In this post we are going to see how to secure files and directories using ACLs on RHEL 7 / CentOS 7.
As a first step, check that the kernel was built with ACL support using the command below.
[root@server ~]# grep -i acl /boot/config*
CONFIG_EXT4_FS_POSIX_ACL=y
CONFIG_XFS_POSIX_ACL=y
CONFIG_BTRFS_FS_POSIX_ACL=y
CONFIG_FS_POSIX_ACL=y
CONFIG_GENERIC_ACL=y
CONFIG_TMPFS_POSIX_ACL=y
CONFIG_NFS_V3_ACL=y
CONFIG_NFSD_V2_ACL=y
CONFIG_NFSD_V3_ACL=y
CONFIG_NFS_ACL_SUPPORT=m
CONFIG_CEPH_FS_POSIX_ACL=y
CONFIG_CIFS_ACL=y
The output above shows that this kernel supports ACLs, since all the POSIX_ACL options are set to y.
If any of them is set to n, the kernel needs to be rebuilt with ACL support.
Next, install the required packages.
Required packages for ACL:
acl
nfs4-acl-tools
libacl
Now install all three packages using yum:
[root@server ~]# yum -y install nfs4-acl* acl libacl
We will assign read, write and execute permissions to files and directories using ACLs; in the commands, the characters u/g/o stand for user, group and other, and r/w/x for read, write and execute.
Now let's look at an example that makes this clear.
Create three users and one group as shown below.
[root@server ~]# useradd lbcuser1
[root@server ~]# useradd lbcuser2
[root@server ~]# useradd lbcuser3
[root@server ~]# groupadd lbcgroup
[root@server ~]# passwd lbcuser1
Changing password for user lbcuser1.
New password:
BAD PASSWORD: The password is a palindrome
Retype new password:
passwd: all authentication tokens updated successfully.
In the screen above a password was set only for lbcuser1; set passwords for the other two users the same way.
Now add lbcgroup as a secondary group for the users lbcuser1 and lbcuser2.
[root@server ~]# usermod -aG lbcgroup lbcuser1
[root@server ~]# usermod -aG lbcgroup lbcuser2
Create a directory and a file inside it, which we will use to assign and check permissions using ACLs.
[root@server ~]# mkdir /tmp/data
[root@server ~]# touch /tmp/data/testfile.txt
Now change the file's group to lbcgroup as shown below.
[root@server ~]# chown :lbcgroup /tmp/data/testfile.txt
[root@server ~]# ll /tmp/data/testfile.txt
-rw-r--r--. 1 root lbcgroup 0 Dec 15 21:14 /tmp/data/testfile.txt
Set the permissions on testfile.txt to 770 using the chmod command.
Now log in as lbcuser1 and as lbcuser2 and try to write content into testfile.txt.
Both users can write to the file, because the file's group and the users' group are the same (lbcgroup).
[root@server ~]# su lbcuser1
[lbcuser1@server root]$ echo "My name is lbcuser1..." > /tmp/data/testfile.txt
[lbcuser1@server root]$ exit
exit
[root@server ~]# su lbcuser2
[lbcuser2@server root]$ echo "My name is lbcuser2..." > /tmp/data/testfile.txt
[lbcuser2@server root]$ exit
exit
[root@server ~]#
Now try to write content as lbcuser3. This fails, since lbcuser3 is neither the owner of the file nor a member of lbcgroup.
[root@server ~]# su lbcuser3
[lbcuser3@server root]$ echo "My name is lbcuser3..." > /tmp/data/testfile.txt
bash: /tmp/data/testfile.txt: Permission denied
So now we grant read and write permission using an ACL, without adding lbcuser3 to lbcgroup, and check again whether this user can write content into the file.
[root@server ~]# setfacl -R -m u:lbcuser3:rw /tmp/data/testfile.txt
[root@server ~]# su lbcuser3
[lbcuser3@server root]$ echo "My name is lbcuser3..." > /tmp/data/testfile.txt
[lbcuser3@server root]$ cat /tmp/data/testfile.txt
My name is lbcuser3...
Since we used a single > to redirect the output of echo into the file, the file was truncated and shows only our last content, which is “My name is lbcuser3…”.
To set permissions for a group, use g in place of the u in the command above and a group name in place of the user name, as shown below.
[root@server ~]# setfacl -R -m g:lbcgroup:rw /tmp/data/testfile.txt
To check the existing ACL entries of a file, use the getfacl command.
[root@server ~]# getfacl /tmp/data/testfile.txt
getfacl: Removing leading '/' from absolute path names
# file: tmp/data/testfile.txt
# owner: root
# group: lbcgroup
user::rwx
user:lbcuser3:rw-
group::rwx
mask::rwx
other::---
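One thing to keep in mind when reading the getfacl output above: the mask entry caps what named user and group entries actually grant, and a later chmod on the group bits rewrites that mask, so u:lbcuser3:rw can silently become read-only. The shell function below is an added example, not part of the original post: it reads a getfacl listing and reports the effective rights of one entry. The two listings are constructed to mirror the post's testfile.txt, and the "chmod 750" scenario is an assumption, not something the post ran.

```shell
# Constructed getfacl listings (not captured from the post's system).
# ACL_MASK_RWX mirrors the post's output after setfacl; ACL_MASK_RX is the
# same file after an assumed later "chmod 750", which rewrote the mask to r-x.
ACL_MASK_RWX='# file: tmp/data/testfile.txt
# owner: root
# group: lbcgroup
user::rwx
user:lbcuser3:rw-
group::rwx
mask::rwx
other::---'

ACL_MASK_RX='# file: tmp/data/testfile.txt
# owner: root
# group: lbcgroup
user::rwx
user:lbcuser3:rw-
group::rwx
mask::r-x
other::---'

# effective_perms ACL_TEXT TAG NAME
#   TAG is user|group|other; NAME is the named user/group, or "" for the
#   owner, the owning group or other. Prints the rights the entry really
#   grants: named users, named groups and the owning group are ANDed with
#   the mask, while the owner and "other" are never masked (POSIX.1e).
effective_perms() {
    printf '%s\n' "$1" | awk -F: -v t="$2" -v n="$3" '
        { sub(/[ \t]+#.*$/, "", $3) }      # strip "#effective:" notes from getfacl -e
        $1 == t && $2 == n { perms = $3 }  # the entry we were asked about
        $1 == "mask"       { mask  = $3 }
        END {
            if (perms == "") exit 1        # no such entry in this listing
            if ((t == "user" && n == "") || t == "other" || mask == "") {
                print perms; exit 0
            }
            out = ""
            for (i = 1; i <= 3; i++) {     # bitwise AND of the two rwx strings
                p = substr(perms, i, 1); m = substr(mask, i, 1)
                out = out ((p == m && p != "-") ? p : "-")
            }
            print out
        }'
}

echo "post's listing, mask rwx : $(effective_perms "$ACL_MASK_RWX" user lbcuser3)"  # rw-
echo "after chmod 750, mask r-x: $(effective_perms "$ACL_MASK_RX"  user lbcuser3)"  # r--
```

On a real system, getfacl -e prints the same information as a "#effective:" annotation next to each masked entry, and ls -l marks files carrying an ACL with a trailing + in the mode column.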
Permissions are set on a directory in the same way as on a file.
Command to set permissions for a directory:
The command below gives read permission alone to other users, i.e. those that are neither the owner nor in the group of the directory; the d: prefix makes it a default entry, which is what the default: lines in the getfacl output below show.
[root@server ~]# setfacl -m d:o:r /tmp/data
[root@server ~]# getfacl /tmp/data
getfacl: Removing leading '/' from absolute path names
# file: tmp/data
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::r-x
default:other::r--