Managing File system security

From our previous articles you have learnt how to set read, write, and execute permissions for the owner of a file, for the group associated with that file, and for everyone else who has access to it. These permissions are visible with the ls -l command. For most purposes these standard file permissions are all an administrator needs to grant users access to files and to keep unauthorized users away from important ones.

However, when the basic file permissions are not enough, access control lists (ACLs) can be used on an ext3 file system (ext4, XFS and most other Linux file systems support them too; on older systems the file system may have to be mounted with the acl option). ACLs extend the basic read, write, and execute permissions to additional users and groups beyond the owner, the owning group and everyone else.

In addition to the entries for the owner and the group of the file, an ACL lets you set permissions for any number of named users and named groups, alongside the entry for everyone else (other).

Consider a situation where you want to grant write permission to only two users out of a group of ten. With chmod the group bits apply to every member of the group, so all ten users would get write access to the file. This is where ACLs come in.

Categories of ACLs

There are four categories of ACL entries per file:

  • for an individual (named) user,
  • for a (named) user group,
  • the effective rights mask, which caps the permissions that named users, named groups and the owning group actually receive (note that a later chmod on the group bits of a file with an extended ACL rewrites this mask, not the named entries),
  • for users not covered by any other entry (other).

To view the existing ACLs for a file, execute the following:

 getfacl <file> 

If ACLs are enabled, the output looks like this:

 # file: accounts
 # owner: Shweta
 # group: Shweta
 user::rwx
 group::r-x
 mask::rwx
 other::---


To understand ACLs more clearly, let's work through a simple example.

Create three users named Shweta, Vinita and Niddhi (passwd -d removes the password, so these accounts can log in with no password at all; do this only in a lab):

#for USER in Shweta Vinita Niddhi
> do
>   useradd $USER
>   passwd -d $USER
> done


Now make them members of the goswami group (use -aG so that any supplementary groups a user already has are kept; usermod -G on its own replaces the whole list):

#groupadd goswami
#usermod -aG goswami Shweta
#usermod -aG goswami Vinita
#usermod -aG goswami Niddhi


Now create the /example directory and make Shweta its owner:

#mkdir /example
#chown Shweta /example 


Now log in as Shweta on another terminal and create a folder inside /example (a relative path: Shweta owns /example, but she could not create /accounts at the root of the file system):

$cd /example
$mkdir accounts


Now Shweta wants to grant write permission only to Vinita. She cannot do that with chmod: if she gave the group write access (with the accounts directory owned by group goswami), Niddhi would get it too, because Niddhi is also a member of goswami. So Shweta uses an ACL to grant write access to Vinita alone:

$setfacl -m u:Shweta:rwx accounts
$setfacl -m u:Vinita:rwx accounts
$setfacl -m other:--- accounts
$getfacl accounts


To verify, run getfacl on the accounts folder. The output now lists user:Shweta:rwx and user:Vinita:rwx next to the owner entry, with other set to ---, and ls -l /example marks accounts with a trailing + to flag the extended ACL (the user:Shweta entry is redundant, since Shweta already has rwx as the owner, but it does no harm). In other words, Shweta and Vinita have full permission over the accounts folder and every other user has none. To confirm this, log in as Vinita on another terminal and change directory to /example.


Now make a test directory inside the accounts folder. It succeeds, because Vinita has full permission over accounts.


Now go to another terminal, log in as Niddhi and change directory to /example.


Try to change directory into accounts: she is denied, because she has no permission over it. She is in group goswami, but the ACL has no entry for her and the other entry is ---, so being in the same group as Shweta and Vinita buys her nothing.

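The whole walkthrough as one script, plus a check the article does not show. This is an added example, not code from the original article: it assumes the same hypothetical lab (users Shweta, Vinita and Niddhi, group goswami, directory /example) and a file system with ACL support. The effective_perms function, the ACL_DEMO_RUN switch and the two getfacl listings are mine; the listings are constructed, not captured, and show what happens to Vinita's entry after Shweta later runs chmod g-w on the directory, which on a file with an extended ACL rewrites the mask rather than the group entry.

```shell
#!/bin/sh
# Added example for the ACL walkthrough above; not from the original article.
# Assumptions (a hypothetical lab, as in the article): the users, group and
# /example are ours to create, and the file system supports ACLs.
# Root runs setup_lab; Shweta then runs grant_vinita.
set -eu

# Root half: group, three users, and the directory Shweta will own.
# passwd -d leaves the accounts with an empty password: lab use only.
setup_lab() {
    groupadd goswami
    for u in Shweta Vinita Niddhi; do
        useradd -G goswami "$u"
        passwd -d "$u"
    done
    mkdir /example
    chown Shweta /example
}

# Shweta's half: create accounts/ and grant write to Vinita alone.
# o::--- keeps everyone without an ACL entry out. Niddhi has no named
# entry and is not in the directory's owning group, so she falls through
# to other and is denied even though she shares goswami with Vinita.
grant_vinita() {
    cd /example
    mkdir -p accounts
    setfacl -m u:Vinita:rwx -m o::--- accounts
    getfacl accounts
}

# effective_perms ENTRY ACL_TEXT
# Prints the effective permissions of a named entry ("user:Vinita",
# "group:goswami"): its own bits AND-ed with mask::, which is how the
# kernel evaluates named users, named groups and the owning group.
effective_perms() {
    printf '%s\n' "$2" | awk -v want="$1" '
        /^mask::/           { split($0, m, ":"); mask = m[3] }
        $0 ~ ("^" want ":") { split($0, e, ":"); perms = e[3] }
        END {
            out = ""
            for (i = 1; i <= 3; i++) {
                c = substr(perms, i, 1)
                out = out ((c != "-" && c == substr(mask, i, 1)) ? c : "-")
            }
            print out
        }'
}

# Constructed getfacl listings (not captured from a system): the state right
# after grant_vinita, and after Shweta runs "chmod g-w accounts". With an
# extended ACL, chmod's group bits are the mask, so the named entry keeps
# saying rwx while Vinita can in fact no longer write.
ACL_AFTER_GRANT='# file: accounts
# owner: Shweta
# group: Shweta
user::rwx
user:Vinita:rwx
group::r-x
mask::rwx
other::---'

ACL_AFTER_CHMOD='# file: accounts
# owner: Shweta
# group: Shweta
user::rwx
user:Vinita:rwx
group::r-x
mask::r-x
other::---'

printf 'Vinita after grant:     %s\n' "$(effective_perms user:Vinita "$ACL_AFTER_GRANT")"
printf 'Vinita after chmod g-w: %s\n' "$(effective_perms user:Vinita "$ACL_AFTER_CHMOD")"

# Only touch the real system when asked: ACL_DEMO_RUN=1 sh acl_demo.sh,
# once as root (setup) and once as Shweta (grant).
if [ "${ACL_DEMO_RUN:-}" = "1" ]; then
    if [ "$(id -un)" = "root" ]; then setup_lab; else grant_vinita; fi
fi
```

Run it without ACL_DEMO_RUN to see only the mask check: Vinita reads rwx after the grant and r-x after the chmod, although getfacl still prints user:Vinita:rwx (real getfacl adds a #effective: r-x annotation to that line, which effective_perms ignores because it only reads the first three characters of the entry). The practical rule this illustrates: after any chmod on a directory that carries an ACL, re-run getfacl and look at mask::, or re-apply the intended mask with setfacl -m m::rwx.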