Linux Security 101 : Access Control Lists

Access control lists - ACLs - give us more options in terms of controlling access to files.

For example, using ACLs, if we want to give access to a file - file1 - for a user -Albert - , we wouldn't have to add the Albert to a group where access to the file file1 and to other files is permitted, or create a new group that has access to file1 and add the user Albert to it.

But using the "classical" method, we would have to create a new group that gives access to that file1 and add Albert to it.

Using ACLs:

To be able to use ACL, we would need to mount the partition - /dev/sda1 - with the acl option enabled as we see below - we have a choice between using mount or tune2fs -:

We check that using the below command:

ACL types:

Access ACL: give access to files and directories
Default ACL: could only be used with directories, it decides the access right for all the objects under a directory - each object inherits the ACL of its parent directory -.

Managing ACLs - setfacl - :

To create or modify ACLs, we use the command - setfacl - as below:

The below command modifies the ACLs of the file file_name for the user Albert giving him - read, write, and exec - rights over the file filename:

To give permission - read and write -for a whole group - marketing - we use the below command:

To give "others" - not members of the file's group - read rights, we use the below command:

To restrict permissions, we use the effective mask which works like the "umask" that is applied for the regular permissions:

The above mask prevents the users of the file_name from operations other the - read and write -.

The mask represents the "maximum" permission allowed for a file.

Remark:

The ACL to which the mask has been applied are called "effective".

Default ACLs:

If we want all the files in a directory to be readable and executable by the members of the marketing group for example, we use the below command - the "d" parameter is used for the default ACLs -: