ACL, or Access Control Lists are special permissions. Linux file system by using standard file permission is User, Group, and Other Level. Further, having permissions in form of Write, Read, and Execute. Of course, it will work in maximum situations, but sometimes users can require additional permissions. Here comes the role of ACL. Consider Bob is from the Sales department, but he wants access to a file from the Finance department. Now, the general file permission structure will not work here. The finance department would no like to expose all files other than the desired one. We can grant special permissions with the help of ACLs. Standard permissions can work for a single user or single group, but to add extra users to any file system from a different group, ACL us required. Today we will learn How to create and Mange File System Access Control List.

Understand ACL in practical:

In this scenario, we would be using Ubuntu 20.04 LTS. Before starting let’s verify whether ACLs are supported at kernel level or not in our OS?

List Kernel level support of ACLs.

ubnt@ubnt:~$ uname -r
 5.4.0-53-genericFirst, check kernel version.

Grep ACL supported file systems lists.

ubnt@ubnt:/boot$ grep ACL /boot/config-$(uname -r)

Out put

CONFIG_EXT4_FS_POSIX_ACL=y
 CONFIG_REISERFS_FS_POSIX_ACL=y
 CONFIG_JFS_POSIX_ACL=y
 CONFIG_XFS_POSIX_ACL=y
 CONFIG_BTRFS_FS_POSIX_ACL=y
 CONFIG_F2FS_FS_POSIX_ACL=y
 CONFIG_FS_POSIX_ACL=y
 CONFIG_SHIFT_FS_POSIX_ACL=y
 CONFIG_TMPFS_POSIX_ACL=y
 CONFIG_JFFS2_FS_POSIX_ACL=y
 CONFIG_EROFS_FS_POSIX_ACL=y
 CONFIG_NFS_V3_ACL=y
 CONFIG_NFSD_V2_ACL=y
 CONFIG_NFSD_V3_ACL=y
 CONFIG_NFS_ACL_SUPPORT=m
 CONFIG_CEPH_FS_POSIX_ACL=y
 CONFIG_9P_FS_POSIX_ACL=y

Here, Y means that ACL is directly compiled into the Linux kernel. Whereas, m means a loadable module.

Set default ACL permissions.

Let’s create a directory first.

 root@ubnt:~# mkdir acldemo

Have a look before setting ACL permissions, only single users permissions are visible.

root@ubnt:~# getfacl acldemo/

Defile ACL rule so that any file created under acldemo will be with no permission at other level.

root@ubnt:~# setfacl -m d:o:--- acldemo

Where, -m stands for modified, d: directory, o: others, and no permission to others is defined for acldemo direct

root@ubnt:~# getfacl acldemo/

root@ubnt:~/acldemo# touch test

Hereditary  is sustained. Can see same permisson with file even. 
Here, let's give additonal access permission to a user e.g. 'raj'

root@ubnt:~# setfacl -dm u:raj:rwx acldemo

Have a look if raj user have access or not.

root@ubnt:~# getfacl acldemo/

Remove ACL entries.

User’s special access can be removed using -x and -b option with setfacl.

Let’s remove ACL permission for user ‘raj’

root@ubnt:~# setfacl -x u:raj acldemo/

Remove ACL records.

root@ubnt:~# setfacl -b  acldemo/

Have a look, original status regained.

Conclusion:

Additional permissions are always required in a complex working environment. ACL permissions are always helpful to sustain permission but, without compromising any security issue.

Reference: https://help.ubuntu.com/community/FilePermissionsACLs

The post How to create and Mange File System Access Control List (ACL) with Ubuntu 20.04. appeared first on Linux Windows and android Tutorials.

There are two types of ACLs:
1- Access ACL
2- Default ACL

What is Access ACL?

Access ACL used for a specific file or a directory.

What is Default Access Control List?

Default ACL can only be applied to a directory. If files/folders placed under that directory, do not have a ACL set, they inherit the default ACL of their parent directory.

ACLs can be configured per user, per group, or per user not in the owning group of a file and also can be configured using UMASK.

