Access Control Lists (ACLs) allow you to provide different levels of access to files and folders for different users. One of the dangers that acls attempt to avoid is allowing users to create files with 777 permissions, which become system wide security issues. Ubuntu does not install acls by default, you must install them and configure the file system so that acls are active. ACLs are an important tool that administrators must understand as well as educate users how to employ them properly.

Install acls on Ubuntu 8.10
sudo apt-get install acl

acls on New Partitions

Since acls are not installed on any partitions the administrator must activate acls.. In the example, it shows how to manually install the acl on the /home directory. In this illustration the administrator has added the acl option to the /home directory in the /etc/fstab file. As you can see the word "acl" follows a comma after ext3 and then the file was saved. CAUTION: make a backup of your /etc/frstab before you modify it so you can recover if you make a mistake.

# /dev/sda4

UUID=27515417-03d4-4175-bcf3-e655a19a6cb2 /home ext3,acl relatime 0 2

Once the file is saved remount the directory with the acl.

mount -o remount,acl /home

acl Commands
The process of changing acls is fairly simple but sometimes understanding the implications are much more complex. There are a few commands that will help you make the changes for acls on individual files and directories.

getfacl file or directory

This command will list all of the current acls on the file or directory. For example if a user (tom) creates a file and gives acl rights to another user this is what the output would look like.

getfacl myfile

# file: myfile

# owner: tom

# group: tom

user::rw-

user:sue:rwx

group::rw-

mask::rwx

other::r--

The getfacl shows typical ownership as well as additional users who have been added with acls like sue in the example. It also provides the rights for a user. In the example, sue has rwx to the file myfile.

The setfacl command is used to create or modify the acl rights. For example if you wanted to change the acl for mike on a file you would use this command:

setfacl -m u:mike:rwx file or directory

The -m is to modify the acl and the "u" is for the user which is specifically named, "mike", followed by the rights and the file or directory. Change the "u" to a "g" and you will be changing group acls.

setfacl -m g:sales:rw file or directory

If you want to configure a directory so that all files that are created will inherit the acls of the directory you would use the "d" option before the user or group.

setfacl -m d:u:mike:rw directory

To remove rights use the "x" option.

setfacl -x u:mike file or directory

Backups with ACLs
One word of caution with backups using tar. Red Hat /Centos distributions support acls in the tar program but Ubuntu does not support acls when backing up. This means that all acls will be lost when you create a backup. If Ubuntu wants to provide a server, they need to think about providing server quality applications.  acls without any way to retain them in a backup is not acceptable.

LAB....put into action what you learn

This lab will help you learn how to manage ACLs. All labs should be completed in a test environment.

1. Create a group called accounting.

groupadd accounting

Create 3 users, joe,jim and jane and put them in the accounting group.

Edit the /etc/group file and place them in the accounting group, separated by commas.

Create the /home/accounting directory, make accounting the group with access to the /home/accounting directory.

chown root:accounting /home/accounting

2. joe creates folders and sets permissions

mkdir /home/accounting/sales
mkdir /home/accounting/research

touch /home/accounting/sales/sales_report
touch /home/accounting/sales/decline

Add text to both and set these acls.

setfacl -m u:jim:rwx /home/accounting/sales/sales_report

setfacl -m u:jane:r /home/accounting/sales/decline

setfacl -m g:accounting:r /home/accounting/sales

Add text to the two files.

3. Test Permissions

Login as both jim and jane and try to read and write to the two files that are created.

Copyright CyberMontana Inc. and BeginLinux.com