ACL
From ArchWiki
Introduction
Access Control Lists (ACLs) provide an additional, more flexible permission mechanism for file systems. They are designed to supplement the standard UNIX file permissions. ACLs allow you to grant permissions to any user or group on any disk resource.
Installation
ACL is available from the core repository:
# pacman -S acl
Configuration
Enabling ACL
To enable ACL, edit the /etc/fstab file and add the acl option to the partition on which you want to use ACL:
#
# /etc/fstab: static file system information
#
# <file system> <dir> <type> <options> <dump> <pass>
none /dev/pts devpts defaults 0 0
none /dev/shm tmpfs defaults 0 0
/dev/cdrom /media/cdrom auto ro,user,noauto,unhide 0 0
/dev/dvd /media/dvd auto ro,user,noauto,unhide 0 0
UUID=5de01fca-7c63-49b0-9b2b-8b1790f8428e swap swap defaults 0 0
UUID=822dd720-e35f-424c-b012-2c84b4aa265a /data reiserfs defaults 0 1
UUID=8e5259dd-26fc-411a-88e2-f38d4dc36724 /home reiserfs defaults,acl 0 1
UUID=c18f753e-0039-49bd-930f-587d48b7e083 / reiserfs defaults 0 1
UUID=f64bfc77-7958-49c5-a244-1fa2517d676f /tmp reiserfs defaults 0 1
Save the file and remount the partition:
# mount -o remount /home
Set ACL
To modify an ACL, use the setfacl command. To add permissions, use setfacl -m.
Add permissions for a user:
# setfacl -m "u:username:permissions" file
or
# setfacl -m "u:uid:permissions" file
Add permissions for a group:
# setfacl -m "g:groupname:permissions" file
or
# setfacl -m "g:gid:permissions" file
Remove all extended ACL entries:
# setfacl -b file
Remove a specific entry:
# setfacl -x "entry" file
To check permissions, use:
# getfacl file
Examples
Give user johny all permissions on the file named "abc":
# setfacl -m "u:johny:rwx" abc
Check the permissions:
# getfacl abc
# file: abc
# owner: someone
# group: someone
user::rw-
user:johny:rwx
group::r--
mask::rwx
other::r--
Change permissions for user johny:
# setfacl -m "u:johny:r-x" abc
Check the permissions:
# getfacl abc
# file: abc
# owner: someone
# group: someone
user::rw-
user:johny:r-x
group::r--
mask::r-x
other::r--
Remove all extended ACL entries:
# setfacl -b abc
Check the permissions:
# getfacl abc
# file: abc
# owner: someone
# group: someone
user::rw-
group::r--
other::r--
Output of ls command
You can tell that a file has an ACL because a + (plus sign) appears after its UNIX permission bits in the output of ls -l.
$ ls -l /dev/audio
crw-rw----+ 1 root audio 14, 4 nov. 9 12:49 /dev/audio
$ getfacl /dev/audio
getfacl: Removing leading '/' from absolute path names
# file: dev/audio
# owner: root
# group: audio
user::rw-
user:solstice:rw-
group::rw-
mask::rw-
other::---
Increase security of your web server
You can grant permissions on your home directory and/or site directory to the nobody user only, rather than to the "whole world", to increase security.
Go to the home directory:
# cd /home
Add the execute (x) permission for the nobody user on your home directory via ACL:
# setfacl -m "u:nobody:--x" homeusername/
Now you can remove the rx permissions for everyone else (others):
# chmod o-rx homeusername/
Check the changes with getfacl:
# file: username/
# owner: username
# group: users
user::rwx
user:nobody:--x
group::r-x
mask::r-x
other::---
As you can see, others have no permissions at all, but the user nobody has the x permission, so it can traverse the user's directory and the web server can serve users' pages from their home directories, provided that the web server runs as the nobody user. Everyone except nobody is left without any permissions.
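The getfacl listings above (the johny examples and the web-server example) hinge on two things that are easy to misread: the mask:: entry caps what named users and groups effectively get, and only one class of entry governs a given user. The following is an added Python example, not code from the ArchWiki page or the acl package: it parses getfacl output, applies the mask, and resolves which entry governs a user. The sample listing is constructed to match the web-server example's format; the user and group names are assumptions.

```python
# Constructed sample in the getfacl format of the article's web-server example.
SAMPLE = """\
# file: username/
# owner: username
# group: users
user::rwx
user:nobody:--x
group::r-x
mask::r-x
other::---
"""

def parse_getfacl(text):
    """Return (header dict, [(tag, qualifier, perms), ...]) from getfacl output."""
    header, entries = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#"):                   # e.g. "# owner: username"
            key, _, value = line[1:].partition(":")
            header[key.strip()] = value.strip()
        elif line:                                 # "user:x:rwx   #effective:r-x"
            parts = line.split("#", 1)[0].strip().split(":")
            if len(parts) == 3:                    # skips notices such as "getfacl: Removing ..."
                entries.append(tuple(parts))
    return header, entries

def effective_perms(entries):
    """Apply mask::, which limits named users, named groups and the owning group."""
    mask = next((p for t, _, p in entries if t == "mask"), None)
    result = {}
    for tag, qualifier, perms in entries:
        if mask and (qualifier or tag == "group"):  # owner (user::) and other:: are unmasked
            perms = "".join(a if a == b else "-" for a, b in zip(perms, mask))
        if tag != "mask":
            result[f"{tag}:{qualifier}"] = perms
    return result

def access_for(header, entries, user, groups=()):
    """Permissions `user` gets, in ACL check order: owner, named user, groups, other."""
    eff = effective_perms(entries)
    if user == header.get("owner"):
        return eff["user:"]
    if f"user:{user}" in eff:
        return eff[f"user:{user}"]
    matching = [eff[f"group:{g}"] for g in groups if f"group:{g}" in eff]
    if header.get("group") in groups:
        matching.append(eff["group:"])             # the owning group's entry
    if matching:                                   # a bit is granted if any matching entry has it
        return "".join(c if any(m[i] != "-" for m in matching) else "-" for i, c in enumerate("rwx"))
    return eff["other:"]
```

Running access_for on the sample confirms the article's claim: nobody gets --x, a member of users gets r-x, and any other user gets nothing.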
Additional Resources
- Man page: man getfacl
- Man page: man setfacl