Sunday, 9 February 2014

Configure ACL in Linux

Configure ACL in Linux

ACL is extended set of permissions on files and directories that give advanced security when needed. For example you can set different permission for different user on a single file or directory. Two commands control ACLs: getfacl and setfacl. When you use the ls -l or ll command, a plus sign (+) on the side of the permission indicates ACL permission.

Step 1.  Before you can even use ACLs, however, you need to make sure that the file system has been mounted with the ACL parameter:
# mount | grep acl
Because nothing is returned, you know that all currently mounted file systems do not have ACLs set up to be used. To mount the file system with the ACL option use the following command:
# mount –t ext4 -o acl,remount /dev/sda5 /data

Step 2. If your file system isn’t already mounted, you could also use the following:
# mount –t ext4 -o acl /dev/sda5 /data

Step 3. To verify, you can use the previous command:
# mount | grep acl
/dev/sda5 on /data type ext4 (rw,acl)

Step 4. Add the following line in your /etc/fstab file:
#vim /etc/fstab
/dev/sda5 /data ext4 defaults,acl 1 2
Save and close the file.

Step 5. To make the changes take effect, you need to remount the file system:
# mount -o remount /data

Step 6. You can now verify that your file system has the ACL option:
# mount | grep -i acl
/dev/sda5 on /data type ext3 (rw,acl)

Exercise: Create a file and apply ACL for it
Step 1. Create a sample file on which you can test an ACL in the /data/backup directory:
# cd /data/backup
#touch file1
To Show default permission type following command.
# getfacl /data/backup/file1

Step 2. Set the ACL on that file so user1 also has access to this file: For example i want to assign full permission on /data/backup/file1 to user1
# setfacl -m u:user1:rwx /data/backup/file1

Step 3.
Now check the ACL permissions:
# getfacl /data/backup/file1
# file: file1
# owner: root
# group: root
user: rw-
user:user1:rwx
group :r--
mask: rwx
other: r--
Now login as user1 and it should be able to modify file1.
Step 4. Use the setfacl command to remove the ACL for user1:
# setfacl -x u:user1 /data/backup/file1

Step 5. Verify that the ACL has been removed:
# getfacl /data/backup/file1
# file: file1
# owner: root
# group: root
user: rw-
group: r--
mask: r--
other: r--
Now login as user1 and try to modify it should not be able to modify file1.

Step 6. If you have multiple ACLs set up on a single file, you can remove them all with the -b option
# setfacl -b filename

No comments:

Post a Comment

RADIUS Server Configure in Server 2012

Home About Me Apple Networking Software Storage Downloads Links Contact How to setup Radius for authentication wi...