Sunday, January 31, 2010

Further control of Linux files with ACL

If you read my article “Get to know Linux: File permissions” you know that it’s possible, out of the box, to control who can access a file and what they can do with it. This helps to make Linux a fairly secure system.

But did you know you can take even further control of that system with the help of Access Control Lists?

Access Control Lists allow you to provide different levels of access to files and folders. Say, for instance, user jlwallen creates a file but doesn’t want to allow anyone to do anything with this file except himself and another user, wookie (even though there are other users that belong to the group jlwallen).

ACL can handle this task.
In this article you will learn how to install and use ACL to further enhance your file permissions on a Linux system.


Installation
Let’s install ACL on an Ubuntu system. Since this is a command line tool, we’ll do the installation from the command line. And since the acl package is found in the standard repository, you won’t have to monkey with your /etc/apt/sources.list file.

From the command line enter the following:


# sudo apt-get install acl

Type your user password, hit the Enter key, and the installation will begin and end fairly quickly.

You are now ready to start with ACL.


Enabling ACL
Before you can use the ACL commands you have to mount your partition with ACL support enabled.

By default this is not the case. In order to set this you have to edit your /etc/fstab file. Open that file up and look for the line that mounts your data partition.

In my case, this line is:

UUID=c7812a34-3ec1-4451-aace-02d122b6c454 /   ext4  errors=remount-ro 0 1

You need to edit this line to look something like:

UUID=c7812a34-3ec1-4451-aace-02d122b6c454 /   ext4 errors=remount-ro,acl 0 1

After you make this edit, save the file and then either issue the command:


# sudo mount -o remount,acl /

or reboot your machine.

There are two commands you will use for ACL:
  • setfacl – Set file access control list.
  • getfacl – Get file access control list.
You can probably guess that the first command sets the ACL and the second lists the ACL for the file.


Using ACL
So let’s say you have the file test and you want only two users on your system to be able to read that file, jlwallen and wookie.

You want to exclude all users in the group jlwallen as well. What you want to do is use the setfacl command like so (as the user jlwallen):

# setfacl -m u:wookie:rw- test

Now when you run the command:


# getfacl test

you will see something like:


# file: test
# owner: jlwallen
# group: jlwallen
user::rw-
user:wookie:rw-
group::r--
mask::rw-
other::r--

As you can see, both users jlwallen and wookie can read and write the file test, whereas all others can only read it.
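The getfacl output above is enough to work out exactly who gets access, and that is worth checking, because the result does not yet match the stated goal: the owning group and everyone else can still read the file. The following Python program is an added example and not code from the original article. It parses getfacl output, applies the mask entry, and runs the POSIX.1e access check in kernel order (owner, then named user, then owning or named groups, then other) against a constructed set of accounts (wookie, bob and alice are assumed users; bob stands in for a member of the jlwallen group). It also evaluates two constructed follow-up outputs: one after `setfacl -m g::---,o::--- test`, which is what removing group and other access actually takes, and one after a plain `chmod 644 test`, which on a file with an extended ACL rewrites the mask rather than the group entry and silently reduces wookie’s effective rights.

```python
"""Work out who can do what to a file from its getfacl(1) output.

Added example, not from the original article. Reproduces the POSIX.1e
access-check order (owner, named user, owning/named groups, other) and
applies the mask entry the way the kernel does.
"""
from dataclasses import dataclass, field

# getfacl output exactly as shown in the article, after
# `setfacl -m u:wookie:rw- test`.
ACL_FROM_ARTICLE = """\
# file: test
# owner: jlwallen
# group: jlwallen
user::rw-
user:wookie:rw-
group::r--
mask::rw-
other::r--
"""

# Constructed (not from the article): after additionally running
# `setfacl -m g::---,o::--- test`, so only jlwallen and wookie remain.
ACL_LOCKED_DOWN = """\
# file: test
# owner: jlwallen
# group: jlwallen
user::rw-
user:wookie:rw-
group::---
mask::rw-
other::---
"""

# Constructed (not from the article): the article's ACL after a plain
# `chmod 644 test`. With an extended ACL the group bits of the mode are the
# mask, so chmod shrinks the mask and getfacl reports the effective rights.
ACL_AFTER_CHMOD = """\
# file: test
# owner: jlwallen
# group: jlwallen
user::rw-
user:wookie:rw-\t\t#effective:r--
group::r--
mask::r--
other::r--
"""

# Constructed accounts: user -> set of groups the user belongs to.
USERS = {
    "jlwallen": {"jlwallen"},
    "wookie": {"wookie", "jlwallen"},   # the intended second reader
    "bob": {"bob", "jlwallen"},         # group member the author wants excluded
    "alice": {"alice"},                 # unrelated account, i.e. "other"
}


@dataclass
class Acl:
    owner: str = ""
    group: str = ""
    user_obj: set = field(default_factory=set)        # user::  (owner)
    named_users: dict = field(default_factory=dict)   # user:NAME:
    group_obj: set = field(default_factory=set)       # group:: (owning group)
    named_groups: dict = field(default_factory=dict)  # group:NAME:
    mask: set = None                                  # mask:: (None if absent)
    other: set = field(default_factory=set)           # other::


def perms(text: str) -> set:
    """'rw-' -> {'r', 'w'}; ignores a trailing '#effective:...' annotation."""
    return {c for c in text.split("#")[0].strip() if c in "rwx"}


def parse_getfacl(text: str) -> Acl:
    """Parse the text getfacl prints for one file into an Acl."""
    acl = Acl()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):                      # header comment lines
            key, _, value = line[1:].partition(":")
            if key.strip() == "owner":
                acl.owner = value.strip()
            elif key.strip() == "group":
                acl.group = value.strip()
            continue
        tag, qualifier, perm = line.split(":", 2)
        p = perms(perm)
        if tag == "user":
            (acl.named_users.__setitem__(qualifier, p) if qualifier
             else setattr(acl, "user_obj", p))
        elif tag == "group":
            (acl.named_groups.__setitem__(qualifier, p) if qualifier
             else setattr(acl, "group_obj", p))
        elif tag == "mask":
            acl.mask = p
        elif tag == "other":
            acl.other = p
        else:
            raise ValueError(f"unknown ACL tag: {tag!r}")
    return acl


def masked(p: set, acl: Acl) -> set:
    """Named-user, owning-group and named-group entries are limited by the mask."""
    return p & acl.mask if acl.mask is not None else p


def can_access(acl: Acl, user: str, groups: set, wanted: str) -> bool:
    """POSIX.1e check: may `user` (member of `groups`) get every bit in `wanted`?"""
    need = set(wanted)
    if user == acl.owner:
        return need <= acl.user_obj               # owner entry is never masked
    if user in acl.named_users:
        return need <= masked(acl.named_users[user], acl)
    matching = ([acl.group_obj] if acl.group in groups else []) + [
        p for g, p in acl.named_groups.items() if g in groups]
    if matching:
        # Some group entry matched: granted only if one of them allows it all;
        # the other:: entry is NOT consulted as a fallback.
        return any(need <= masked(p, acl) for p in matching)
    return need <= acl.other


def readers(acl: Acl) -> list:
    """Accounts from USERS that may read the file."""
    return sorted(u for u, g in USERS.items() if can_access(acl, u, g, "r"))


if __name__ == "__main__":
    for name, text in [("article", ACL_FROM_ARTICLE),
                       ("locked down", ACL_LOCKED_DOWN),
                       ("after chmod 644", ACL_AFTER_CHMOD)]:
        acl = parse_getfacl(text)
        print(f"{name}: readers={readers(acl)} "
              f"wookie can write={can_access(acl, 'wookie', USERS['wookie'], 'w')}")
```

Against the article’s own output the check reports four readers, not two; only after the group and other entries are cleared does the list shrink to jlwallen and wookie. The chmod case is the one that bites in practice: run `getfacl` after any chmod on an ACL-bearing file and look for `#effective:` annotations.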

You can verify that a file has had ACL modifications done to it by using the ls command like so:


# ls -l test

which should produce results like:


-rw-rw-r--+ jlwallen jlwallen

What gives this away is the “+” character.


Final thoughts
Although this is just a cursory glance at using ACL, it will get you started with gaining even further control of the security of your Linux files. We’ll revisit ACL later and take the security of Linux files even further.
