Shulou(Shulou.com)06/01 Report--

This article focuses on "how to use access control lists to protect files or directories in Linux". Interested friends may wish to take a look. The method introduced in this paper is simple, fast and practical. Let's let the editor learn how to use access control lists to protect files or directories in Linux.

As system administrators, our first task is to effectively protect the data from being accessed by unauthorized people. We are all well aware of the permissions set with some helpful Linux commands, such as chmod, chown, and chgrp, but these default permission sets have some limitations and may not meet our requirements sometimes. For example, we cannot set different permission sets for different users for the same directory or file. Therefore, access control list (ACL) arises at the historic moment.

Linux access Control list

For example, you have three users, namely "tecmint1", "tecmint2" and "tecmint3". Each user has a common user group, such as "acl". User "tecmint1" wants only "tecmint2" users to read and access files owned by "tecmint1" users, and no one else has access to the file.

Access control lists (ACL) allow us to do the same. These ACL allow us to grant permissions to a user, to a user group, or to any group of users who are not in the user group list.

Note: according to the Red Hat product instructions, it provides ACL support for ext3 file systems and NFS export file systems.

How do I check ACL support in a Linux system?

Before moving on to the next step, you should make sure that ACL is supported on the existing kernel and mounted file systems.

1. Check if the kernel supports ACL.

Run the following command to check if ACL support is provided for the file system and if there is an POSIX_ACL=Y option (if N instead of Y appears, this means that the kernel does not support ACL and needs to be recompiled).

[root@linux] # grep-I acl / boot/config*

CONFIG_EXT4_FS_POSIX_ACL=y

CONFIG_REISERFS_FS_POSIX_ACL=y

CONFIG_JFS_POSIX_ACL=y

CONFIG_XFS_POSIX_ACL=y

CONFIG_BTRFS_FS_POSIX_ACL=y

CONFIG_FS_POSIX_ACL=y

CONFIG_GENERIC_ACL=y

CONFIG_TMPFS_POSIX_ACL=y

CONFIG_NFS_V3_ACL=y

CONFIG_NFSD_V2_ACL=y

CONFIG_NFSD_V3_ACL=y

CONFIG_NFS_ACL_SUPPORT=m

CONFIG_CIFS_ACL=y

CONFIG_9P_FS_POSIX_ACL=y

two。 Check the required packages.

Before you start working on ACL, make sure you have the required packages installed. Here are the required packages that need to be installed using the yum or apt-get command.

[root@linux ~] # yum install nfs4-acl-tools acl libacl [on RedHat based systems] [tecmint@linux ~] $sudo apt-get install nfs4-acl-tools acl [on Debian based systems]

3. Check whether the mounted file system supports ACL.

Now check to see if the mounted file system is mounted with the ACL option. We can use the "mount" command to do the same check, as shown below.

[root@linux ~] # mount | grep-I root/dev/mapper/fedora-root on / type ext4 (rw,relatime,data=ordered)

In this case, however, it does not display acl by default. So, next we can use the acl option again to remount the mounted partition. But before moving on to the next step, we have another option: make sure you don't use the acl option to mount, because for newer systems, it may incorporate the default mount option.

[root@linux ~] # tune2fs-l / dev/mapper/fedora-root | grep aclDefault mount options: user_xattr acl

In the output above, you can see that the default mount option already supports acl. Another option is to remount the partition, as shown below.

[root@linux] # mount-o remount,acl /

Next, add the following entry to the / etc/fstab file to make it *.

/ dev/mapper/fedora-root / ext4 defaults,acl 1 1

Remount the partition again.

[root@linux] # mount-o remount /

4. For NFS servers.

On the NFS server, if the file system exported by the NFS server supports ACL,ACL and can be read by the NFS client, then the client system can use ACL.

To disable ACL on the NFS share, you have to add the option "no_acl" to the "/ etc/exportfs" file on the NFS server. If you want to disable it on the NSF client, use the "no_acl" option again during mount.

How to implement ACL support in Linux system?

There are two types of ACL:

◦ access ACL: access ACL is used to grant permissions for any file or directory.

◦ default ACL: the default ACL is used to grant / set access control lists for specific directories only.

The difference between accessing ACL and the default ACL is as follows:

◦ default ACL can only be used at the directory level.

Any subdirectories or files created by ◦ in this directory will inherit ACL from the parent directory. On the other hand, the file inherits the default ACL as its access ACL.

◦ We use "- d" to set the default ACL, and the default ACL is optional.

Before setting the default ACL

To set the default ACL for a specific file or directory, you can use the "getfacl" command. In the following example, getfacl is used to get the default ACL for the folder "Music".

[root@linux ~] # getfacl Music/# file: Music/# owner: root# user group: rootuser::rwxgroup::r-xother::r-xdefault:user::rwxdefault:group::r-xdefault:other::rw-

After setting the default ACL

To set the default ACL for a specific file or directory, use the "setfacl" command. In the following example, the setfacl command sets the new ACL (read and execute) for the folder "Music".

[root@linux ~] # setfacl-m d:o:rx Music/ [root@linux ~] # getfacl Music/# file: Music/# owner: root# user group: rootuser::rwxgroup::r-xother::r-xdefault:user::rwxdefault:group::r-xdefault:other::r-x

How to set up a new ACL

Use the "setfacl" command to set or modify any file or directory. For example, you want to grant read and write permissions to the user "tecmint1".

