- Linux Training
- Desktop Tutorials
- Server Tutorials
|Ubuntu Access Control Lists|
|Server Training - Server Management|
Access Control Lists (ACLs) allow you to provide different levels of access to files and folders for different users. One of the dangers that acls attempt to avoid is allowing users to create files with 777 permissions, which become system wide security issues. Ubuntu does not install acls by default, you must install them and configure the file system so that acls are active. ACLs are an important tool that administrators must understand as well as educate users how to employ them properly.
Install acls on Ubuntu 8.10
acls on New Partitions
Since acls are not installed on any partitions the administrator must activate acls.. In the example, it shows how to manually install the acl on the /home directory. In this illustration the administrator has added the acl option to the /home directory in the /etc/fstab file. As you can see the word "acl" follows a comma after ext3 and then the file was saved. CAUTION: make a backup of your /etc/frstab before you modify it so you can recover if you make a mistake.
UUID=27515417-03d4-4175-bcf3-e655a19a6cb2 /home ext3,acl relatime 0 2
Once the file is saved remount the directory with the acl.
mount -o remount,acl /home
getfacl file or directory
This command will list all of the current acls on the file or directory. For example if a user (tom) creates a file and gives acl rights to another user this is what the output would look like.
# file: myfile
# owner: tom
# group: tom
The getfacl shows typical ownership as well as additional users who have been added with acls like sue in the example. It also provides the rights for a user. In the example, sue has rwx to the file myfile.
The setfacl command is used to create or modify the acl rights. For example if you wanted to change the acl for mike on a file you would use this command:
setfacl -m u:mike:rwx file or directory
The -m is to modify the acl and the "u" is for the user which is specifically named, "mike", followed by the rights and the file or directory. Change the "u" to a "g" and you will be changing group acls.
setfacl -m g:sales:rw file or directory
If you want to configure a directory so that all files that are created will inherit the acls of the directory you would use the "d" option before the user or group.
setfacl -m d:u:mike:rw directory
To remove rights use the "x" option.
setfacl -x u:mike file or directory
Backups with ACLs
LAB....put into action what you learn
This lab will help you learn how to manage ACLs. All labs should be completed in a test environment.
1. Create a group called accounting.
chown root:accounting /home/accounting
Copyright CyberMontana Inc. and BeginLinux.com
All rights reserved. Cannot be reproduced without written permission. Box 1262 Trout Creek, MT 59874