
Linux File Security Training at the ACLU

If user and group management has you in a quandary, it's time to take the advanced filesystem security class at the ACLU.

A couple of weeks ago you learned some user and group management basics with “User and Group Management 101.” This week you’re entering the Access Control List University (ACLU) for an overview of advanced user and group management through the use of access control lists (ACLs).

ACLs don’t negate standard user and group management; they enhance it by expanding and simplifying complex permissions needs. User and group management, including ACLs, can fill an entire book so this introduction attempts to whet your appetite for a more in-depth investigation and isn’t meant to provide a treatise on the topic.

Before starting the tutorial, make sure that you have the acl package installed on your system. Check by issuing the getfacl command at a prompt. You should see a message similar to the following:

$ getfacl

Try `getfacl --help' for more information.

You likely have acl installed, if you receive a response other than, “command not found.” If you find that acl isn’t installed on your system, install it via your system’s package manager.

Back Story

The permissions that you’re familiar with are of the u, g, o and rwx types. You view these permissions with ls -l and change them with the chmod command. In ACL terminology, these are known as the “minimal” access control list. Entries beyond this minimal list are known as the extended access control list. The Extended ACL shows permissions not shown in standard ls -l file listings. The file below only shows the typical ugo and rwx type permissions.

$ ls -l file.txt

-rw-r--r-- 1 root root 6 Apr 23 17:38 file.txt

Through standard commands, you only see the minimal ACL. And, for most files, this is enough information. Even the most restricted files only show minimal ACLs because they only have minimal ACLs. Examples, as shown in upcoming sections, are /etc/passwd and /etc/shadow.

It’s a subtle change, but for files with extended ACLs you’ll notice a “+” in the 11th character position of the mode string. You can see this with the long list command.

$ ls -l file2.txt

-rw-rw-r--+ 1 root root 6 Apr 23 17:38 file2.txt

GETFACL

The /usr/bin/getfacl (get file access control lists) program displays minimal ACLs and extended ACLs. As a comparative example, look at the two files simultaneously.

$ getfacl *

# file: file1.txt
# owner: root
# group: root
user::rw-
group::r--
other::r--

# file: file2.txt
# owner: root
# group: root
user::rw-
user:khess:rw-
group::r--
mask::rw-
other::r--

As you can see, user khess has read and write permission on file2.txt through a named-user ACL entry, in addition to the owner, root. Both the root user and user khess have read and write access to file2.txt.

For some administrators, the default getfacl view isn’t particularly easy to read. There is a tabular view that gives you a clearer presentation of extended ACLs.

$ getfacl --tabular *

# file: file1.txt
USER   root      rw-
GROUP  root      r--
other            r--

# file: file2.txt
USER   root      rw-
user   khess     rw-
GROUP  root      r--
mask             rw-
other            r--

Not only does this view present the extended permissions in a tabular format, it also makes a distinction between original owner (ALL CAPS) and extended ownership (lower case). From the example above, the root user is the original owner, shown as: USER root rw-. And, khess is the extended owner: user khess rw-.

SETFACL

Files aren’t created with extended permissions or ACLs; they’re added later. It is the setfacl program that sets those extended permissions for you. The syntax for setfacl is a little tricky but once you see its madness in action, you’ll catch on to its method.

For each of the setfacl examples, you’ll have the setfacl command presented to you and then the getfacl results of that command. You can set ACL permissions by using the setfacl in the following ways:

Modify (-m) the ACL for file2.txt, setting user khess with read and write access.

$ sudo setfacl -m user:khess:rw file2.txt

$ getfacl file2.txt

# file: file2.txt
# owner: root
# group: root
user::rw-
user:khess:rw-
group::r--
mask::rw-
other::r--

Add another user, robert, to the ACL for file2.txt.

$ sudo setfacl -m user:robert:rw file2.txt

$ getfacl file2.txt

# file: file2.txt
# owner: root
# group: root
user::rw-
user:khess:rw-
user:robert:rw-
group::r--
mask::rw-
other::r--

After some consideration, it’s decided that user robert doesn’t need write access to file2.txt. Instead of removing his access and then reinstating it, you can modify (-m) his access.

$ sudo setfacl -m user:robert:r file2.txt

$ getfacl file2.txt

# file: file2.txt
# owner: root
# group: root
user::rw-
user:khess:rw-
user:robert:r--
group::r--
mask::rw-
other::r--

After much more consideration, it’s found that user robert needs no rights to the file.

$ sudo setfacl -x user:robert file2.txt

$ getfacl file2.txt

# file: file2.txt
# owner: root
# group: root
user::rw-
user:khess:rw-
group::r--
mask::rw-
other::r--

Here’s a question for you about what you’re seeing in the example above. This file is owned by the root user, however, user khess has read and write access to it through ACLs. Can user khess edit file2.txt? Can the user khess remove the file?

$ echo "I can write to the file" > file2.txt

$ cat file2.txt

I can write to the file

$ rm file2.txt

rm: cannot remove 'file2.txt': Permission denied

User khess can open the file, write to it and save it but not remove the file. Do you know why? If you think it’s file permissions related, then try granting write access to everyone for file2.txt.

$ sudo chmod 666 file2.txt

$ rm file2.txt

rm: cannot remove 'file2.txt': Permission denied

Only the root user has the right to remove the file. Why? Hint: It’s the permissions on the directory in which the file is located. Setting ACLs on directories is the same as setting ACLs on any other file. Remember that directories are files too. Now that you know that user khess can’t remove the files, try the following experiment.

$ sudo setfacl -m user:khess:rwx Filedir

$ getfacl Filedir

# file: Filedir
# owner: root
# group: root
user::rwx
user:khess:rwx
group::r-x
mask::rwx
other::r-x

Now user khess can remove any file within the Filedir directory regardless of ownership.

As an interesting experiment in ACLs, set the permissions on Filedir for user khess to rw. What happens? User khess can’t cd into Filedir even though other has read and execute permissions. The execute permission (x) is what allows a user to cd into a directory. Extended ACL entries take precedence over the minimal ACL: the named-user entry for khess is matched first, so the other entry is never consulted for khess. All other users can still cd into Filedir.
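To make the setfacl walkthrough and the Filedir experiments above easier to reason about, here is an added example (not code from the article) that models the POSIX ACL access check in Python: it parses getfacl’s text form and decides whether a user holding a given set of group names is granted the requested permissions. The sample ACL text is constructed from the article’s listings, and the function names parse_acl, can and can_unlink are this example’s own.

```python
# Constructed sample: getfacl output the article shows for file2.txt and for
# Filedir after `setfacl -m user:khess:rwx Filedir` (owner and group: root).
FILE2_ACL = """\
# file: file2.txt
# owner: root
# group: root
user::rw-
user:khess:rw-
group::r--
mask::rw-
other::r--
"""
FILEDIR_ACL = "\n".join(["# owner: root", "# group: root", "user::rwx",
                         "user:khess:rwx", "group::r-x", "mask::rwx", "other::r-x"])

def parse_acl(text):
    """Turn getfacl's text form into a dict of permission sets."""
    acl = {"named_user": {}, "named_group": {}, "mask": set("rwx")}
    for raw in text.splitlines():
        line = raw.split("#effective:")[0].strip()   # drop getfacl's annotations
        if line.startswith("# owner:"):
            acl["owner"] = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            acl["owning_group"] = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            tag, qualifier, mode = line.split(":")
            mode = set(mode) & set("rwx")
            if qualifier:                       # user:NAME: or group:NAME: entry
                acl["named_" + tag][qualifier] = mode
            else:                               # user::, group::, mask::, other::
                acl[tag] = mode
    return acl

def can(acl, uid, groups, wanted):
    """POSIX.1e check: the first matching class decides. The mask caps named
    users, the owning group and named groups, but never the file owner."""
    wanted = set(wanted)
    if uid == acl["owner"]:
        return wanted <= acl["user"]
    if uid in acl["named_user"]:
        return wanted <= acl["named_user"][uid] & acl["mask"]
    matching = [acl["group"]] if acl["owning_group"] in groups else []
    matching += [acl["named_group"][g] for g in groups if g in acl["named_group"]]
    if matching:                                # group classes never fall through to other
        return any(wanted <= m & acl["mask"] for m in matching)
    return wanted <= acl["other"]

def can_unlink(dir_acl, uid, groups):
    """rm checks the directory, not the file: it needs write and search (x) there."""
    return can(dir_acl, uid, groups, "wx")
```

Removing the user:khess entry from FILEDIR_ACL reproduces the “Permission denied” from rm, and changing the file’s mask to r-- shows how the mask caps khess’s effective rights while leaving root untouched.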

CHACL

The chacl command is included for IRIX compatibility. The preferred way to change ACLs is to use the setfacl command, and it’s assumed that chacl will be deprecated at some point in the future in favor of setfacl. Although setfacl is preferred, the chacl command offers some compelling shortcuts that are less frustrating than their setfacl counterparts. For example, its -B option removes all extended ACL entries, which resets access to the original minimal ACL.

$ sudo chacl -B file2.txt

$ getfacl file2.txt

# file: file2.txt
# owner: root
# group: root
user::rw-
group::r--
other::r--

Next week, you’ll dive deeper into ACLs now that the introductory material is out of the way.

Is there a topic you’d like covered in the System Administration column? If there is, send me an email and I’ll put your request into the queue.

Comments on "Linux File Security Training at the ACLU"

sash-kan

> Modify (-m) the ACL for file1.txt, setting user khess with read and write access.

but in listing you operate on file2.txt.

khess

Thanks, fixed it.

jsf80238

Good article, thanks for providing it.

i must say that it is a very nice tutorial… like it very much

Very clear article about CHACL. Appreciate it if you explain about “mask” specified on the setfacl command. Is it derived from the permissions already specified for (user,group,other), or do the permissions specified on mask dictate the permissions for (user,group,other)? Are mask and umask related to each other, perhaps not? Thanks.
