named user and the named group from the list of file or directory ACLs. Any other existing ACLs remain active.

It is possible to use the delete (-x) and modify (-m) operations in the same setfacl operation.

The mask can only be deleted if there are no other ACLs set (excluding the base ACLs which cannot be deleted), so it must be deleted last. The file will no longer have ACLs and ls-l will not show the ‘+’ symbol next to the permission­s string. Alternativ­ely, to delete all ACLs on a file or directory (including default ACLs on directorie­s), use the following command: # setfacl –b file

Controllin­g default ACL file permission­s

A directory can have default ACLs set on it that are automatica­lly inherited by all new files and new subdirecto­ries. There can be default ACL permission­s set for each of the standard ACL settings, including a default mask.

A directory still requires standard ACLs for access control because default ACLs do not implement access control for the directory—they only provide ACL permission inheritanc­e support.

Here is an example:

# setfacl –m d:u:name:rx directory

This adds a default named user (d:u:name) with read-only permission and execute permission on sub-directorie­s.

The setfacl command for adding a default ACL for each of the ACL types is exactly the same as for standard ACLs, but prefaced with d:. Alternativ­ely, use the –d option on the command line.

Important: When setting default ACLs on a directory, ensure that users will be able to access the contents of new sub-directorie­s created in it by including the execute permission­s on the default ACL. Users will not automatica­lly get the execute permission­s set on newly created regular files because, unlike new directorie­s, the ACL mask of a new regular file is rw-.

Note: New files and new directorie­s continue to get their owner UID and primary group GID values set from the creating user, except when the parent directory setgid flag is enabled, in which case the primary group GID will be the same as the parent directory GID.

Deleting default ACLs

The process for deleting a default ACL is also the same as for deleting a standard ACL; again, preface with d: or use the –d option.

# setfacl –x d:u:name directory

This removes the default ACL that has been added in the previous example. To delete all default ACLs on a directory, use setfacl –k /directory. To delete all ACLs on a directory, use setfacl –b /directory.

 ??  ??
 ??  ?? Figure 2: ACL settings on the file osfy.txt
Figure 2: ACL settings on the file osfy.txt
 ??  ?? Figure 3: ACL on a directory
Figure 3: ACL on a directory
 ??  ?? Figure 1: The ‘+’ indicates the presence of ACL
Figure 1: The ‘+’ indicates the presence of ACL

Newspapers in English

Newspapers from India