More power with ACL!
In this tutorial we are going to talk about a weakness of classic rights management and about ACLs. Defining permissions when you have a lot of files within a directory can be painful! And it may not work as you expect!
Unix gives us facilities for managing users, groups and files. But we need to add a layer on top of them to get finer control over permissions.
ACL stands for "Access Control List". It is an addition to the Unix file permissions that gives administrators and users more flexibility.
Rules are for users ... and groups
First we are going to see which users exist on our system. A file called passwd located under /etc/ contains a table with one row for each user stored on our computer.
# delimiter is ':'
# -f1 for the first field
cut -d: -f1 /etc/passwd
You will probably get a long list of users, and you will find yourself among them. You finally discover that you are not alone.
But why so many users? Because rights are assigned per user. Imagine you are using Docker: you create a user for Docker, so you can restrict what Docker does and give it access only to the directories and executables it needs.
For the experiment we create a user named test_acl.
sudo useradd test_acl
We can check that our new user exists.
cat /etc/passwd | grep test_acl
test_acl:x:1001:1001::/home/test_acl:/bin/bash
Great, we have our new user: his uid and gid are set to 1001, his home directory is set to /home/test_acl/ and his shell is bash.
Me, the group and the others
I create a folder called first_restriction.
ll
total 0
drwxrwxr-x. 2 fpierre fpierre 6 9 févr. 23:34 first_restriction
Since the first character is d, we know that we are facing a directory; then we see that fpierre (me) and the people who belong to my group can read, write and execute the folder. The others can just read and execute the directory.
What does executing a directory mean? It simply allows you to enter the folder.
Imagine that you have sensitive data: you may not want other people to discover your folder just by double-clicking on it.
Do you trust the others? Do you trust your group? Do you trust yourself?
To do that, there is a simple command called chmod.
chmod g-rwx first_restriction/
chmod o-rwx first_restriction/
ll
total 0
drwx------. 2 fpierre fpierre 6 9 févr. 23:34 first_restriction
You can also do it recursively.
Now I open a terminal and log in as test_acl.
su - test_acl
And I try to open first_restriction.
[test_acl@centos acl_workground]$ cd first_restriction/
-bash: cd: first_restriction/: Permission non accordée
As expected, it doesn't work!
Now let's move into first_restriction and create a file named important_file.
ll
total 4
-rw-rw-r--. 1 fpierre fpierre 42 10 févr. 00:00 important_file
Rights are not inherited! We are going to check whether test_acl can access the file.
[test_acl@centos acl_workground]$ cat first_restriction/important_file
cat: first_restriction/important_file: Permission non accordée
Great: even though rights are not inherited, since others cannot execute the directory they have no access at all to the files inside it.
But what if we only manage read and write access?
Rules are made to be broken
mkdir second_restriction
chmod o-r second_restriction/
ll
total 0
drwx------. 2 fpierre fpierre 28 10 févr. 00:10 first_restriction
drwxrwx--x. 2 fpierre fpierre 6 10 févr. 00:10 second_restriction
cd second_restriction
touch important_file
ll
total 4
-rw-rw-r--. 1 fpierre fpierre 32 10 févr. 00:12 important_file
Once again we pick our test_acl user and try to access the supposedly restricted document.
[test_acl@centos acl_workground]$ ls
first_restriction  second_restriction
[test_acl@centos acl_workground]$ cd second_restriction/
[test_acl@centos second_restriction]$ ls
ls: impossible d'ouvrir le répertoire .: Permission non accordée
[test_acl@centos second_restriction]$ cat important_file
This file is really important !
OK, so we entered the directory; when we tried to list its contents we got a message telling us that we are not allowed to list anything. But just by guessing the name of the file we were able to read it!
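The point of this section is easy to miss in a real tree: a directory that drops r but keeps x for others stops ls, not cat. The following Python audit is an added example (not the tutorial's own code) that spots that pattern. It reasons only about the classic mode bits as printed by ll, from the viewpoint of an "other" user such as test_acl; the listing it scans is constructed from the ll output on this page, and the "+" ACL marker is noted but not evaluated.

```python
"""Audit for the weakness shown above: dropping 'r' but keeping 'x' on a
directory stops `ls`, not `cat`.  This is an added example, not the
tutorial's own code; it reasons only about the classic mode bits seen in
`ll` output, from the viewpoint of an 'other' user such as test_acl."""

# Constructed listing transcribed from the page's `ll` output: (path, mode).
# The trailing '.' is the SELinux context marker CentOS prints, '+' marks an ACL.
LISTING = [
    ("first_restriction", "drwx------."),
    ("first_restriction/important_file", "-rw-rw-r--."),
    ("second_restriction", "drwxrwx--x."),
    ("second_restriction/important_file", "-rw-rw-r--."),
    ("third_restriction", "drwxrwx--x+"),
    ("third_restriction/confid_1", "-rw-rw-r--."),
    ("third_restriction/confid_4", "-rw-rw----."),
]


def parse_mode(mode):
    """Split an ls mode string into (is_dir, owner, group, other); each class
    is a set drawn from {'r', 'w', 'x'}.  Lower-case 's'/'t' imply 'x'."""
    core = mode.rstrip("+.@")          # strip ACL / SELinux / xattr markers
    if len(core) != 10:
        raise ValueError("not an ls mode string: %r" % mode)
    classes = []
    for start in (1, 4, 7):
        r, w, x = core[start:start + 3]
        classes.append({c for c, ok in (("r", r == "r"), ("w", w == "w"),
                                       ("x", x in "xst")) if ok})
    return core[0] == "d", classes[0], classes[1], classes[2]


def other_bits(listing):
    """Map every path to the permission set of the 'other' class."""
    return {path: parse_mode(mode)[3] for path, mode in listing}


def exposure(path, bits):
    """Classify what an outsider can do with `path`:
    'blocked'   - some ancestor lacks 'x' or the object itself lacks 'r',
    'guessable' - readable, but the parent lacks 'r' so the name must be known,
    'listable'  - readable and discoverable with ls."""
    parts = path.split("/")
    for depth in range(1, len(parts)):
        if "x" not in bits.get("/".join(parts[:depth]), set()):
            return "blocked"
    if "r" not in bits[path]:
        return "blocked"
    parent = "/".join(parts[:-1])
    if parent and "r" not in bits[parent]:
        return "guessable"
    return "listable"


def audit(listing):
    """Files an outsider can read only because the name is known: the
    second_restriction case the tutorial demonstrates.  Directories are
    skipped; a '+' in the mode means the real answer also depends on the
    ACL, which this mode-only check cannot see."""
    bits = other_bits(listing)
    return [path for path, mode in listing
            if not parse_mode(mode)[0] and exposure(path, bits) == "guessable"]


if __name__ == "__main__":
    for path in audit(LISTING):
        print("readable by name despite the restricted directory:", path)
```

Run against the constructed listing it reports second_restriction/important_file and third_restriction/confid_1 (the files created before the default ACL existed), while first_restriction/important_file is blocked at the directory and confid_4 is blocked by its own mode bits. For a real tree you would feed it paths and modes from ls -lR, and treat any "+" entry as needing a getfacl look as well.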
Define the objectives
So, the objectives are simple.
- We want to create a protected directory
- This directory shouldn't be hidden
- Files and directories must inherit rights
Prepare the environment
mkdir third_restriction
ll
total 0
drwx------. 2 fpierre fpierre 28 10 févr. 00:10 first_restriction
drwxrwx--x. 2 fpierre fpierre 28 10 févr. 00:12 second_restriction
drwxrwxr-x. 2 fpierre fpierre 6 10 févr. 00:20 third_restriction
The ACL toolbox
# set permission
setfacl -m "u:user:permissions" <file/dir>
setfacl -m "g:group:permissions" <file/dir>

# get permission
getfacl <dir>

# add a default entry
setfacl -dm <entry>

# The setfacl utility recognizes the following ACL entry formats (blanks inserted for clarity):
# [d[efault]:] [u[ser]:]uid [:perms]
#     Permissions of a named user. Permissions of the file owner if uid is empty.
# [d[efault]:] g[roup]:gid [:perms]
#     Permissions of a named group. Permissions of the owning group if gid is empty.
# [d[efault]:] m[ask][:] [:perms]
#     Effective rights mask
# [d[efault]:] o[ther][:] [:perms]
#     Permissions of others.
Back to the scenarios
getfacl third_restriction/
# file: third_restriction/
# owner: fpierre
# group: fpierre
user::rwx
group::rwx
other::r-x
We are going to remove the "read" right for the others.
chmod o-r third_restriction
We print the ACL with getfacl to make sure that the read right has been updated.
getfacl third_restriction/
# file: third_restriction/
# owner: fpierre
# group: fpierre
user::rwx
group::rwx
other::--x
Then we create some confidential files in the third_restriction directory, called confid_1, confid_2 and confid_3.
tree -L 1 ./
./
├── confid_1
├── confid_2
└── confid_3

0 directories, 3 files
ll
total 12
-rw-rw-r--. 1 fpierre fpierre 33 10 févr. 13:13 confid_1
-rw-rw-r--. 1 fpierre fpierre 42 10 févr. 13:13 confid_2
-rw-rw-r--. 1 fpierre fpierre 12 10 févr. 13:13 confid_3
At this point we have done exactly the same thing as above, so we know that anyone can read our files just by guessing their names.
Now we add a default entry.
setfacl -dm o:--- third_restriction/
This entry will be inherited by each file created in the directory third_restriction. However, files already present in the directory are not affected.
With our user, we create a fourth file named confid_4.
We can check the rights with our getfacl command and make sure that they have been inherited.
getfacl confid_4
# file: confid_4
# owner: fpierre
# group: fpierre
user::rw-
group::rw-
other::---
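Why does confid_4 come out as user::rw-, group::rw-, other::--- when the default entry only said o:---? The Python model below is an added illustration for the toolbox entries above and for this result; it is not the tutorial's code. It implements two things: how a default ACL is turned into a new object's access ACL (the default entries are copied, and the user::, other:: and mask:: or group:: permissions are intersected with the mode the creating call requested, 0o666 for touch, with the umask ignored, as acl(5) describes), and the order in which the kernel evaluates the entries, including the effective rights mask. Identities are the names getfacl prints; the two getfacl texts are constructed (the page never shows getfacl on third_restriction after setfacl -dm, and confid_5 with an explicit mask is invented for the mask case).

```python
"""How the kernel evaluates a POSIX ACL and how a default ACL becomes a new
file's access ACL.  Added illustration for the toolbox and the confid_4
result above, not the tutorial's code.  Identities are names as getfacl
prints them; the two ACL texts are constructed to match the page."""

RWX = frozenset("rwx")


def perms(s):
    """'rw-' -> frozenset({'r', 'w'})."""
    return frozenset(c for c in s if c in "rwx")


def mode_class(bits3):
    """Octal digit (0-7) -> permission set, e.g. 6 -> {'r', 'w'}."""
    return frozenset(c for c, b in (("r", 4), ("w", 2), ("x", 1)) if bits3 & b)


def parse_getfacl(text):
    """Return (owner, owning_group, entries) from getfacl output; an entry is
    (is_default, tag, qualifier, perms).  '#effective:' remarks are dropped."""
    owner = group = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            fields = line.split("#")[0].strip().split(":")
            is_default = fields[0] == "default"
            tag, qualifier, p = fields[1:] if is_default else fields
            entries.append((is_default, tag, qualifier, perms(p)))
    return owner, group, entries


def inherit_access_acl(entries, create_mode):
    """Access ACL of an object created below a directory carrying the default
    entries in `entries`, for the mode the creating call requests (0o666 for
    touch, 0o777 for mkdir).  Per acl(5) the umask is ignored; user::, other::
    and mask:: (or group:: when no mask exists) are intersected with the
    matching bits of create_mode, named entries are copied as they are."""
    defaults = [(t, q, p) for d, t, q, p in entries if d]
    has_mask = any(t == "mask" for t, _, _ in defaults)
    limit = {"user": mode_class((create_mode >> 6) & 7),
             "group": mode_class((create_mode >> 3) & 7),
             "mask": mode_class((create_mode >> 3) & 7),
             "other": mode_class(create_mode & 7)}
    result = []
    for t, q, p in defaults:
        if q == "" and (t != "group" or not has_mask):
            p &= limit[t]
        result.append((False, t, q, p))
    return result


def check_access(entries, owner, owning_group, user, groups, wanted):
    """POSIX.1e check: owner entry, else named user, else any matching owning
    or named group entry, else other.  Everything but user:: and other:: is
    filtered through mask:: when one is present."""
    wanted = perms(wanted)
    access = [(t, q, p) for d, t, q, p in entries if not d]
    mask = next((p for t, _, p in access if t == "mask"), RWX)

    def entry(tag, qualifier=""):
        return next((p for t, q, p in access if (t, q) == (tag, qualifier)), None)

    if user == owner:
        return wanted <= entry("user")
    named = entry("user", user)
    if named is not None:
        return wanted <= (named & mask)
    group_perms = [p for t, q, p in access if t == "group"
                   and (q in groups if q else owning_group in groups)]
    if group_perms:
        return any(wanted <= (p & mask) for p in group_perms)
    return wanted <= entry("other")


# Constructed getfacl output for third_restriction after `setfacl -dm o:---`.
THIRD_RESTRICTION = """\
# file: third_restriction
# owner: fpierre
# group: fpierre
user::rwx
group::rwx
other::--x
default:user::rwx
default:group::rwx
default:other::---
"""

# Constructed: a named user capped by an explicit mask (e.g. setfacl -m m:r--).
MASKED = """\
# file: confid_5
# owner: fpierre
# group: fpierre
user::rw-
user:test_acl:rwx		#effective:r--
group::rw-
mask::r--
other::---
"""


def confid_4_readable_by(user, groups):
    """The page's ending: can `user` read a file that `touch` (mode 0o666)
    created inside third_restriction?"""
    owner, og, entries = parse_getfacl(THIRD_RESTRICTION)
    return check_access(inherit_access_acl(entries, 0o666), owner, og, user, groups, "r")
```

inherit_access_acl on the constructed third_restriction ACL with mode 0o666 yields exactly the three entries getfacl confid_4 printed, and confid_4_readable_by("test_acl", {"test_acl"}) is False while the owner fpierre still reads it. The MASKED text shows the mask rule from the toolbox: test_acl holds rwx in a named entry, but with mask::r-- only reading is effective, which is what getfacl's #effective remark is telling you.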
Just to see what happens with the Unix rights, let's run the ll command:
ll
total 16
-rw-rw-r--. 1 fpierre fpierre 33 10 févr. 13:13 confid_1
-rw-rw-r--. 1 fpierre fpierre 42 10 févr. 13:13 confid_2
-rw-rw-r--. 1 fpierre fpierre 12 10 févr. 13:13 confid_3
-rw-rw----. 1 fpierre fpierre 24 10 févr. 13:24 confid_4
Nice, the Unix rights are set as we wanted!
And what about running ll on the directory?
drwxrwx--x+ 2 fpierre fpierre 70 10 févr. 13:24 third_restriction
Something has been added, hasn't it? Now we have a + symbol after our Unix rights! Don't be afraid, it only means that there is an ACL on this directory!
To end this article, we try to read the files with our test_acl user!
[test_acl@centos third_restriction]$ pwd
/home/fpierre/acl_workground/third_restriction
[test_acl@centos third_restriction]$ ls
ls: impossible d'ouvrir le répertoire .: Permission non accordée
[test_acl@centos third_restriction]$ cat confid_1
I'm supposed to be a secret file
[test_acl@centos third_restriction]$ cat confid_2
This file could contain some passwords ?!
[test_acl@centos third_restriction]$ cat confid_3
We love ACL
[test_acl@centos third_restriction]$ cat confid_4
cat: confid_4: Permission non accordée
I hope you enjoyed this article about ACLs! If you have to administer a bunch of machines, they will give you more flexibility without adding multiple groups with weird names!