Linux Security 101 : Access Control Lists - ACLs -
Access control lists - ACLs - give us more options in terms of controlling access to files.
For example, using ACLs, if we want to give access to a file - file1 - for a user -Albert - , we wouldn't have to add the Albert to a group where access to the file file1 and to other files is permitted, or create a new group that has access to file1 and add the user Albert to it.
But using the "classical" method, we would have to create a new group that gives access to that file1 and add Albert to it.
To be able to use ACL, we would need to mount the partition - /dev/sda1 - with the acl option enabled as we see below - we have a choice between using mount or tune2fs -:
We check that using the below command:
- Access ACL: give access to files and directories
- Default ACL: could only be used with directories, it decides the access right for all the objects under a directory - each object inherits the ACL of its parent directory -.
To create or modify ACLs, we use the command - setfacl - as below:
The below command modifies the ACLs of the file file_name for the user Albert giving him - read, write, and exec - rights over the file filename:
To give permission - read and write -for a whole group - marketing - we use the below command:
To give "others" - not members of the file's group - read rights, we use the below command:
To restrict permissions, we use the effective mask which works like the "umask" that is applied for the regular permissions:
The above mask prevents the users of the file_name from operations other the - read and write -.
The mask represents the "maximum" permission allowed for a file.
The ACL to which the mask has been applied are called "effective".
If we want all the files in a directory to be readable and executable by the members of the marketing group for example, we use the below command - the "d" parameter is used for the default ACLs -:
Modifying, deleting and removing ACLs:
To modify the ACLs - read and write - recursively in a directory for the marketing group, we use the below command:
Deleting the ACL rules of the file_name for the user Albert:
Removing ACLs from the file file_name:
To display the ACLs of the file file1, we use the below command:
We could see if a file uses ACLs if we see a "+" sign next to the traditional permissions: