More power with ACL!

Preview

In this tutorial we are going to talk about weaknesses in rights management and about ACLs. Defining permissions when you have a lot of files within a directory can be painful, and it may not work as you expect!

Unix gives us facilities for managing users, groups and files, but we need to add a layer on top of them to get more power over permission management.

Definition

ACL stands for "Access Control List". It is an addition to the Unix file permissions that gives administrators and users more flexibility.

Rules are for users ... and groups

First we are going to see which users exist on our system. A file called passwd, located under /etc/, contains a table with one row for each user stored on our computer.

# delimiter is ':'
# -f1 for the first field
cut -d: -f1 /etc/passwd

You may get a long list of users, and you may also find yourself in it. You finally discover that you are not alone.

But why so many users? Because we can assign rights per user. Imagine you are using Docker: you create a user for Docker, and you can then restrict what Docker does by giving that user access only to the directories or executables it needs.

For the experiment we create a user named test_acl.

sudo useradd test_acl

We can check that our new user exists.

grep test_acl /etc/passwd
test_acl:x:1001:1001::/home/test_acl:/bin/bash

Great, we have our new user: his uid and gid are set to 1001, his home directory is /home/test_acl/ and his shell is bash.

Me, the group and the others

I create a folder called first_restriction.

ll
total 0
drwxrwxr-x. 2 fpierre fpierre 6  9 févr. 23:34 first_restriction

Since the line starts with d, we know that we are facing a directory. Then we see that fpierre (that is me) and the people who belong to my group can read, write and execute the folder. The others can only read and execute the directory.

What does executing a directory mean? It simply allows you to enter the folder.

Manage rights

Imagine that you have sensitive data: you may not want other people to be able to discover your folder just by double-clicking on it.

Do you trust the others? Do you trust your group? Do you trust yourself?

For that, there is a simple command called chmod:

chmod g-rwx first_restriction/
chmod o-rwx first_restriction/ 

ll
total 0
drwx------. 2 fpierre fpierre 6  9 févr. 23:34 first_restriction

You can also do it recursively.

Now I open a terminal and log in as the test_acl user.

su - test_acl

And I try to open first_restriction.

[test_acl@centos acl_workground]$ cd first_restriction/
-bash: cd: first_restriction/: Permission non accordée

As expected, it doesn't work!

Now, back as fpierre, let's move into first_restriction and create a file named important_file.

ll
total 4
-rw-rw-r--. 1 fpierre fpierre 42 10 févr. 00:00 important_file

Rights are not inherited: the file was created with the default -rw-rw-r-- permissions, not with the directory's restrictions. We are going to check whether test_acl can access the file.

[test_acl@centos acl_workground]$ cat first_restriction/important_file
cat: first_restriction/important_file: Permission non accordée

Great: although rights are not inherited, since the others cannot execute the directory, they cannot access any of the files inside it.

But what if we only restrict read and write access, and leave execute in place?

Rules are made to be broken

mkdir second_restriction
chmod o-r second_restriction/

ll
total 0
drwx------. 2 fpierre fpierre 28 10 févr. 00:10 first_restriction
drwxrwx--x. 2 fpierre fpierre  6 10 févr. 00:10 second_restriction

cd second_restriction
touch important_file

ll
total 4
-rw-rw-r--. 1 fpierre fpierre 32 10 févr. 00:12 important_file

Once again, we switch to our test_acl user and try to access the supposedly restricted document.

[test_acl@centos acl_workground]$ ls
first_restriction  second_restriction

[test_acl@centos acl_workground]$ cd second_restriction/

[test_acl@centos second_restriction]$ ls
ls: impossible d'ouvrir le répertoire .: Permission non accordée

[test_acl@centos second_restriction]$ cat important_file
This file is really important !

So we could enter the directory, but when we tried to list its contents we got a message telling us that we are not allowed to. Yet just by guessing the name of the file we were able to read it!

ACL

Define the objectives

So, the objectives are simple.

  1. We want to create a protected directory
  2. This directory shouldn't be hidden
  3. Files and directories must inherit rights

Prepare the environment

mkdir third_restriction

ll
total 0
drwx------. 2 fpierre fpierre 28 10 févr. 00:10 first_restriction
drwxrwx--x. 2 fpierre fpierre 28 10 févr. 00:12 second_restriction
drwxrwxr-x. 2 fpierre fpierre  6 10 févr. 00:20 third_restriction

The ACL toolbox

# set permissions for a named user or group
setfacl -m "u:user:permissions" <file/dir>
setfacl -m "g:group:permissions" <file/dir>
# get permissions
getfacl <file/dir>
# add a default entry (inherited by files created later in the directory)
setfacl -dm <entry> <dir>

# The setfacl utility recognizes the following ACL entry formats (blanks inserted for clarity):
#
#   [d[efault]:] [u[ser]:]uid [:perms]
#       Permissions of a named user. Permissions of the file owner if uid is empty.
#
#   [d[efault]:] g[roup]:gid [:perms]
#       Permissions of a named group. Permissions of the owning group if gid is empty.
#
#   [d[efault]:] m[ask][:] [:perms]
#       Effective rights mask
#
#   [d[efault]:] o[ther][:] [:perms]
#       Permissions of others.

Back to the scenario

getfacl third_restriction/

# file: third_restriction/
# owner: fpierre
# group: fpierre
user::rwx
group::rwx
other::r-x

We are going to remove the "read" right for the others:

chmod o-r third_restriction

We run getfacl again to make sure that the read right has been removed.

getfacl third_restriction/
# file: third_restriction/
# owner: fpierre
# group: fpierre
user::rwx
group::rwx
other::--x

Then we create some confidential files in the third_restriction directory called

  • confid_1
  • confid_2
  • confid_3

tree -L 1 ./
./
├── confid_1
├── confid_2
└── confid_3

0 directories, 3 files

ll
total 12
-rw-rw-r--. 1 fpierre fpierre 33 10 févr. 13:13 confid_1
-rw-rw-r--. 1 fpierre fpierre 42 10 févr. 13:13 confid_2
-rw-rw-r--. 1 fpierre fpierre 12 10 févr. 13:13 confid_3

At this point, we have done exactly the same thing as above, so we know that anyone can read our files just by guessing their names.

Now we add a default ACL entry for the others:

setfacl -dm o:--- third_restriction/

This entry will be inherited by every file created in the third_restriction directory from now on. However, files already present in the directory are not affected.

With our own user, we create a fourth file named confid_4.

We check the rights with getfacl and make sure that they have been inherited.

getfacl confid_4
# file: confid_4
# owner: fpierre
# group: fpierre
user::rw-
group::rw-
other::---

Just to see what happens with the Unix rights, let's run the ll command:

ll
total 16
-rw-rw-r--. 1 fpierre fpierre 33 10 févr. 13:13 confid_1
-rw-rw-r--. 1 fpierre fpierre 42 10 févr. 13:13 confid_2
-rw-rw-r--. 1 fpierre fpierre 12 10 févr. 13:13 confid_3
-rw-rw----. 1 fpierre fpierre 24 10 févr. 13:24 confid_4

Nice, the Unix rights are set as we wanted!

And what about running ll on the directory?

drwxrwx--x+ 2 fpierre fpierre 70 10 févr. 13:24 third_restriction

Something has been added, hasn't it? There is now a + symbol after the Unix rights. Don't be afraid, it only means that an ACL is set on this directory!

To end this article, we try to read the files with our test_acl user.

[test_acl@centos third_restriction]$ pwd
/home/fpierre/acl_workground/third_restriction

[test_acl@centos third_restriction]$ ls
ls: impossible d'ouvrir le répertoire .: Permission non accordée

[test_acl@centos third_restriction]$ cat confid_1
I'm supposed to be a secret file

[test_acl@centos third_restriction]$ cat confid_2
This file could contain some passwords ?!

[test_acl@centos third_restriction]$ cat confid_3
We love ACL

[test_acl@centos third_restriction]$ cat confid_4
cat: confid_4: Permission non accordée
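Putting the two findings together (the guessable file name weakness of second_restriction, and the fact that a default ACL entry does not touch files that already exist), here is an added bash example that is not part of the original tutorial. It audits a tree for directories others can traverse but not list that still hold world-readable files, then locks one directory down with the tutorial's setfacl -dm o:--- plus a chmod on the existing files; the sample tree and the function names are my own assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the original tutorial: find the "guessable file name"
# weakness shown above (others can traverse a directory but not list it, while
# the files inside stay world-readable) and close it the way the tutorial does.
set -u

# Print every world-readable regular file that sits directly inside a directory
# others may enter (o=x) but not list (o-r): the second_restriction case.
audit_guessable() {
  find "$1" -type d -perm -o=x ! -perm -o=r \
    -exec find {} -maxdepth 1 -type f -perm -o=r \; | sort
}

# Lock one directory down: a default ACL so files created later get other::---
# (the tutorial's setfacl -dm), plus an explicit chmod on the files that already
# exist, because default ACL entries are not applied retroactively.
lock_down_dir() {
  local dir="$1"
  if command -v setfacl >/dev/null 2>&1; then
    setfacl -dm o:--- "$dir" 2>/dev/null ||
      echo "warning: no default ACL set on $dir (ACLs unsupported here?)" >&2
  fi
  find "$dir" -maxdepth 1 -type f -exec chmod o-rwx {} +
}

# Constructed sample tree mirroring first_restriction and second_restriction.
make_sample_tree() {
  local root
  root=$(mktemp -d)
  mkdir "$root/first_restriction" "$root/second_restriction"
  echo "secret" > "$root/first_restriction/important_file"
  echo "This file is really important !" > "$root/second_restriction/important_file"
  chmod 700 "$root/first_restriction"    # drwx------ : nobody else gets in
  chmod 771 "$root/second_restriction"   # drwxrwx--x : enter yes, list no
  chmod 664 "$root"/*/important_file     # -rw-rw-r-- : readable by a guessed name
  echo "$root"
}

main() {
  local root
  root=$(make_sample_tree)
  echo "exposed before lock-down:"; audit_guessable "$root"
  lock_down_dir "$root/second_restriction"
  echo "exposed after lock-down:";  audit_guessable "$root"
  rm -rf "$root"
}
main
```

Run audit_guessable against a real home or project directory to list the files that are readable by name even though the listing is blocked; only the world-readable ones inside execute-only directories are reported.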

The END

I hope you enjoyed reading about ACLs! If you have to administer a bunch of machines, ACLs will give you more flexibility without adding multiple groups with weird names!
