Access control lists:

Access control lists (ACL) can be viewed as an extension to the
conventional Linux discretionary access control (DAC).

When displaying the ACL attributes of a file, we get for example
the below output:


We could see for the above results that the ACL is not set for the
file "file".

Depending on the system, ACL is either set by default or not.

ACL-enabled partitions:

We can check if the ACL is set on a partition "sda1" for example, using the below command, then we check the mount option in the output:


We can set ACL on a partition using :


-o : to introduce then mount options for the partition.

"/etc/fstab" and ACL:

We can set the ACL option in the "/etc/fstab" file as below:


For the changes to take effect, we use the below command to remount the partition with ACL enabled:


An example of ACL:


We can see that the user "debian" has "read" and "write"
rights.
Member of the group "debian-group" can only read the file.

The owner "debian" can give rights for example to "Albert" to "read", "write" and "execute" the file "file_acl" using the below command:


-m: means 'm'odify

We can check the changes using the below command:


We would also need to set the right access permissions for Albert for the directory containing the "
file_acl" fileso that he could see the "file_acl" in the "debiandirectory:


To apply the same rights for a user across a whole directory, we use
the "-R" option as below:


Removing ACL rights:

We could use the below command to remove ACL rights:


The above command deletes the "read" rights of the user Albert on the "file_acl".

We could remove all rights from user Albert using the
below command:


Or we could use the below command to remove all ACL of the file "file_acl" for the user Albert:


Groups and rights:

We could also give "read" and "write" rights to the members of the group "debian-group" for the file "/home/debian/file_acl" for example using the below command:


Setting up rights for "others":

We can give "others", "read" and "write" permissions using the below command:


Setting up reading rights for a directory:

To be able to list the contents of a directory, we can give the
user "Albert" the below rights:


The "ls" command and ACLs:

We know that a file has ACL enabled, when we see "+" sign appended to the (DAC) rights, when we run the "ls" command as below:


ACL masks:

ACL masks limit the rights that could be given to files or directories. 

Example:


The only permissions that could be given using the setfacl
command are "read" or "write" permission.


We can also display the "mask" using the below command:


Brando Sabatini and Ikbal C ©. Powered by Blogger.