Difference between revisions of "Access Control Lists"

From ArchWiki
Jump to: navigation, search
m (Additional Resources: > See also)
m (See also: use Template:man)
 
(13 intermediate revisions by 10 users not shown)
Line 1: Line 1:
 
[[Category:Security]]
 
[[Category:Security]]
 +
[[ja:アクセス制御リスト]]
 
[[ru:Access Control Lists]]
 
[[ru:Access Control Lists]]
 
'''A'''ccess '''C'''ontrol '''L'''ist (ACL) provides an additional, more flexible permission mechanism for file systems. It is designed to assist with <code>UNIX</code> file permissions. ACL allows you to give permissions for any user or group to any disc resource.
 
'''A'''ccess '''C'''ontrol '''L'''ist (ACL) provides an additional, more flexible permission mechanism for file systems. It is designed to assist with <code>UNIX</code> file permissions. ACL allows you to give permissions for any user or group to any disc resource.
Line 13: Line 14:
 
To enable ACL, the filesystem must be mounted with the {{ic|acl}} option. You can use [[fstab]] to make it permanent on your system.
 
To enable ACL, the filesystem must be mounted with the {{ic|acl}} option. You can use [[fstab]] to make it permanent on your system.
  
There is a big chance that the {{ic|acl}} option is already active as default mount option of your filesystem. Use the following command to check it:
+
There is a possibility that the {{ic|acl}} option is already active as default mount option on the filesystem. [[Btrfs]] does and possibly ext filesystems do too.  Use the following command to check ext* formatted partitions for the option:
  
 
{{hc|# tune2fs -l /dev/sd''XY'' <nowiki>|</nowiki> grep "Default mount options:"|
 
{{hc|# tune2fs -l /dev/sd''XY'' <nowiki>|</nowiki> grep "Default mount options:"|
Line 33: Line 34:
  
 
=== Set ACL ===
 
=== Set ACL ===
To modify ACL use {{ic|setfacl}} command. To add permissions use {{ic|setfacl -m}}.
 
  
Add permissions to some user:
+
The ACL can be modified using the ''setfacl'' command.
# setfacl -m "u:username:permissions"
+
or
+
# setfacl -m "u:uid:permissions"
+
  
Add permissions to some group:
+
To add permissions for a user ({{ic|''user''}} is either the user name or ID):
  # setfacl -m "g:groupname:permissions"
+
  # setfacl -m "u:''user:permissions''" <file/dir>
or
+
# setfacl -m "g:gid:permissions"
+
  
Remove all permissions:
+
To add permissions for a group ({{ic|''group''}} is either the group name or ID):
  # setfacl -b
+
  # setfacl -m "g:''group:permissions''" <file/dir>
  
Remove each entry:
+
To allow all files or directories to inherit ACL entries from the directory it is within:
  # setfacl -x "entry"
+
  # setfacl -dm "''entry''" <dir>
  
To check permissions use:
+
To remove a specific entry:
 +
# setfacl -x "''entry''" <file/dir>
 +
 
 +
To remove all entries:
 +
# setfacl -b <file/dir>
 +
 
 +
=== Show ACL ===
 +
To show permissions, use:
 
  # getfacl filename
 
  # getfacl filename
  
Line 114: Line 116:
 
}}
 
}}
  
== Increase security of your web server ==
+
== Granting execution permissions for private files to a Web Server ==
You can now add permissions to our home directory and/or site directory only to nobody user any anyone else - without "whole world" to increase your security.
+
The following technique describes how a process like a web server can be granted access to files that reside in a user's home directory, without compromising security by giving the whole world access.
 +
 
 +
In the following we assume that the web server runs as the user {{ic|webserver}} and grant it access to {{ic|geoffrey}}'s home directory {{ic|/home/geoffrey}}.
 +
 
 +
The first step is granting execution permission to {{ic|webserver}} so it can access {{ic|geoffrey}}'s home:
 +
# setfacl -m "u:webserver:--x" /home/geoffrey
 +
''Remember'': Execution permissions to a directory are necessary for a process to list the directory's content.
 +
 
 +
 
 +
Since {{ic|webserver}} is now able to access files in {{ic|/home/geoffrey}}, {{ic|other}} no longer needs access, so it can be safely removed:
 +
# chmod o-rx /home/geoffrey
  
Add permissions '''+x''' for nobody user on your home directory via ACL:
+
{{ic|getfacl}} can be used to verify the changes:
  # setfacl -m "u:nobody:--x" /home/homeusername/
+
  $ getfacl /home/geoffrey
Now you can remove whole world rx permissions:
+
getfacl: Removing leading '/' from absolute path names
# chmod o-rx /home/homeusername/
+
  # file: home/geoffrey
Check our changes:
+
  # owner: geoffrey
+
  # group: geoffrey
  # file: username/
+
  # owner: username
+
  # group: users
+
 
  user::rwx
 
  user::rwx
  user:nobody:--x
+
  user:webserver:--x
 
  group::r-x
 
  group::r-x
 
  mask::r-x
 
  mask::r-x
 
  other::---
 
  other::---
  
As we can see others do not have any permissions but user nobody have "x" permission so they can "look" into users directory and give access to users pages from their home directories to www server. Of course if www server work as nobody user. But - whole world except nobody - do not have any permissions.
+
As the above output shows, {{ic|other}}'s no longer have any permissions, but {{ic|webserver}} still is able to access the files, thus security might be considered increased.
  
