ACLs finer grained permissions control
There has been more than one occasion where I have needed to give more than one user or group access to some files. There are also times when the user or group that has ownership is simply too powerful for the purpose of the access.
That is where ACLs come into play, allowing finer-grained control over access to files and directories.
Caution: ACLs can be confusing at first, and if they are not used properly they can grant users access that you may not want.
First things first, make sure that you have the ACL tools installed:
Note: I am using Oracle Enterprise Linux as my server, so the package you need to install may be different.
# yum install acl
Once the install has completed, the next step is to make sure that your file system is mounted with ACL support so that you can take advantage of ACLs.
Note: Not all file systems support ACLs; consult the mount options for your file system for clarification.
/dev/mapper/vg_system-lv_storage /storage ext4 defaults,acl 1 2
Provided the file system is not in use:
# mount -o remount /storage
If the file system is in use, you will need to either reboot or wait for the file system to free up.
The first thing to do is see what the ACL for your location looks like, using getfacl:
[grim76@tardis /]$ getfacl storage
# file: storage
# owner: root
# group: root
user::rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:group::r-x
default:mask::rwx
default:other::r-x
Notice that this matches up pretty well with what you see from a standard ls -alh:
drwxrwxr-x 4 root root 4.0K Mar 31 21:14 storage
The goal of my exercise is to give my userid full control of a location, but not alter the base permissions that are in place.
Setting my user to have full control of the location:
# setfacl -m u:grim76:rwx /storage
Breaking that down: setfacl is the command used to alter ACLs, -m means modify, u:grim76:rwx is user:name:permissions, and /storage is the location.
Now let's look at ls -alh again:
drwxrwxr-x+ 4 root root 4.0K Mar 31 21:14 storage
It doesn't look like anything has changed, but look closer: the + sign indicates that an ACL is now in place.
Let's look at the ACL now:
[grim76@tardis /]$ getfacl storage
# file: storage
# owner: root
# group: root
user::rwx
user:grim76:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:group::r-x
default:mask::rwx
default:other::r-x
Now my user can add files and directories to that location. The problem is that if root adds something to this location, I won't get permissions on those new files or directories.
So I need to change the default ACL for this location:
# setfacl -m d:u:grim76:rwx storage
Same command as before, but with the added d: prefix, which modifies the default ACL (the entries inherited by new files and directories) instead of the access ACL.
[grim76@tardis /]$ getfacl storage
# file: storage
# owner: root
# group: root
user::rwx
user:grim76:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:grim76:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
Notice that the default section has changed from the list we saw before.
Now files and directories created in that location will inherit the ACL entry that gives my user full access.
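One check worth doing after the two setfacl commands above is to confirm what the named entry is really worth: a named user entry is capped by the mask:: entry, so user:grim76:rwx can still mean r-x in practice once a chmod on the directory has tightened the mask. The script below is an added example, not code from the original post; it parses the getfacl output format shown above, applies the mask, and predicts the access ACL a new file or directory inherits from the default ACL. The SAMPLE text is constructed for the example.

```python
# Added example, not code from the original post.  SAMPLE is constructed:
# /storage after both setfacl commands, but with the access mask tightened
# to r-x (a later chmod g-w on the directory does this; see #effective).
SAMPLE = """\
# file: storage
user::rwx
user:grim76:rwx          #effective:r-x
group::r-x
mask::r-x
other::r-x
default:user::rwx
default:user:grim76:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
"""

def parse_getfacl(text):
    """Return {"access": [(tag, qualifier, perms), ...], "default": [...]}."""
    acl = {"access": [], "default": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop header and #effective
        if not line:
            continue
        scope = "access"
        if line.startswith("default:"):
            scope, line = "default", line[len("default:"):]
        tag, qualifier, perms = line.split(":")
        acl[scope].append((tag, qualifier, perms))
    return acl

def _and(a, b):  # intersect two rwx strings
    return "".join(x if x == y else "-" for x, y in zip(a, b))

def effective(entries):
    """Named users/groups and the owning group are capped by mask::."""
    mask = next((p for t, _, p in entries if t == "mask"), None)
    return {f"{t}:{q}": _and(p, mask) if mask and (q or t == "group") else p
            for t, q, p in entries}

def inherited(acl, create_mode=0o777):
    """Access ACL a new object gets from the parent's default ACL: user::,
    mask:: (group:: if no mask) and other:: are intersected with the creation
    mode (0777 for mkdir, 0666 for a file; umask is ignored); named entries copy."""
    rwx = lambda s: "".join(c if create_mode >> s & b else "-"
                            for c, b in zip("rwx", (4, 2, 1)))
    bits = {("user", ""): rwx(6), ("mask", ""): rwx(3), ("other", ""): rwx(0)}
    if not any(t == "mask" for t, _, _ in acl["default"]):
        bits[("group", "")] = rwx(3)
    return [(t, q, _and(p, bits[(t, q)]) if (t, q) in bits else p)
            for t, q, p in acl["default"]]
```

Feed it the real output of getfacl on your own directory to see whether the entry you added is being capped by the mask.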
This is a really simple example of how to use ACLs. These come in really handy for SFTP servers, and other file system access as well.