# setfacl-m u:tecmint1:rw / tecmint1/example

How to view ACL

Use the "getfacl" command to view the ACL of any file or directory. For example, to view the ACL on "/ tecmint1/example", use the following command.

# getfacl / tecmint1/example

# File: tecmint1/example/

# owner: tecmint1

# user group: tecmint1

User::rwx

User:tecmint1:rwx

User:tecmint2:r--

Group::rwx

Mask::rwx

Other::

How to delete an ACL

To delete the ACL of any file / directory, we can use the x and b options, as shown below.

# setfacl-x ACL file/directory # Delete only the specified ACL# setfacl of files / directories-b file/directory # Delete all ACL of files / directories

You might as well implement ACL into the following scenarios.

Both users (tecmint1 and tecmint2) have a common auxiliary group called "acl". We will create a directory owned by the "tecmint1" user and provide the user "tecmint2" with read and execute permissions on that directory.

Step 1: create two users and clear their passwords.

[root@linux ~] # for user in tecmint1 tecmint2

> do

> useradd $user

> passwd-d $user

> done

Removing password for user tecmint1.

Passwd: Success

Removing password for user tecmint2.

Passwd: Success

Step 2: create user groups and users for the auxiliary group.

[root@linux ~] # groupadd acl [root@linux ~] # usermod-G acl tecmint1 [root@linux ~] # usermod-G acl tecmint2

Step 3: create the directory / tecmint and change the ownership to tecmint1.

[root@linux ~] # mkdir / tecmint1

[root@linux ~] # chown tecmint1/ tecmint1/

[root@linux ~] # ls-ld / tecmint1/

Drwxr-xr-x 2 tecmint1 root 4096 Apr 17 14:46 / tecmint1/

[root@linux ~] # getfacl / tecmint1

Getfacl: Removing leading'/ 'from absolute path names

# File: tecmint1

# owner: tecmint1

# user group: root

User::rwx

Group::r-x

Other::r-x

Step 4: log in as tecmint1 and create a directory under the / tecmint folder.

[tecmint@linux ~] $su-tecmint1

Last login: Thu Apr 17 14:49:16 IST 2014 on pts/4

[tecmint1@linux ~] $cd / tecmint1/

[tecmint1@linux tecmint1] $mkdir example

[tecmint1@linux tecmint1] $ll

Total 4

Drwxrwxr-x 2 tecmint1 tecmint1 4096 Apr 17 14:50 example

[tecmint1@linux tecmint1] $whoami

Tecmint1

Step 5: now use "setfacl" to set ACL, so that "tecmint1" users will have all rwx (read, write, and execute) permissions, "tecmint2" users only have read permissions on the "example" folder, and other users do not have any permissions.

$setfacl-m u:tecmint1:rwx example/

$setfacl-muVOTECMINT2RAPHY-example/

$setfacl-m other:--- example/

$getfacl example/

# File: example

# owner: tecmint1

# user group: tecmint1

User::rwx

User:tecmint1:rwx

User:tecmint2:r--

Group::r-x

Mask::rwx

Other::

Step 6: now log in to the other terminal as another user (that is, "tecmint2") and change the directory to "/ tecmint1". Now try using the "ls" command, look at the contents, and then try to change the directory to see the difference, as shown below.

[tecmint@linux ~] $su-tecmint2

Last login: Thu Apr 17 15:03:31 IST 2014 on pts/5

[tecmint2@linux ~] $cd / tecmint1/

[tecmint2@linux tecmint1] $ls-lR example/

Example/:

Total 0

[tecmint2@linux tecmint1] $cd example/

-bash: cd: example/: Permission denied

[tecmint2@linux tecmint1] $getfacl example/

# File: example

# owner: tecmint1

# user group: tecmint1

User::rwx

User:tecmint1:rwx

User:tecmint2:r--

Group::rwx

Mask::rwx

Other::

Step 7: now grant the "tecmint2" user "execute" permission for the "example" folder, and then use the "cd" command to see what happens. The "tecmint2" user now has permission to view and change directories, but does not have permission to write anything.

[tecmint1@linux tecmint1] $setfacl-m u:tecmint2:r-x example/

[tecmint1@linux tecmint1] $getfacl example/

# File: example

# owner: tecmint1

# user group: tecmint1

User::rwx

User:tecmint1:rwx

User:tecmint2:r-x

Group::rwx

Mask::rwx

Other::

[tecmint@linux ~] $su-tecmint2

Last login: Thu Apr 17 15:09:49 IST 2014 on pts/5

[tecmint2@linux ~] $cd / tecmint1/

[tecmint2@linux tecmint1] $cd example/

[tecmint2@linux example] $getfacl. [tecmint2@linux example] $mkdir test

Mkdir: cannot create directory 'test': Permission denied

[tecmint2@linux example] $touch test

Touch: cannot touch 'test': Permission denied

Note: after implementing ACL, you will see that the "ls-l" output has an extra "+" symbol, as shown below.

[root@linux tecmint1] # ll

Total 4

Drwxrwx---+ 2 tecmint1 tecmint1 4096 Apr 17 17:01 example, I believe you have a better understanding of "how to use access control lists in Linux to protect files or directories", you might as well do it! Here is the website, more related content can enter the relevant channels to inquire, follow us, continue to learn!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.