Creating Access Control Lists
Access Control Lists (ACLs) allow you to provide different levels of access to files and folders for different users. Red Hat Enterprise Linux 5 / CentOS 5 implement ACLs in the file system by default. This feature lets you set up a file that one user can read, other users cannot read, and still other users can both read and write. This was not possible previously.
One of the dangers that ACLs help avoid is users creating files with 777 permissions, which become system-wide security issues.
In CentOS 5 / RHEL 5, acl is a default mount option. This means that when the system is set up, all file systems have acl active. These defaults may be viewed with the dumpe2fs or tune2fs commands.
# tune2fs -l /dev/sda1 | grep options
Default mount options: user_xattr acl
# dumpe2fs /dev/sda1 | grep options
dumpe2fs 1.39 (29-May-2006)
Default mount options: user_xattr acl
acls on New Partitions
If any new partitions are created, the acl option has to be enabled on them. ACLs are activated when the administrator adds the acl option to the mount of the file system that holds the directory. The example shows how to enable acl manually on the / directory if it was not enabled by default.
In this illustration the administrator has added the acl option for the / directory in the /etc/fstab file. As you can see, the word "defaults" was replaced with "acl" and then the file was saved. (Writing "defaults,acl" instead keeps the standard default options alongside acl.)
/dev/VolGroup00/LogVol00 / ext3 acl 1 1
LABEL=/boot1 /boot ext3 defaults 1 2
Once the file is saved, remount the file system with the acl option.
mount -o remount,acl /
acl Commands
The process of changing ACLs is fairly simple, but understanding the implications is sometimes much more complex. There are a few commands that will help you make ACL changes on individual files and directories.
getfacl file or directory
This command lists all of the current ACLs on the file or directory. For example, if a user (tom) creates a file and gives ACL rights to another user, the output looks like this.
getfacl myfile
# file: myfile
# owner: tom
# group: tom
user::rw-
user:sue:rwx
group::rw-
mask::rwx
other::r--
The getfacl output shows the usual ownership as well as the additional users who have been added with ACLs, like sue in the example. It also shows the rights granted to each user: in the example, sue has rwx on the file myfile.
The setfacl command is used to create or modify ACL rights. For example, if you wanted to change the ACL for mike on a file, you would use this command:
setfacl -m u:mike:rwx file or directory
The -m modifies the ACL; the "u" indicates a specifically named user, "mike", followed by the rights and then the file or directory. Change the "u" to a "g" and you will be changing group ACLs.
setfacl -m g:sales:rw file or directory
If you want to configure a directory so that all files created in it inherit the directory's ACLs, use the "d" (default) option before the user or group.
setfacl -m d:u:mike:rw directory
To remove rights, use the "x" option.
setfacl -x u:mike file or directory
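The mask:: line in getfacl output is what makes the implications hard to read: on a POSIX ACL the rights of every named user, named group and the owning group are ANDed with the mask, while the owner (user::) and other:: are not. The following is an added example, not part of the original page, that computes the effective rights of one entry from getfacl text; the ACL listing inside it is constructed for the example.

```sh
#!/bin/sh
# Added example (not from the original page): compute the *effective*
# rights of one ACL entry from getfacl output. POSIX ACLs AND every
# named-user, named-group and owning-group entry with the mask entry;
# the file owner (user::) and other:: are not subject to the mask.
# The getfacl output below is constructed for this example.

SAMPLE_ACL='# file: myfile
# owner: tom
# group: tom
user::rw-
user:sue:rwx
group::rw-
group:sales:r-x
mask::rw-
other::r--'

# effective_rights ACL_TEXT ENTRY
#   ENTRY is the tag and qualifier, e.g. "user:sue", "group:sales",
#   "user:" (owner), "group:" (owning group) or "other:".
#   Prints the effective rights (e.g. "rw-"); returns 1 if ENTRY is absent.
effective_rights() {
    printf '%s\n' "$1" | awk -F: -v want="$2" '
        /^#/ { next }                       # skip the "# file:" header lines
        { sub(/[ \t]+#.*$/, "") }           # drop any "#effective:" annotation
        $1 == "mask" { mask = $3; next }
        ($1 ":" $2) == want { rights = $3 }
        END {
            if (rights == "") exit 1
            # owner and other are never masked; a missing mask masks nothing
            if (mask == "" || want == "user:" || want == "other:") mask = "rwx"
            eff = ""
            for (i = 1; i <= 3; i++) {
                c = substr(rights, i, 1)
                eff = eff ((c != "-" && c == substr(mask, i, 1)) ? c : "-")
            }
            print eff
        }'
}

# Stand-alone run: show the effective rights of each entry in the sample ACL
for entry in user: user:sue group: group:sales other:; do
    printf '%-12s effective: %s\n' "$entry" "$(effective_rights "$SAMPLE_ACL" "$entry")"
done
```

Run it against real output by passing "$(getfacl myfile)" as the first argument; a named user with rwx and a mask of rw- ends up with rw-, which is why chmod on the group bits (which rewrites the mask) can silently cut ACL rights.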
Backups with ACLs
One word of caution about backups using tar. Tar does back up ACLs, but you must use the --acls option. There is a great deal of confusion about ACLs and tar. In RHEL 5 the tar command has been given the ability to save extended file attributes, including ACLs. But you must use the option both when you create the tar file and when you restore it, or you will lose your ACLs. Here is a step by step example.
# setfacl -m u:joe:rw NewFile
Now, using the getfacl command, you will see that there are ACLs on this file, NewFile.
# getfacl NewFile
# file: NewFile
# owner: root
# group: root
user::rw-
user:joe:rw-
user:tom:r--
group::rwx
mask::rwx
other::r--
# tar cvf /home/NewFile.tar NewFile --acls
This command creates the tar file with the ACLs included.
# cd /home
# tar xvf NewFile.tar --acls
This command restores the file with its ACLs. Now you can see that the ACLs have been maintained.
# getfacl NewFile
# file: NewFile
# owner: root
# group: root
user::rw-
user:joe:rw-
user:tom:r--
group::rwx
mask::rwx
other::r--
Lab: put into action what you learn
This lab will help you learn how to manage ACLs. All labs should be completed in a test environment.
1. Create a group called accounting.
groupadd accounting
Create 3 users, joe, jim and jane, and put them in the accounting group.
Edit the /etc/group file and place them in the accounting group, separated by commas.
Create the /accounting directory, make accounting the group with access to the /accounting directory.
chown root:accounting /accounting
2. joe creates folders and sets permissions
mkdir /accounting/sales
mkdir /accounting/research
touch /accounting/sales/sales_report
touch /accounting/sales/decline
Add text to both files and set these ACLs.
setfacl -m u:jim:rwx /accounting/sales/sales_report
setfacl -m u:jane:r /accounting/sales/decline
setfacl -m g:accounting:r /accounting/sales
Add text to the two files.
3. Test Permissions
Log in as both jim and jane and try to read and write the two files that were created.
4. Create a tar Backup of the /accounting Directory
tar cvf /home/accounting.tar /accounting --acls
Extract the directory from the backup and verify the ACLs. Move into the /home directory first so the extraction does not write over the existing /accounting directory.
cd /home
tar xvf accounting.tar --acls
Move into the directory and use getfacl to verify the acls.