Difference between revisions of "Access Control Lists"

From ArchWiki
(Initial edition)
 
m (Granting execution permissions for private files to a web server: move notes to the relevant places)
 
(75 intermediate revisions by 31 users not shown)
Line 1: Line 1:
=Introduction=
+
[[Category:Access control]]
[b]A[/b]ccess [b]C[/b]ontroll [b]L[/b]ist provides additional, more flexible permission mechanism to file system. ACL assistance with unix basis file permission. ACL file system allow you to give permissions for any user or group to any disc resource.
+
[[es:Access Control Lists]]
 +
[[ja:アクセス制御リスト]]
 +
[[ru:Access Control Lists]]
 +
[[Wikipedia:Access Control List|Access control list]] (ACL) provides an additional, more flexible permission mechanism for [[file systems]]. It is designed to assist with UNIX file permissions. ACL allows you to give permissions for any user or group to any disk resource.
  
=Installation=
+
== Installation ==
ACL is available from the /core repositories:
 
# pacman -S acl
 
  
=Configuration=
+
The {{Pkg|acl}} package is a dependency of [[systemd]], it should already be installed.
  
==Enabling ACL==
+
== Configuration ==
To enable ACL - edit '''/etc/fstab''' file and add ''acl'' attribute in options on the partition which you want to use ACL:
 
  
<pre>
+
=== Enabling ACL ===
#
 
# /etc/fstab: static file system information
 
#
 
# <file system>        <dir>        <type>    <options>          <dump> <pass>
 
none                  /dev/pts      devpts    defaults            0      0
 
none                  /dev/shm      tmpfs    defaults            0      0
 
  
/dev/cdrom /media/cdrom  auto    ro,user,noauto,unhide  0      0
+
To enable ACL, the filesystem must be mounted with the {{ic|acl}} option. You can use [[fstab]] to make it permanent on your system.
/dev/dvd /media/dvd  auto    ro,user,noauto,unhide  0      0
 
UUID=5de01fca-7c63-49b0-9b2b-8b1790f8428e swap swap defaults 0 0
 
UUID=822dd720-e35f-424c-b012-2c84b4aa265a /data reiserfs defaults 0 1
 
UUID=8e5259dd-26fc-411a-88e2-f38d4dc36724 /home reiserfs defaults,acl 0 1
 
UUID=c18f753e-0039-49bd-930f-587d48b7e083 / reiserfs defaults 0 1
 
UUID=f64bfc77-7958-49c5-a244-1fa2517d676f /tmp reiserfs defaults 0 1
 
</pre>
 
  
Save the file. Remount partition:
+
There is a possibility that the {{ic|acl}} option is already active as default mount option on the filesystem. [[Btrfs]] does and Ext2/[[Ext3|3]]/[[Ext4|4]] filesystems do too. 
# mount -o remount /home
+
Use the following command to check ext* formatted partitions for the option:
  
==Set ACL==
+
{{hc|# tune2fs -l /dev/sd''XY'' {{!}} grep "Default mount options:"|
To modify ACL use '''setfacl'' command. To add permissions use '''setfacl -m'''.
+
Default mount options:    user_xattr acl
 +
}}
  
Add permissions to some user:
+
Also check that the default mount option is not overridden, in such case you will see {{ic|noacl}} in {{ic|/proc/mounts}} in the relevant line.
# setfacl -m "u:username:permissions"
 
or
 
# setfacl -m "u:uid:permissions"
 
  
Add permissions to some group:
+
You can set the default mount options of a filesystem using the {{ic|tune2fs -o ''option'' ''partition''}} command, for example:
# setfacl -m "g:groupname:permissions"
 
or
 
# setfacl -m "g:gid:permissions"
 
  
Remove all permissions:
+
  # tune2fs -o acl /dev/sd''XY''
  # setfacl -b
 
  
Remove each entry:
+
Using the default mount options instead of an entry in {{ic|/etc/fstab}} is very useful for external drives, such partition will be mounted with {{ic|acl}} option also on other Linux machines. There is no need to edit {{ic|/etc/fstab}} on every machine.
# setfacl -x "entry"
 
  
To check permissions use:
+
{{Note|
# getfacl filename
+
* {{ic|acl}} is specified as default mount option when creating an ext2/3/4 filesystem. This is configured in {{ic|/etc/mke2fs.conf}}.
 +
* The default mount options are not listed in {{ic|/proc/mounts}}.
 +
}}
  
=Examples=
+
=== Set ACL ===
  
 +
The ACL can be modified using the ''setfacl'' command.
 +
 +
{{Tip|You can list file/directory permission changes without modifying the permissions (i.e. dry-run) by appending the {{ic|--test}} flag.}}
 +
 +
To set permissions for a user ({{ic|''user''}} is either the user name or ID):
 +
# setfacl -m "u:''user:permissions''" <file/dir>
 +
 +
To set permissions for a group ({{ic|''group''}} is either the group name or ID):
 +
# setfacl -m "g:''group:permissions''" <file/dir>
 +
 +
To set permissions for others:
 +
# setfacl -m "other:''permissions''" <file/dir>
 +
 +
To allow all ''newly created'' files or directories to inherit entries from the parent directory (this will not affect files which will be ''copied'' into the directory):
 +
# setfacl -dm "''entry''" <dir>
 +
 +
To remove a specific entry:
 +
# setfacl -x "''entry''" <file/dir>
 +
 +
To remove the default entries:
 +
# setfacl -k <file/dir>
 +
 +
To remove all entries (entries of the owner, group and others are retained):
 +
# setfacl -b <file/dir>
 +
 +
{{Note|The default behavior of ''setfacl'' is to recalculate the ACL mask entry, unless a {{ic|--mask}} entry was explicitly given. The mask entry is set to the union of all permissions of the owning group, and all named user and group entries (These are exactly the entries affected by the mask entry).}}
 +
 +
{{Tip|To apply operations to all files and directories recursively, append the {{ic|-R}} argument.}}
 +
 +
=== Show ACL ===
 +
To show permissions, use:
 +
# getfacl <file/dir>
 +
 +
== Examples ==
 
Set all permissions for user johny to file named "abc":
 
Set all permissions for user johny to file named "abc":
 
  # setfacl -m "u:johny:rwx" abc
 
  # setfacl -m "u:johny:rwx" abc
 
Check permissions
 
Check permissions
# getfacl abc
+
{{hc|# getfacl abc|
 
 
<pre>
 
 
# file: abc
 
# file: abc
 
# owner: someone
 
# owner: someone
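Review bot: The rewritten "Enabling ACL" text removes the old `/etc/fstab` listing and the `mount -o remount /home` step and puts nothing in their place. A reader whose filesystem does not carry `acl` as a default mount option is told to use fstab, but is shown neither the option inside an entry nor how to apply it to a mounted partition. Suggest keeping a single fstab line with `defaults,acl` and the remount command next to the new paragraph.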
Line 69: Line 83:
 
mask::rwx
 
mask::rwx
 
other::r--
 
other::r--
</pre>
+
}}
  
 
Change permissions for user johny:
 
Change permissions for user johny:
 
  # setfacl -m "u:johny:r-x" abc
 
  # setfacl -m "u:johny:r-x" abc
 
Check permissions
 
Check permissions
# getfacl abc
+
{{hc|# getfacl abc|
 
 
<pre>
 
 
# file: abc
 
# file: abc
 
# owner: someone
 
# owner: someone
Line 85: Line 97:
 
mask::r-x
 
mask::r-x
 
other::r--
 
other::r--
</pre>
+
}}
  
 
Remove all extended ACL entries:
 
Remove all extended ACL entries:
 
  # setfacl -b abc
 
  # setfacl -b abc
 
Check permissions
 
Check permissions
# getfacl abc
+
{{hc|# getfacl abc|
 
 
<pre>
 
 
# file: abc
 
# file: abc
 
# owner: someone
 
# owner: someone
Line 99: Line 109:
 
group::r--
 
group::r--
 
other::r--
 
other::r--
</pre>
+
}}
 +
 
 +
=== Output of ls command ===
 +
You will notice that there is an ACL for a given file because it will exhibit a {{ic|'''+'''}} (plus sign) after its Unix permissions in the output of {{ic|ls -l}}.
  
=Increase security of your web server=
+
{{hc|$ ls -l /dev/audio|
 +
crw-rw----+ 1 root audio 14, 4 nov.  9 12:49 /dev/audio
 +
}}
  
You can now add permissions to our home directory or/and site directory only to nobody user any anyone else - without "whole world" to increase your security.
+
{{hc|$ getfacl /dev/audio|
 +
getfacl: Removing leading '/' from absolute path names
 +
# file: dev/audio
 +
# owner: root
 +
# group: audio
 +
user::rw-
 +
user:solstice:rw-
 +
group::rw-
 +
mask::rw-
 +
other::---
 +
}}
  
Go to the home directory:
+
== Granting execution permissions for private files to a web server ==
# cd /home
+
The following technique describes how a process like a [[web server]] can be granted access to files that reside in a user's home directory, without compromising security by giving the whole world access.
Add permissions '''+x''' for nobody user on your home directory via ACL:
+
 
  # setfacl -m "u:nobody:--x" homeusername/
+
In the following we assume that the web server runs as the user {{ic|http}} and grant it access to {{ic|geoffrey}}'s home directory {{ic|/home/geoffrey}}.
Now you can remove whole world rx permissions:
+
 
  # chmod o-rx homeusername/
+
The first step is granting execution permissions for the user {{ic|http}}:  
Check our changes:
+
  # setfacl -m "u:http:--x" /home/geoffrey
+
 
<pre># file: username/
+
{{Note|Execution permissions to a directory are necessary for a process to list the directory's content.}}
# owner: username
+
 
# group: users
+
Since the user {{ic|http}} is now able to access files in {{ic|/home/geoffrey}}, others no longer need access:
 +
  # chmod o-rx /home/geoffrey
 +
 
 +
Use {{ic|getfacl}} to verify the changes:
 +
{{hc|$ getfacl /home/geoffrey|
 +
getfacl: Removing leading '/' from absolute path names
 +
# file: home/geoffrey
 +
# owner: geoffrey
 +
# group: geoffrey
 
user::rwx
 
user::rwx
user:nobody:--x
+
user:http:--x
 
group::r-x
 
group::r-x
 
mask::r-x
 
mask::r-x
 
other::---
 
other::---
</pre>
+
}}
As we can see others don't have any permissions but user nobody have "x" permission so they can "look" into users directory and give access to users pages from their home directories to www server. Of course if www server work as nobody user. But - whole world except nobody - don't have any permissions.
+
 
 +
As the above output shows, {{ic|other}}'s no longer have any permissions, but the user {{ic|http}} is still able to access the files, thus security might be considered increased.
 +
 
 +
{{Note|One may need to give write access for the user {{ic|http}} on specific directories and/or files:
 +
# setfacl -dm "u:http:rwx" /home/geoffrey/project1/cache
 +
}}
 +
 
 +
== See also ==
 +
 
 +
* {{man|1|getfacl}}
 +
* {{man|1|setfacl}}
 +
* An old but still relevant (and thorough) [http://vanemery.net/Linux/ACL/linux-acl.html guide] to ACL
 +
* [http://unix.stackexchange.com/questions/1314/how-to-set-default-file-permissions-for-all-folders-files-in-a-directory How to set default file permissions for all folders/files in a directory?]
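Review bot: The Note added after `setfacl -m "u:http:--x" /home/geoffrey` says execution permission on a directory is needed to list its content, but `--x` on a directory grants search (entering it and reaching entries by name), while listing needs `r`. With the `user:http:--x` entry shown in the getfacl output of this hunk, http cannot list /home/geoffrey. Suggest rewording the Note to say that execute permission lets a process traverse the directory. The closing Note also uses only `setfacl -dm` on the cache directory, which according to the "Set ACL" text applies to newly created entries; a plain `-m` entry on the directory itself would match the stated aim of giving http write access.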

Latest revision as of 17:30, 6 December 2018

An access control list (ACL) provides an additional, more flexible permission mechanism for file systems. It is designed to supplement the traditional UNIX file permissions. ACLs allow you to give permissions for any user or group to any disk resource.

Installation

The acl package is a dependency of systemd, so it should already be installed.

Configuration

Enabling ACL

To enable ACL, the filesystem must be mounted with the acl option. You can use fstab to make it permanent on your system.

The acl option may already be active as a default mount option of the filesystem. This is the case for Btrfs and for Ext2/3/4 filesystems. Use the following command to check ext* formatted partitions for the option:

# tune2fs -l /dev/sdXY | grep "Default mount options:"
Default mount options:    user_xattr acl

Also check that the default mount option is not overridden. If it is, you will see noacl in the relevant line of /proc/mounts.

You can set the default mount options of a filesystem using the tune2fs -o option partition command, for example:

# tune2fs -o acl /dev/sdXY

Using the default mount options instead of an entry in /etc/fstab is very useful for external drives: such a partition will also be mounted with the acl option on other Linux machines, so there is no need to edit /etc/fstab on every machine.

Note:
  • acl is specified as default mount option when creating an ext2/3/4 filesystem. This is configured in /etc/mke2fs.conf.
  • The default mount options are not listed in /proc/mounts.

Set ACL

The ACL can be modified using the setfacl command.

Tip: You can list file/directory permission changes without modifying the permissions (i.e. dry-run) by appending the --test flag.

To set permissions for a user (user is either the user name or ID):

# setfacl -m "u:user:permissions" <file/dir>

To set permissions for a group (group is either the group name or ID):

# setfacl -m "g:group:permissions" <file/dir>

To set permissions for others:

# setfacl -m "other:permissions" <file/dir>

To allow all newly created files or directories to inherit entries from the parent directory (this will not affect files which will be copied into the directory):

# setfacl -dm "entry" <dir>

To remove a specific entry:

# setfacl -x "entry" <file/dir>

To remove the default entries:

# setfacl -k <file/dir>

To remove all entries (entries of the owner, group and others are retained):

# setfacl -b <file/dir>

Note: The default behavior of setfacl is to recalculate the ACL mask entry, unless a --mask entry was explicitly given. The mask entry is set to the union of all permissions of the owning group, and all named user and group entries (these are exactly the entries affected by the mask entry).

Tip: To apply operations to all files and directories recursively, append the -R argument.

Show ACL

To show permissions, use:

# getfacl <file/dir>

Examples

Set all permissions for user johny to file named "abc":

# setfacl -m "u:johny:rwx" abc

Check permissions

# getfacl abc
# file: abc
# owner: someone
# group: someone
user::rw-
user:johny:rwx
group::r--
mask::rwx
other::r--

Change permissions for user johny:

# setfacl -m "u:johny:r-x" abc

Check permissions

# getfacl abc
# file: abc
# owner: someone
# group: someone
user::rw-
user:johny:r-x
group::r--
mask::r-x
other::r--

Remove all extended ACL entries:

# setfacl -b abc

Check permissions

# getfacl abc
# file: abc
# owner: someone
# group: someone
user::rw-
group::r--
other::r--

Output of ls command

A file that has an ACL shows a + (plus sign) after its Unix permissions in the output of ls -l.

$ ls -l /dev/audio
crw-rw----+ 1 root audio 14, 4 nov.   9 12:49 /dev/audio
$ getfacl /dev/audio
getfacl: Removing leading '/' from absolute path names
# file: dev/audio
# owner: root
# group: audio
user::rw-
user:solstice:rw-
group::rw-
mask::rw-
other::---

Granting execution permissions for private files to a web server

The following technique describes how a process like a web server can be granted access to files that reside in a user's home directory, without compromising security by giving the whole world access.

In the following we assume that the web server runs as the user http and grant it access to geoffrey's home directory /home/geoffrey.

The first step is granting execution permissions for the user http:

# setfacl -m "u:http:--x" /home/geoffrey

Note: Execution permissions to a directory are necessary for a process to list the directory's content.

Since the user http is now able to access files in /home/geoffrey, others no longer need access:

# chmod o-rx /home/geoffrey

Use getfacl to verify the changes:

$ getfacl /home/geoffrey
getfacl: Removing leading '/' from absolute path names
# file: home/geoffrey
# owner: geoffrey
# group: geoffrey
user::rwx
user:http:--x
group::r-x
mask::r-x
other::---

As the above output shows, others no longer have any permissions, but the user http is still able to access the files, thus security might be considered increased.

Note: One may need to give write access for the user http on specific directories and/or files:
# setfacl -dm "u:http:rwx" /home/geoffrey/project1/cache
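
The check done by eye on the getfacl output above, as an added example that is not part of the original wiki page: it parses getfacl text, limits named entries by the mask (the entries the mask note lists), and confirms that others have no rights while the service user keeps x. The function names and the embedded sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit getfacl text output without touching the filesystem.

# Constructed sample, mirroring the getfacl output shown above.
SAMPLE_ACL='# file: home/geoffrey
# owner: geoffrey
# group: geoffrey
user::rwx
user:http:--x
group::r-x
mask::r-x
other::---'

# effective_perm ACL_TEXT TAG QUALIFIER  (hypothetical helper)
# Prints the rights an entry really grants: named users, the owning group and
# named groups are limited by the mask; user:: (owner) and other:: are not.
effective_perm() {
    printf '%s\n' "$1" | awk -F: -v tag="$2" -v who="$3" '
        /^#/ || NF < 3 { next }              # skip header comments and blanks
        { sub(/[ \t]*#.*/, "", $3) }         # drop getfacl "#effective:" notes
        $1 == "mask" { mask = $3; next }
        $1 == tag && $2 == who { perm = $3; found = 1 }
        END {
            if (!found) exit 1
            masked = !((tag == "user" && who == "") || tag == "other")
            out = ""
            for (i = 1; i <= 3; i++) {
                c = substr(perm, i, 1)
                if (masked && mask != "" && substr(mask, i, 1) == "-") c = "-"
                out = out c
            }
            print out
        }'
}

# audit_home_acl ACL_TEXT SERVICE_USER  (hypothetical helper)
# Succeeds only if others have no rights and the service user keeps
# effective x on the directory.
audit_home_acl() {
    [ "$(effective_perm "$1" other "")" = "---" ] || return 1
    case "$(effective_perm "$1" user "$2")" in
        ??x) return 0 ;;
        *)   return 1 ;;
    esac
}

audit_home_acl "$SAMPLE_ACL" http && echo "ACL matches the intended state"
```

To audit a real directory, pass the output of getfacl instead of the sample, for example audit_home_acl "$(getfacl /home/geoffrey 2>/dev/null)" http.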

See also