Linux Lab – Access Control Lists

Overview

As you know, Linux has a standard set of file access settings based on the concept of read, write, and execute permissions that determine who may access the file or directory in question. The most common way to set and change these permissions is to use commands like chmod, chown or chgrp. While these are powerful commands and have their place, there are occasions where it may be advantageous to fine-tune the access to a file or directory. This is where file access control lists, or FACLs, come in.

Understanding Access Control Lists

In short, ACLs allow granular adjustment of file or directory permissions, where users or groups can have their access added or restricted as necessary. In this lab, we will use the commands getfacl and setfacl to display or modify ACL permissions. The getfacl command retrieves the configured ACL for a particular file or directory, and setfacl creates or modifies ACL permissions.

It is not hard to imagine a list of reasons that might require a more in-depth security profile for a file or directory. To help you configure the right ACL for your needs, this lab covers several examples that walk you through the step-by-step basics of setting permissions using ACLs.

For this guide, we created all of the files, directories, groups, and users beforehand. The important thing is to be careful when testing ACLs on production systems. Jump to the Appendix to review the lab setup steps.

Configuring Access Control Lists on Linux

Before we change the permissions of a file or directory, we should check its current state with the getfacl command. We can display the current ACL of all the files within the insurance directory under hr:

# getfacl /share/hr/insurance/*
# file: share/hr/insurance/drivers
# owner: root
# group: hr
user::rwx
group::rwx
other::---

# file: share/hr/insurance/life
# owner: root
# group: hr
user::rwx
group::rwx
other::---

# file: share/hr/insurance/medical
# owner: root
# group: hr
user::rwx
group::rwx
other::---

Step-1 – If there are no ACLs on the directory, you will see only the default owner, group and other settings, but no additional permissions. Now, use the setfacl command to give read, write and execute access on the drivers file to the mgmt group.

# setfacl -m g:mgmt:rwx /share/hr/insurance/drivers

The -m flag is used to set or modify the current ACL of the file or directory. Next, g:mgmt states the group for which the ACL change will be made. Finally, :rwx gives the group mgmt read, write and execute privileges on the file /share/hr/insurance/drivers. You can tell an ACL is set from the '+' sign shown when listing the file. Try this and get the details from getfacl:

# ls -l /share/hr/insurance/
-rwxrw----+ 1 root hr 0 Mar 28 14:21 drivers
-rwxr-----. 1 root hr 0 Mar 28 14:21 life
-rwxr-----. 1 root hr 0 Mar 28 14:21 medical

# getfacl /share/hr/insurance/drivers
# file: share/hr/insurance/drivers
# owner: root
# group: hr
user::rwx
group::r--
group:mgmt:rwx
mask::rwx
other::---

Verify that Jane, who is in the mgmt group, can only access the drivers file and receives "Permission denied" while attempting to access life or medical:

# su - jane
[jane@localhost ~]$ groups
mgmt

[jane@localhost ~]$ cd /share/hr/insurance/
[jane@localhost insurance]$ ls -l
-rwxrwx---+ 1 root hr 0 Mar 28 14:21 drivers
-rwxrwx---. 1 root hr 0 Mar 28 14:21 life
-rwxrwx---. 1 root hr 0 Mar 28 14:21 medical

[jane@localhost insurance]$ echo hello > drivers
[jane@localhost insurance]$ cat drivers 
hello

[jane@localhost insurance]$ echo hello > life
-bash: life: Permission denied
[jane@localhost insurance]$ echo hello > medical 
-bash: medical: Permission denied

If you made a mistake when setting the ACL, reset the controls back to their base values using the -b or --remove-all option of setfacl, and go back to Step-1 before continuing to Step-2.

# setfacl -b /share/hr/insurance/drivers

Step-2 – Now we will give the mgmt group access to everything under sales/customers. For this, we will use the -R option with setfacl. The -R is for recursive and will cover all files and directories under the directory given by the path on the command line:

# setfacl -Rm g:mgmt:rwx /share/sales/customers
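The getfacl output in Step-1 contains a mask:: line that caps what named users, named groups and the owning group can actually do, and after Step-2 you will be reading the same output format for many files at once (getfacl -R, or a wildcard as in the first listing). The script below is an added example, not part of the original lab: it parses getfacl text and reports the effective permission of one entry per file. Its sample ACL text is constructed for the example, including a user:sally entry and a restrictive r-x mask that the lab itself does not set.

```shell
#!/bin/sh
# Constructed getfacl output (sample data for this example, not captured from
# the lab system) in the format shown above: the drivers file after a named
# group, a named user and a restrictive mask were set; life is untouched.
SAMPLE_ACL='# file: share/hr/insurance/drivers
# owner: root
# group: hr
user::rwx
user:sally:rw-
group::rwx
group:mgmt:rwx
mask::r-x
other::---

# file: share/hr/insurance/life
# owner: root
# group: hr
user::rwx
group::rwx
other::---'

# effective_perms ENTRY  (reads getfacl text on stdin)
# For every "# file:" block, prints "<file> <perms>", where <perms> is what
# ENTRY (e.g. group:mgmt, user:sally, group:) really gets once the mask is
# applied: named users, named groups and the owning group are capped by mask::,
# the owner (user:) and other: are not. Files without ENTRY print "-".
# getfacl's own "#effective:" annotations are stripped and recomputed here.
effective_perms() {
    awk -v want="$1" '
        function flush(   p, m, i, k, out) {
            if (file == "") return
            p = (want in perm) ? perm[want] : "-"
            if (p != "-" && ("mask:" in perm) && want != "user:" && want != "other:") {
                m = perm["mask:"]; out = ""
                for (i = 1; i <= 3; i++)
                    out = out (substr(p, i, 1) == substr(m, i, 1) ? substr(p, i, 1) : "-")
                p = out
            }
            print file, p
            for (k in perm) delete perm[k]
            file = ""
        }
        /^# file: / { flush(); file = $3; next }
        /^#/ || NF == 0 { next }
        { sub(/[ \t]*#.*/, ""); n = split($0, f, ":"); perm[f[1] ":" f[2]] = f[n] }
        END { flush() }'
}
printf '%s\n' "$SAMPLE_ACL" | effective_perms group:mgmt
# share/hr/insurance/drivers r-x
# share/hr/insurance/life -
```

On a live system, pipe real output into it, e.g. getfacl -R /share/sales/customers | effective_perms group:mgmt, to confirm what the recursive change in Step-2 actually granted.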

———- Incomplete ———-

Appendix: Lab Setup

Create the users and groups for the lab:

# groupadd mgmt
# groupadd sales
# groupadd hr
# groupadd tech

# useradd -g mgmt jane
# useradd -g sales sally
# useradd -g tech enola

Add the files and directory structure, and set group ownership:

# mkdir -p /share/hr/payroll
# mkdir /share/hr/insurance
# mkdir -p /share/IT/workstations/sales
# mkdir -p /share/sales/customers
# mkdir /share/sales/software

# touch /share/sales/software/chrome
# touch /share/sales/customers/ABC /share/sales/customers/XYZ
# touch /share/hr/insurance/life /share/hr/insurance/medical /share/hr/insurance/drivers
# touch /share/IT/workstations/sales/machine1 /share/IT/workstations/sales/machine2

# chmod 770 /share/hr/insurance/*
# chgrp -R hr /share/hr
# chgrp -R sales /share/sales
# chgrp -R tech /share/IT
