In this post we are going to securing files and directories using ACL in RHEL7/Cent OS 7.
In this post we are going to see how to secure files and directories using ACL.
As first step need to check kernel compatibility for ACL using below command.
[root@server ~]# grep -i acl /boot/config* CONFIG_EXT4_FS_POSIX_ACL=y CONFIG_XFS_POSIX_ACL=y CONFIG_BTRFS_FS_POSIX_ACL=y CONFIG_FS_POSIX_ACL=y CONFIG_GENERIC_ACL=y CONFIG_TMPFS_POSIX_ACL=y CONFIG_NFS_V3_ACL=y CONFIG_NFSD_V2_ACL=y CONFIG_NFSD_V3_ACL=y CONFIG_NFS_ACL_SUPPORT=m CONFIG_CEPH_FS_POSIX_ACL=y CONFIG_CIFS_ACL=y
Above output will says that this kernel is compatible with ACL access since we could see all are marked as yes POSIX_ACL=y.
If it is set as N. Than we need to rebuild the kernel.
Next need to install the packages.
Required packages for ACL:
acl
nfs4-acl-tools
libacl
Now install all the above three packages using yum:
Link to see how to configure yum locally click here
[root@server ~]# yum -y install nfs4-acl* acl libacl
Will assign read, write and execute permission to files and directories using ACL and will mention characters ugo/rwx in commands for permissions respectively.
Now will see a example which will help us to understand clearly.
Create three users and one group respectively like below.
[root@server ~]# useradd lbcuser1 [root@server ~]# useradd lbcuser2 [root@server ~]# useradd lbcuser3 [root@server ~]# groupadd lbcgroup [root@server ~]# passwd lbcuser1 Changing password for user lbcuser1. New password: BAD PASSWORD: The password is a palindrome Retype new password: passwd: all authentication tokens updated successfully.
Above screen password has been generated for only lbcuser1.Same like that need to set password for other 2 users.
Now add the lbcgroup group as secondry group for lbcuser1 and lbcuser2 users.
[root@server ~]# usermod -aG lbcgroup lbcuser1 [root@server ~]# usermod -aG lbcgroup lbcuser2
Create a directory and a file inside of that directory to assign and check permissions using acl.
[root@server ~]# mkdir /tmp/data [root@server ~]# touch /tmp/data/testfile.txt
Now change the group as lbcgroup to the file like below.
[root@server ~]# chown :lbcgroup /tmp/data/testfile.txt [root@server ~]# ll /tmp/data/testfile.txt -rw-r--r--. 1 root lbcgroup 0 Dec 15 21:14 /tmp/data/testfile.txt
set the permission 770 using chmod command to the testfile.txt.
Now we can login as lbcuser1 and lbcuser2 and than will try to insert content in testfile.txt.
Sure both users can able to insert content in the file. Because, both users and files group is same(lbcgroup).
[root@server ~]# su lbcuser1 [lbcuser1@server root]$ echo "My name is lbcuser1..." > /tmp/data/testfile.txt [lbcuser1@server root]$ exit exit [root@server ~]# su lbcuser2 [lbcuser2@server root]$ echo "My name is lbcuser2..." > /tmp/data/testfile.txt [lbcuser2@server root]$ exit exit [root@server ~]#
and now will try to insert content as lbcuser3. It will give error. Since, its not the owner and member of lbcgroup for that file.
[root@server ~]# su lbcuser3 [lbcuser3@server root]$ echo "My name is lbcuser3..." > /tmp/data/testfile.txt bash: /tmp/data/testfile.txt: Permission denied
So, now will provide read and write permission using ACL without adding the lbcuser3 in lbcgroup and will check it again to insert content into the file.
[root@server ~]# setfacl -R -m u:lbcuser3:rw /tmp/data/testfile.txt [root@server ~]# su lbcuser3 [lbcuser3@server root]$ echo "My name is lbcuser3..." > /tmp/data/testfile.txt [lbcuser3@server root]$ cat /tmp/data/testfile.txt My name is lbcuser3...
Since we user single > symbol to redirect the echo command out into the file, its showing our last content which is “My name is lbcuser3…”
To set permission for group will use g in above command where we used u and groupname where we given username like below.
[root@server ~]# setfacl -R -m g:lbcgroup:rw /tmp/data/testfile.txt
To check the existing ACL permission of a file use getfacl command.
[root@server ~]# getfacl /tmp/data/testfile.txt getfacl: Removing leading '/' from absolute path names # file: tmp/data/testfile.txt # owner: root # group: lbcgroup user::rwx user:lbcuser3:rw- group::rwx mask::rwx other::---
Same like file will set permission to directory as well.
Command to set permission for directory:
below command will help us to set read permission alone for other users which is not owner/group of the directory.
[root@server ~]# setfacl -m d:o:r /tmp/data [root@server ~]# getfacl /tmp/data getfacl: Removing leading '/' from absolute path names # file: tmp/data # owner: root # group: root user::rwx group::r-x other::r-x default:user::rwx default:group::r-x default:other::r--
I have learned some new issues from your website about desktops. Another thing I’ve always believed is that computer systems have become something that each home must have for several reasons. They provide convenient ways in which to organize households, pay bills, go shopping, study, listen to music and perhaps watch tv series. An innovative solution to complete every one of these tasks has been a laptop. These personal computers are mobile ones, small, powerful and lightweight.
Excellent post. I was checking continuously this blog and I am impressed!
Extremely helpful info specially the last part :
) I care for such info much. I was looking for this particular info for a long time.
Thank you and good luck.
Thank you for the good writeup. It in fact was a amusement account it.
Look advanced to far added agreeable from you! However, how could we communicate?
Awesome issues here. I am very satisfied to look your article.
Thank you so much and I am looking ahead to touch you.
Will you please drop me a e-mail?