ACL in RHEL7/CentOS 7

In this post we are going to see how to secure files and directories using ACLs (Access Control Lists) in RHEL 7 / CentOS 7.

As a first step, check that the kernel was built with ACL support, using the command below.

[root@server ~]# grep -i acl /boot/config*
CONFIG_EXT4_FS_POSIX_ACL=y
CONFIG_XFS_POSIX_ACL=y
CONFIG_BTRFS_FS_POSIX_ACL=y
CONFIG_FS_POSIX_ACL=y
CONFIG_GENERIC_ACL=y
CONFIG_TMPFS_POSIX_ACL=y
CONFIG_NFS_V3_ACL=y
CONFIG_NFSD_V2_ACL=y
CONFIG_NFSD_V3_ACL=y
CONFIG_NFS_ACL_SUPPORT=m
CONFIG_CEPH_FS_POSIX_ACL=y
CONFIG_CIFS_ACL=y

The above output shows that this kernel supports ACLs, since the POSIX ACL options (for example CONFIG_FS_POSIX_ACL) are all set to y.

If any of them is set to n, the kernel would need to be rebuilt with ACL support.

Next we need to install the packages.

Required packages for ACL:

acl

nfs4-acl-tools

libacl

Now install all three of the above packages using yum (a separate post covers how to configure yum from a local repository):

[root@server ~]# yum -y install nfs4-acl* acl libacl

We will assign read, write and execute permissions to files and directories using ACL. In the commands, the target is written as u (user), g (group) or o (other), and the permissions as r, w and x respectively.

Now let us look at an example that makes this clear.

Create three users and one group as shown below.

[root@server ~]# useradd lbcuser1
[root@server ~]# useradd lbcuser2
[root@server ~]# useradd lbcuser3
[root@server ~]# groupadd lbcgroup
[root@server ~]# passwd lbcuser1
Changing password for user lbcuser1.
New password:
BAD PASSWORD: The password is a palindrome
Retype new password:
passwd: all authentication tokens updated successfully.

In the screen above a password has been set only for lbcuser1; set passwords for the other two users in the same way.

Now add lbcgroup as a secondary group for the users lbcuser1 and lbcuser2.

[root@server ~]# usermod -aG lbcgroup lbcuser1
[root@server ~]# usermod -aG lbcgroup lbcuser2

Create a directory and a file inside it, so that we can assign and check permissions using ACL.

[root@server ~]# mkdir /tmp/data
[root@server ~]# touch /tmp/data/testfile.txt

Now change the group of the file to lbcgroup, as shown below.

[root@server ~]# chown :lbcgroup /tmp/data/testfile.txt
[root@server ~]# ll /tmp/data/testfile.txt
-rw-r--r--. 1 root lbcgroup 0 Dec 15 21:14 /tmp/data/testfile.txt

Set the permissions of testfile.txt to 770 using the chmod command.

Now log in as lbcuser1 and lbcuser2 and try to write content into testfile.txt.

Both users are able to write to the file, because both users are members of the file's group (lbcgroup).

[root@server ~]# su lbcuser1
[lbcuser1@server root]$ echo "My name is lbcuser1..." > /tmp/data/testfile.txt
[lbcuser1@server root]$ exit
exit
[root@server ~]# su lbcuser2
[lbcuser2@server root]$ echo "My name is lbcuser2..." > /tmp/data/testfile.txt
[lbcuser2@server root]$ exit
exit
[root@server ~]#

Now try to write content as lbcuser3. This gives an error, since lbcuser3 is neither the owner of the file nor a member of lbcgroup.

[root@server ~]# su lbcuser3
[lbcuser3@server root]$ echo "My name is lbcuser3..." > /tmp/data/testfile.txt
bash: /tmp/data/testfile.txt: Permission denied

So now we grant read and write permission to lbcuser3 using ACL, without adding lbcuser3 to lbcgroup, and check again whether it can write content into the file. (The -R option applies the entry recursively and only matters for a directory; on a single file it has no effect.)

[root@server ~]# setfacl -R -m u:lbcuser3:rw /tmp/data/testfile.txt
[root@server ~]# su lbcuser3
[lbcuser3@server root]$ echo "My name is lbcuser3..." > /tmp/data/testfile.txt
[lbcuser3@server root]$ cat /tmp/data/testfile.txt
My name is lbcuser3...

Since we used a single > to redirect the output of echo into the file, each write replaced the previous content, so the file shows only the last content, “My name is lbcuser3…”.

To set permission for a group, use g: in place of u: in the above command and give the group name where the user name was, like below.

[root@server ~]# setfacl -R -m g:lbcgroup:rw /tmp/data/testfile.txt

To check the existing ACL permissions of a file, use the getfacl command.

[root@server ~]# getfacl /tmp/data/testfile.txt
getfacl: Removing leading '/' from absolute path names
# file: tmp/data/testfile.txt
# owner: root
# group: lbcgroup
user::rwx
user:lbcuser3:rw-
group::rwx
mask::rwx
other::---
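One caveat worth knowing about the getfacl output above: the mask entry caps the effective rights of every named user entry and of the owning group, and a later chmod on the file rewrites the mask from the new group bits, which can silently cut a named user such as lbcuser3 back to read-only while getfacl still lists the entry as rw- (it then appends a "#effective:" note). The script below is an added example, not part of the original post: it parses getfacl text from standard input and prints, for each entry subject to the mask, the entry as written and the rights that actually apply. The sample getfacl output it feeds itself is constructed to show the post's file after such a chmod.

```shell
#!/bin/sh
# Added example (not from the original post). Computes effective ACL rights:
# for named users and for the owning group, the effective rights are the
# entry's rights ANDed bit by bit with the mask entry. Input: getfacl text on
# stdin. Output: one line per affected entry, "tag:name:entry:effective".
acl_effective() {
    awk -F: '
        /^#/ || /^$/ { next }              # skip the "# file/owner/group" header
        { sub(/[ \t]+#.*$/, "") }          # drop a trailing "#effective:..." note
        $1 == "default" { next }           # default entries belong to directories
        $1 == "mask" { mask = $3; next }   # remember the mask (comes after the entries)
        ($1 == "user" && $2 != "") || $1 == "group" {
            n++; tag[n] = $1; name[n] = $2; perm[n] = $3
        }
        END {
            for (k = 1; k <= n; k++) {
                eff = ""
                for (i = 1; i <= 3; i++) {          # positions: r, w, x
                    c = substr(perm[k], i, 1)
                    # no mask entry at all means the entry applies unchanged
                    m = (mask == "") ? c : substr(mask, i, 1)
                    eff = eff ((c != "-" && c == m) ? c : "-")
                }
                printf "%s:%s:%s:%s\n", tag[k], name[k], perm[k], eff
            }
        }
    '
}

# Constructed sample: the post's testfile.txt after a chmod that set the
# group bits (and therefore the mask) to r--. Not real captured output.
sample_getfacl() {
    cat <<'EOF'
# file: tmp/data/testfile.txt
# owner: root
# group: lbcgroup
user::rwx
user:lbcuser3:rw-        #effective:r--
group::rwx               #effective:r--
mask::r--
other::---
EOF
}

# Stand-alone run: lbcuser3's rw- entry is still listed, but only r-- applies.
sample_getfacl | acl_effective
```

In practice, run `getfacl /path/to/file | acl_effective` after any chmod on an ACL-bearing file, or audit for `ls -l` entries marked with a trailing `+`, to confirm that the rights you granted are the rights that are actually in force.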

Permissions are set on a directory in the same way as on a file.

Command to set permission for a directory:

The command below sets a default ACL entry on the directory (the d: prefix) that gives read permission alone to other users, that is, users who are neither the owner nor in the group of the directory. A default entry does not change the directory's own permissions; as the getfacl output shows, it is inherited by files and subdirectories created inside the directory afterwards.

[root@server ~]# setfacl -m d:o:r /tmp/data
[root@server ~]# getfacl /tmp/data
getfacl: Removing leading '/' from absolute path names
# file: tmp/data
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::r-x
default:other::r--
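To see the inheritance in action, here is an added example that is not part of the original post. It creates a scratch directory, applies the post's d:o:r entry together with a default named-user entry, creates a file inside and checks that the new file carries both entries as its own access ACL. The named user is the account running the script, because setfacl rejects names that do not exist on the system; on the server from the post you would name lbcuser3 instead. The setfacl and getfacl options used are the standard ones from the acl package.

```shell
#!/bin/sh
# Added example, not from the original post. Demonstrates that default ACL
# entries on a directory are inherited by entries created under it.
# Return codes: 0 = inheritance verified, 1 = ACL applied but not inherited,
# 2 = setfacl/getfacl missing or the filesystem refused the ACL.
demo_default_acl() {
    command -v setfacl >/dev/null 2>&1 || return 2
    command -v getfacl >/dev/null 2>&1 || return 2
    me=$(id -un)                      # stands in for lbcuser3 (must be a real account)
    dir=$(mktemp -d) || return 2

    # d:o:r       default entry for "other": read only on new entries (as in the post)
    # d:u:$me:rw  default named-user entry, also inherited by new entries
    if ! setfacl -m "d:o:r" -m "d:u:$me:rw" "$dir" 2>/dev/null; then
        rm -rf "$dir"
        return 2
    fi

    # A file created under the directory gets the default entries as its own
    # access ACL; getfacl on the file lists them without the "default:" prefix.
    touch "$dir/newfile"
    acl=$(getfacl "$dir/newfile" 2>/dev/null)
    rm -rf "$dir"

    printf '%s\n' "$acl" | grep -q "^user:$me:rw-" || return 1
    printf '%s\n' "$acl" | grep -q "^other::r--" || return 1
    return 0
}

# Stand-alone run: report the outcome in words.
case "$(demo_default_acl; echo $?)" in
    0) echo "default ACL entries were inherited by the new file" ;;
    1) echo "ACL applied, but the new file did not inherit it" ;;
    *) echo "POSIX ACLs not available here (tools missing or unsupported filesystem)" ;;
esac
```

Note that only entries created after the default ACL is set inherit it; existing files in /tmp/data keep whatever ACL they already had, which is why the post uses setfacl -R when an existing tree must be changed.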
