Friday, July 8, 2011

How to set up ACL

The access control list (ACL) is used to enforce privilege separation. It is a means of determining the appropriate access rights to a given object (such as a file) depending on certain aspects of the process that is making the request.

On file systems the process's effective user identifier (effective UID) is the principal means of control.

Why is an ACL required?
Usually the UNIX read, write and execute permissions are more than sufficient, but in many cases you need to set up complex permissions for accessing files. ACLs make managing such permissions quite easy under FreeBSD (and Linux).

Prepare the filesystem to use ACLs
To use ACLs under FreeBSD, remount the filesystem with the acls option:

Code:
# mount -o acls -u /usr
However, the latest version of FreeBSD may not allow you to mount the partition this way due to security settings. Open your /etc/fstab file and modify the entry as follows:
Code:
vi /etc/fstab
Now add the acls option; after the modification the entry should look as follows:
Code:
/dev/ad0s1f             /usr            ufs     rw,acls         2       2
Save and close the file. Reboot FreeBSD:
Code:
# sync;sync
# reboot
Verify that the /usr filesystem is mounted with the acls option:
Code:
# mount
/dev/ad0s1f on /usr (ufs, local, soft-updates, acls)

Task: Set ACL using setfacl
The setfacl utility or command sets or modifies discretionary access control information on the specified file. 

Each ACL entry is made of three colon-separated fields, as follows:
tag:qualifier:access-permissions

=> The tag field is used to set up user, group or other permission. It can consist of one of the following:
  • u - specifying the access granted to the owner of the file or a specified user
  • g - specifying the access granted to the file owning group or a specified group
  • o - specifying the access granted to any process that does not match any user or group
=> The qualifier field is the user or group name.
=> The access-permissions field contains up to one of each of the following:
  • r : set read permission
  • w : set write permission
  • x : set execute permission

Each of these may be omitted or replaced with a '-' character to indicate no access.

In short, use the following syntax for each class of users to set up an ACL:

To set up the user/owner ACL
Code:
u:user-name:mode
To set up the group ACL
Code:
g:group-name:mode
To set up the others ACL
Code:
o:mode
Task: get or display ACL information
Use the getfacl command to display ACL information.
Code:
$ getfacl file.txt
#file:file.txt
#owner:1001
#group:1001
user::rw-
group::r--
other::r--

Task: set a new ACL for the user/owner
Set read-only permission on the file called file.txt for the owner:
Code:
setfacl -m u::r file.txt
Now see the new permissions:
Code:
getfacl file.txt
#file:file.txt
#owner:1001
#group:1001
user::r--
group::r--
mask::r--
other::r--
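Note the mask entry that appeared in the listing above: in POSIX.1e ACLs the mask caps what named users and all group entries can actually get, while the owner and other entries are never masked. The following added example (not code from the original post) parses getfacl output in the format shown and works out a caller's effective permissions in POSIX.1e evaluation order; SAMPLE_ACL is a constructed listing, and the user alice and group wheel are assumed names.

```python
import re
# Constructed sample modelled on the getfacl output above, with a named user,
# a named group and a mask entry added (as after `setfacl -m u:alice:rwx`).
SAMPLE_ACL = """#file:file.txt
#owner:1001
#group:1001
user::rw-
user:alice:rwx
group::r--
group:wheel:rwx
mask::rw-
other::r--
"""
PERMS_RE = re.compile(r"^[r-][w-][x-]$")

def parse_getfacl(text):
    """Return (owner, group, entries); each entry is a (tag, qualifier, perms) tuple."""
    header, entries = {}, []
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("#"):  # #file, #owner, #group header lines
            key, _, value = line[1:].partition(":")
            header[key] = value
            continue
        tag, qualifier, perms = line.split(":")  # tag:qualifier:access-permissions
        if tag not in ("user", "group", "mask", "other") or not PERMS_RE.match(perms):
            raise ValueError(f"malformed ACL entry: {line!r}")
        entries.append((tag, qualifier, perms))
    return header.get("owner"), header.get("group"), entries

def _and(a, b):  # bits set in both, e.g. _and("rwx", "r--") == "r--"
    return "".join(x if x == y else "-" for x, y in zip(a, b))
def _or(a, b):  # bits set in either
    return "".join(x if x != "-" else y for x, y in zip(a, b))

def effective_perms(acl, ids, groups):
    """POSIX.1e order: owner, named user, group class (masked), other.
    `ids` holds the caller's uid and login name; `groups` its group ids/names."""
    owner, group, entries = acl
    mask = next((p for t, _, p in entries if t == "mask"), "rwx")
    if owner in ids:
        return next(p for t, q, p in entries if t == "user" and q == "")
    for t, q, p in entries:
        if t == "user" and q and q in ids:
            return _and(p, mask)
    matched, granted = False, "---"
    for t, q, p in entries:  # any matching group entry that grants a bit grants it
        if t == "group" and ((q == "" and group in groups) or (q and q in groups)):
            matched, granted = True, _or(granted, _and(p, mask))
    return granted if matched else next(p for t, q, p in entries if t == "other")
```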

Now set read, write and execute permissions on the file called file.txt for the owner:
Code:
setfacl -m u::rwx file.txt
getfacl file.txt
Task: Copy file.txt ACL to file2.txt
Code:
touch file2.txt
getfacl file2.txt
getfacl file.txt
Now copy file.txt ACL to file2.txt:
Code:
getfacl file.txt | setfacl -b -n -M - file2.txt
getfacl file2.txt
There are lots of other options available and I will cover them later on.