Implement Access Control List (ACL) For CentOS 7/RHEL7
What is Access Control List (ACL)?
Files and directories have permission sets for the owner of the file, for the group associated with that file, and for all other users of the system. These permission sets have limitations: for example, different permissions cannot be granted to several individual users. Access Control Lists (ACLs) were implemented to address this.
ACLs can be configured as follows:
- Per user
- Per group
- For users not in the user group for the file
ACLs provide an additional, more flexible permission mechanism for file systems on Linux. They extend the traditional UNIX file permissions for files and folders: with an ACL you can grant fine-grained access rights to any user or any group.
ACLs can be configured per user, per group, or via the effective rights mask. The permissions are applied to an individual user or a group and use the same rwx (Read, Write, Execute) notation as regular file and folder permissions.
ACLs require kernel support, so your kernel must support ACLs before you can use them on your Linux distribution. Along with kernel support, the acl package is also required. The acl package contains the utilities used to add, modify, remove, and retrieve ACL information for a file or folder.
Why CentOS Linux?
CentOS Linux is a community-supported distribution derived from sources freely provided to the public by Red Hat for Red Hat Enterprise Linux (RHEL). As such, CentOS Linux aims to be functionally compatible with RHEL. The CentOS Project mainly changes packages to remove upstream vendor branding and artwork. CentOS Linux is no-cost and free to redistribute. Each CentOS version is maintained for up to 10 years (by means of security updates — the duration of the support interval by Red Hat has varied over time with respect to Sources released). A new CentOS version is released approximately every 2 years and each CentOS version is periodically updated (roughly every 6 months) to support newer hardware. This results in a secure, low-maintenance, reliable, predictable and reproducible Linux environment.
Prerequisites
Before beginning, you must know whether your Linux kernel supports ACLs or not.
First, switch to the root user. This is not required if your current local user has sudo privileges. This is only for this tutorial; do not practise this for regular system administration.
[centos@hackthesec]# su -
Type your root password to continue.
To find out whether your kernel supports ACLs, type the following command in a terminal.
[root@hackthesec]# cat /boot/config-4.1.6-1.el6.elrepo.x86_64 | grep _ACL
After issuing the above command, you will see output like the image below, which indicates that your kernel has ACL support.
Now, let’s check whether the acl package is installed on our system. To check this, issue the command below in a terminal.
[root@hackthesec]# rpm -qa | grep acl
You will see output similar to the image below.
If you don’t have the acl package installed on your system, issue the command below to install it.
[root@hackthesec]# yum install acl
Let’s Start
Mounting File Systems
Before using any ACLs for a file or directory, the partition for the file or directory must be mounted with ACL support.
A local file system can be mounted with the following command.
[root@hackthesec]# mount /dev/sdb /acltest
Here, /dev/sdb is the block device and /acltest is the folder where it will be mounted for access.
After that, you need to edit the file /etc/fstab for the /dev/sdb partition and include the acl mount option as follows. This will mount /dev/sdb automatically whenever you reboot your system.
Open the file by using the following command.
[root@hackthesec]# vi /etc/fstab
and then add the following line to the /etc/fstab file.
/dev/sdb /acltest ext4 acl 1 2
Save and exit the file /etc/fstab. From now on, whenever you reboot, the partition will be mounted automatically with ACL support.
After editing the file, remount the partition so the option takes effect now. To do so,
[root@hackthesec]# mount -o remount,acl /dev/sdb
Issue the command below to confirm that the remount worked.
[root@hackthesec]# mount
Now create a user and set a password.
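The kernel check from the Prerequisites section and the mount-option check after the remount, combined into one reusable script. This is an added example and is not part of the original post; the device /dev/sdb and mountpoint /acltest are taken from the post, and the function names are my own. Two CentOS 7 caveats that the post does not mention: an ext4 filesystem usually carries acl in its default superblock mount options (visible with `tune2fs -l /dev/sdb`), so `mount` may not list acl even though it is active, and XFS supports ACLs unconditionally and takes no acl mount option. The mount-line parser reads stdin so it can be checked against constructed text as well as live `mount` output.

```shell
#!/bin/bash
# Added example, not from the original post: verify the two prerequisites
# for ACLs (kernel support, mountpoint carrying the acl option) and remount
# only when the option is missing. Assumes the post's /dev/sdb and /acltest.
set -u

# kernel_has_acl
# Returns 0 if the running kernel's config enables POSIX ACLs. Matches the
# generic CONFIG_FS_POSIX_ACL as well as per-filesystem options such as
# CONFIG_EXT4_FS_POSIX_ACL and CONFIG_XFS_POSIX_ACL.
kernel_has_acl() {
    cfg="/boot/config-$(uname -r)"
    if [ -r "$cfg" ]; then
        grep -q '_POSIX_ACL=y' "$cfg"
    elif [ -r /proc/config.gz ]; then
        zcat /proc/config.gz | grep -q '_POSIX_ACL=y'
    else
        echo "no kernel config found; rely on the mount option check instead" >&2
        return 2
    fi
}

# mount_has_acl <mountpoint>
# Reads `mount`-style lines ("DEV on MP type FS (opt,opt,...)") on stdin and
# returns 0 when the line for <mountpoint> lists acl among its options.
mount_has_acl() {
    awk -v mp="$1" '
        $2 == "on" && $3 == mp {
            opts = $6
            gsub(/[()]/, "", opts)               # strip the parentheses
            if (("," opts ",") ~ /,acl,/) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# ensure_acl_mounted <device> <mountpoint>
# Remounts with acl only when the option is absent, so the function is safe
# to run repeatedly from a provisioning script.
ensure_acl_mounted() {
    dev="$1"; mp="$2"
    if mount | mount_has_acl "$mp"; then
        echo "$mp is already mounted with acl"
        return 0
    fi
    echo "remounting $dev on $mp with acl"
    mount -o remount,acl "$dev" "$mp"
}

# Live checks run only when invoked as "check", so sourcing the file has no
# side effects.
if [ "${1:-}" = "check" ]; then
    kernel_has_acl && echo "kernel: ACL support present"
    ensure_acl_mounted /dev/sdb /acltest
fi
```

Run it as `bash acl_prereq.sh check` (a file name I chose) after editing /etc/fstab. Because `mount` output is meant for humans, `findmnt -n -o OPTIONS /acltest` is the more robust way to read the active options on a live system; the awk parser is kept here so the check can be exercised offline.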
[root@hackthesec]# useradd hackthesec1
[root@hackthesec]# passwd hackthesec1
To test ACLs we need at least two users; I will use root and hackthesec1. You can use different users, it’s up to you.
First we create a file demoacltest.txt in the /acltest folder.
Then we add an ACL entry for user hackthesec1 that allows the hackthesec1 user to write to the /acltest/demoacltest.txt file.
[root@hackthesec]# setfacl -R -m u:hackthesec1:rwx /acltest/demoacltest.txt
and for the default permission use the command below
[root@hackthesec]# setfacl -R -m d:u:hackthesec1:rwx /acltest/demoacltest.txt
Now, if you want to see the file permissions, run the command below
[root@hackthesec]# getfacl /acltest/demoacltest.txt
Result:
# file: acltest/demoacltest.txt
# owner: root
# group: root
# flags: -s-
user::rwx
user:hackthesec1:rwx
group::rwx
mask::rwx
other::---
default:user::rwx
default:user:hackthesec1:rwx
default:group::--x
default:mask::rwx
default:other::--x
Removing any acls
To remove all of the currently defined ACLs from a file or folder, issue the below command.
[root@hackthesec]# setfacl -b /acltest/demoacltest.txt
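The grant, inspect and remove steps above, put together as a script that also reads back what the kernel will actually enforce. This is an added example and not the post's own commands; it assumes the acl package is installed and that /acltest is mounted with ACL support as set up earlier, the user name hackthesec1 comes from the post, and the function names are mine. Two points the post leaves implicit are built in: default (d:) entries exist only on directories, so the demo works on a directory rather than a file, and the mask line that getfacl prints caps every named user and group entry. Running chmod on the group bits of a path that has an ACL rewrites that mask, not the group entry, so a named user can silently lose write access; the demo shows this happening.

```shell
#!/bin/bash
# Added example, not from the original post: grant one user access to a
# directory through an ACL, compute the effective permissions (named entry
# ANDed with the mask), and remove the ACL again. Assumes the acl package
# and an ACL-enabled /acltest as in the post.
set -u

# acl_grant_user <user> <dir>
# A named entry for existing content plus a default entry so that files
# created later under <dir> inherit it. Default entries only exist on
# directories, which is why the demo below uses mktemp -d.
acl_grant_user() {
    setfacl -m "u:$1:rwx" "$2" && setfacl -m "d:u:$1:rwx" "$2"
}

# acl_remove_all <path>: strip every extended entry, keep the base mode.
acl_remove_all() {
    setfacl -b "$1"
}

# effective_user_perms <user>
# Reads getfacl output on stdin and prints the permissions <user> really
# gets: the user's named entry ANDed with the mask entry. Returns 1 when
# there is no entry for <user>. Default entries are ignored on purpose:
# they describe inheritance, not access to this path.
effective_user_perms() {
    awk -F: -v who="$1" '
        /^#/ { next }                                  # header lines
        $1 == "user" && $2 == who { p = substr($3, 1, 3) }
        $1 == "mask" && $2 == ""  { m = substr($3, 1, 3) }
        END {
            if (p == "") exit 1
            if (m == "") { print p; exit 0 }           # no mask: entry as-is
            out = ""
            for (i = 1; i <= 3; i++) {
                c = substr(p, i, 1)
                out = out ((c != "-" && substr(m, i, 1) == c) ? c : "-")
            }
            print out
        }'
}

# Demo against a scratch directory; runs only when invoked as "demo <user>".
if [ "${1:-}" = "demo" ]; then
    who="${2:?usage: $0 demo <user>}"
    dir=$(mktemp -d /acltest/acldemo.XXXXXX)
    acl_grant_user "$who" "$dir"
    touch "$dir/inherited.txt"                         # picks up the default entry
    echo "effective for $who on $dir: $(getfacl -p "$dir" | effective_user_perms "$who")"
    echo "effective for $who on inherited.txt: $(getfacl -p "$dir/inherited.txt" | effective_user_perms "$who")"
    # chmod on the group bits rewrites the mask, not the named entry,
    # so the named user drops from rwx to r-x without setfacl being run.
    chmod g=rx "$dir"
    echo "after chmod g=rx: $(getfacl -p "$dir" | effective_user_perms "$who")"
    acl_remove_all "$dir"
    rm -rf "$dir"
fi
```

Invoke it as `bash acl_demo.sh demo hackthesec1` (file name chosen here). When auditing who can write to a path, compare the effective value this prints with the raw named entries, since getfacl marks a capped entry only with a trailing `#effective:` comment that is easy to overlook.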