
8.3. Using Access Control Lists

Unix/Linux permission modes are very simple; they don't cover all security needs. But, because they are simple, they are actually used, which is more than can be said for many other access control technologies.

But sometimes permissions just don't cut it, and a better system of discretionary access control is needed. Access control lists (ACLs) enable you to specify exactly which users and groups can access a file and in what ways.

8.3.1. How Do I Do That?

In order to use ACLs on a filesystem, that filesystem must be mounted with the acl mount option. To check whether this option is active, use the mount command:

$ mount
/dev/mapper/main-root on / type ext3 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
/dev/hdc2 on /boot type ext3 (rw)
tmpfs on /dev/shm type tmpfs (rw)
/dev/mapper/main-home on /home type ext3 (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
automount(pid10695) on /net type autofs (rw,fd=4,pgrp=10695,minproto=2,maxproto=4)

If you kept the default volume group and logical volume names during installation, you may see device paths such as /dev/mapper/VolGroup00-LogVol01.


The mount options are shown in parentheses; none of these filesystems were mounted with the acl option.

To add the acl mount option to a filesystem that is already mounted, use the mount command with the remount option:

# mount -o remount,acl /home
# mount -o remount,acl /
# mount
/dev/mapper/main-root on / type ext3 (rw,acl)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
/dev/hdc2 on /boot type ext3 (rw)
tmpfs on /dev/shm type tmpfs (rw)
/dev/mapper/main-home on /home type ext3 (rw,acl)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
automount(pid10695) on /net type autofs (rw,fd=4,pgrp=10695,minproto=2,maxproto=4)

Note that the /home and / filesystems are now mounted with the acl option. To make this option the default for future mounts of these filesystems, edit the file /etc/fstab and add it to the fourth column for these filesystems:

/dev/main/root          /                       ext3    defaults,acl    1 1
LABEL=/boot             /boot                   ext3    defaults        1 2
devpts                  /dev/pts                devpts  gid=5,mode=620  0 0
tmpfs                   /dev/shm                tmpfs   defaults        0 0
proc                    /proc                   proc    defaults        0 0
sysfs                   /sys                    sysfs   defaults        0 0
/dev/main/swap          swap                    swap    defaults        0 0
/dev/main/home          /home                   ext3    defaults,acl    1 2

Once the filesystem has been mounted with the correct option, the getfacl (get file ACL) command can be used to view the ACL of a file:

$ touch test
$ ls -l test
-rw-rw-r-- 1 chris chris 0 May  6 20:52 test
$ getfacl test
# file: test
# owner: chris
# group: chris
user::rw-
group::rw-
other::r--

The ACL displayed by getfacl exactly matches the permissions shown by ls: the user who owns the file (chris) can read and write the file, users in the group that owns the file (chris) can read and write the file, and all of the other users of the system can only read the file.

Each entry in the ACL consists of three components separated by colons:


type

The keyword user, group, mask, or other. This may be abbreviated to u, g, m, or o when setting or changing ACL entries.


qualifier

The name of the user or group affected by this entry. User type entries with an empty qualifier apply to the user that owns the file; group type entries with an empty qualifier apply to the group that owns the file. mask and other entries always have an empty qualifier.


permissions

The permissions granted by the entry; any combination of r (read), w (write), and x (execute). When displayed by the getfacl command, the permissions are always shown in rwx order, and permissions that are not granted are replaced with a dash.

To modify the ACL, use the setfacl command with the -m (modify) option. This command will limit the user thomas to just reading the file test:

$ setfacl -m user:thomas:r test
$ getfacl test
# file: test
# owner: chris
# group: chris
user::rw-
user:thomas:r--
group::rw-
mask::rw-
other::r--

This additional ACL entry shows up on a line of its own. Notice that a mask entry is now displayed, showing the maximum permission available to users and groups identified by a qualifier; this mask value corresponds to the group permission of the traditional Linux permission mode, as displayed by ls.

When ls is used to display detailed file information, the output is slightly modified:

$ ls -l test
-rw-rw-r--+ 1 chris chris 0 May  6 20:52 test

The + after the file permissions indicates that an ACL is in effect in addition to the permissions shown.

Changing the file mode using the chmod command alters the ACL mask value:

$ chmod 644 test
$ ls -l test
-rw-r--r--+ 1 chris chris 0 May  6 20:52 test
$ getfacl test
# file: test
# owner: chris
# group: chris
user::rw-
user:thomas:r--
group::rw-                      #effective:r--
mask::r--
other::r--

The new group permission has been set to r-- (read-only), and this is also used as the mask value. Because the mask is more limiting than the group value in the ACL, the group permission has effectively changed to r--, as indicated by the #effective:r-- comment in the output.
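The mask rule just described, as an added example that is not part of the book: a small Python model that parses getfacl's long-form output, applies the mask the way the kernel does (named users, named groups and the owning group are limited by it; the owner entry and other:: are not), reproduces the #effective annotation, and, going beyond the text, checks access in the order acl(5) prescribes. The function names (parse_getfacl, effective, render, allowed) and the sample input are this example's own.

```python
def parse_getfacl(text):
    """getfacl long-form output -> [(tag, qualifier, perms)]; '#' comments dropped."""
    entries = []
    for line in text.splitlines():
        line = line.split("#")[0].strip()      # also drops getfacl's #effective notes
        if line:
            tag, qualifier, perms = line.split(":")
            entries.append((tag, qualifier, perms.replace("-", "")))
    return entries

def mask_of(entries):
    return next((p for t, _, p in entries if t == "mask"), None)

def effective(entry, mask):
    """Named users, named groups and the owning group are limited by the
    mask; the owner entry (user::) and other:: are not."""
    tag, qualifier, perms = entry
    if mask is None or tag in ("mask", "other") or (tag, qualifier) == ("user", ""):
        return perms
    return "".join(p for p in perms if p in mask)

def rwx(perms):
    return "".join(p if p in perms else "-" for p in "rwx")

def render(entries):
    """Reproduce getfacl's listing, flagging entries the mask restricts."""
    mask, out = mask_of(entries), []
    for e in entries:
        eff, line = effective(e, mask), f"{e[0]}:{e[1]}:{rwx(e[2])}"
        out.append(line + ("" if eff == e[2] else f"\t#effective:{rwx(eff)}"))
    return "\n".join(out)

def allowed(entries, user, groups, want, owner, group):
    """Check access in acl(5) order (beyond the book): owner, named user, groups, other."""
    mask = mask_of(entries)
    grants = lambda e: all(p in effective(e, mask) for p in want)
    if user == owner:
        return grants(next(e for e in entries if e[:2] == ("user", "")))
    named = [e for e in entries if e[:2] == ("user", user)]
    if named:
        return grants(named[0])
    matching = [e for e in entries if e[0] == "group" and (e[1] or group) in groups]
    if matching:                     # any matching group entry may grant access
        return any(grants(e) for e in matching)
    return grants(next(e for e in entries if e[0] == "other"))

# Constructed input: the ACL of "test" right after "chmod 644" in the text.
AFTER_CHMOD = "# file: test\n# owner: chris\n# group: chris\nuser::rw-\n" \
              "user:thomas:r--\ngroup::rw-\nmask::r--\nother::r--\n"
```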

This works both ways; changing the mask using setfacl also changes the group permission, as displayed by ls:

$ ls -l test
-rw-r--rwx+ 1 chris chris 0 May  6 20:52 test
$ setfacl -m mask::rw test
$ ls -l test
-rw-rw-rwx+ 1 chris chris 0 May  6 20:52 test
$ getfacl test
# file: test
# owner: chris
# group: chris
user::rw-
user:thomas:r--
group::rw-
mask::rw-
other::rwx

On the other hand, changing the default group ACL entry affects both that entry and the mask value:

$ setfacl -m g::r test
$ ls -l test
-rw-r--r--+ 1 chris chris 0 May  6 20:52 test
$ getfacl test
# file: test
# owner: chris
# group: chris
user::rw-
user:thomas:r--
group::r--
mask::r--
other::r--

The g::r argument is a short form for group::r.


To change multiple ACL entries at one time, separate them by commas:

$ setfacl -m u:diane:rw,u:jim:r,g::r,m::rw test
$ getfacl test
# file: test
# owner: chris
# group: chris
user::rw-
user:thomas:r--
user:diane:rw-
user:jim:r--
group::r--
mask::rw-
other::r--

To set a new ACL, discarding the previous ACL completely, use the --set argument instead of -m:

$ setfacl --set u::rw,u:diane:r,u:thomas:r,u:gord:rw,u:jim:r,m::rw,g::-,o::- test
$ getfacl test
# file: test
# owner: chris
# group: chris
user::rw-
user:thomas:r--
user:diane:r--
user:gord:rw-
user:jim:r--
group::---
mask::rw-
other::---

Note the use of - to indicate no permissions in the ACL entries for group and other.

When using --set, it is necessary to specify at least the permission for the file's owner, the file's group owner, and others, because these will be used to construct the legacy permission mode. Leaving one of those entries out results in an error message:

$ setfacl --set u:diane:r,g::- test
setfacl: test: Malformed access ACL `user:diane:r--,group::---,mask::r--': Missing or wrong entry at entry 1

To remove an ACL entry, use the -x option to setfacl and specify one or more ACL entries by the type and qualifier components (leave out the permissions):

$ getfacl test
# file: test
# owner: chris
# group: chris
user::rw-
user:thomas:r--
user:diane:r--
user:gord:rw-
user:jim:r--
group::---
mask::rw-
other::---
$ setfacl -x user:gord test
$ getfacl test
# file: test
# owner: chris
# group: chris
user::rw-
user:thomas:r--
user:diane:r--
user:jim:r--
group::---
mask::r--
other::---

8.3.1.1. Setting the default ACL for new files

Each file has an access ACL, but directories can additionally have a default ACL that is used as the default for new files and subdirectories created within that directory.

The default ACL is displayed when getfacl is run with the -d option. Initially the default ACL is empty:

$ getfacl .
# file: .
# owner: chris
# group: chris
user::rwx
group::rwx
other::r-x
$ getfacl -d .
# file: .
# owner: chris
# group: chris

To set the default ACL, use the setfacl command with the -d option:

$ setfacl -d --set u::rw,u:thomas:rw,g::r,m::rw,o::- .
$ getfacl -d .
# file: .
# owner: chris
# group: chris
user::rw-
user:thomas:rw-
group::r--
mask::rw-
other::---

This ACL will then be applied automatically to new files:

$ touch trial
$ getfacl trial
# file: trial
# owner: chris
# group: chris
user::rw-
user:thomas:rw-
group::r--
mask::rw-
other::---

8.3.1.2. Copying and moving files with their ACLs

To copy an ACL when copying a file, use the -p argument to cp:

$ getfacl demo
# file: demo
# owner: chris
# group: chris
user::rw-
group::rw-                      #effective:r--
mask::r--
other::---
$ cp -p demo demo2
$ getfacl demo2
# file: demo2
# owner: chris
# group: chris
user::rw-
group::rw-                      #effective:r--
mask::r--
other::---

When moving a file (with mv), the ACL is automatically preserved:

$ mv demo2 demo3
$ getfacl demo3
# file: demo3
# owner: chris
# group: chris
user::rw-
group::rw-                      #effective:r--
mask::r--
other::---

8.3.1.3. Copying an ACL from one file to another

It can be a lot of work setting up a complex ACL with many entries. To simplify the reuse of ACLs, setfacl provides the --set-file option, which sets an ACL from a text file. This file can be created by redirecting the output of getfacl, providing an easy way to copy an ACL from one file to another. This example writes the ACL from the file demo to the file /tmp/acl, and then applies that ACL to the file bar:

$ getfacl demo >/tmp/acl
$ setfacl --set-file /tmp/acl bar
$ getfacl bar
# file: bar
# owner: chris
# group: chris
user::rw-
user:thomas:r--
user:diane:r--
user:gord:rw-
user:jim:rw-
group::rw-
mask::rw-
other::---

Since --set-file accepts the filename - for standard input, you can also pipe the output of getfacl into setfacl to copy an ACL without using an intermediate file:

$ getfacl demo | setfacl --set-file - bar

8.3.1.4. Improving the appearance of ACL listings

getfacl provides a --tabular option, which presents the output in a format that is somewhat easier to read than the default output:

$ getfacl bar
# file: bar
# owner: chris
# group: chris
user::rw-
user:thomas:r--
user:diane:r--
user:gord:rw-                   #effective:r--
user:jim:rw-                    #effective:r--
group::rw-                      #effective:r--
mask::r--
other::---
$ getfacl --tabular bar
# file: bar
USER   chris     rw-
user   thomas    r--
user   diane     r--
user   gord      rW-
user   jim       rW-
GROUP  chris     rW-
mask             r--
other            ---

Notice that permissions that are not effective due to the mask value are shown in uppercase, and that the names inserted into the qualifier column of the USER and GROUP rows are the file's owner and group owner.

It can be convenient to create an alias for viewing the tabular output:

$ alias showacl='getfacl --tabular'

Don't name this alias getfacl, or you won't be able to copy ACLs between files; tabular output cannot be used as input to setfacl.


8.3.2. How Does It Work?

ACLs are stored in a compressed format in a file's extended attributes, just like SELinux context labels. They can be viewed with the command getfattr using the name system.posix_acl_access:

$ getfattr -n system.posix_acl_access yearend.ods
# file: yearend.ods
system.posix_acl_access=0sAgAAAAEABgD/////AgAEAPYBAAACAAQA9wEAAAIABgD4AQAAAgAGAPoBAAAEAAYA/////xAABgD/////IAAAAP////8=

Obviously, the output of getfacl is much more useful!
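That "compressed format" is the kernel's posix_acl_xattr layout: a 32-bit little-endian version word (2) followed by 8-byte entries of 16-bit tag, 16-bit permission bits and 32-bit id, with getfattr showing the bytes as base64 behind a 0s prefix. The decoder below is an added example, not code from the book; it turns the exact value printed above back into getfacl-style lines (the four named user entries come out as numeric uids, which getfacl would resolve to names on the author's system). The function name decode_posix_acl and the constant YEAREND_ACL are this example's own.

```python
import base64
import struct

# Tag values from acl(5) and the kernel headers; permission bits are r=4, w=2, x=1.
TAGS = {0x01: "user", 0x02: "user", 0x04: "group", 0x08: "group",
        0x10: "mask", 0x20: "other"}
NAMED = {0x02, 0x08}            # only these entries carry a meaningful id
POSIX_ACL_XATTR_VERSION = 2

def decode_posix_acl(value):
    """Decode a system.posix_acl_access value (raw bytes, or getfattr's
    '0s'-prefixed base64 text) into getfacl-style lines.  Numeric ids are
    kept as-is; getfacl itself looks the names up in /etc/passwd and /etc/group."""
    if isinstance(value, str):
        value = base64.b64decode(value[2:] if value.startswith("0s") else value)
    if len(value) < 4 or (len(value) - 4) % 8:
        raise ValueError("truncated posix_acl_xattr value")
    (version,) = struct.unpack_from("<I", value, 0)
    if version != POSIX_ACL_XATTR_VERSION:
        raise ValueError(f"unsupported posix_acl_xattr version {version}")
    lines = []
    for offset in range(4, len(value), 8):
        tag, perm, ident = struct.unpack_from("<HHI", value, offset)
        if tag not in TAGS:
            raise ValueError(f"unknown ACL tag {tag:#x} at offset {offset}")
        qualifier = str(ident) if tag in NAMED else ""   # id is 0xFFFFFFFF otherwise
        rwx = "".join(c if perm & bit else "-"
                      for c, bit in (("r", 4), ("w", 2), ("x", 1)))
        lines.append(f"{TAGS[tag]}:{qualifier}:{rwx}")
    return lines

# The value getfattr printed for yearend.ods in the text above, line wrap removed.
YEAREND_ACL = ("0sAgAAAAEABgD/////AgAEAPYBAAACAAQA9wEAAAIABgD4AQAAAgAGAPoBAAAEAAYA"
               "/////xAABgD/////IAAAAP////8=")

if __name__ == "__main__":
    print("\n".join(decode_posix_acl(YEAREND_ACL)))
```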

Like SELinux labels, ACLs work only on filesystems that support extended attributes, and therefore cannot be used on filesystems such as VFAT and ISO9660.

On an ext2 or ext3 filesystem, all of the extended attributes must fit into one block, as defined at the time that the filesystem was created. To determine the block size of a filesystem, use dumpe2fs:

# dumpe2fs /dev/mapper/main-home | grep 'Block size'
dumpe2fs 1.38 (30-Jun-2005)
Block size:               4096

In this case, the block size is 4,096 bytes (4 KB); the SELinux context, ACL, and any other extended attributes must fit within that 4 KB limit.

When an ACL is changed, a new block is allocated, the new ACL is written to that block, and then the old block is freed. If no blocks are available on the filesystem (or if the user doesn't have access to any more blocks, which may be the case if you have enabled per-user storage quotas), then the ACL cannot be changed.

Modification of an ACL may only be performed by the owner of the file or the superuser (root).

8.3.3. What About...

8.3.3.1. ...adjusting ACLs graphically?

Unfortunately, Fedora Core does not include any tools that permit ACLs to be viewed or adjusted graphically.

8.3.3.2. ...saving and restoring the ACLs of a file subtree?

The -R option to getfacl produces a recursive listing of the ACLs of all files in the named directory. setfacl has a --restore option that uses such a recursive listing to set the ACLs of a group of files. Together they can be used to save and restore ACLs, which is useful when a number of files are being transported between systems, or backed up and restored from tape or optical disk.

For example, this command creates a file named acl.txt that contains all of the ACLs for all files and subdirectories in the current directory:

$ getfacl -R . >acl.txt

The entire directory can be copied to a CD or DVD, backed up to tape or a USB flash drive, or saved in a tarball and sent to another system. To restore the ACLs at a later date:

# setfacl --restore acl.txt

If the setfacl command is run as root, the ownerships and group ownerships will also be reset to their original values.

8.3.3.3. ...a version of tar that supports ACLs?

Fedora Core provides the star package, which is an advanced replacement for tar. star can back up and restore ACLs along with files when the exustar archive format is used and the -acl option is specified. For example, to back up the /home directory with ACL information:

# star cvzf /tmp/home-backup.star.gz -acl artype=exustar /home
a /home/ directory
a /home/john/ directory
a /home/john/.bash_logout 24 bytes, 1 tape blocks
a /home/john/.bash_profile 191 bytes, 1 tape blocks
a /home/john/.bashrc 124 bytes, 1 tape blocks
a /home/john/.gtkrc 120 bytes, 1 tape blocks
...(Lines snipped)...

To restore from this archive:

# star xvzf /tmp/home-backup.star.gz artype=exustar -acl
star: WARNING: skipping leading '/' on filenames.
Release     star 1.5a69 (i386-redhat-linux-gnu)
Archtype    exustar
Dumpdate    1146974078.733347 (Sat May  6 23:54:38 2006)
Volno       1
Blocksize   20
x home/ directory
x home/john/ directory
x home/john/.bash_logout 24 bytes, 1 tape blocks
x home/john/.bash_profile 191 bytes, 1 tape blocks
x home/john/.bashrc 124 bytes, 1 tape blocks
x home/john/.gtkrc 120 bytes, 1 tape blocks
...(Lines snipped)...

8.3.4. Where Can I Learn More?

  • The manpages for acl(5), getfacl, and setfacl

  • The manpages for star and spax




Fedora Linux
Fedora Linux: A Complete Guide to Red Hat's Community Distribution
ISBN: 0596526822
Year: 2006
Pages: 115
Authors: Chris Tyler
