Further control of Linux files with ACL
December 31, 2010, posted by Tournas Dimitrios in Linux.
If you have read my article “chmod Tutorial for Linux newbies” you know that it is possible, out of the box, to control who can access a file and what they can do with it. This helps make Linux a fairly secure system. But did you know you can take even further control of that system with the help of Access Control Lists? Access Control Lists allow you to grant different levels of access to files and folders to individual users. Say, for instance, user1 creates a file but does not want anyone to do anything with it except himself and one other user, user2 (even though there are other users that belong to the group user1). ACL can handle this task.
In this article you will learn how to install and use ACL to further enhance your file permissions on a Linux system.
This command line utility is installed by default on CentOS 5.x, but in case it is not, just run:
sudo yum install acl
Type your user password, hit the Enter key, and the installation will begin and end fairly quickly. You are now ready to start with ACL.
Enabling ACL :
Before you use the ACL commands you have to mount your partition with ACL support enabled. By default this is not the case. To set this up you have to edit your /etc/fstab file. Open that file and look for the line that mounts your data partition. In my case, this line is:
UUID=c7812a34-3ec1-4451-aace-02d122b6c454 / ext4 errors=remount-ro 0 1
You need to edit this line to look something like:
UUID=c7812a34-3ec1-4451-aace-02d122b6c454 / ext4 errors=remount-ro,acl 0 1
After you make this edit, save the file and then either issue the command:
sudo mount -o remount,acl /
or reboot your machine.
We invoked the sudo command just to elevate our permissions. I suppose you are not running continuously as root, or are you?
There are two commands you will use for ACL:
* setfacl – Set file access control list.
* getfacl – Get file access control list.
You can probably guess that the first command sets the ACL and the second lists the ACL for the file.
Using ACL :
So let’s say you have the file test and you want only two users on your system, user1 and user2, to be able to read that file. You want to exclude all users in the group user1 as well. What you want to do is use the setfacl command like so (as the user user1):
setfacl -m u:user2:rw- test
Now when you run the command:
getfacl test
you will see something like:
# file: test
# owner: user1
# group: user1
As you can see both users user1 and user2 can read and write to the file test, whereas all others can only read the file.
You can verify that a file has had ACL modifications done to it by using the ls command like so:
ls -l test
which should produce results like:
-rw-rw-r--+ user1 user1
What gives this away is the “+” character.
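The procedure above, as an added example that is not part of the original post: it computes what a named user can really do from getfacl output, since a user:NAME entry is capped by the mask entry and the "+" mode string shows that mask in the group column, and it reruns the setfacl/getfacl steps on a scratch file. The live part assumes the acl package, an ACL-enabled mount and an existing "nobody" account (used in place of user2), and prints "skipped" if any of these is missing.

```shell
#!/bin/sh
# Added example, not code from the original post.
# effective_perms: a "user:NAME:perms" entry is ANDed with "mask::", so the
# rights getfacl lists for user2 are not always the rights user2 gets.
# demo_live: the post's setfacl/getfacl steps on a scratch file.

# Constructed getfacl output for the post's scenario, with the mask narrowed
# to r-- so that user2's rw- entry is only partly effective.
SAMPLE_ACL='# file: test
# owner: user1
# group: user1
user::rw-
user:user2:rw-
group::rw-
mask::r--
other::r--'

# effective_perms ACL_TEXT USER -> prints USER's effective rights (rwx form).
effective_perms() {
    printf '%s\n' "$1" | awk -F: -v u="$2" '
        # getfacl may append "  #effective:r--" to a capped entry; drop it.
        { sub(/[ \t].*$/, "", $3) }
        $1 == "user" && $2 == u { e = $3 }
        $1 == "mask"            { m = $3 }
        END {
            if (e == "") { print "---"; exit }      # no named entry at all
            if (m == "") { print e; exit }          # no mask: entry applies as-is
            out = ""
            for (i = 1; i <= 3; i++) {
                c = substr(e, i, 1)
                out = out ((c != "-" && substr(m, i, 1) != "-") ? c : "-")
            }
            print out
        }'
}

# demo_live DIR: create DIR/test, grant the "nobody" account rw- (assumed to
# exist; the post uses user2), then show the "+" marker and the ACL.
demo_live() {
    f="$1/test"
    : > "$f" || return 1
    command -v setfacl >/dev/null 2>&1 && command -v getfacl >/dev/null 2>&1 \
        || { echo skipped; return 0; }
    setfacl -m u:nobody:rw- "$f" 2>/dev/null || { echo skipped; return 0; }
    ls -l "$f" | awk '{ print $1 }'   # mode bits now end in "+"
    getfacl "$f" 2>/dev/null
}
```

Run `demo_live "$(mktemp -d)"` to see the "+" marker and the full entry list, including the mask line that the abbreviated output above omits.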