Linux Access Control Lists (ACLs)

This article covers the creation and management of Access Control Lists (ACLs) on Linux, with specific reference to the information needed for the RHCSA EX200 and RHCE EX300 certification exams.

Remember, the exams are hands-on, so it doesn't matter which method you use to achieve the result, so long as the end product is correct.

The basic file permissions allow control over read, write and execute for the file owner, the owning group and all other users. In many cases this is all you need, but sometimes you need to customize permissions for multiple users and groups, which cannot be done using the basic permissions system. In these cases, ACLs provide an extra level of control and flexibility.

Enable ACLs for a Volume

Check to see if ACLs are currently enabled on the volume. The presence of the "(rw)" string without "acl" in it suggests they are not.

# mount -l -t ext4
/dev/mapper/vg_rhce1-lv_root on / type ext4 (rw)
/dev/vda1 on /boot type ext4 (rw)
#

Edit the "/etc/fstab" file, adding "acl" to the options for the root file system. The following text shows the initial setting and the altered line.

# Before
/dev/mapper/vg_rhce1-lv_root /                       ext4    defaults        1 1

# After
/dev/mapper/vg_rhce1-lv_root /                       ext4    defaults,acl        1 1

Remount the file system for the change to take effect. The "(rw,acl)" text shows the volume now supports ACLs.

# mount -o remount /
# mount -l -t ext4
/dev/mapper/vg_rhce1-lv_root on / type ext4 (rw,acl)
/dev/vda1 on /boot type ext4 (rw)
#

User ACLs

The getfacl command lists the current permissions for a specified file or directory. The example below shows the basic permissions on a new file.

# cd /root
# touch test.txt
# getfacl test.txt
# file: test.txt
# owner: root
# group: root
user::rw-
group::r--
other::r--

#

The "setfacl -m" command is used to control the permissions on files and directories. User level permissions are set using the "u:username:permissions" format. The following example sets the "rwx" permissions on the file for the user "oracle". Notice the new user entry in the permissions list.

# setfacl -m u:oracle:rwx test.txt
# getfacl test.txt
# file: test.txt
# owner: root
# group: root
user::rw-
user:oracle:rwx
group::r--
mask::rwx
other::r--

#

The specific user entry is removed using the "-x" option. Notice the user entry has now been removed.

# setfacl -x u:oracle test.txt
# getfacl test.txt
# file: test.txt
# owner: root
# group: root
user::rw-
group::r--
mask::rwx
other::r--

#

Group ACLs

Group permissions are also set using the "setfacl -m" command, but this time we use the "g:groupname:permissions" format. In the following example we give the "apache" group "rx" permissions on the file. Notice the new group entry in the permissions list.

# setfacl -m g:apache:rx test.txt
# getfacl test.txt
# file: test.txt
# owner: root
# group: root
user::rw-
group::r--
group:apache:r-x
mask::rwx
other::r--

#

The permission is removed using the "-x" option.

# setfacl -x g:apache test.txt
# getfacl test.txt
# file: test.txt
# owner: root
# group: root
user::rw-
group::r--
mask::rwx
other::r--

#
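Notice that a "mask::" entry appears in the getfacl output as soon as a named user or group entry exists. The rights a named entry actually grants are its permissions ANDed with that mask (the owner "user::" and "other::" entries are not masked), and getfacl marks any difference with a "#effective:" annotation. The script below is an added example, not part of the original article: it parses getfacl output and reports the effective rights of each named entry. The input is constructed, mirroring test.txt above but with a hypothetical restrictive mask of "r--" so that the masking is visible.

```shell
#!/bin/sh
# Constructed getfacl output (not captured from the article's system). It mirrors
# the article's test.txt after the user and group entries are added, but with a
# hypothetical restrictive mask of r-- so that masking is visible.
SAMPLE_ACL='# file: test.txt
# owner: root
# group: root
user::rw-
user:oracle:rwx
group::r--
group:apache:r-x
mask::r--
other::r--'

# effective_acl: reads getfacl output on stdin and prints one line per named
# user/group entry as kind:name:granted:effective, where effective is the
# granted permission set ANDed with the mask entry. The owner (user::) and
# other:: entries are never masked, so they are not reported here.
effective_acl() {
    awk -F: '
        /^#/ || NF < 3 { next }                 # skip header comments and blank lines
        { sub(/[ \t].*/, "", $3) }              # drop the #effective: annotation getfacl prints
        $1 == "mask" { mask = $3; next }
        ($1 == "user" || $1 == "group") && $2 != "" {
            n++; kind[n] = $1; name[n] = $2; perm[n] = $3
        }
        END {
            if (mask == "") mask = "rwx"        # no mask entry: nothing is restricted
            for (i = 1; i <= n; i++) {
                eff = ""
                for (j = 1; j <= 3; j++) {
                    c = substr(perm[i], j, 1); m = substr(mask, j, 1)
                    eff = eff ((c != "-" && m != "-") ? c : "-")
                }
                printf "%s:%s:%s:%s\n", kind[i], name[i], perm[i], eff
            }
        }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_ACL" | effective_acl
```

To audit a real file, replace the sample with `getfacl test.txt | effective_acl`; any entry whose fourth field is narrower than its third is being limited by the mask rather than by the entry you set.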

Miscellaneous

Like most Linux commands, setfacl comes with a wide variety of flags to alter its behaviour. You should take a look at the man pages to familiarise yourself with them. Further usage examples are given at the bottom of the man page.

Hope this helps. Regards Tim...
