ACL in Filesystem


Post by mudasir »

Assalam-o-Alaikum,

Dear Members,

This howto will cover some aspects of using ACL (Access Control List) with Linux file system.

ACL is a special feature of Linux that provides special file permissions; it works with the Linux filesystem. ACL can be used in places or situations where you want to set permissions on a file without changing its default permissions. For example, if you want a user named "mudasir" to have full access to a file /shared/myfile, and at the same time a user named "mubashir" to have only read access, and all other users to have no access, not even read, then in this situation we can use the ACL feature to accomplish the task.

With Linux, to work with ACL, the two basic commands are "getfacl" and "setfacl". The underlying file system has to support these commands (because the extended permissions are stored in the file meta-data).

To enable the filesystem ACL feature, the method is as follows.
Step # 1
ACL is a feature of a filesystem, so we need to enable it in the filesystem. To do that we need to make some changes in the /etc/fstab file.

1. Open the file /etc/fstab (vi /etc/fstab)
2. Locate the mount point on which you want to enable ACL (in our case it's /shared)
2.a. Before changes (/dev/sda10 /shared defaults 0 0)
2.b. After changes (/dev/sda10 /shared defaults,acl 0 0)
3. Now save and exit ( :wq)


Step # 2
Now we need to remount the required partition; to do this we need to execute one simple command.

1. # mount -o remount /shared

The above command will remount the partition /shared with the new options defined in /etc/fstab.
Now our mount point /shared has the ACL feature enabled; we only need to set ACLs according to our needs. We will discuss a scenario and then we will accomplish the task using the ACL feature.

We will configure the permissions of the file "/shared/myfile" so that:
1. The file /shared/myfile is owned by the root user.
2. The file /shared/myfile belongs to the group root.
3. The user mudasir is able to read, write and execute /shared/myfile.
4. The user mubashir is only able to read /shared/myfile.
5. The file /shared/myfile should not be accessible by others in any way.

In the above scenario, we cannot use the chmod command to accomplish all the tasks, nor can we change the group of users "mudasir" and "mubashir" to group "root", because doing this would give root-level access to both users, which we don't want. So to configure user-level file permissions we will use ACL.

To set ACLs, the method is as follows. We will cover the required tasks one by one.
Implementing ACL

To change the ownership of the file "/shared/myfile" to user and group root, we need to execute the following command.


# chown root.root /shared/myfile
Tasks 1 and 2 are now complete.
Now let's move on to the next task: the user named "mudasir" should be able to read, write and execute /shared/myfile, the user named "mubashir" should only be able to read the file /shared/myfile, and all other users should not have any access to the file /shared/myfile.


# setfacl -m u:mudasir:rwx,u:mubashir:r--,o:--- /shared/myfile
This single command will accomplish all the remaining tasks. The user "mudasir" now has full access to /shared/myfile, the user "mubashir" now has only read access to /shared/myfile, and all other users don't have any access to /shared/myfile.

To see what ACLs are used on any file we can use a simple command:


# getfacl /shared/myfile
I hope this simple howto will help you understand the ACL feature in Linux. This howto shows just a simple use of ACL; ACL can be used in many other situations.

Please feel free to ask any questions about this small howto.
NOTE:
The procedure followed above is tested and working under RedHat Distribution.
You should be logged in as user "root" to run all the commands.
Kind Regards
Mudasir Mirza (RHCE)
(+971)55-1045754
http://www.crystalnetworks.org
http://www.diglinux.com
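One check a practitioner would add after running the setfacl command in the post above: parse the getfacl output and confirm the effective rights, because named-user entries are ANDed with the ACL mask, and a later `chmod g-w` on the file shrinks that mask and silently cuts mudasir's rwx down. This is an added example, not part of the original post; the getfacl listings below are constructed samples, not captured from a real system.

```python
"""Audit a getfacl(1) listing against the scenario in the post."""

# Constructed sample resembling `getfacl /shared/myfile` right after
# `setfacl -m u:mudasir:rwx,u:mubashir:r--,o:--- /shared/myfile`.
SAMPLE_ACL = """\
# file: shared/myfile
# owner: root
# group: root
user::rw-
user:mudasir:rwx
user:mubashir:r--
group::r--
mask::rwx
other::---
"""

# Constructed sample of the same file after a later `chmod g-w`, which
# lowers the mask (the group bits of the mode *are* the mask).
SAMPLE_ACL_AFTER_CHMOD = SAMPLE_ACL.replace("mask::rwx", "mask::r--")

# Effective rights the post requires for /shared/myfile.
REQUIRED = {
    ("user", "mudasir"): "rwx",
    ("user", "mubashir"): "r--",
    ("other", ""): "---",
}


def parse_getfacl(text):
    """Map (tag, qualifier) -> 3-char perms, e.g. ('user','mudasir') -> 'rwx'."""
    entries = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop '# file:' and '#effective:'
        if line:
            tag, qualifier, perms = line.split(":")
            entries[(tag, qualifier)] = perms[:3]
    return entries


def effective(entries, tag, qualifier=""):
    """POSIX.1e: every entry except the owner and 'other' is ANDed with the mask."""
    perms = entries.get((tag, qualifier))
    if perms is None or (tag, qualifier) in {("user", ""), ("other", "")}:
        return perms
    mask = entries.get(("mask", ""), "rwx")
    return "".join(p if p == m else "-" for p, m in zip(perms, mask))


def audit(text, required=REQUIRED):
    """Return [(who, expected, actual)] mismatches; an empty list means compliant."""
    entries = parse_getfacl(text)
    return [(f"{t}:{q}", want, effective(entries, t, q) or "---")
            for (t, q), want in required.items()
            if (effective(entries, t, q) or "---") != want]
```

Run `audit()` over the real `getfacl /shared/myfile` output on your own host; a non-empty result means the mask or an entry no longer grants what the post intends.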