Permissions must be defined in characters r,w and x in ACLs.
ACLs are set and removed using setfacl, with either the -m or -x options, respectively.

1- Configure Access ACL:

Set acl on a folder for users.

First of all create two users “ali” and “ahmed”

useradd ali
useradd ahmed

Then, create a test directory which will use for ACL.

mkdir testdir

ls -lh

Then, set Access ACL on that directory

setfacl -R  -m u:ali:rwx    testdir
setfacl -R  -m u:ahmed:r-x    testdir

Setfacl Command to set ACL
-R Recursively for directory.
-m To add or modify acl.
u Used for user.
rwx Permissions read, write and execute.

Next, run the following command:

ls -lh

Now we will see a plus (+) sign along with permissions section of testdir folder. It identifies that ACL is set on that file/folder.

List configured ACL

Command to see configured ACLs is getfacl

getfacl testdir

Now user ali has full permissions on testdir he can create, modify files/folder in testdir.
But user Ahmed has limited permissions on testdir he cannot create files/folder in testdir.

Set ACL on a folder for a group

First create a group “hr” then, create new directory.

groupadd hr
mkdir newdir
ls -lh

So, set ACL on created directory.

setfacl -R  -m g:hr:rwx   newdir

g It is used to set ACL on group

Now all the member of “hr” group will have rwx permissions on newdir folder.

getfacl newdir

Set ACL on a folder for a group and a user

Always remember users have high priority then groups in ACL.

So, create a group “account“

groupadd account

Then, create two users and assign them “account” group

useradd amir -g account
useradd ihsan -g account

Now, create a test folder, set ACL for “account” group and “ihsan” user

mkdir test

ls -lh

setfacl -R  -m g:account:rwx   test

setfacl  -R -m    u:ihsan:r-x     test

getfacl test

In above scenario both users amir and ihsan are member of account group. but user ihsan is also have separate acl for it. (It means user ihsan acl has high priority over group acl)
amir has full access on test folder, e.g. he can make files/folders in that folder.
But ihsan cannot create files/folders in test folder because he do not has full w(write) permission.

Set ACL for others

we will set it on test folder
let say a user obaid is other user. It means he is not the owner nor the member of that “test” folder’s group.

useradd obaid
setfacl -R  -m o:r-x   test
getfacl test

Now user obaid has read and execute permissions on test folder. It means it can read all files folders under test folder.

Assign full permissions to user “obaid”

setfacl -R  -m o:rwx   test
getfacl test

Now user obaid has full permissions on test folder. It means it can read, write, modify files folders under test folder.

Remove all Permission from user “obaid”

setfacl -R  -m o:---   test
getfacl test

Now user obaid has no permissions on test folder. It means it cannot go to test folder.

Remove single/desired ACL from a file/folder

Now, we will remove ACL of user ali from testdir folder

setfacl -R  -x u:ali   test
getfacl test

x it is used to remove ACL

Remove all the ACLs from a file/folder

Then, we will remove ACLS from test folder

setfacl -R  -b   test
getfacl test

The –b option is used to remove all ACLs

2- Configure Default ACL

The default ACL is a specific type of permissions assigned to a directory, default ACL does not change the permissions of the directory itself, but specified permission in that ACL will set by default on all the folders which will be created inside of it for the specified user, group and other users. We can say the default ACL permissions on parent directory inherit by sub-directories.

So, we will set default ACL for user ahmed

useradd ahmed
mkdir testdir1
setfacl -m   d:u:ahmed:rx    testdir1
getfacl testdir1

The d it is used to set default ACL

Now each directory created under test directory will have default permission of rx for user ahmed.

Now we will set default ACL for group hr

setfacl -m   d:g:hr:rwx    testdir1
getfacl testdir

We will set default ACL for other

setfacl -m   d:o:---    testdir1
getfacl testdir1

That’ it, now you have briefly learned about Linux ACLs.

So, share this post and join our Telegram Channel.

The post How to Use Access Control List (ACL) in Linux appeared first on Linux Windows and android Tutorials.