File and directory ACLs are an interesting part of the RHCE, in that they were something I’d never actually used in anger before.

To sum it up, you can use the standard Unix permission bits to control access to a file, i.e.:

chmod 750 file
chown sam:users file

to restrict what can be done with “file” (everything for ‘sam’, r-x for the users group, and no access for anyone else). However, a file has only one owner and one group, so once several groups or users need different access to the same file this gets clunky and hard to organise, and that is where ACLs come in.

Setup

Preparing your partition and file systems for ACLs is rather simple: add the “acl” mount option to the relevant /etc/fstab entry, as below:

LABEL="Label001" /temp ext4 defaults,acl 0 0

or you can store it as a default mount option in the filesystem superblock:

tune2fs -o acl,user_xattr /dev/VG001/LV001

which serves the same purpose. Either way the option only takes effect when the filesystem is next mounted, so remount after changing it. On RHEL 6 and later mkfs.ext4 normally records acl and user_xattr as default mount options when the filesystem is created, so check before assuming the step is needed (tune2fs -l lists them under “Default mount options”).

An overview of ACLs

Two commands view and set ACLs:

  • setfacl – set the ACLs on a file/directory
  • getfacl – view the ACLs on a file/directory

setfacl takes a multitude of options to set the permissions; I’ve added a few examples below:

1. Allow user “john” read access to a file (the effective rights of any named user or group entry are capped by the mask entry, which setfacl recalculates whenever you add an entry):

setfacl -m u:john:r-- filename

2. Give group “users” read access to files created from now on in a directory. A default entry (d, or default:) is inherited by new files and subdirectories; it does not touch files that already exist, and it does not itself grant access to the directory (for that add a plain g:users:r-x entry as well, and use -R if the existing contents should be covered too):

setfacl -m dg:users:r-- directory

3. Set the “other” entry to nothing (“---”), so anyone not matched by the owner, a named user, the owning group or a named group gets no access. POSIX ACLs have no explicit deny entries; other:: is simply what is left over, and setting it with setfacl changes the same bits as chmod o= would:

setfacl -m o::- directory

4. View the ACLs on the directory:

getfacl directory


An example scenario

We have a company that has a development team, a sales team, and managers.

The development team need to be able to create their own files and programs free from sales’ prying eyes.

The sales team need to be able to create quotes etc. without development knowing what is being promised (a bit tongue in cheek on both!).

The managers need visibility of both teams’ files.

To do this, we need to break them into groups and users:

  • Group: ‘board’ — Users: ‘bill’
  • Group: ‘dev’ — Users: ‘andy’, ‘phil’
  • Group: ‘sales’ — Users: ‘sam’

And create the directories:

mkdir sales
mkdir development

Next, we’ll start on the development folder, which needs read-only access for ‘board’ group users (r-x, since x is what lets you enter and list a directory), read/write/execute access for ‘dev’ group users, and no access for sales:

chgrp dev development/
chmod g+s development/
setfacl -m d:g:dev:rwx development/
setfacl -m d:g:board:r-x development/
setfacl -m d:o::- development/
setfacl -m g:dev:rwx development/
setfacl -m g:board:r-x development/
setfacl -m o::- development/

So, what did we actually do?

Firstly, we make ‘dev’ the group owner of the directory and set the setgid bit on it, so that files created inside get the directory’s group ownership (i.e. if Andy creates a file it will be “andy:dev” instead of “andy:andy”). The setgid bit only does this if the directory’s group is actually dev, hence the chgrp first; and a bare chmod +s would also set the setuid bit, which means nothing on a directory, so g+s is the one that matters.

Next, we set the default entries, which are the template for anything created inside the directory: new files get rwx for dev and r-x for board (the managers need to see new files too, not just the directory). Those inherited rights are then capped by the creation mode, so a normal file ends up rw- for dev and r-- for board, with getfacl showing the cut-down value as an “#effective:” note. Two things to watch here. The first default entry you add makes setfacl copy the directory’s current user::, group:: and other:: into the default ACL, so set the default other entry to nothing explicitly rather than relying on the access other:: entry you set later; otherwise a directory created with mode 755 hands every new file an other::r-- entry. And once a directory carries a default ACL the creator’s umask is not applied at all; the default mask entry takes over that job. After the defaults we set what dev and board members can do on the directory itself (rwx and r-x respectively).

Finally, we set the “other” entry, i.e. the DROP ALL rule in firewall terms. If a user is not the owner, is not named in a user entry and is in neither the owning group nor a named group, then they hit the “o” rule, in this case “---”, i.e. they cannot read, write or execute. Unlike a firewall there is no explicit deny in POSIX ACLs, and a match in the group class that lacks the requested bit is a denial in its own right; it does not fall through to “other”.
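The mask and default-ACL behaviour behind this scenario (and behind the setfacl examples in the overview) is easiest to see in code. The Python below is an added example written for this page, not code from the original post or from the acl package: it re-implements the access check described in acl(5) and the way a directory’s default ACL is copied onto a new file, and runs them over hand-constructed getfacl output. That output assumes development/ ends up with dev rwx and board r-x as both access and default entries and with other:: and default other:: empty (the board default entry is what lets managers read files created later). The user and group names are the scenario’s; parse_getfacl, check_access, create_under and rights are my own names, not tools from the acl package.

```python
# Added example for this page, not code from the original post or the acl package: a model of
# the POSIX ACL access check from acl(5) and of how a default ACL becomes a new file's ACL.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

PERM_BITS = {"r": 4, "w": 2, "x": 1}
R, W, X = 4, 2, 1

def parse_perms(text: str) -> int:
    """'rwx' -> 7, 'r-x' -> 5, '---' or '-' -> 0 ('-' is ignored, as setfacl does)."""
    return sum(bit for ch, bit in PERM_BITS.items() if ch in text)

def fmt_perms(bits: int) -> str:
    return "".join(ch if bits & bit else "-" for ch, bit in PERM_BITS.items())

@dataclass
class Acl:
    owner: str = ""
    group: str = ""
    user_obj: int = 0             # user::   (never masked)
    group_obj: int = 0            # group::  (masked)
    other: int = 0                # other::  (never masked)
    named_users: Dict[str, int] = field(default_factory=dict)   # user:NAME:  (masked)
    named_groups: Dict[str, int] = field(default_factory=dict)  # group:NAME: (masked)
    mask: Optional[int] = None    # mask::

    def masked(self, bits: int) -> int:
        """The '#effective:' value getfacl shows for a masked entry."""
        return bits if self.mask is None else bits & self.mask

def parse_getfacl(text: str) -> Tuple[Acl, Acl]:
    """Split getfacl output into (access ACL, default ACL)."""
    access, default = Acl(), Acl()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#"):                 # "# owner: root" style header line
            key, _, value = line[1:].strip().partition(": ")
            if key in ("owner", "group"):
                setattr(access, key, value)
            continue
        line = line.split("#", 1)[0].strip()     # drop a trailing "#effective:" note
        if not line:
            continue
        target, line = (default, line[8:]) if line.startswith("default:") else (access, line)
        tag, qualifier, perms = line.split(":")
        bits = parse_perms(perms)
        if tag == "mask": target.mask = bits
        elif tag == "other": target.other = bits
        elif qualifier: (target.named_users if tag == "user" else target.named_groups)[qualifier] = bits
        elif tag == "user": target.user_obj = bits
        else: target.group_obj = bits
    return access, default

def check_access(acl: Acl, user: str, groups: Set[str], want: int) -> bool:
    """Kernel order: owner, named user, owning/named groups, other::.  Only the first
    matching class counts: a group match lacking the bits is a denial, not a fall-through."""
    if user == acl.owner:
        return acl.user_obj & want == want
    if user in acl.named_users:
        return acl.masked(acl.named_users[user]) & want == want
    candidates = [acl.group_obj] if acl.group in groups else []
    candidates += [p for g, p in acl.named_groups.items() if g in groups]
    if candidates:
        return any(acl.masked(p) & want == want for p in candidates)
    return acl.other & want == want

def create_under(default: Acl, owner: str, group: str, mode: int) -> Acl:
    """ACL of a new object under a directory with a default ACL: the default entries are
    copied and ANDed with the creation mode (0666 for a typical file, 0777 for mkdir); the
    umask is NOT applied, the default mask:: takes its place.  `group` is the new object's
    owning group (the directory's group when setgid is set, as in the scenario)."""
    new = Acl(owner, group, default.user_obj & (mode >> 6) & 7, default.group_obj,
              default.other & mode & 7, dict(default.named_users), dict(default.named_groups), default.mask)
    if new.mask is not None:
        new.mask &= (mode >> 3) & 7          # the mode's group bits hit the mask, not group::
    else:
        new.group_obj &= (mode >> 3) & 7
    return new

def rights(acl: Acl, user: str, groups: Set[str]) -> str:
    """Which of r, w, x the access check grants, as a getfacl-style string."""
    return fmt_perms(sum(b for b in (R, W, X) if check_access(acl, user, groups, b)))

# Constructed getfacl output for the scenario's development/ directory (assumed final state).
DEVELOPMENT_GETFACL = """\
# owner: root
# group: dev
user::rwx
group::r-x
group:dev:rwx
group:board:r-x
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:dev:rwx
default:group:board:r-x
default:mask::rwx
default:other::---
"""
DIR_ACL, DIR_DEFAULT = parse_getfacl(DEVELOPMENT_GETFACL)
ANDY_FILE = create_under(DIR_DEFAULT, "andy", "dev", 0o666)  # andy's open(..., 0666); group dev via setgid
```

Import it and compare rights(DIR_ACL, "bill", {"board"}) with rights(ANDY_FILE, "bill", {"board"}): the directory gives bill r-x but andy’s file only r--, because the file’s mask was cut to rw- by the 0666 creation mode and the inherited board entry is capped by it, which is exactly what getfacl reports as “#effective:r--”. sam gets nothing on either, phil (in dev) gets rw- on the file, and a directory andy creates inside (mode 0777) keeps x for board, so managers can still traverse it.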

Closing thoughts

There are plenty of other interesting things to do with ACLs, but the scenarios above should see you through the exam and most situations you will come up against in “real life”, whatever that may be.