ACLs allow fine-grained permissions to be allocated to files and directories. Often you want to share files among certain groups and specific users. It is good practice to designate a directory for that purpose and to allow those groups and users to read, write and execute files in that directory, as well as create new files in it. Such special permissions can be given using ACLs.
In an ACL the permission flags are “r” (read), “w” (write) and “x” (execute), on files or directories.
File system mount option
ACLs can only be used on an ACL-enabled partition, which means you need to enable ACL support when mounting the partition. XFS file systems have built-in ACL support. EXT4, EXT3 and EXT2 file systems created on CentOS 7/RHEL 7 have the acl option enabled by default, but EXT4, EXT3 and EXT2 file systems created in earlier versions of CentOS or RHEL may need the acl option included in the mount request.
Note: If you are using an earlier version of CentOS, RHEL or Fedora, you may need to add the acl option while mounting the disk, using the syntax below.
# mount -o acl <Partition Name> <Mount Point>
In our case acl is enabled by default. To make sure the partition is mounted with the acl option, check with the command below.
[root@server1 /]# tune2fs -l /dev/aclvg/acllv | grep acl
Default mount options: user_xattr acl
[root@server1 /]#
Note that tune2fs reports the default mount options stored in the ext file system's superblock; the options currently in effect for a mounted file system are listed in /proc/mounts.
Before starting with ACLs, make sure that you have the required packages installed.
[root@server1 ~]# yum install acl libacl      (RPM based systems)
[gaurav@client2 ~]$ sudo apt-get install acl    (Debian based systems)
1.) Check how acl will work.
There are two types of ACLs: default ACLs and access ACLs. Let's check the default permissions (default ACLs) and the ACL permissions (access ACLs) on files or directories using the getfacl command.
# getfacl <option> <dir/file name>
Options:
-d  Displays the default ACL.
-R  Recurses into subdirectories.
[root@server1 ~]# getfacl /storage/
getfacl: Removing leading '/' from absolute path names
# file: storage/
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
The output above shows the default permissions of the /storage directory. Now let's assign full permissions to the directory and then apply an ACL to it, so that we can analyze how the ACL works.
[root@server1 ~]# chmod 777 /storage/
[root@server1 ~]# ls -ld /storage/
drwxrwxrwx. 3 root root 4096 Sep 28 22:27 /storage/
[root@server1 ~]#
Now we are ready to apply an ACL, but first let's understand the command and its options in detail. The syntax to apply an ACL is:
# setfacl <option> <file/directory name>
Options:
-m  Modifies an ACL.
-x  Removes an ACL entry.
-R  Recurses into subdirectories.
The possible arguments are:
u: user
g: group
o: others
Now, to assign read and execute permission to a particular user, the syntax is:
# setfacl -m u:<username>:<permission> <file or dir name>
# setfacl -m u:anil:rx /storage
[root@server1 ~]# setfacl -m u:anil:rx /storage
[root@server1 ~]# getfacl /storage/
getfacl: Removing leading '/' from absolute path names
# file: storage/
# owner: root
# group: root
user::rwx
user:anil:r-x
group::rwx
mask::rwx
other::rwx
[root@server1 ~]#
As shown above, user anil has read and execute permission on the /storage directory. The mask:: entry that now appears in the output is the upper bound on the rights any named user or group entry can grant; here it is rwx, so anil's r-x applies in full.
Now log in as user “anil” and try to create a file inside the /storage directory. Because we have not given “anil” write permission in the ACL, the directory refuses to let “anil” create a file in it, even though its mode grants full permission to everyone.
[root@server1 ~]# su - anil
Last login: Wed Sep 28 22:10:56 EDT 2016 on pts/1
[anil@server1 ~]$ cd /storage/
[anil@server1 storage]$ touch sandetails.txt
touch: cannot touch ‘sandetails.txt’: Permission denied
[anil@server1 storage]$ ls -ld /storage/
drwxrwxrwx+ 3 root root 4096 Sep 28 22:27 /storage/
[anil@server1 storage]$
Observe that when you check the permissions, a “+” sign is shown after the normal permission bits; it indicates that an ACL is applied to this directory.
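As an added example (not part of the original post), the shell function below reads getfacl output and works out the effective rights of every named user, named group and owning-group entry, which is the entry ANDed with the mask:: entry seen in the output above. Both sample ACLs are constructed for the demo: the first is the /storage ACL from this post with mask rwx, the second is a hypothetical state of the same directory after a later chmod 750, which rewrites the mask to r-x and silently caps what the named entries grant.

```shell
#!/bin/sh
# Added example (not from the original post): report the *effective* rights of
# each ACL entry, i.e. the entry ANDed with the mask entry, which is how the
# kernel evaluates named-user, named-group and owning-group entries.
# Input: getfacl output on stdin. Default (inherited) entries are skipped.

acl_effective() {
    awk -F: '
        # strip the "#effective:..." annotation getfacl may append
        { sub(/[ \t]+#effective:.*$/, "") }
        # skip the "# file:" comment block, blank lines and default entries
        /^#/ || NF == 0 || $1 == "default" { next }
        $1 == "mask" { mask = $3; next }
        # entries bounded by the mask: named users, named groups, owning group;
        # user:: (owner) and other:: are never masked
        $1 == "user" && $2 != "" { entries[++n] = $0; next }
        $1 == "group"            { entries[++n] = $0; next }
        END {
            if (mask == "") mask = "rwx"   # no mask entry means no restriction
            for (i = 1; i <= n; i++) {
                split(entries[i], f, ":")
                eff = ""
                for (j = 1; j <= 3; j++) {
                    c = substr(f[3], j, 1); m = substr(mask, j, 1)
                    bit = (c != "-" && c == m) ? c : "-"
                    eff = eff bit
                }
                note = (eff != f[3]) ? " (limited by mask)" : ""
                printf "%s:%s:%s effective=%s%s\n", f[1], f[2], f[3], eff, note
            }
        }'
}

# Only the entries whose effective rights include write: the list a reviewer
# of a shared directory usually wants first.
acl_effective_writers() {
    acl_effective | grep 'effective=.w' || true
}

# Constructed sample 1: the /storage ACL shown in step 3 of the post (mask rwx).
sample_acl_open() {
    cat <<'EOF'
# file: storage/
# owner: root
# group: root
user::rwx
user:anil:r-x
group::rwx
group:Network:r-x
mask::rwx
other::rwx
EOF
}

# Constructed sample 2 (hypothetical): the same directory after "chmod 750",
# which rewrites the mask to r-x; getfacl then annotates the capped entries.
sample_acl_masked() {
    cat <<'EOF'
# file: storage/
# owner: root
# group: root
user::rwx
user:anil:rwx           #effective:r-x
group::rwx              #effective:r-x
group:Network:r-x
mask::r-x
other::---
EOF
}

# Real use: getfacl -p /storage | acl_effective
echo "== mask rwx =="; sample_acl_open | acl_effective
echo "== mask r-x =="; sample_acl_masked | acl_effective
```

The point of the second sample is that a plain chmod on an ACL-bearing directory changes the mask, not the named entries, so `user:anil:rwx` stays in the listing while anil actually has r-x; checking effective rights rather than the raw entries is what prevents an audit from over- or under-counting who can write.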
2.) Assign read, write and execute permission to the anil user.
# setfacl -m u:anil:rwx /storage
[root@server1 /]# setfacl -m u:anil:rwx /storage
[root@server1 /]# su - anil
Last login: Wed Sep 28 22:56:49 EDT 2016 on pts/0
[anil@server1 ~]$ cd /storage/
[anil@server1 storage]$ touch sandetails.txt
[anil@server1 storage]$ ll
total 24
drwx------. 2 root root 16384 Sep 28 22:27 lost+found
-rw-rw-r--. 1 anil anil 0 Sep 28 23:13 sandetails.txt
[anil@server1 storage]$
After being granted write permission through the ACL, user “anil” can create files.
3.) Assigning read and execute permission to a user and a group.
# setfacl -m u:anil:rx,g:Network:rx /storage
[root@server1 /]# getent group | grep Network
Network:x:1005:sam,frank
[root@server1 /]# setfacl -m u:anil:rx,g:Network:rx /storage
[root@server1 /]# getfacl /storage/
getfacl: Removing leading '/' from absolute path names
# file: storage/
# owner: root
# group: root
user::rwx
user:anil:r-x
group::rwx
group:Network:r-x
mask::rwx
other::rwx
4.) Removing the ACL for a particular user and group.
# setfacl -x u:<username> <file name/Directory Name>
[root@server1 /]# setfacl -x u:anil /storage
[root@server1 /]# getfacl /storage/
getfacl: Removing leading '/' from absolute path names
# file: storage/
# owner: root
# group: root
user::rwx
group::rwx
group:Network:r-x
mask::rwx
other::rwx
# setfacl -x g:<group name> <file/Directory Name>
[root@server1 /]# setfacl -x g:Network /storage
[root@server1 /]# getfacl /storage/
getfacl: Removing leading '/' from absolute path names
# file: storage/
# owner: root
# group: root
user::rwx
group::rwx
mask::rwx
other::rwx
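Removing one entry from one directory, as above, is easy to do by hand; the usual operational need is to find every entry naming a user or group across a whole tree and revoke them all. The following is an added example, not code from the original post: a shell function that reads the output of getfacl -R -p (both real options; -p keeps the full path in each “# file:” line) and prints the setfacl -x command for each matching access or default entry. The sample getfacl output is constructed for the demo, and the default entry on /storage is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): list every access and default ACL
# entry that names one user or group across a directory tree, and print the
# "setfacl -x" command that removes it, e.g. to revoke a departed user's rights.
# Input on stdin is the output of:  getfacl -R -p <dir>   (-p keeps full paths)

acl_entries_for() {
    # $1 is "u" (user) or "g" (group), $2 the name to look for
    awk -F: -v kind="$1" -v name="$2" -v q="'" '
        BEGIN { want = (kind == "u") ? "user" : "group" }
        { sub(/[ \t]+#effective:.*$/, "") }           # drop getfacl annotation
        /^# file: / { path = substr($0, 9); next }   # "# file: " starts a new block
        /^#/ || NF == 0 { next }
        # default (inherited) entries are removed with the d: prefix
        $1 == "default" && $2 == want && $3 == name {
            printf "setfacl -x d:%s:%s %s%s%s\n", kind, name, q, path, q; next
        }
        # access entries; the path is single-quoted so the command survives spaces
        $1 == want && $2 == name {
            printf "setfacl -x %s:%s %s%s%s\n", kind, name, q, path, q
        }'
}

# Constructed sample: what "getfacl -R -p /storage" might print after the steps
# in the post, plus a hypothetical default entry on the directory.
sample_tree_acl() {
    cat <<'EOF'
# file: /storage
# owner: root
# group: root
user::rwx
user:anil:r-x
group::rwx
group:Network:r-x
mask::rwx
other::rwx
default:user::rwx
default:user:anil:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

# file: /storage/file1
# owner: root
# group: root
user::rw-
user:anil:rwx
group::r--
mask::rwx
other::r--

# file: /storage/lost+found
# owner: root
# group: root
user::rwx
group::---
other::---
EOF
}

# Real use: getfacl -R -p /storage | acl_entries_for u anil   (review, then run)
sample_tree_acl | acl_entries_for u anil
sample_tree_acl | acl_entries_for g Network
```

The generated commands are meant to be reviewed before they are executed; default entries get the d: prefix because setfacl -x u:name alone leaves the inherited default entry in place, and new files would keep picking it up.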
You can also use the “-b” option to remove all ACL permissions from a file or directory; the syntax is as follows.
# setfacl -b <file/directory name>
For example, let's apply some ACLs back to the “storage” directory and then remove them using the above command.
[root@server1 /]# setfacl -m u:anil:rwx,g:Network:rwx /storage
[root@server1 /]# getfacl /storage/
getfacl: Removing leading '/' from absolute path names
# file: storage/
# owner: root
# group: root
user::rwx
user:anil:rwx
group::rwx
group:Network:rwx
mask::rwx
other::rwx
[root@server1 /]# setfacl -b /storage/
[root@server1 /]# getfacl /storage/
getfacl: Removing leading '/' from absolute path names
# file: storage/
# owner: root
# group: root
user::rwx
group::rwx
other::rwx
5.) Assign an ACL to a file.
An ACL can also be applied to a file in exactly the same fashion as we did for a directory.
# setfacl -m u:anil:rwx /storage/file1
[root@server1 /]# setfacl -m u:anil:rwx /storage/file1
setfacl: /storage/file1: No such file or directory
[root@server1 /]# touch /storage/file1
[root@server1 /]# setfacl -m u:anil:rwx /storage/file1
[root@server1 /]# su - anil
Last login: Wed Sep 28 23:13:50 EDT 2016 on pts/0
[anil@server1 ~]$ echo "ACL is assign on file1" > /storage/file1
[anil@server1 ~]$ cat /storage/file1
ACL is assign on file1
[anil@server1 ~]$
As you can see, user “anil” can read, write and execute file1 after the ACL is assigned.