Objective:
ACLs, or Access Control Lists, are special permissions. The standard Linux file system permission model works at the user, group and other levels, with permissions in the form of read, write and execute. This works in most situations, but sometimes users require additional permissions, and that is where ACLs come in. Consider Bob from the Sales department, who needs access to one file belonging to the Finance department. The general file permission structure does not work here: the Finance department would not like to expose any files other than the desired one. With the help of ACLs we can grant that special permission. Standard permissions can work for a single user or a single group, but to add extra users from a different group to any file system object, an ACL is required. Today we will learn how to create and manage file system Access Control Lists.
Understanding ACLs in practice:
In this scenario we will be using Ubuntu 20.04 LTS. Before starting, let’s verify whether ACLs are supported at the kernel level in our OS.
List Kernel level support of ACLs.
First, check the kernel version.
ubnt@ubnt:~$ uname -r
5.4.0-53-generic
Grep the kernel config for the list of file systems with ACL support.
ubnt@ubnt:/boot$ grep ACL /boot/config-$(uname -r)
Output:
CONFIG_EXT4_FS_POSIX_ACL=y
CONFIG_REISERFS_FS_POSIX_ACL=y
CONFIG_JFS_POSIX_ACL=y
CONFIG_XFS_POSIX_ACL=y
CONFIG_BTRFS_FS_POSIX_ACL=y
CONFIG_F2FS_FS_POSIX_ACL=y
CONFIG_FS_POSIX_ACL=y
CONFIG_SHIFT_FS_POSIX_ACL=y
CONFIG_TMPFS_POSIX_ACL=y
CONFIG_JFFS2_FS_POSIX_ACL=y
CONFIG_EROFS_FS_POSIX_ACL=y
CONFIG_NFS_V3_ACL=y
CONFIG_NFSD_V2_ACL=y
CONFIG_NFSD_V3_ACL=y
CONFIG_NFS_ACL_SUPPORT=m
CONFIG_CEPH_FS_POSIX_ACL=y
CONFIG_9P_FS_POSIX_ACL=y
Here, y means that ACL support is compiled directly into the Linux kernel, whereas m means it is a loadable module.
Set default ACL permissions.
Let’s create a directory first.
root@ubnt:~# mkdir acldemo
Have a look before setting ACL permissions: only the standard user, group and other permissions are visible.
root@ubnt:~# getfacl acldemo/
Define a default ACL rule so that any file created under acldemo has no permissions at the other level.
root@ubnt:~# setfacl -m d:o:--- acldemo
Where -m stands for modify, d: for the default ACL of the directory, o: for others, and --- means no permissions are granted to others on the acldemo directory.
root@ubnt:~# getfacl acldemo/
root@ubnt:~/acldemo# touch test
Inheritance is sustained: the same permissions can be seen on the file as well. Now let's give additional access permissions to a user, e.g. 'raj'.
root@ubnt:~# setfacl -dm u:raj:rwx acldemo
Have a look at whether user raj has access or not.
root@ubnt:~# getfacl acldemo/
Remove ACL entries.
A user's special access can be removed using the -x and -b options of setfacl.
Let's remove the ACL permission for user 'raj'. Since the entry was added as a default entry (-d), it has to be named as d:u:raj when removing it.
root@ubnt:~# setfacl -x d:u:raj acldemo/
Remove ACL records.
root@ubnt:~# setfacl -b acldemo/
Have a look: the original status is regained.
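The walkthrough above, as an added shell script that is not part of the original post: it runs the page's setfacl steps in a scratch directory and checks with getfacl that the default entries are inherited by a new file and then removed again. It assumes a numeric uid (1001) standing in for the user 'raj' and a mktemp scratch directory on a file system with ACL support.

```shell
#!/bin/sh
# Added example (not from the original post): drive the page's acldemo
# walkthrough from a script and verify with getfacl that default ACL
# entries are inherited by new files, then that -x and -b remove them.
# RAJ is an assumed numeric uid standing in for the user 'raj': setfacl
# accepts a uid even if no such account exists, and getfacl -n prints ids.
set -eu
RAJ=${RAJ:-1001}

# The page's kernel-config grep only shows support was compiled in; the
# practical check is whether this file system accepts an ACL entry.
acl_supported() {
    command -v setfacl >/dev/null 2>&1 || return 1
    probe=$(mktemp "$1/probe.XXXXXX")
    if setfacl -m "u:$RAJ:r--" "$probe" 2>/dev/null; then rc=0; else rc=1; fi
    rm -f "$probe"
    return $rc
}

# Page steps: default ACL -> others get nothing, raj gets rwx on new files.
setup_acldemo() {
    mkdir -p "$1"
    setfacl -m d:o:--- "$1"
    setfacl -dm "u:$RAJ:rwx" "$1"
}

# ACL of a path without the "# file:" header, with numeric ids.
acl_of() { getfacl -c -n -p "$1"; }
# Permission triple of one entry, e.g. entry_perms "user:1001:" FILE or
# entry_perms "default:other::" DIR; prints nothing if the entry is absent.
entry_perms() {
    acl_of "$2" | sed -n "s/^$1\([rwx-]\{3\}\).*/\1/p" | head -n 1
}

# Page steps: -x drops one entry, -b drops every ACL entry. The entry was
# created with -d, so -x has to name it as a default entry (d:u:...) too.
remove_raj() { setfacl -x "d:u:$RAJ" "$1"; }
remove_all() { setfacl -b "$1"; }

# Walkthrough in the page's order: sh acldemo.sh demo
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    acl_supported "$d" || { echo "ACLs not usable under $d"; exit 1; }
    setup_acldemo "$d/acldemo"
    : > "$d/acldemo/test"          # same as the page's touch test
    acl_of "$d/acldemo/test"       # expect user:1001:rwx and other::---
    remove_raj "$d/acldemo"; remove_all "$d/acldemo"
    acl_of "$d/acldemo"            # default entries gone
    rm -rf "$d"
fi
```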
Conclusion:
Additional permissions are always required in a complex working environment. ACL permissions help to grant them without compromising security.
Reference: https://help.ubuntu.com/community/FilePermissionsACLs