Access Control by ACL (2013/06/05)
Configure ACLs (POSIX Access Control Lists) to grant or deny access to specific users and groups beyond what the owner/group/other mode bits can express.
|
|
[1] Set an ACL. For example, set an ACL on the file "/home/test.txt".
root@dlp:~# aptitude -y install acl
# the filesystem must support ACLs (on older ext3/ext4 setups this means the "acl" mount option);
# without it setfacl fails with "Operation not supported"
# grant read access to user "wheezy" on the file (this is the command whose result is shown below)
root@dlp:~# setfacl -m u:wheezy:r /home/test.txt
# after an ACL is set, "+" is appended to the mode string in "ls -l" output;
# the mode bits alone no longer describe who can access the file, so always check with getfacl when auditing
root@dlp:~# ll /home/test.txt
-rwxr-----+ 1 root root 5 Jun 6 11:59 /home/test.txt
# confirm the settings
root@dlp:~# getfacl /home/test.txt
getfacl: Removing leading '/' from absolute path names
# file: home/test.txt
# owner: root
# group: root
user::rwx
user:wheezy:r--
group::---
mask::r--
other::---
# the effective rights of a named user/group entry are the entry ANDed with the mask entry
# try to access as another user (no ACL entry, not in the owning group)
fedora@dlp:~$ cat /home/test.txt
cat: /home/test.txt: Permission denied
# reading is denied, as expected
[2] Set an ACL on a directory recursively.
# grant r (read) to "wheezy" on "/home/testdir" and everything below it
root@dlp:~# setfacl -R -m u:wheezy:r /home/testdir
root@dlp:~# ll -laR /home/testdir
/home/testdir:
total 12
drwxr-----+ 2 root root 4096 Jun 6 14:23 .
drwxr-xr-x 6 root root 4096 Jun 6 14:23 ..
-rwxr-----+ 1 root root 9 Jun 6 14:23 testfile
root@dlp:~# getfacl -R /home/testdir
getfacl: Removing leading '/' from absolute path names
# file: home/testdir
# owner: root
# group: root
user::rwx
user:wheezy:r--
group::---
mask::r--
other::---

# file: home/testdir/testfile
# owner: root
# group: root
user::rwx
user:wheezy:r--
group::---
mask::r--
other::---
# caveat: r on a directory only lets "wheezy" list the names in it; opening /home/testdir/testfile
# also requires search (x) permission on /home/testdir, which this ACL does not grant.
# Use the "X" permission ("setfacl -R -m u:wheezy:rX /home/testdir") to add execute on directories
# (and on files that are already executable) without making every regular file executable; see setfacl(1).
# -R does not follow symbolic links, so linked-to directories are not changed.
[3] Set an ACL for a group.
# grant rw (read/write) to the "security" group on "/home/test.txt"
# a named group entry matches a process whose effective group or any supplementary group is "security" (see acl(5))
root@dlp:~# setfacl -m g:security:rw /home/test.txt
root@dlp:~# getfacl /home/test.txt
getfacl: Removing leading '/' from absolute path names
# file: home/test.txt
# owner: root
# group: root
user::rwx
group::---
group:security:rw-
mask::rw-
other::---
# note that setfacl recalculated the mask to rw-; every named user/group entry on this file is now capped at rw-
# try to access as "wheezy", who is a member of the "security" group
wheezy@dlp:~$ echo "test write" >> /home/test.txt
wheezy@dlp:~$ cat /home/test.txt
ACL test file
test write
# writing succeeds
# try to access as a user who is not in the "security" group
fedora@dlp:~$ echo "test write" >> /home/test.txt
-bash: /home/test.txt: Permission denied
# writing is denied, as expected
[4] Remove an ACL entry.
# remove only the ACL entry for user "fedora" on "/home/test.txt"; other entries stay in place
# (use "setfacl -b FILE" to strip all extended ACL entries and fall back to the plain mode bits)
root@dlp:~# setfacl -x u:fedora /home/test.txt
|
[5] Set a default ACL on a directory. Files and directories created under a directory that carries a default ACL inherit it as their access ACL; entries that already exist are not changed retroactively. Be careful: running "chmod" on a file that has an ACL does not delete the ACL, but it rewrites the mask entry from the group bits of the new mode, so named user/group entries can silently become more or less permissive than intended. Re-check with getfacl after any chmod.
# give "wheezy" r-x on the directory itself (an access ACL) so it can be listed and traversed
root@dlp:~# setfacl -m u:wheezy:r-x /home/testdir
# set a default ACL "r-x (read/execute)" for "wheezy" on "/home/testdir"; it is inherited by entries created under the directory from now on
root@dlp:~# setfacl -d -m u:wheezy:r-x /home/testdir
root@dlp:~# getfacl /home/testdir
getfacl: Removing leading '/' from absolute path names
# file: home/testdir
# owner: root
# group: root
user::rwx
user:wheezy:r-x
group::---
mask::r-x
other::---
default:user::rwx
default:user:wheezy:r-x
default:group::---
default:mask::r-x
default:other::---
root@dlp:~# echo "ACL default setting" > /home/testdir/test.txt
root@dlp:~# ll /home/testdir/test.txt
-rw-r-----+ 1 root root 20 Jan 31 22:32 /home/testdir/test.txt
# the new file inherited the wheezy entry, but its mask is the default mask ANDed with the group bits of
# the creation mode (0640 here, per acl(5)), so wheezy's effective permission on the file is r--, not r-x
# try to access as "wheezy"
wheezy@dlp:~$ cat /home/testdir/test.txt
ACL default setting
# reading succeeds
[6] Remove the default ACL.
# -k removes only the default entries; the directory's access entries (user:wheezy:r-x) remain,
# and files already created under the directory keep the ACLs they inherited earlier
root@dlp:~# setfacl -k /home/testdir
root@dlp:~# getfacl /home/testdir
getfacl: Removing leading '/' from absolute path names
# file: home/testdir
# owner: root
# group: root
user::rwx
user:wheezy:r-x
group::---
mask::r-x
other::---
[7] Set ACLs from a configuration file.
# create a configuration file describing the ACLs to apply
# to copy ACLs from another system, export them there with "getfacl -R /path > acl.txt"
# (add -p to keep the leading "/" in the path names, as in the file below)
root@dlp:~# vi acl.txt
# file: /home/testdir
# owner: root
# group: root
user::rwx
user:wheezy:r-x
group::---
mask::r-x
other::---

# file: /home/test.txt
# owner: root
# group: root
user::rwx
user:wheezy:r--
group::---
mask::r--
other::---
root@dlp:~# setfacl --restore=acl.txt
root@dlp:~# ll /home
total 16
drwx------. 2 wheezy wheezy 4096 Jan 31 12:14 wheezy
drwx------ 2 fedora fedora 4096 Jan 31 12:14 fedora
drwxr-x---+ 2 root root 4096 Jan 31 22:32 testdir
-rwxr-----+ 1 root root 25 Jan 31 21:56 test.txt
# caution: per setfacl(1), --restore also applies the "# owner:" and "# group:" comments (changing
# ownership when run as root) and clears the setuid/setgid/sticky bits unless a "# flags:" comment is
# present. Only restore from a file you control and have reviewed; an acl.txt that other users can write
# to is effectively a root-level permission and ownership change on every path it lists.