Security 101 : Access Control Lists (ACL)
Access Control Lists (ACL):
In Unix, file permissions are as follows:
- Access rights for the owner of the file.
- Access rights for the group the file belongs to.
- Access rights for the rest of the users, who are not members of the group the file is associated with.
The above system presents certain limitations.
Group permissions help us grant different access rights to different groups of users, but a file can only belong to one group.
When we want to associate a file with a different group of users with different access rights, a new group needs to be created.
A user can switch to a different group they are a member of using the command:
The standard Unix access model doesn't lend itself easily to cases where a file for example needs to be "read-only" by one group of users and "readable, writable" by another group of users.
File permissions could be seen as a simple form of the access control list (ACL).
ACL permissions apply to all the objects in the filesystem (files, directories, and so on).
The FreeBSD UFS filesystem and the ZFS filesystem support ACLs.
ACLs allow us to have more control over access rights.
We could have different users and different groups with different access rights to the same file for example.
NFSv4 ACL allows the ACL permissions to be shared over the network.
Mounting File Systems:
In order to use ACL on a file, the partition that holds the file must have ACL support.
To be able to do so we mount the filesystem with ACL support.
Mounts the partition /dev/sd2 with ACL support on the /home/Albert mount point.
We can also add ACL support in the /etc/fstab file:
NFS and the no_acl option:
We can use the "no_acl" option in the /etc/exports file to disable ACL for an NFS mount.
Access ACLs: applicable to files and directories.
Default ACLs: only applicable to directories.
A file without ACL in a directory with default ACL "inherits" the ACL of the directory.
How to configure ACLs (setfacl command):
The setfacl command sets the ACLs for files and directories:
-m : To add or modify the ACL.
-x : To remove permissions.
We can specify multiple rules separated by commas.
- u:uid:perm : Sets the ACL for a user (username or UID could be used).
- g:gid:perm : Sets the ACL for a group (The group name or GID could be used).
- o:perm : Sets the access ACL for the rest of the users.
- m:perm : Sets the ACL mask; it is used to give default permissions to newly created folders and files.
Perm could be read-only (r--) or read-write (rw-) for example.
Setting the ACL mask:
We can set the mask using:
perm: use the characters "r", "w", and "x" for read, write and execute.
In order to give read and write permissions to the user Albert on /home/Albert :
Removing ACL permissions:
To remove all the permissions for a user, group, or others, use the -x option:
To remove all the permissions from the user with UID 900:
To set a default ACL, add "d:" before the rule and specify the directory.
For example, to set the default ACL for the /home directory to read and execute for other users not in the user group, we do the following:
The access ACL of an individual file can override the default ACL of the directory that contains it.
We use the getfacl command to retrieve the ACLs.
We get the below output:
If a directory has a default ACL, the default ACL is also displayed.
We also have a user "Tom" with read rights.
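As an added example (not part of the original article), the Python code below parses getfacl output and reports which named users, named groups and "other" end up with write access. The sample listing is constructed, the group names staff and editors are hypothetical, and the code assumes the POSIX.1e rule that the mask entry caps the rights of named users, the owning group and named groups.

```python
# Added example: audit getfacl output for effective write access.
# SAMPLE is constructed; the groups "staff" and "editors" are hypothetical.
SAMPLE = """\
# file: home/Albert
# owner: Albert
# group: staff
user::rwx
user:Tom:r--
user:900:rw-
group::r-x
group:editors:rwx
mask::r-x
other::r-x
default:user::rwx
default:other::r-x
"""

def parse_getfacl(text):
    """Split getfacl output into access and default entry lists."""
    acl = {"access": [], "default": []}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop headers and "#effective:" notes
        if not line:
            continue
        scope = "access"
        if line.startswith("default:"):
            scope, line = "default", line[len("default:"):]
        tag, qualifier, perms = line.split(":", 2)
        acl[scope].append((tag, qualifier, perms.strip()))
    return acl

def effective(entries):
    """Apply the mask (assumed POSIX.1e semantics) to the entries it caps."""
    mask = next((p for t, _, p in entries if t == "mask"), "rwx")
    result = {}
    for tag, qualifier, perms in entries:
        if tag == "mask":
            continue
        # The owner (user::) and other:: entries are not limited by the mask.
        if tag == "group" or (tag == "user" and qualifier):
            perms = "".join(c if c == m else "-" for c, m in zip(perms, mask))
        result[(tag, qualifier)] = perms
    return result

def write_grants(entries):
    """Named users, named groups and 'other' with effective write access."""
    return sorted(f"{t}:{q}" for (t, q), p in effective(entries).items()
                  if "w" in p and (q or t == "other"))
```

With the mask set to r-x in the sample, the rw- entry for UID 900 is reduced to r--, so a review that reads only the entry lines would overstate who can write.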