Debian 10 Buster
Sponsored Link

Access Control by ACL2019/08/27

 
This is the example to configure ACL (Access Control Lists).
[1] Install ACL tools.
root@dlp:~#
apt -y install acl
[2] To use ACL, it's necessary to use filesystems which can use ACL function like ext2/ext3/ext4 or xfs and also necessary to enable ACL option on those filesystems. For Debian, ACL option is already eanbled by default mount option on devices which are set on initial OS installation.
# show default mount option

root@dlp:~#
tune2fs -l /dev/debian-vg/root | grep "Default mount options"

Default mount options:   user_xattr acl    
# acl option is already added
[3] For the case of devices which is added after OS installation like adding HDD and others, it's necessary to enable ACL option manually. One way is to mount a device with acl option, or for another way is to add ACL option in default mount option.
# mount with acl option to enable ACL

root@dlp:~#
mount -o acl /dev/sdb1 /mnt

root@dlp:~#
mount | grep sdb1

/dev/sdb1 on /mnt type ext4 (rw,acl)
# or add ACL option to default mount option

root@dlp:~#
tune2fs -o acl /dev/sdb1

root@dlp:~#
tune2fs -l /dev/sdb1 | grep "Default mount options"

Default mount options: acl
[4] For how to set ACL,
for example, set ACL to the file [/home/test.txt].
# set r(read) for [debian] user to /home/test.txt

root@dlp:~#
setfacl -m u:debian:r /home/test.txt
# after setting ACL, [+] is added on attribute

root@dlp:~#
ll /home/test.txt

-rwxr-----+ 1 root root 10 Jul 30 10:53 /home/test.txt*

# confirm settings

root@dlp:~#
getfacl /home/test.txt

getfacl: Removing leading '/' from absolute path names
# file: home/test.txt
# owner: root
# group: root
user::rwx
user:debian:r--
group::---
mask::r--
other::---

# try to access with [debian]

debian@dlp:~$
cat /home/test.txt

ACL test file    
# read normally
# try to access with another user

debian@dlp:~$
cat /home/test.txt

cat: /home/test.txt: Permission denied    
# cannot read normally
[5] Set ACL to a directory recursively.
# set r(read) for [debian] to [/home/testdir] recursively

root@dlp:~#
setfacl -R -m u:debian:r /home/testdir
root@dlp:~#
ll -laR /home/testdir

/home/testdir:
total 12
drwxr-----+ 2 root root 4096 Jul 30 11:00 ./
drwxr-xr-x  5 root root 4096 Jul 30 11:00 ../
-rwxr-----+ 1 root root   10 Jul 30 11:00 test.txt*

root@dlp:~#
getfacl -R /home/testdir

getfacl: Removing leading '/' from absolute path names
# file: home/testdir
# owner: root
# group: root
user::rwx
user:debian:r--
group::---
mask::r--
other::---

# file: home/testdir/test.txt
# owner: root
# group: root
user::rwx
user:debian:r--
group::r--
mask::r--
other::---
[6] Set ACL by group.
# set rw(read/write) for [security] group to [/home/test.txt]

root@dlp:~#
setfacl -m g:security:rw /home/test.txt

root@dlp:~#
getfacl /home/test.txt

getfacl: Removing leading '/' from absolute path names
# file: home/test.txt
# owner: root
# group: root
user::rwx
user:debian:r--
group::---
group:security:rw-
mask::rw-
other::---

# try to access with [debian] user who in [security] group

debian@dlp:~$
echo "test write" >> /home/test.txt

debian@dlp:~$
cat /home/test.txt

ACL test file
test write    
# write normally
# try to access with a user who in not in [security] group

debian@dlp:~$
echo "test write" >> /home/test.txt

-bash: /home/test.txt: Permission denied    
# cannot write normally
[7] Remove ACL.
# remove ACL from [/home/test.txt]

root@dlp:~#
setfacl -b /home/test.txt
# remove ACL only for [debian] user on [/home/test.txt]

root@dlp:~#
setfacl -x u:debian /home/test.txt
[8] Set default ACL to a directory. If files/directories are created under the directory with setting default ACL, default access attribute is inherited. But be careful, if you change attribute with [chmod], then ACL would be invalid.
root@dlp:~#
setfacl -m u:debian:r-x /home/testdir
# set default ACL [r-x(read/execute)] for [debian] to [/home/testdir] directory

root@dlp:~#
setfacl -d -m u:debian:r-x /home/testdir

root@dlp:~#
getfacl /home/testdir

getfacl: Removing leading '/' from absolute path names
# file: home/testdir
# owner: root
# group: root
user::rwx
user:debian:r-x
group::---
mask::r-x
other::---

root@dlp:~#
echo "ACL default setting" > /home/testdir/test.txt

root@dlp:~#
ll /home/testdir/test.txt

-rwxr-----+ 1 root root 20 Jul 30 11:06 /home/testdir/test.txt*

# try to access with [debian]

debian@dlp:~$
cat /home/testdir/test.txt

ACL default setting    
# read normally
[9] Remove default ACL.
root@dlp:~#
setfacl -k /home/testdir

root@dlp:~#
getfacl /home/testdir

getfacl: Removing leading '/' from absolute path names
# file: home/testdir
# owner: root
# group: root
user::rwx
user:debian:r-x
group::---
mask::r-x
other::---
[10] Set ACL from a configration file.
# create a configuration file for ACL

# if there are ACLs you'd like to set on other system, there is a way to export with [getfacl] command

root@dlp:~#
vi acl.txt
# file: /home/testdir
# owner: root
# group: root
user::rwx
user:debian:r-x
group::---
mask::r-x
other::---

# file: /home/test.txt
# owner: root
# group: root
user::rwx
user:debian:r--
group::---
mask::r--
other::---

root@dlp:~#
setfacl --restore=acl.txt

root@dlp:~#
ll /home

total 16
drwx------. 2 debian   debian   4096 Jul 30 12:14 debian
drwx------  2 fedora fedora     4096 Jul 30 12:14 fedora
drwxr-x---+ 2 root   root       4096 Jul 30 22:32 testdir
-rwxr-----+ 1 root   root         25 Jul 30 21:56 test.txt
Matched Content