Access Control Lists

From ArchWiki
Revision as of 14:21, 30 June 2008 by Johny (Talk | contribs) (Initial edition)


Introduction

An Access Control List (ACL) provides an additional, more flexible permission mechanism for file systems. ACLs supplement the basic Unix file permissions: on a file system with ACLs enabled you can grant permissions to any user or group on any disk resource, not only to the owner, the owning group and "other".

Installation

ACL is available from the core repository:

# pacman -S acl

Configuration

Enabling ACL

To enable ACLs, edit /etc/fstab and add the acl option to the mount options of the partition on which you want to use ACLs:

# 
# /etc/fstab: static file system information
#
# <file system>        <dir>         <type>    <options>          <dump> <pass>
none                   /dev/pts      devpts    defaults            0      0
none                   /dev/shm      tmpfs     defaults            0      0

/dev/cdrom /media/cdrom   auto    ro,user,noauto,unhide   0      0
/dev/dvd /media/dvd   auto    ro,user,noauto,unhide   0      0
UUID=5de01fca-7c63-49b0-9b2b-8b1790f8428e swap swap defaults 0 0
UUID=822dd720-e35f-424c-b012-2c84b4aa265a /data reiserfs defaults 0 1
UUID=8e5259dd-26fc-411a-88e2-f38d4dc36724 /home reiserfs defaults,acl 0 1
UUID=c18f753e-0039-49bd-930f-587d48b7e083 / reiserfs defaults 0 1
UUID=f64bfc77-7958-49c5-a244-1fa2517d676f /tmp reiserfs defaults 0 1

Save the file and remount the partition:

# mount -o remount /home

Set ACL

To modify an ACL use the setfacl command. To add or change entries use setfacl -m.

Add permissions for a user:

# setfacl -m "u:username:permissions" filename

or

# setfacl -m "u:uid:permissions" filename

Add permissions for a group:

# setfacl -m "g:groupname:permissions" filename

or

# setfacl -m "g:gid:permissions" filename

Remove all extended ACL entries (the base owner, group and other permissions are kept):

# setfacl -b filename

Remove a single entry:

# setfacl -x "entry" filename

To check permissions use:

# getfacl filename

Examples

Set all permissions for user johny to file named "abc":

# setfacl -m "u:johny:rwx" abc

Check permissions:

# getfacl abc
# file: abc
# owner: someone
# group: someone
user::rw-
user:johny:rwx
group::r--
mask::rwx
other::r--

Change permissions for user johny:

# setfacl -m "u:johny:r-x" abc

Check permissions:

# getfacl abc
# file: abc
# owner: someone
# group: someone
user::rw-
user:johny:r-x
group::r--
mask::r-x
other::r--

Remove all extended ACL entries:

# setfacl -b abc

Check permissions:

# getfacl abc
# file: abc
# owner: someone
# group: someone
user::rw-
group::r--
other::r--

Increase security of your web server

You can now use an ACL to grant access to your home directory and/or site directory only to the nobody user and to nobody else, instead of opening it to the "whole world", which improves security.

Go to the home directory:

# cd /home

Add the x permission for the nobody user on your home directory via an ACL:

# setfacl -m "u:nobody:--x" homeusername/

Now you can remove the read and execute permissions for "whole world" (others):

# chmod o-rx homeusername/

Check the changes:

# getfacl homeusername/
# file: homeusername/
# owner: username
# group: users
user::rwx
user:nobody:--x
group::r-x
mask::r-x
other::---

As you can see, others have no permissions at all, but the user nobody has the x permission, so it can enter the user's directory and the web server can serve pages from users' home directories, provided that the web server runs as the nobody user. Everyone else, the "whole world" except nobody, has no access.
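To see which entry actually decides a given access in the listings above (the johny examples, the effect of the mask entry, and the home-directory hardening for nobody), here is an added example that is not code from the ArchWiki page or from the acl package. It evaluates getfacl output offline, following the check order documented in acl(5): owner, then named user, then owning/named groups, then other. The listings are constructed copies of the ones on this page (plus one constructed variant with a lowered mask), and the names parse_getfacl, check_access, masked and report are this example's own.

```python
"""Offline evaluator for the POSIX ACL access check, driven by getfacl output.

Added example, not from the ArchWiki page. The listings below are constructed
copies of the ones on the page; the check order follows acl(5). Nothing here
touches a real file system, so it runs without setfacl/getfacl installed.
"""
PERM_BITS = {"r": 4, "w": 2, "x": 1}


def perm_to_bits(perm: str) -> int:
    """'rwx' -> 7, 'r-x' -> 5, '---' -> 0."""
    return sum(PERM_BITS[c] for c in perm if c in PERM_BITS)


def parse_getfacl(text: str) -> dict:
    """Parse one getfacl listing (header comments plus access entries)."""
    acl = {"owner": None, "group": None, "user_obj": 0, "users": {},
           "group_obj": 0, "groups": {}, "mask": None, "other": 0}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("default:"):
            continue  # default (inherited) entries are not evaluated here
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")  # e.g. '# owner: someone'
            if key.strip() in ("owner", "group"):
                acl[key.strip()] = value.strip()
            continue
        line = line.split("#", 1)[0].strip()  # drop '#effective:...' notes
        tag, qualifier, perm = line.split(":")
        bits = perm_to_bits(perm)
        if tag == "user" and qualifier:
            acl["users"][qualifier] = bits
        elif tag == "user":
            acl["user_obj"] = bits
        elif tag == "group" and qualifier:
            acl["groups"][qualifier] = bits
        elif tag == "group":
            acl["group_obj"] = bits
        elif tag == "mask":
            acl["mask"] = bits
        elif tag == "other":
            acl["other"] = bits
    return acl


def masked(acl: dict, bits: int) -> int:
    """The mask caps named users, named groups and the owning group."""
    return bits if acl["mask"] is None else bits & acl["mask"]


def check_access(acl: dict, user: str, groups: list, wanted: str) -> tuple:
    """Does `user` (member of `groups`) get every permission in `wanted`?

    Order, as in acl(5): owner -> named user -> owning/named groups -> other.
    Returns (granted, the entry that decided).
    """
    need = perm_to_bits(wanted)
    if user == acl["owner"]:  # the owner entry is never limited by the mask
        return (acl["user_obj"] & need) == need, "user::"
    if user in acl["users"]:
        return (masked(acl, acl["users"][user]) & need) == need, f"user:{user}:"
    matches = [("group::", acl["group_obj"])] if acl["group"] in groups else []
    matches += [(f"group:{g}:", acl["groups"][g]) for g in groups if g in acl["groups"]]
    if matches:
        # granted only if ONE matching group entry holds all requested bits;
        # permissions from different group entries are not combined
        for name, bits in matches:
            if (masked(acl, bits) & need) == need:
                return True, name
        return False, "group entries (after mask)"
    return (acl["other"] & need) == need, "other::"  # the 'whole world' entry


# Constructed copies of the page's listings (not captured from a live system).
AFTER_RWX = ("# file: abc\n# owner: someone\n# group: someone\n"
             "user::rw-\nuser:johny:rwx\ngroup::r--\nmask::rwx\nother::r--\n")
AFTER_RX = ("# file: abc\n# owner: someone\n# group: someone\n"
            "user::rw-\nuser:johny:r-x\ngroup::r--\nmask::r-x\nother::r--\n")
# Constructed variant: johny keeps rwx but the mask is lowered to r--
MASK_TRIMMED = AFTER_RWX.replace("mask::rwx", "mask::r--")
HOME_DIR = ("# file: homeusername/\n# owner: username\n# group: users\n"
            "user::rwx\nuser:nobody:--x\ngroup::r-x\nmask::r-x\nother::---\n")


def report(listing: str, cases: list) -> list:
    """Evaluate (user, groups, wanted) cases against a listing."""
    acl = parse_getfacl(listing)
    return [(u, w, *check_access(acl, u, g, w)) for u, g, w in cases]


if __name__ == "__main__":
    for user, wanted, ok, why in report(HOME_DIR, [
            ("username", ["users"], "rwx"), ("nobody", ["nobody"], "x"),
            ("nobody", ["nobody"], "r"), ("alice", ["alice"], "x")]):
        print(f"{user:>10} wants {wanted:<3} -> {'granted' if ok else 'denied':7} by {why}")
```

Run as a script it walks the home-directory listing: username is granted rwx by the owner entry, nobody gets x but is denied r by its named entry, and alice is denied by other::. Two points the listings on the page show only implicitly come out directly: the --x entry lets a process running as nobody enter the directory, while every file underneath is still checked against its own permissions or ACL; and the mask entry caps all named entries, so in the MASK_TRIMMED variant johny loses w and x even though his own entry still reads rwx (a real getfacl marks such entries with an #effective: note).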