 
== See also ==
 
== See also ==
  
* Man Page - {{ic|man getfacl}}
+
* {{man|1|getfacl}}
* Man Page - {{ic|man setfacl}}
+
* {{man|1|setfacl}}
 +
* An old but still relevant (and thorough) [http://www.vanemery.com/Linux/ACL/linux-acl.html guide] to ACL

Latest revision as of 19:39, 13 September 2016

Access Control List (ACL) provides an additional, more flexible permission mechanism for file systems. It is designed to assist with UNIX file permissions. ACL allows you to give permissions for any user or group to any disc resource.

Installation

The required package acl is a dependency of systemd, it should already be installed.

Configuration

Enabling ACL

To enable ACL, the filesystem must be mounted with the acl option. You can use fstab to make it permanent on your system.

There is a possibility that the acl option is already active as default mount option on the filesystem. Btrfs does and possibly ext filesystems do too. Use the following command to check ext* formatted partitions for the option:

# tune2fs -l /dev/sdXY | grep "Default mount options:"
Default mount options:    user_xattr acl

Also check that the default mount option is not overridden, in such case you will see noacl in /proc/mounts in the relevant line.

You can set the default mount options of a filesystem using the tune2fs -o option partition command, for example:

# tune2fs -o acl /dev/sdXY

Using the default mount options instead of an entry in /etc/fstab is very useful for external drives, such partition will be mounted with acl option also on other Linux machines. There is no need to edit /etc/fstab on every machine.

Note:
  • acl is specified as default mount option when creating an ext2/3/4 filesystem. This is configured in /etc/mke2fs.conf.
  • The default mount options are not listed in /proc/mounts.

Set ACL

The ACL can be modified using the setfacl command.

To add permissions for a user (user is either the user name or ID):

# setfacl -m "u:user:permissions" <file/dir>

To add permissions for a group (group is either the group name or ID):

# setfacl -m "g:group:permissions" <file/dir>

To allow all files or directories to inherit ACL entries from the directory it is within:

# setfacl -dm "entry" <dir>

To remove a specific entry:

# setfacl -x "entry" <file/dir>

To remove all entries:

# setfacl -b <file/dir>

Show ACL

To show permissions, use:

# getfacl filename

Examples

Set all permissions for user johny to file named "abc":

# setfacl -m "u:johny:rwx" abc

Check permissions

# getfacl abc
# file: abc
# owner: someone
# group: someone
user::rw-
user:johny:rwx
group::r--
mask::rwx
other::r--

Change permissions for user johny:

# setfacl -m "u:johny:r-x" abc

Check permissions

# getfacl abc
# file: abc
# owner: someone
# group: someone
user::rw-
user:johny:r-x
group::r--
mask::r-x
other::r--

Remove all extended ACL entries:

# setfacl -b abc

Check permissions

# getfacl abc
# file: abc
# owner: someone
# group: someone
user::rw-
group::r--
other::r--

Output of ls command

You will notice that there is an ACL for a given file because it will exhibit a + (plus sign) after its Unix permissions in the output of ls -l.

$ ls -l /dev/audio
crw-rw----+ 1 root audio 14, 4 nov.   9 12:49 /dev/audio
$ getfacl /dev/audio
getfacl: Removing leading '/' from absolute path names
# file: dev/audio
# owner: root
# group: audio
user::rw-
user:solstice:rw-
group::rw-
mask::rw-
other::---

Granting execution permissions for private files to a Web Server

The following technique describes how a process like a web server can be granted access to files that reside in a user's home directory, without compromising security by giving the whole world access.

In the following we assume that the web server runs as the user webserver and grant it access to geoffrey's home directory /home/geoffrey.

The first step is granting execution permission to webserver so it can access geoffrey's home:

# setfacl -m "u:webserver:--x" /home/geoffrey

Remember: Execution permissions to a directory are necessary for a process to list the directory's content.


Since webserver is now able to access files in /home/geoffrey, other no longer needs access, so it can be safely removed:

# chmod o-rx /home/geoffrey

getfacl can be used to verify the changes:

$ getfacl /home/geoffrey
getfacl: Removing leading '/' from absolute path names
# file: home/geoffrey
# owner: geoffrey
# group: geoffrey
user::rwx
user:webserver:--x
group::r-x
mask::r-x
other::---

As the above output shows, other's no longer have any permissions, but webserver still is able to access the files, thus security might be considered increased.

See also