2025-04-03 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article explains how to use access control lists (ACLs) to protect files or directories in Linux. The method is simple, fast and practical, and the walkthrough below shows it end to end.
As system administrators, our first task is to keep data away from people who are not authorized to access it. We all know the permissions set with chmod, chown and chgrp, but the traditional owner/group/other permission bits have a limitation: they cannot express different permission sets for different users (or for several groups) on the same file or directory. That is the gap access control lists (ACLs) fill.
Linux access Control list
For example, you have three users, "tecmint1", "tecmint2" and "tecmint3", who all share one secondary group, say "acl". User "tecmint1" wants only "tecmint2" to be able to read files owned by "tecmint1", and nobody else to have access to them. Group permissions cannot express this, because "tecmint3" is in the same group.
Access control lists (ACLs) let us do exactly that: grant permissions to an individual user, to a group, or to users who are neither the owner nor members of the file's group, each independently of the others.
Note: according to the Red Hat documentation, ACL support is provided for ext3 file systems and for NFS-exported file systems. The kernel configuration shown below also lists ACL support for ext4, XFS, Btrfs, JFS, tmpfs and others.
How do I check ACL support in a Linux system?
Before moving on to the next step, you should make sure that ACL is supported on the existing kernel and mounted file systems.
1. Check if the kernel supports ACL.
Run the following command to check whether the kernel was built with POSIX ACL support for your file system; look for the matching _POSIX_ACL=y option (=m means it is built as a loadable module). If the option is =n or missing, the kernel does not support ACLs on that file system and needs to be rebuilt.
[root@linux] # grep -i acl /boot/config*
CONFIG_EXT4_FS_POSIX_ACL=y
CONFIG_REISERFS_FS_POSIX_ACL=y
CONFIG_JFS_POSIX_ACL=y
CONFIG_XFS_POSIX_ACL=y
CONFIG_BTRFS_FS_POSIX_ACL=y
CONFIG_FS_POSIX_ACL=y
CONFIG_GENERIC_ACL=y
CONFIG_TMPFS_POSIX_ACL=y
CONFIG_NFS_V3_ACL=y
CONFIG_NFSD_V2_ACL=y
CONFIG_NFSD_V3_ACL=y
CONFIG_NFS_ACL_SUPPORT=m
CONFIG_CIFS_ACL=y
CONFIG_9P_FS_POSIX_ACL=y
2. Check the required packages.
Before you start working with ACLs, make sure the required packages are installed. Install them with yum or apt-get:
[root@linux ~] # yum install nfs4-acl-tools acl libacl        [on RedHat based systems]
[tecmint@linux ~] $ sudo apt-get install nfs4-acl-tools acl   [on Debian based systems]
3. Check whether the mounted file system supports ACL.
Now check whether the mounted file system was mounted with the acl option. The "mount" command shows the active mount options:
[root@linux ~] # mount | grep -i root
/dev/mapper/fedora-root on / type ext4 (rw,relatime,data=ordered)
Here acl is not listed among the active options. One way forward is to remount the partition with the acl option. Before doing that, though, check whether acl is already one of the file system's default mount options: on newer systems it usually is, and options that come from the superblock defaults are not necessarily shown in the active mount list. (XFS needs no option at all; its ACL support is always on.)
[root@linux ~] # tune2fs -l /dev/mapper/fedora-root | grep acl
Default mount options:    user_xattr acl
The output above shows that acl is already a default mount option. If it is not, remount the partition with the option:
[root@linux] # mount -o remount,acl /
Then add the following entry to /etc/fstab so that the option survives a reboot:
/dev/mapper/fedora-root / ext4 defaults,acl 1 1
Remount the partition again:
[root@linux] # mount -o remount /
4. For NFS servers.
On an NFS server, if the exported file system supports ACLs and the NFS client can read them, the client system can use ACLs.
To disable ACLs on an NFS export, add the "no_acl" option to the export's entry in "/etc/exports" on the NFS server. To disable them on the NFS client side instead, use the "noacl" option when mounting the share.
How to implement ACL support in Linux system?
There are two types of ACL:
◦ access ACL: the access ACL is the list that controls access to a specific file or directory; every file and directory has one (the standard permission bits are its minimal form).
◦ default ACL: a default ACL can be set only on a directory; it does not control access to that directory itself but is inherited by files and subdirectories created inside it.
The differences between the access ACL and the default ACL are:
◦ A default ACL can only be set at the directory level.
◦ Any subdirectory created in that directory inherits the parent's default ACL, both as its own default ACL and as its access ACL; a file created there inherits the parent's default ACL as its access ACL (further limited by the mode the creating program requested).
◦ We use the "-d" option (or the "d:" prefix on an entry) to set a default ACL; setting a default ACL is optional.
Before setting the default ACL
To view the default ACL of a directory, use the "getfacl" command. In the following example, getfacl shows the default ACL of the folder "Music".
[root@linux ~] # getfacl Music/
# file: Music/
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::r-x
default:other::rw-
After setting the default ACL
To set the default ACL of a directory, use the "setfacl" command. In the following example, setfacl sets the default entry for "other" on the folder "Music" to read and execute (the "d:" prefix makes it a default entry):
[root@linux ~] # setfacl -m d:o:rx Music/
[root@linux ~] # getfacl Music/
# file: Music/
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::r-x
default:other::r-x
How to set up a new ACL
Use the "setfacl" command to set or modify the ACL of any file or directory. For example, to grant the user "tecmint1" read and write permission on /tecmint1/example:
# setfacl -m u:tecmint1:rw /tecmint1/example
How to view ACL
Use the "getfacl" command to view the ACL of any file or directory. For example, to view the ACL on "/tecmint1/example":
# getfacl /tecmint1/example
# file: tecmint1/example/
# owner: tecmint1
# group: tecmint1
user::rwx
user:tecmint1:rwx
user:tecmint2:r--
group::rwx
mask::rwx
other::---
How to delete an ACL
To remove ACL entries from a file or directory, use the -x and -b options. With -x the entry is named without permissions (for example u:tecmint2); -b strips every extended entry and leaves only the plain permission bits.
# setfacl -x ACL file/directory    # remove only the specified entry
# setfacl -b file/directory        # remove all extended ACL entries
You might as well implement ACL into the following scenarios.
Both users (tecmint1 and tecmint2) share a secondary group called "acl". We will create a directory owned by the "tecmint1" user and give the user "tecmint2" read and execute permission on it.
Step 1: create the two users and clear their passwords (lab setup only: passwd -d leaves the accounts with an empty password, so do not do this on a production host).
[root@linux ~] # for user in tecmint1 tecmint2
> do
> useradd $user
> passwd -d $user
> done
Removing password for user tecmint1.
passwd: Success
Removing password for user tecmint2.
passwd: Success
Step 2: create the group and add both users to it as a secondary group (-a appends to the user's existing group list instead of replacing it).
[root@linux ~] # groupadd acl
[root@linux ~] # usermod -aG acl tecmint1
[root@linux ~] # usermod -aG acl tecmint2
Step 3: create the directory /tecmint1 and change its ownership to tecmint1.
[root@linux ~] # mkdir /tecmint1
[root@linux ~] # chown tecmint1 /tecmint1/
[root@linux ~] # ls -ld /tecmint1/
drwxr-xr-x 2 tecmint1 root 4096 Apr 17 14:46 /tecmint1/
[root@linux ~] # getfacl /tecmint1
getfacl: Removing leading '/' from absolute path names
# file: tecmint1
# owner: tecmint1
# group: root
user::rwx
group::r-x
other::r-x
Step 4: log in as tecmint1 and create a directory under /tecmint1.
[tecmint@linux ~] $ su - tecmint1
Last login: Thu Apr 17 14:49:16 IST 2014 on pts/4
[tecmint1@linux ~] $ cd /tecmint1/
[tecmint1@linux tecmint1] $ mkdir example
[tecmint1@linux tecmint1] $ ll
total 4
drwxrwxr-x 2 tecmint1 tecmint1 4096 Apr 17 14:50 example
[tecmint1@linux tecmint1] $ whoami
tecmint1
Step 5: now use "setfacl" to set the ACL so that "tecmint1" has full rwx (read, write and execute) permission, "tecmint2" has only read permission on the "example" folder, and other users have no permission at all. (The named entry for tecmint1 is redundant: as owner, tecmint1 is already covered by the user:: entry.)
$ setfacl -m u:tecmint1:rwx example/
$ setfacl -m u:tecmint2:r-- example/
$ setfacl -m o::--- example/
$ getfacl example/
# file: example
# owner: tecmint1
# group: tecmint1
user::rwx
user:tecmint1:rwx
user:tecmint2:r--
group::r-x
mask::rwx
other::---
Step 6: now log in on another terminal as the other user ("tecmint2") and change directory to "/tecmint1". Use "ls" to look at the contents, then try to change into the directory and note the difference: read permission lets tecmint2 list the names in "example", but without execute (search) permission the directory cannot be entered.
[tecmint@linux ~] $ su - tecmint2
Last login: Thu Apr 17 15:03:31 IST 2014 on pts/5
[tecmint2@linux ~] $ cd /tecmint1/
[tecmint2@linux tecmint1] $ ls -lR example/
example/:
total 0
[tecmint2@linux tecmint1] $ cd example/
-bash: cd: example/: Permission denied
[tecmint2@linux tecmint1] $ getfacl example/
# file: example
# owner: tecmint1
# group: tecmint1
user::rwx
user:tecmint1:rwx
user:tecmint2:r--
group::rwx
mask::rwx
other::---
Step 7: now grant "tecmint2" execute permission on the "example" folder as well and try "cd" again. "tecmint2" can now enter and view the directory but still cannot write anything in it.
[tecmint1@linux tecmint1] $ setfacl -m u:tecmint2:r-x example/
[tecmint1@linux tecmint1] $ getfacl example/
# file: example
# owner: tecmint1
# group: tecmint1
user::rwx
user:tecmint1:rwx
user:tecmint2:r-x
group::rwx
mask::rwx
other::---
[tecmint@linux ~] $ su - tecmint2
Last login: Thu Apr 17 15:09:49 IST 2014 on pts/5
[tecmint2@linux ~] $ cd /tecmint1/
[tecmint2@linux tecmint1] $ cd example/
[tecmint2@linux example] $ getfacl .
[tecmint2@linux example] $ mkdir test
mkdir: cannot create directory 'test': Permission denied
[tecmint2@linux example] $ touch test
touch: cannot touch 'test': Permission denied
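The two outcomes in steps 6 and 7, and the "mask::" line that appears in every listing above, follow from the access-check order in acl(5): the owner entry first, then a named user entry, then the owning group and named group entries, then other, with the mask applied to everything except the owner and other entries. The following Python program, an added example that is not part of the original article, models that check and runs it over getfacl output. It is written in Python rather than run against setfacl so that it needs neither root nor an ACL-enabled file system; the two getfacl listings inside it are constructed (the second assumes someone ran chmod g-w on the directory, which rewrites the mask), and the user "tecmint3" is hypothetical.

```python
from __future__ import annotations
from dataclasses import dataclass, field

ALL = frozenset("rwx")

# Constructed getfacl output: the "example" directory after step 5 (tecmint2 has r--).
GETFACL_STEP5 = """\
# file: example
# owner: tecmint1
# group: tecmint1
user::rwx
user:tecmint1:rwx
user:tecmint2:r--
group::r-x
mask::rwx
other::---
"""

# Constructed: the same directory after "chmod g-w example/" rewrote the mask to r-x.
GETFACL_MASKED = """\
# file: example
# owner: tecmint1
# group: tecmint1
user::rwx
user:tecmint2:rw-\t\t#effective:r--
group::r-x
group:acl:rwx\t\t#effective:r-x
mask::r-x
other::---
"""

@dataclass
class Acl:
    owner: str = ""
    group: str = ""
    user_obj: frozenset = ALL
    group_obj: frozenset = frozenset()
    other: frozenset = frozenset()
    mask: frozenset | None = None   # None: minimal ACL (mode bits only), no mask entry
    named_users: dict = field(default_factory=dict)
    named_groups: dict = field(default_factory=dict)

def _perms(text: str) -> frozenset:
    """'r-x' -> {'r','x'}; a trailing '#effective:...' note is ignored."""
    return frozenset(c for c in text.split("#")[0] if c in "rwx")

def parse_getfacl(text: str) -> Acl:
    """Parse one object's getfacl listing. default: entries are skipped: they
    shape the ACL of new children but never grant access to this object."""
    acl = Acl()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("default:"):
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            if key.strip() in ("owner", "group"):
                setattr(acl, key.strip(), value.strip())
            continue
        tag, qualifier, perms = line.split(":", 2)
        if tag in ("user", "group") and qualifier:          # named user / group entry
            (acl.named_users if tag == "user" else acl.named_groups)[qualifier] = _perms(perms)
        elif tag in ("user", "group", "mask", "other"):     # user::, group::, mask::, other::
            setattr(acl, {"user": "user_obj", "group": "group_obj"}.get(tag, tag), _perms(perms))
        else:
            raise ValueError(f"unknown ACL entry: {line!r}")
    return acl

def effective(acl: Acl, user: str, groups=()) -> frozenset:
    """Permissions `user` (member of `groups`) gets, in acl(5) evaluation order."""
    mask = ALL if acl.mask is None else acl.mask
    if user == acl.owner:                  # 1. owner: the user:: entry, never masked
        return acl.user_obj
    if user in acl.named_users:            # 2. named user entry, cut down by the mask
        return acl.named_users[user] & mask
    matched, perms = False, frozenset()    # 3. group class: union of all matches, masked
    for g in groups:
        if g == acl.group:
            matched, perms = True, perms | (acl.group_obj & mask)
        if g in acl.named_groups:
            matched, perms = True, perms | (acl.named_groups[g] & mask)
    if matched:
        return perms                       # a group match ends the search even if empty
    return acl.other                       # 4. everyone else

def allowed(acl: Acl, user: str, groups, want: str) -> bool:
    """True if every permission character in `want` ('rx', 'w', ...) is granted."""
    return set(want) <= effective(acl, user, groups)

def limited_by_mask(acl: Acl) -> dict:
    """Entries granting more than the mask lets through (what getfacl flags as
    #effective). A chmod on the group bits rewrites the mask and causes this."""
    if acl.mask is None:
        return {}
    entries = {f"user:{n}": p for n, p in acl.named_users.items()}
    entries.update({f"group:{n}": p for n, p in acl.named_groups.items()})
    entries["group::"] = acl.group_obj
    return {name: p - acl.mask for name, p in entries.items() if p - acl.mask}
```

Run against the step 5 listing, effective() gives tecmint2 exactly {r}, which is why "ls" worked and "cd" was denied; with r-x it gives {r, x} and no w, matching the failed mkdir and touch. The second listing shows the trap the article's listings never hit: after chmod g-w the named entries still read rw- and rwx in getfacl, yet the effective permission is r-x, which getfacl marks with #effective and limited_by_mask() reports. setfacl -m itself recalculates the mask unless -n is given, so the usual way to end up here is a later chmod.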
Note: once a file or directory carries an extended ACL, "ls -l" shows an extra "+" after the permission bits, as shown below. Treat that "+" as a prompt to run getfacl: the nine mode characters alone no longer tell you who has access, and the group bits displayed are the ACL mask rather than the owning group's permission.
[root@linux tecmint1] # ll
total 4
drwxrwx---+ 2 tecmint1 tecmint1 4096 Apr 17 17:01 example
This should give you a better understanding of how to use access control lists in Linux to protect files or directories; the best way to learn it is to try it out yourself.