Difference between revisions of "GNU Linux/Permissions/POSIX ACLs"

From WhyAskWhy.org Wiki
Revision as of 11:14, 2 March 2015


Requirements for using ACLs

  • The filesystem holding the content supports POSIX ACLs
  • The filesystem is mounted with the acl option (or the kernel enables ACLs by default for that filesystem type)
  • The package containing the command-line setfacl and getfacl tools is installed
    • the package is named acl on Ubuntu
  • Versions of the file utilities (ls, cp, mv, etc) that understand ACLs, so that ls -l flags files carrying extra entries with a trailing + and cp -p / cp -a carry the entries across

Confirm filesystem is mounted with proper support - tune2fs

On ext2/ext3/ext4 you can use tune2fs -l /dev/X | grep acl (where /dev/X is the block device) to print the default mount options recorded in the superblock:

sudo tune2fs -l /dev/sdaX | grep acl
Default mount options:    user_xattr acl

If it's not there, add acl to the filesystem's options in /etc/fstab and remount (mount -o remount,acl /mountpoint), or record it as a superblock default with tune2fs -o acl /dev/X. Note what this check does and does not tell you: tune2fs reads the defaults stored on disk, not the live mount, so the options actually in effect are the ones in /proc/mounts (or findmnt). Recent kernels also enable ACLs on ext4 by default without listing the option anywhere, so the definitive test is functional: set an entry with setfacl on a scratch file and see whether it sticks.

Confirm Kernel has support built-in [1]

Here we look in the /boot/config-2.6.32-73-server kernel config file on an Ubuntu 10.04 LTS server to verify that the kernel was built with ACL support for the filesystem(s) we use. In our case that is only ext4, but as the output shows this kernel also includes support for the other filesystems listed. CONFIG_FS_POSIX_ACL is the generic layer the per-filesystem options depend on; =y means built in, =m a loadable module, and a line reading # CONFIG_... is not set means disabled. Kernels built with CONFIG_IKCONFIG_PROC expose the same data as /proc/config.gz (zcat /proc/config.gz | grep _ACL).

$ grep _ACL /boot/config-$(uname -r)
CONFIG_EXT2_FS_POSIX_ACL=y
CONFIG_EXT3_FS_POSIX_ACL=y
CONFIG_EXT4_FS_POSIX_ACL=y
CONFIG_REISERFS_FS_POSIX_ACL=y
CONFIG_JFS_POSIX_ACL=y
CONFIG_FS_POSIX_ACL=y
CONFIG_XFS_POSIX_ACL=y
CONFIG_OCFS2_FS_POSIX_ACL=y
CONFIG_BTRFS_FS_POSIX_ACL=y
CONFIG_GENERIC_ACL=y
CONFIG_TMPFS_POSIX_ACL=y
CONFIG_NFS_V3_ACL=y
CONFIG_NFSD_V2_ACL=y
CONFIG_NFSD_V3_ACL=y
CONFIG_NFS_ACL_SUPPORT=m
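
The two checks above, scripted. This is an added example and not from the original page; both functions take an optional file argument so they can be exercised against the constructed /proc/mounts and kernel-config samples embedded below instead of the live system, and the filesystem-to-symbol mapping covers only the types that appear in the config listing above.

```bash
#!/bin/sh
# Added example, not from the original page: scripted versions of the two
# requirement checks above (live mount options and kernel build options).
# Both functions take an optional file argument so they can be run against
# the constructed samples below instead of the live system.

# Constructed sample in /proc/mounts format (not captured from a real host).
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sdb1 /srv/data ext4 rw,relatime,acl,user_xattr 0 0
tmpfs /run tmpfs rw,nosuid,noexec,relatime,size=10240k 0 0'

# Constructed sample kernel config fragment, modelled on the grep output above.
SAMPLE_KCONFIG='CONFIG_FS_POSIX_ACL=y
CONFIG_EXT4_FS_POSIX_ACL=y
CONFIG_XFS_POSIX_ACL=y
# CONFIG_REISERFS_FS_POSIX_ACL is not set
CONFIG_NFS_ACL_SUPPORT=m'

# has_acl_option MOUNTPOINT [MOUNTS_FILE]
# Exit status: 0 = "acl" among the mount options, 1 = mounted without it,
# 2 = MOUNTPOINT not found. Field 4 of /proc/mounts is the option list.
# Caveat: kernels that enable ACLs on ext4 by default omit the option here,
# so status 1 on a modern ext4 root is not proof that ACLs are off; a
# functional check (setfacl on a scratch file) is the final word.
has_acl_option() {
    awk -v mp="$1" '
        $2 == mp {
            found = 1
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) if (opt[i] == "acl") acl = 1
        }
        END {
            if (!found) { print mp ": not a mountpoint"; exit 2 }
            if (acl)    { print mp ": mounted with acl"; exit 0 }
            print mp ": mounted without the acl option"; exit 1
        }' "${2:-/proc/mounts}"
}

# Kconfig symbol for a filesystem type. The names are not uniform: ext*,
# btrfs, reiserfs and ocfs2 use *_FS_POSIX_ACL, while xfs, jfs and tmpfs
# drop the _FS_ part (compare the config listing above).
acl_kconfig_symbol() {
    fs=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    case "$1" in
        ext2|ext3|ext4|btrfs|reiserfs|ocfs2) printf 'CONFIG_%s_FS_POSIX_ACL\n' "$fs" ;;
        xfs|jfs|tmpfs)                       printf 'CONFIG_%s_POSIX_ACL\n' "$fs" ;;
        *) return 1 ;;
    esac
}

# fs_acl_in_kernel FSTYPE [CONFIG_FILE]
# Exit status: 0 = generic and per-filesystem ACL symbols are =y or =m,
# 1 = one of them is disabled or absent, 2 = no known symbol for FSTYPE.
fs_acl_in_kernel() {
    cfg="${2:-/boot/config-$(uname -r)}"
    sym=$(acl_kconfig_symbol "$1") || { echo "$1: no known ACL config symbol"; return 2; }
    for s in CONFIG_FS_POSIX_ACL "$sym"; do
        if ! grep -q "^$s=[ym]\$" "$cfg" 2>/dev/null; then
            echo "$1: $s not enabled in $cfg"
            return 1
        fi
    done
    echo "$1: POSIX ACL support present ($sym)"
}

# Run with --demo to exercise the checks against the constructed samples.
if [ "${1:-}" = "--demo" ]; then
    m=$(mktemp); k=$(mktemp)
    printf '%s\n' "$SAMPLE_MOUNTS" > "$m"
    printf '%s\n' "$SAMPLE_KCONFIG" > "$k"
    has_acl_option /srv/data "$m"; has_acl_option / "$m"
    fs_acl_in_kernel ext4 "$k"; fs_acl_in_kernel reiserfs "$k"
    rm -f "$m" "$k"
fi
```

Without a second argument the functions read the live /proc/mounts and /boot/config-$(uname -r), so `has_acl_option /srv/data` and `fs_acl_in_kernel ext4` are the forms you would drop into a provisioning check.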

TODO

Explain this:

 setfacl -d -m group:rwx /path/to/your/dir

The -d flag edits the directory's default ACL instead of its access ACL, and a group entry with an empty qualifier (setfacl(1) documents the owning-group spelling as g::rwx) sets the owning-group entry to rwx. That is permission 7 for one entry, not octal 777. A default ACL is an inheritance template: every file or subdirectory created inside the directory afterwards receives it as its access ACL, with the owner, group (or mask) and other entries ANDed against the mode the creating call asked for; the umask is not applied when a default ACL exists. New subdirectories additionally inherit it as their own default ACL, so the rule propagates down the tree as it grows.

  • Q: What about existing files? A: Unaffected. A default ACL only influences objects created after it is set; to change existing files run setfacl -R -m ... over the tree, which rewrites their access ACLs.
  • Q: What about existing directories? A: Also unaffected; setfacl -R -d -m ... installs the default ACL on every existing subdirectory (only directories can carry default entries).
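
The inheritance claims above, run on a throwaway directory so each one can be observed. This is an added example and not the page's own command sequence; it assumes setfacl/getfacl are installed and that the temporary directory sits on a filesystem with ACL support, and returns 77 (skip) otherwise. The owning-group entry is written g::rwx, the empty-qualifier spelling documented in setfacl(1).

```bash
#!/bin/sh
# Added example, not from the original page: runs the default-ACL behaviour
# described above on a throwaway directory so each claim can be observed.
# Assumes setfacl/getfacl are installed and the temp filesystem supports
# ACLs; returns 77 (skip) if either is missing. The owning-group entry is
# written g::rwx, the empty-qualifier spelling documented in setfacl(1).

# Returns 0 if every expectation held, 1 on a mismatch, 77 if skipped.
demo_default_acl() {
    command -v setfacl >/dev/null 2>&1 || return 77
    command -v getfacl >/dev/null 2>&1 || return 77
    d=$(mktemp -d) || return 77

    # Objects created BEFORE the default ACL exists.
    touch "$d/oldfile"
    mkdir "$d/olddir"

    # -d edits the directory's default ACL, the template for new objects.
    setfacl -d -m g::rwx "$d" 2>/dev/null || { rm -rf "$d"; return 77; }

    # Objects created AFTER.
    touch "$d/newfile"          # open(O_CREAT, 0666)
    mkdir "$d/newdir"           # mkdir(0777)

    rc=0
    # 1. The directory now carries the default group entry.
    getfacl -c "$d" | grep -qx 'default:group::rwx' || rc=1
    # 2. newfile inherited it as its access ACL, ANDed with the requested
    #    mode 0666: rwx & rw- = rw-. The umask is not consulted.
    getfacl -c "$d/newfile" | grep -qx 'group::rw-' || rc=1
    # 3. newdir inherited it as access ACL (rwx & rwx) AND as its own default.
    getfacl -c "$d/newdir" | grep -qx 'group::rwx' || rc=1
    getfacl -c "$d/newdir" | grep -qx 'default:group::rwx' || rc=1
    # 4. Pre-existing objects were left alone: no default entries appeared
    #    on olddir, and oldfile's group bits are whatever umask produced.
    getfacl -c "$d/olddir" | grep -q '^default:' && rc=1
    # 5. Existing objects change only when asked. -R walks the tree; with -d
    #    it installs the default ACL on every existing subdirectory.
    setfacl -R -d -m g::rwx "$d" 2>/dev/null
    getfacl -c "$d/olddir" | grep -qx 'default:group::rwx' || rc=1
    # 6. ... and without -d it rewrites the access ACL of existing files.
    setfacl -R -m g::rwx "$d" 2>/dev/null
    getfacl -c "$d/oldfile" | grep -qx 'group::rwx' || rc=1

    rm -rf "$d"
    return $rc
}

# Standalone run: report the outcome.
if [ "${1:-}" = "--demo" ]; then
    demo_default_acl; r=$?
    case $r in
        0)  echo "all default-ACL expectations held" ;;
        77) echo "skipped: setfacl/getfacl missing or no ACL support here" ;;
        *)  echo "mismatch, see the numbered checks" ;;
    esac
    exit $r
fi
```

Run it as `sh default-acl-demo.sh --demo`; a mismatch on check 2 or 3 on your system usually means the temp directory is on a filesystem where ACLs are not enabled, in which case the setfacl call would normally have failed already and triggered the skip.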


Mask

The mask entry further limits the permissions granted by named user, named group, and owning group entries by defining which of the permissions in those entries are effective and which are masked. [2]

  • A permission present both in one of those entries and in the mask is effective.
  • A permission present only in the mask, or only in the entry, is not effective, i.e. it is not granted.
  • The owner and other entries are never subject to the mask; all permissions defined there are always effective.

Two practical consequences: once a file has named entries, ls -l shows the mask in the group column (with a trailing + to flag the extended ACL), and chmod g=... changes the mask rather than the owning-group entry; conversely setfacl -m recalculates the mask to cover the entries it just set unless -n is given. getfacl marks entries cut down by the mask with a #effective: annotation.
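
The mask rule applied to a getfacl listing, as an added example that is not from the original page: it recomputes the effective permission of every entry from the entry and mask text alone, so the result can be compared against getfacl's own #effective: annotation. The listing below is constructed for the example (the file, users and groups in it do not exist), and default entries are handled against the default mask separately from access entries.

```bash
#!/bin/sh
# Added example, not from the original page: reproduces the mask rule on a
# getfacl listing so effective permissions can be derived without trusting
# the "#effective:" annotation. SAMPLE_ACL is constructed, not captured.

SAMPLE_ACL='# file: shared/report.txt
# owner: alice
# group: staff
user::rw-
user:bob:rwx
group::r-x
group:auditors:rw-
mask::r--
other::---
default:user::rwx
default:user:bob:rwx
default:group::r-x
default:mask::rwx
default:other::---'

# effective_perms LISTING_FILE
# Prints "tag:qualifier:perms -> effective" per entry. Named user, named
# group and owning group entries are ANDed with the mask of their section
# (access or default); owner and other entries are never masked.
effective_perms() {
    awk -F: '
        function and3(a, b,    i, r) {
            r = ""
            for (i = 1; i <= 3; i++)
                r = r ((substr(a, i, 1) != "-" && substr(b, i, 1) != "-") ? substr(a, i, 1) : "-")
            return r
        }
        /^#/ || NF < 3 { next }                 # header lines and blanks
        {
            pfx = ""; t = $1; q = $2; p = $3
            if (t == "default") { pfx = "default:"; t = $2; q = $3; p = $4 }
            sub(/[ \t]*#.*/, "", p)             # drop a trailing #effective:... note
            if (t == "mask") { mask[pfx] = p; next }
            n++; P[n] = pfx; T[n] = t; Q[n] = q; M[n] = p
        }
        END {
            for (i = 1; i <= n; i++) {
                eff = M[i]
                m = mask[P[i]]
                if (m != "" && ((T[i] == "user" && Q[i] != "") || T[i] == "group"))
                    eff = and3(M[i], m)
                printf "%s%s:%s:%s -> %s\n", P[i], T[i], Q[i], M[i], eff
            }
        }' "$1"
}

# effective_for LISTING_FILE TAG QUALIFIER [default]
# Prints just the effective permissions of one entry (use "" for the
# owner, owning group and other entries; any 4th argument selects the
# default section).
effective_for() {
    effective_perms "$1" | awk -v key="${4:+default:}$2:$3:" \
        'index($0, key) == 1 { print $NF; exit }'
}

# Run with --demo to print the full table for the constructed listing.
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp); printf '%s\n' "$SAMPLE_ACL" > "$f"
    effective_perms "$f"
    rm -f "$f"
fi
```

In the sample, bob's rwx collapses to r-- and the owning group's r-x to r-- because the access mask is r--, while alice (owner) keeps rw- untouched; the same bob entry in the default section stays rwx because the default mask is rwx. Feed it real output with `getfacl -p somefile > listing; sh mask-demo.sh` style usage, or pipe through the functions directly.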


Removing POSIX ACLs

To remove a named user or named group entry, and with it every permission that entry granted, use setfacl -x with the entry's tag and qualifier but no permissions [3]:

setfacl -x <entry type>:<name> <file>

For example, to remove the entry for the user antony:

setfacl -x u:antony /mnt/gluster/data/test-file

-x only removes extended entries; the base owner, owning group and other entries stay (change them with chmod or setfacl -m instead). To strip every extended entry from a file in one go use setfacl -b, and to drop a directory's default ACL use setfacl -k.


References

Directly used

  1. ACL(Access Control List) Configuration in Debian - http://www.debianhelp.co.uk/acl.htm
  2. Documentation > Security Guide > Local Security > Chapter 9. Access Control Lists in Linux - https://doc.opensuse.org/documentation/html/openSUSE_121/opensuse-security/cha.security.acls.html
  3. Support > Product Documentation > Red Hat Storage > 2.0 > Administration Guide > 9.5.3. Removing POSIX ACLs

Queued up

  • https://publib.boulder.ibm.com/tividd/td/TSMC/GC32-0789-04/en_US/HTML/ans5000090.htm
  • http://www.vanemery.com/Linux/ACL/linux-acl.html
  • http://linux.die.net/man/5/acl
  • https://docs.google.com/document/d/1-US07DZV7eoam1P8ZrTM7UgZF5DQs0Q8NNBAXVAem_Y/edit