CentOS 7

Access Control by ACL
2015/07/02
 
This is the example to configure ACL (Access Control Lists).
[1] The acl package is included in a minimal OS installation; if it is not present on your system, install it as follows.
[root@dlp ~]#
yum -y install acl
[2]
No pre-configuration is needed to use ACLs if you are using xfs, the default filesystem on CentOS 7. If you are using ext4, the default filesystem on CentOS 6, pre-configuration is required before ACLs can be used; refer to sections [2] and [3] here.
[3] To set an ACL,
for example, set an ACL on the file "/home/test.txt".
[root@dlp ~]#
ll /home/test.txt

-rwx------ 1 root root 10 Jul  3 16:17 /home/test.txt

# grant r (read) to the "cent" user on /home/test.txt

[root@dlp ~]#
setfacl -m u:cent:r /home/test.txt
# after setting the ACL, a "+" is appended to the permission bits

[root@dlp ~]#
ll /home/test.txt

-rwxr-----+ 1 root root 10 Jul  3 16:17 /home/test.txt

# confirm settings

[root@dlp ~]#
getfacl /home/test.txt

getfacl: Removing leading '/' from absolute path names
# file: home/test.txt
# owner: root
# group: root
user::rwx
user:cent:r--
group::---
mask::r--
other::---

# try to access with "cent"

[cent@dlp ~]$
cat /home/test.txt

ACL test file
# read succeeds for "cent"
# try to access with another user

[fedora@dlp ~]$
cat /home/test.txt

cat: /home/test.txt: Permission denied
# read is denied for a user not in the ACL
[4] Set ACL to a directory recursively.
# grant r (read) to "cent" on "/home/testdir" recursively

[root@dlp ~]#
setfacl -R -m u:cent:r /home/testdir
[root@dlp ~]#
ll /home/testdir

total 4
-rwxr-----+ 1 root root 5 Jul  3 16:23 testfile

[root@dlp ~]#
getfacl -R /home/testdir

getfacl: Removing leading '/' from absolute path names
# file: home/testdir
# owner: root
# group: root
user::rwx
user:cent:r--
group::---
mask::r--
other::---

# file: home/testdir/testfile
# owner: root
# group: root
user::rwx
user:cent:r--
group::---
mask::r--
other::---
[5] Set ACL by group.
# grant rw (read/write) to the "security" group on "/home/test.txt"

[root@dlp ~]#
setfacl -m g:security:rw /home/test.txt

[root@dlp ~]#
getfacl /home/test.txt

getfacl: Removing leading '/' from absolute path names
# file: home/test.txt
# owner: root
# group: root
user::rwx
user:cent:r--
group::---
group:security:rw-
mask::rw-
other::---

# try to access as "cent", a user who is in the "security" group

[cent@dlp ~]$
echo "test write" >> /home/test.txt

[cent@dlp ~]$
cat /home/test.txt

ACL test file
test write
# write succeeds
# try to access as a user who is not in the "security" group

[fedora@dlp ~]$
echo "test write" >> /home/test.txt

-bash: /home/test.txt: Permission denied
# write is denied
[6] Remove ACL.
# remove all ACL entries from "/home/test.txt"

[root@dlp ~]#
setfacl -b /home/test.txt
# remove only the ACL entry for the "fedora" user on "/home/test.txt"

[root@dlp ~]#
setfacl -x u:fedora /home/test.txt
[7] Set default ACL to a directory.
Files and directories created under a directory that has a default ACL inherit the default access entries. Be careful: changing the mode with "chmod" also rewrites the ACL mask, so the effective permissions granted by the ACL may no longer be what you set.
[root@dlp ~]#
setfacl -m u:cent:r-x /home/testdir

# set a default ACL of r-x (read/execute) for "cent" on the "/home/testdir" directory

[root@dlp ~]#
setfacl -d -m u:cent:r-x /home/testdir

[root@dlp ~]#
getfacl /home/testdir

getfacl: Removing leading '/' from absolute path names
# file: home/testdir
# owner: root
# group: root
user::rwx
user:cent:r-x
group::---
mask::r-x
other::---
default:user::rwx
default:user:cent:r-x
default:group::---
default:mask::r-x
default:other::---

[root@dlp ~]#
echo "ACL default setting" > /home/testdir/test.txt

[root@dlp ~]#
ll /home/testdir/test.txt

-rw-r-----+ 1 root root 20 Jan 31 22:32 /home/testdir/test.txt

# try to access with "cent"

[cent@dlp ~]$
cat /home/testdir/test.txt

ACL default setting
# read succeeds via the inherited default ACL
[8] Remove default ACL.
[root@dlp ~]#
setfacl -k /home/testdir

[root@dlp ~]#
getfacl /home/testdir

getfacl: Removing leading '/' from absolute path names
# file: home/testdir
# owner: root
# group: root
user::rwx
user:cent:r-x
group::---
mask::r-x
other::---
[9] Set ACLs from a configuration file.
# create a configuration file for ACL

# if there are ACLs you'd like to replicate on another system, you can export them with the "getfacl" command

[root@dlp ~]#
vi acl.txt
# file: /home/testdir
# owner: root
# group: root
user::rwx
user:cent:r-x
group::---
mask::r-x
other::---

# file: /home/test.txt
# owner: root
# group: root
user::rwx
user:cent:r--
group::---
mask::r--
other::---

[root@dlp ~]#
setfacl --restore=acl.txt

[root@dlp ~]#
ll /home

total 16
drwx------. 2 cent   cent   4096 Jan 31 12:14 cent
drwx------  2 fedora fedora 4096 Jan 31 12:14 fedora
drwxr-x---+ 2 root   root   4096 Jan 31 22:32 testdir
-rwxr-----+ 1 root   root     25 Jan 31 21:56 test.txt
 