Debian 7.0

Access Control by ACL
2013/06/05
 
Configure ACLs (Access Control Lists).
[1] Set ACL
For example, set ACL to the file "/home/test.txt".
root@dlp:~#
aptitude -y install acl
# set r (read) for the "wheezy" user on /home/test.txt

root@dlp:~#
setfacl -m u:wheezy:r /home/test.txt
# after an ACL is set, a "+" is appended to the permission bits in the listing

root@dlp:~#
ll /home/test.txt

-rwxr-----+ 1 root root 5 Jun  6 11:59 /home/test.txt

# confirm settings

root@dlp:~#
getfacl /home/test.txt

getfacl: Removing leading '/' from absolute path names
# file: home/test.txt
# owner: root
# group: root
user::rwx
user:wheezy:r--
group::---
mask::r--
other::---

# try to access with "wheezy"

wheezy@dlp:~$
cat /home/test.txt

ACL test file
# "wheezy" can read the file
# try to access with another user

fedora@dlp:~$
cat /home/test.txt

cat: /home/test.txt: Permission denied
# a user without an ACL entry cannot read the file
[2] Set ACL to a directory recursively.
# set r (read) for "wheezy" on "/home/testdir" recursively

root@dlp:~#
setfacl -R -m u:wheezy:r /home/testdir
root@dlp:~#
ll -laR /home/testdir

/home/testdir:
total 12
drwxr-----+ 2 root root 4096 Jun  6 14:23 .
drwxr-xr-x  6 root root 4096 Jun  6 14:23 ..
-rwxr-----+ 1 root root    9 Jun  6 14:23 testfile

root@dlp:~#
getfacl -R /home/testdir

getfacl: Removing leading '/' from absolute path names
# file: home/testdir
# owner: root
# group: root
user::rwx
user:wheezy:r--
group::---
mask::r--
other::---

# file: home/testdir/testfile
# owner: root
# group: root
user::rwx
user:wheezy:r--
group::---
mask::r--
other::---
[3] Set ACL by group
# set rw (read/write) for the "security" group on "/home/test.txt"

root@dlp:~#
setfacl -m g:security:rw /home/test.txt

root@dlp:~#
getfacl /home/test.txt

getfacl: Removing leading '/' from absolute path names
# file: home/test.txt
# owner: root
# group: root
user::rwx
group::---
group:security:rw-
mask::rw-
other::---
# try to access as the "wheezy" user, who is in the "security" group

wheezy@dlp:~$
echo "test write" >> /home/test.txt

wheezy@dlp:~$
cat /home/test.txt

ACL test file
test write
# "wheezy" can write to the file
# try to access as a user who is not in the "security" group

fedora@dlp:~$
echo "test write" >> /home/test.txt

-bash: /home/test.txt: Permission denied
# a user outside the "security" group cannot write to the file
[4] Remove ACL
# remove all extended ACL entries from "/home/test.txt"

root@dlp:~#
setfacl -b /home/test.txt
# remove only the ACL entry for the "fedora" user on "/home/test.txt"

root@dlp:~#
setfacl -x u:fedora /home/test.txt
[5] Set default ACL to a directory.
If files or directories are created under a directory that has a default ACL set, the default access entries are inherited by them.
But be careful: if you change the permission bits with "chmod", the ACL mask entry is changed accordingly, so the named user/group ACL entries may no longer grant the access you expect.
root@dlp:~#
setfacl -m u:wheezy:r-x /home/testdir

# set a default ACL of "r-x" (read/execute) for "wheezy" on the "/home/testdir" directory

root@dlp:~#
setfacl -d -m u:wheezy:r-x /home/testdir

root@dlp:~#
getfacl /home/testdir

getfacl: Removing leading '/' from absolute path names
# file: home/testdir
# owner: root
# group: root
user::rwx
user:wheezy:r-x
group::---
mask::r-x
other::---
default:user::rwx
default:user:wheezy:r-x
default:group::---
default:mask::r-x
default:other::---
root@dlp:~#
echo "ACL default setting" > /home/testdir/test.txt

root@dlp:~#
ll /home/testdir/test.txt

-rw-r-----+ 1 root root 20 Jan 31 22:32 /home/testdir/test.txt

# try to access with "wheezy"

wheezy@dlp:~$
cat /home/testdir/test.txt

ACL default setting
# "wheezy" can read the newly created file through the inherited ACL entry
[6] Remove default ACL
root@dlp:~#
setfacl -k /home/testdir

root@dlp:~#
getfacl /home/testdir

getfacl: Removing leading '/' from absolute path names
# file: home/testdir
# owner: root
# group: root
user::rwx
user:wheezy:r-x
group::---
mask::r-x
other::---
[7] Set ACL from a configuration file
# create a configuration file for ACL

# if there is an ACL on another system that you'd like to replicate, you can export it with the "getfacl" command

root@dlp:~#
vi acl.txt
# file: /home/testdir
# owner: root
# group: root
user::rwx
user:wheezy:r-x
group::---
mask::r-x
other::---
# file: /home/test.txt
# owner: root
# group: root
user::rwx
user:wheezy:r--
group::---
mask::r--
other::---
root@dlp:~#
setfacl --restore=acl.txt

root@dlp:~#
ll /home

total 16
drwx------. 2 wheezy   wheezy   4096 Jan 31 12:14 wheezy
drwx------  2 fedora fedora 4096 Jan 31 12:14 fedora
drwxr-x---+ 2 root   root   4096 Jan 31 22:32 testdir
-rwxr-----+ 1 root   root     25 Jan 31 21:56 test.txt
 