
Linux ACL

If you need finer control over file permissions than the standard owner/group/other model gives you, Access Control Lists (ACLs) may be the way to go. ACLs extend the normal user/group/other triad and allow granting permissions to individual named users or groups on a single file or directory.
ACLs are a good option when you want to grant access without creating and maintaining a whole new Unix group. They also let ordinary (non-root) users delegate access to their own files without involving an administrator. Only the owner of a file (or root) can modify its ACL, though.

Proceed with caution! ACLs can cause mysterious permission problems that are not obvious to someone who isn't aware of them: ls -l only hints at their presence with a trailing plus sign, and tools that don't understand ACLs silently drop them (tar needs --acls and rsync needs -A to preserve them). For this reason the latest RHEL / CentOS ships with ACL support enabled on the default filesystems, but no ACL entries set.

To check whether your ext2/ext3/ext4 filesystem already has acl in its default mount options, use tune2fs and look for "Default mount options:" with acl listed (XFS always has ACL support enabled). Let's assume we have /dev/sdb1 mounted on /data1 and we want to enable the acl option.
[root@foobaz ~]# tune2fs -l /dev/sdb1
To enable ACLs on the filesystem, set the acl default in the superblock so it persists across reboots (adding acl to the mount options in /etc/fstab works too) and then remount so it takes effect now:
[root@foobaz ~]# tune2fs -o acl /dev/sdb1
[root@foobaz ~]# mount -o remount,acl /data1
Use getfacl to view ACLs:
[root@foobaz ~]# touch /data1/foo.txt
[root@foobaz ~]# getfacl /data1/foo.txt
getfacl: Removing leading '/' from absolute path names
# file: data1/foo.txt
# owner: root
# group: root
user::rw-
group::r--
other::r--
Use setfacl to set ACLs, with -m to add or modify an entry and -x to remove a given entry.

give user bob read+write+execute on a file:
[root@foobaz ~]# setfacl -m u:bob:rwx /data1/singh.txt
give group peeps read+write on a file:
[root@foobaz ~]# setfacl -m g:peeps:rw /data1/singh.txt
remove bob's ACL permissions:
[root@foobaz ~]# setfacl -x u:bob /data1/singh.txt
set the default ACL permissions on a directory:
[root@foobaz ~]# setfacl -m d:g:peeps:rw /data1/stuff/
cap the effective permissions of named users, named groups and the owning group by setting the mask entry (the file owner and "other" are never limited by the mask; getfacl shows the capped result as an "#effective:" comment next to each affected entry). Note that setfacl -m recalculates the mask automatically unless you pass -n, so a later -m can widen it again:
[root@foobaz ~]# setfacl -m m::rx /data1/singh.txt
When ACLs are present, ls -l shows a plus sign after the mode to notify you. Note that the group triad in that output then shows the ACL mask, not the owning group's own permissions:
[root@foobaz ~]# ls -l /data1/singh.txt 
-rw-rwxr--+ 1 root root 0 Dec  3 14:54 /data1/singh.txt
Note that mv and cp -p preserve ACLs (mv across filesystems copies the file and keeps the ACL only if the destination filesystem supports ACLs), while plain cp does not. If you have default entries set on a directory, new files and subdirectories created in it inherit them; the mode the creating program asks for (0666 for touch, 0777 for mkdir) is ANDed into the inherited entries, and the umask is not applied in that case.

If you want to remove all ACL entries, reverting back to the base Unix permissions of owner, group and other (-b is the short form; -k removes only the default entries of a directory):
[root@foobaz ~]# setfacl --remove-all /data1/singh.txt
To audit a tree for files that carry extended ACL entries, getfacl -R -s -p /data1 walks it recursively and skips files that have only the base entries.
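The mask rule above is the part of ACLs that most often surprises people: a named user can be granted rwx and still end up with r-x. The following Python script, an added example that is not part of the original post, parses getfacl output (for example from getfacl -R) and computes the effective permissions the kernel will actually enforce, applying the mask to named users, named groups and the owning group but not to the owner or "other". It then reports entries the mask has narrowed and any named user or group whose effective permissions still include write, which is what an auditor usually wants to find. The embedded getfacl output is constructed to match the singh.txt and stuff examples on this page; the file names, the user bob and the group peeps are taken from the page, and the helper names are my own.

```python
"""Compute effective ACL permissions from getfacl(1) output.

Added example; not code from the original post. Parses the text format
getfacl prints (one block per file, blank-line separated) and applies the
POSIX ACL mask rule to work out what each entry really grants.
"""
import re
from dataclasses import dataclass, field

PERM_BITS = {"r": 4, "w": 2, "x": 1}

# Matches "user:bob:rwx", "default:group:peeps:rw-", "mask::r-x" etc.
# Trailing "#effective:..." comments from getfacl are ignored by the match.
ENTRY_RE = re.compile(r"^(default:)?(user|group|mask|other):([^:]*):([rwx-]{3})")


def perm_to_int(perm: str) -> int:
    """'rwx' -> 7, 'r-x' -> 5, '---' -> 0."""
    return sum(PERM_BITS[c] for c in perm if c in PERM_BITS)


def int_to_perm(bits: int) -> str:
    """7 -> 'rwx', 5 -> 'r-x'."""
    return "".join(c if bits & b else "-" for c, b in PERM_BITS.items())


@dataclass
class AclEntry:
    tag: str            # user, group, mask or other
    qualifier: str      # user/group name; "" for owner, owning group, mask, other
    perms: int          # permissions as granted in the ACL
    default: bool = False  # True for a directory's default (inherited) entry


@dataclass
class FileAcl:
    path: str
    owner: str = ""
    group: str = ""
    entries: list = field(default_factory=list)

    def mask(self, default: bool):
        """Return the mask bits of the access or default ACL, or None if absent."""
        for e in self.entries:
            if e.tag == "mask" and e.default == default:
                return e.perms
        return None

    def effective(self) -> dict:
        """Map (tag, qualifier, default) -> effective permission bits.

        The mask caps named users, named groups and the owning group.
        It never applies to the file owner (user::) or to other::.
        """
        out = {}
        for e in self.entries:
            if e.tag == "mask":
                continue
            m = self.mask(e.default)
            capped = e.tag == "group" or (e.tag == "user" and e.qualifier != "")
            out[(e.tag, e.qualifier, e.default)] = (
                e.perms & m if (capped and m is not None) else e.perms)
        return out


def parse_getfacl(text: str) -> list:
    """Parse getfacl output into a list of FileAcl, one per '# file:' block."""
    files, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("# file:"):
            cur = FileAcl(path=line.split(":", 1)[1].strip())
            files.append(cur)
        elif line.startswith("# owner:") and cur is not None:
            cur.owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:") and cur is not None:
            cur.group = line.split(":", 1)[1].strip()
        elif line.startswith("#"):
            continue  # e.g. "# flags: s--" on setuid files
        else:
            m = ENTRY_RE.match(line)
            if m is None or cur is None:
                raise ValueError(f"unrecognised getfacl line: {raw!r}")
            dflt, tag, qual, perms = m.groups()
            cur.entries.append(AclEntry(tag, qual, perm_to_int(perms), bool(dflt)))
    return files


def narrowed_entries(acl: FileAcl) -> list:
    """(entry, granted, effective) for every entry the mask cuts down."""
    eff, out = acl.effective(), []
    for e in acl.entries:
        if e.tag == "mask":
            continue
        got = eff[(e.tag, e.qualifier, e.default)]
        if got != e.perms:
            name = ("default:" if e.default else "") + e.tag
            name += ":" + e.qualifier if e.qualifier else ""
            out.append((name, int_to_perm(e.perms), int_to_perm(got)))
    return out


def writable_grants(acl: FileAcl) -> list:
    """Named users/groups whose *effective* permissions include write."""
    hits = []
    for (tag, qual, dflt), eff in acl.effective().items():
        if qual and eff & PERM_BITS["w"]:
            hits.append(("default:" if dflt else "") + f"{tag}:{qual}:{int_to_perm(eff)}")
    return hits


# Constructed sample: what getfacl -R /data1 would print after the setfacl
# commands shown on this page (bob rwx, peeps rw, then mask r-x on singh.txt;
# a default entry for peeps on stuff/). Not captured from a real system.
SAMPLE_GETFACL = """\
# file: data1/singh.txt
# owner: root
# group: root
user::rw-
user:bob:rwx\t\t\t#effective:r-x
group::r--
group:peeps:rw-\t\t\t#effective:r--
mask::r-x
other::r--

# file: data1/stuff
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::r-x
default:group:peeps:rw-
default:mask::rwx
default:other::r-x
"""

if __name__ == "__main__":
    for acl in parse_getfacl(SAMPLE_GETFACL):
        print(acl.path)
        for name, granted, got in narrowed_entries(acl):
            print(f"  mask narrows {name}: granted {granted}, effective {got}")
        for hit in writable_grants(acl):
            print(f"  effective write grant: {hit}")
```

Feed it the output of getfacl -R -p /data1 to audit a whole tree; anything listed under "effective write grant" is a named user or group that can modify the file even though the owner/group/other columns of ls -l do not show it.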
