Working with Users, Groups, and Permissions – Part VI

Working With Access Control:

  • Even though the advanced permissions discussed in the previous section add useful functionality, standard Linux permissions still cannot grant rights to more than one user or one group on the same file
  • Access control lists (ACLs) add exactly that: extra permission entries for additional named users and groups
  • ACLs also let administrators set default permissions in a sophisticated way, so that new files in different directories automatically get different permissions

Understanding ACLs:

  • One drawback of using ACLs: not all utilities support them
  • This means you may lose ACL settings when copying or moving files, and your backup software may not be capable of backing up ACL settings
  • TIP: older versions of tar did not support ACLs; to make sure your ACL settings aren't lost when you make a backup, use star instead of tar
  • The star utility works with the same options as tar, but it adds support for ACL settings
  • Alternatively, current GNU tar supports the --acls option; it has to be given both when creating and when extracting the archive
  • The same care applies to other tools: cp keeps ACLs only with -p or -a, rsync only with -A, and a destination file system without ACL support drops them no matter which tool you use

Preparing Your File Systems for ACLs

  • Before starting to work with ACLs, you must prepare your file system for ACL support
  • Because the file system metadata needs to be extended, ACLs are not always supported by default in the file system
  • There are 2 ways to add file system support for ACLs: as a default mount option recorded in the file system's superblock, or as an explicit option in /etc/fstab
  • 1st: if you're using the Ext4 file system, ACL support is recorded as a default mount option on all file systems that were created while installing the system
  • You can verify this with the "dumpe2fs" utility on the device you want to check (-h limits the output to the superblock)
  • For Example: dumpe2fs -h /dev/sda1 | less (checks whether ACLs are supported on the file system on device /dev/sda1; this needs root, because it reads the block device)
  • The "Default mount options:" line shows the current default mount options for your file system; if it contains "acl", ACLs are active on every mount unless "noacl" is given explicitly
  • As an alternative, support for ACLs can be added as a mount option in "/etc/fstab"
  • Ex Below: inside the fstab file add a line like this (the 2nd field is the mount point, here the assumed directory /data; the last field is 2 because only the root file system gets fsck pass 1):
  • /dev/sdb1 /data ext4 defaults,acl 0 2

  • If your file system doesn't offer support for ACLs, you can use "tune2fs" to add "acl" to its default mount options, or you can use "acl" as a mount option in fstab to activate it on every mount
  • To add "acl" support to the superblock: tune2fs -o acl,user_xattr /dev/sdb1 (user_xattr enables user.* extended attributes; POSIX ACLs themselves don't need it, but it is commonly set together with acl)
  • On file systems that you've added yourself, ACLs are not necessarily a default mount option; on current systems mkfs.ext4 sets acl,user_xattr through default_mntopts in /etc/mke2fs.conf, but you should check rather than assume
  • So, for every file system you've added where you want to be able to use ACLs, you'll have to verify this and enable them yourself if needed
  • Another option is to put the acl option in fstab so that it is activated every time your system reboots
  • Make sure that in /etc/fstab the 4th column (the mount options) contains acl, for example defaults,acl,user_xattr (note the underscore: user_xattr, not user-xattr)
  • Apply the change without a reboot with mount -o remount,acl /data (using your own mount point); once your file system is mounted with ACL support, you can use the setfacl command to set ACLs
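The checks above (mount options, superblock defaults, and an actual setfacl attempt) as a script. This is an added example, not part of the original notes or of any tool's own code; it uses findmnt, dumpe2fs -h and setfacl, and /data is an assumed mount point. The two text-processing functions work on strings, so they can be tested without root; acl_support_report runs the real tools and needs root for the superblock check.

```shell
#!/bin/sh
# Added example: is the file system under a directory ready for ACLs?
# acl_mount_option and dumpe2fs_default_acl only look at text; acl_probe and
# acl_support_report talk to the system. /data is an assumed mount point.

# Decide what a comma-separated mount-option string says about ACLs. Return code:
#   0 = "acl" given, 1 = "noacl" given, 2 = neither (the superblock default decides)
# The last occurrence wins, as it does for mount(8).
acl_mount_option() {
    state=2
    saved_ifs=$IFS; IFS=,
    for opt in $1; do
        case $opt in
            acl)   state=0 ;;
            noacl) state=1 ;;
        esac
    done
    IFS=$saved_ifs
    return $state
}

# Read "dumpe2fs -h DEVICE" output on stdin; succeed if "acl" is listed on the
# "Default mount options:" line (that is what "tune2fs -o acl" writes to the superblock).
dumpe2fs_default_acl() {
    awk -F': *' '
        /^Default mount options:/ { n = split($2, o, " "); for (i = 1; i <= n; i++) if (o[i] == "acl") found = 1 }
        END { exit found ? 0 : 1 }'
}

# The only authoritative check: try to set an ACL on a scratch file in the directory.
# A numeric uid is used so the probe does not depend on any particular account existing.
acl_probe() {
    probe=$(mktemp "$1/.acl-probe.XXXXXX") || return 2
    if setfacl -m u:0:r "$probe" 2>/dev/null; then rc=0; else rc=1; fi
    rm -f "$probe"
    return $rc
}

acl_support_report() {
    dir=$1
    mnt=$(findmnt -n -o SOURCE,FSTYPE,OPTIONS --target "$dir") || return 2
    set -- $mnt
    src=$1; fstype=$2; opts=$3
    printf '%s: %s (%s) mounted with %s\n' "$dir" "$src" "$fstype" "$opts"
    rc=0; acl_mount_option "$opts" || rc=$?
    case $rc in
        0) echo 'options: acl enabled explicitly' ;;
        1) echo 'options: noacl, ACLs are off regardless of the superblock' ;;
        2) echo 'options: acl not given, the file system default applies' ;;
    esac
    case $fstype in
        ext2|ext3|ext4)
            if [ "$(id -u)" -eq 0 ] && command -v dumpe2fs >/dev/null 2>&1; then
                if dumpe2fs -h "$src" 2>/dev/null | dumpe2fs_default_acl; then
                    echo 'superblock: acl is a default mount option'
                else
                    echo "superblock: acl is not a default; fix with: tune2fs -o acl $src (or add acl in /etc/fstab)"
                fi
            else
                echo 'superblock: check skipped (needs root and dumpe2fs)'
            fi ;;
        *) echo "$fstype: no superblock check here, rely on the probe" ;;
    esac
    if command -v setfacl >/dev/null 2>&1; then
        if acl_probe "$dir"; then
            echo "probe: setfacl works in $dir"
        else
            echo "probe: setfacl FAILED in $dir (remount with acl, or check the mount options)"
        fi
    else
        echo 'probe: skipped, setfacl is not installed (install the acl package)'
    fi
}

# Usage: sh acl-check.sh /data
if [ $# -gt 0 ]; then acl_support_report "$1"; fi
```

Run it as root for the full picture; as a normal user the superblock check is skipped but the probe still tells you whether ACLs actually work in that directory, which is the answer you care about.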

Changing and Viewing ACL Settings with setfacl and getfacl

  • To set ACLs, you use the "setfacl" command
  • The setfacl command is used to apply or modify ACL settings on a file or directory
  • To see current ACL settings, you use "getfacl"
  • Before setting ACLs, it's always a good idea to show the current ACL settings using "getfacl"
  • Example: getfacl /tmp
  • Checks the permissions of /tmp using getfacl
  • Results: on a directory without extended ACL entries, the permissions are shown for the same 3 entities you know from ls -l, as user::, group:: and other:: entries (plus a "# flags:" line when SUID, SGID or the sticky bit is set, for /tmp "--t"):
  • the user
  • the group
  • others
  • Once extra entries exist, ls -l shows a "+" after the permission string to tell you an ACL is present, and getfacl is the only way to see the full picture
  • Example: add an ACL to give rw permissions to the accounting group on the empty file1 located in the /tmp directory:
  • First: create file1 if it doesn't exist in the /tmp directory
  • Second: check the ACL settings on "file1", the file you just created
  • Third: check whether an "accounting" group already exists; if it doesn't, create it and assign user "linda" to that group (setfacl refuses an entry for a group or user that does not exist)
  • Fourth: now add an ACL to give rw permissions to the accounting group on the file "file1"
  • # setfacl -m g:accounting:rw /tmp/file1
  • Example: now let's add an ACL to give read and execute permissions to the group "sales" as well
  • setfacl -m g:sales:rx /tmp/file1
  • In this command, -m indicates that the current ACL settings need to be modified
  • g:sales:rx tells the command to set the ACL to read and execute (rx) for the group (g) sales
  • Now check the changes:
  • getfacl /tmp/file1
  • Now that you understand how to set a group ACL, what is this command doing: setfacl -m u:linda:rwx /tmp
  • This command gives rwx permissions to user linda on the /tmp directory without making her the owner and without changing the current owner assignment
  • The setfacl command has many possibilities and options
  • The -R option is particularly important
  • When used, the option applies the ACL setting to all files and subdirectories currently existing in the directory where you set the ACL
  • It's a good idea to use this option when changing ACLs for existing directories; combine it with the capital X permission instead of x (execute only on directories and on files that already have execute for someone), so plain data files don't suddenly become executable
  • The -m option sets or modifies ACL settings
  • The -x option removes one ACL entry; it takes the entry without permissions, e.g. setfacl -x g:sales /tmp/file1
  • The -b option removes all extended ACL entries (the base user::, group:: and other:: entries remain)
  • The -d option applies the operation to the default ACL (equivalent to the d: prefix on the entry)
  • The -k option removes all default ACL entries
  • Caveat: as soon as a file has named user or group entries, a "mask" entry appears that caps the effective permissions of every entry except the owner and "other"; from then on the group bits shown by ls -l are the mask, not the owning group's permissions, and chmod g-w narrows the mask rather than the group entry (getfacl then prints "#effective:" next to every entry that is cut down)

Working with Default ACLs

  • A benefit of using ACLs is that you can give permissions to more than one user or group on a directory
  • Another benefit is that you can enable inheritance by working with default ACLs
  • By setting a default ACL, you determine the permissions that will be set for all new items that are created in the directory
  • However, a default ACL does not change the permissions for existing files and subdirectories
  • To change those as well, you'll need to add a standard ACL (usually with -R)
  • To set a default ACL, you add the prefix "d:" to the entry after -m, for example:
  • setfacl -m d:g:sales:rx /tmp
  • Group sales will now get read and execute permissions on everything created in the /tmp directory from now on; new subdirectories also inherit the default ACL itself, so the rule keeps propagating down the tree
  • Caveat: the default ACL replaces the umask, but it is still combined with the mode the creating program asks for (typically 0666 for files and 0777 for directories); that mode trims the owner, mask and other entries, so on a new regular file the mask becomes rw- and the r-x entry for sales is effectively r--, while a new subdirectory really gets r-x
  • When using default ACLs, it can be useful to set an ACL for others
  • Normally this doesn't make much sense, because you can change the permissions for others by using "chmod"
  • What you can't do with chmod, however, is specify the permissions that should be given to others on every new file that will ever be created
  • For example, if you want others not to get any permissions on anything that is created in /tmp, use: setfacl -m d:o::- /tmp
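The two things the notes above leave implicit, the mask (setfacl/getfacl section) and how a default ACL turns into the ACL of a new file (this section), as one added example. This is not code from the original notes or from the acl package: it reimplements the acl(5) rules on getfacl output so you can predict what the kernel will do, and it ends with a live walk-through of the file1/accounting/sales example that uses the real setfacl and getfacl. The group names "accounting" and "sales" are taken from the notes and are assumed to exist; the two-space "#effective:" layout is this script's own, getfacl uses tabs.

```shell
#!/bin/sh
# Added example: reproduce the kernel's ACL arithmetic on getfacl output, then show it live.
# Group names "accounting" and "sales" are assumptions taken from the notes.

# awk program shared by both helpers. Input: getfacl output (comment lines are skipped).
#   inherit=0: print the access ACL, adding "#effective:" where the mask cuts an entry down
#   inherit=1: take the default: entries and apply the creation mode (mode=0666 for a
#              regular file, 0777 for a directory) the way acl(5) describes for a new object
ACL_AWK='
function and3(a, b,    i, r, ca, cb) {          # intersect two rwx strings
    r = ""
    for (i = 1; i <= 3; i++) {
        ca = substr(a, i, 1); cb = substr(b, i, 1)
        r = r ((ca == cb && ca != "-") ? ca : "-")
    }
    return r
}
function bits(o) {                              # one octal digit -> rwx string
    return (int(o / 4) % 2 ? "r" : "-") (int(o / 2) % 2 ? "w" : "-") (o % 2 ? "x" : "-")
}
/^#/ || /^$/ { next }
{
    split($0, f, ":")
    if (f[1] == "default") { if (!inherit) next; tag = f[2]; q = f[3]; p = f[4] }
    else                   { if (inherit)  next; tag = f[1]; q = f[2]; p = f[3] }
    n++; T[n] = tag; Q[n] = q; P[n] = p
    if (tag == "mask") mask = p
}
END {
    if (inherit) {
        u = bits(substr(mode, length(mode) - 2, 1))
        g = bits(substr(mode, length(mode) - 1, 1))
        o = bits(substr(mode, length(mode), 1))
        # acl(5): only the entries that correspond to the mode bits are trimmed by the
        # requested mode; named entries are copied from the default ACL untouched
        for (i = 1; i <= n; i++) {
            if (T[i] == "user" && Q[i] == "")       P[i] = and3(P[i], u)
            else if (T[i] == "other")                P[i] = and3(P[i], o)
            else if (T[i] == "mask")                 { P[i] = and3(P[i], g); mask = P[i] }
            else if (T[i] == "group" && Q[i] == "" && mask == "") P[i] = and3(P[i], g)
        }
    }
    for (i = 1; i <= n; i++) {
        line = T[i] ":" Q[i] ":" P[i]
        # the mask caps named users, named groups and the owning group, never owner or other
        if (mask != "" && ((T[i] == "user" && Q[i] != "") || T[i] == "group")) {
            e = and3(P[i], mask)
            if (e != P[i]) line = line "  #effective:" e
        }
        print line
    }
}'

acl_effective() { awk -v inherit=0 "$ACL_AWK"; }               # getfacl FILE | acl_effective
acl_inherit()   { awk -v inherit=1 -v mode="$1" "$ACL_AWK"; }  # getfacl DIR | acl_inherit 0666

# Live version of the file1 example from the notes. Needs setfacl and both groups;
# it removes everything it created. Run: sh acl-demo.sh /tmp accounting sales
acl_demo() {
    dir=${1:-/tmp}; grp1=${2:-accounting}; grp2=${3:-sales}
    command -v setfacl >/dev/null 2>&1 || { echo 'setfacl missing (install the acl package)' >&2; return 1; }
    for g in "$grp1" "$grp2"; do
        getent group "$g" >/dev/null || { echo "group $g does not exist" >&2; return 1; }
    done
    f=$(mktemp "$dir/file1.XXXXXX") || return 1
    setfacl -m "g:$grp1:rw" "$f"          # entry for a second group; -m modifies in place
    setfacl -m "g:$grp2:rx" "$f"          # and a third; ls -l now shows a "+"
    echo "== after setfacl (the group bits in ls -l are now the mask)"; ls -l "$f"
    getfacl "$f" | acl_effective
    chmod g-w "$f"                        # chmod on the group bits changes the mask only...
    echo "== after chmod g-w"; getfacl "$f" | acl_effective   # ...so $grp1 is effectively r--
    setfacl -x "g:$grp2" "$f"             # -x removes one entry, given without permissions
    setfacl -b "$f"                       # -b strips every extended entry, base mode stays
    rm -f "$f"
}

if [ $# -gt 0 ]; then acl_demo "$@"; fi
```

Feed `getfacl /tmp | acl_inherit 0666` the default ACL from the notes (default:group:sales:r-x with a default mask of r-x) and the output shows mask::r-- and "group:sales:r-x  #effective:r--": the sales entry is copied unchanged, but a regular file is created with 0666, so the mask drops x. The same input with 0777 (a new subdirectory) keeps r-x. That is the difference between what setfacl -m d:g:sales:rx appears to promise and what a new file actually grants.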

Exercise Time:

  • Refining Permissions Using ACLs