Access Control Lists
Beyond POSIX permissions
[Link]
Copyright © SUPINFO. All rights reserved
Access Control Lists
Course objectives
By completing this course, you will:
- Know what ACL’s really are: a fine-grained permissions model.
- Define complex permission schemes, when POSIX permissions are helpless.
- Create inherited entries, using default ACL’s.
Access Control Lists
Course topics
Course’s plan:
- About ACL’s: overcome POSIX permissions limitations.
- ACL structure: what does it look like?
- Working with ACL’s: Create, Retrieve, Update, Delete.
Access Control Lists
About ACL’s
When POSIX permissions aren’t enough
About ACL’s
Access Control Lists
Extended permission sets.
POSIX permissions: User, Groups, Others.
ACL’s: the same permissions, plus an extended control set: a list of “trustees”, i.e. any user(s) and any group(s).
About ACL’s
Why use ACL’s ?
A real-life example: the “users” group contains Amanda, Bridget and John.
John wants to share a document:
  Amanda   rw-
  Bridget  ---
POSIX permissions cannot express this (both are in the same group): use ACL’s to circumvent the limitation.
About ACL’s
Enable ACL’s
ACL support needs to be enabled.
- Kernel support: CONFIG_FS_POSIX_ACL, enabled in most (all) distros.
- Filesystem support: native support (most fs do) or a mount option.
About ACL’s
Enable ACL’s
To enable ACL support:
Install acl and libacl packages
Mount your filesystem with the acl option
# mount / -o remount,acl
About ACL’s
Stop-and-think
Do you have any questions ?
About ACL's
Stop-and-think
ACLs are active by default in your filesystem.
True
False
Access Control Lists
ACL structure
What does it look like?
ACLs structure
ACL Entries
ACL entries format.
Regular entries:
  user:user:mode      e.g. user:sarah:rw-
  group:group:mode    e.g. group:uucp:r--
Default entries: “default” prefix
  default:group:uucp:r--
Mask entry:
  mask::mode
ACLs structure
ACL Entries
Access Control List example:
$ getfacl [Link]
# file: [Link]
# owner: sarah
# group: users
user::rw-
user:john:rw-
user:bill:rw-
group::r--
group:headquarters:rw-
mask::rw-
other::r--
ACLs structure
Stop-and-think
Do you have any questions ?
Access Control Lists
Working with ACL’s
CRUD on ACL’s
Working with ACL’s
Setfacl invocation
Setting ACL’s
[user@linux ~]$ setfacl [options] file or directory

Options           Definitions
-m u:user:mode    Add a user ACL
-m g:group:mode   Add a group ACL
-R                Apply operations to all files and directories recursively
-b                Remove (blank) all ACL entries
-x aclspec        Delete a specific entry
Working with ACL’s
Default ACL’s
Inherited ACL’s.
- On directories only.
- Inherited by new files and new subdirs.
- Implement a policy, e.g. webmasters get rw- on any file.
- Prepend “d:” to the ACL spec.
Working with ACL’s
Mask
Limitative permission set.
- Set an arbitrary limit: “No one can have more than r-x”, even if the trustee has an explicit entry.
- Effective permission set: trustee mode AND mask.
- Doesn’t apply to the owner (user::) and others (other::) entries.
- Set with: m::mode
Access Control Lists
Effective = Mask & Mode

Objects      Read   Write   Execute
User/Group   X      X
Mask         X              X
Effective    X
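As an added example (not from the SUPINFO slides) of the rule above, a POSIX shell script that ANDs each entry's mode with the mask and annotates a getfacl-style listing the way getfacl's "#effective:" comment does; the listing is constructed from the slide's example with the mask lowered to r-x so the reduction is visible.

```shell
# Effective ACL rights: each entry's mode AND the mask, bit by bit.
# Added example, not SUPINFO course code; needs no acl package. The
# sample listing is constructed from the slide's getfacl output with
# the mask lowered to r-x so that the reduction is visible.

# effective_mode MODE MASK: print the rwx triplet that really applies
effective_mode() {
    mode=$1; mask=$2; out=""; i=1
    while [ "$i" -le 3 ]; do
        m=$(printf '%s' "$mode" | cut -c"$i")
        k=$(printf '%s' "$mask" | cut -c"$i")
        # a bit survives only when mode and mask both grant it
        if [ "$m" = "$k" ] && [ "$m" != "-" ]; then out="$out$m"; else out="$out-"; fi
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# annotate_acl: read getfacl-style lines on stdin and append
# "#effective:" where the mask reduces an entry, as getfacl does.
# The mask applies to named users, the owning group and named groups;
# the owner (user::) and other:: entries are never masked.
annotate_acl() {
    acl=$(cat)
    mask=$(printf '%s\n' "$acl" | sed -n 's/^mask::\(...\).*/\1/p')
    printf '%s\n' "$acl" | while IFS= read -r line; do
        case "$line" in
            user:?*:*|group:*:*)
                mode=$(printf '%s' "$line" | cut -d: -f3)
                eff=$(effective_mode "$mode" "$mask")
                if [ "$eff" != "$mode" ]; then
                    printf '%s\t#effective:%s\n' "$line" "$eff"
                else
                    printf '%s\n' "$line"
                fi ;;
            *) printf '%s\n' "$line" ;;
        esac
    done
}

# constructed sample (slide listing, mask changed to r-x)
SAMPLE_ACL='# file: report.txt
user::rw-
user:john:rw-
group::r--
group:headquarters:rw-
mask::r-x
other::r--'
printf '%s\n' "$SAMPLE_ACL" | annotate_acl
```

Running it prints the owner and other:: lines untouched, while user:john and group:headquarters are reduced to r-- by the r-x mask.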
Access Control Lists
Setfacl examples
root@localhost:~# setfacl -m u:supinfo:rw \
/var/www/[Link]
root@localhost:~# setfacl -m g:labmembers:rw \
/var/www/[Link]
root@localhost:~# setfacl -x u:supinfo \
/var/www/[Link]
root@localhost:~# setfacl -b /var/www/[Link]
root@localhost:~# setfacl -m d:g:webmaster:rw \
/var/www
root@localhost:~# setfacl -m m::rw- /var/www
Working with ACL’s
Getfacl invocation
Using getfacl
[user@linux ~]$ getfacl [options] file or directory
Options Definitions
-a Display the file Access Control List only (no default)
-d Display the default Access Control List only
-R List the ACL of all files and directories recursively
Access Control Lists
Getfacl examples
List the whole ACLs recursively from user’s home:
# getfacl -R /home/user/
Display the file ACL of /var/www:
# getfacl -a /var/www
Display the default ACL of /var/www:
# getfacl -d /var/www
Working with ACL’s
Stop-and-think
Do you have any questions ?
Working with ACL’s
Stop-and-think
Setfacl options: Match options and their definition.
-m  Apply recursively
-b  Add ACL entry
-R  Delete all ACLs
Access Control Lists
Course summary
- What are ACL’s? Extended permission model.
- ACL structure.
- Mask.
- Default ACL’s.
Access Control Lists
For more
If you want to go into these subjects more deeply, …
Publications: Linux Technologies: Edge Computing
Courses: Linux system administration
Web sites: [Link], [Link], [Link]
Conferences: FOSDEM, RMLL, Solutions Linux
Congratulations
You have successfully completed the SUPINFO course module n°08 Access Control Lists
Access Control Lists
The end
ACL’s don’t work without the ‘acl’ mount option.
Some filesystems don’t have ACL support (vfat, …).