Working With ACLs

General Information

File servers that run Microsoft Windows typically lock shared resources to some users/groups while giving other users/groups full rights on the same share. How can this be if standard permissions only cover one user, one group, and everybody else? This is accomplished with Access Control Lists (ACLs), and the UNIX environment can also apply these fine-grained permissions to files and directories. Not only is the feature supported, but Windows clients that connect to your Samba shares will respect the ACLs as well.

Requirements

  1. Local root access on the box, or the ability to su to root.
  2. An SSH client that supports ANSI colors, such as PuTTY or SecureCRT (if you aren’t on the box).
  3. A UFS filesystem.

Configuration

By default, ACL support is disabled on all partitions or mount points. We can verify this by viewing the mount table.

# mount
/dev/ad1s1a on / (ufs, local)
devfs on /dev (devfs, local)
/dev/ad1s1e on /tmp (ufs, local, soft-updates)
/dev/ad1s1f on /usr (ufs, local, soft-updates)
/dev/ad1s1d on /var (ufs, local, soft-updates)

As you can see, none of the mount points have ACL support enabled, since acls does not appear in any of the option lists. So, let’s enable ACLs on the /usr partition. In order to enable ACL support on any partition, it has to be unmounted first. Unmounting system partitions can only be done in single-user mode. Boot into single-user mode or, if you are already in multi-user mode, issue a shutdown.

# shutdown now

You will then be prompted for the root password for single-user mode. Once there, unmount /usr, add ACL support, mount /usr, and reboot into multi-user mode.

Note: Replace /dev/ad1s1f and /usr with the relevant partition and mountpoint for your system.
# umount /usr
# tunefs -a enable /dev/ad1s1f
tunefs: ACLs set
# mount /dev/ad1s1f /usr

You can verify the ACL support by viewing your mountpoints.

# mount
/dev/ad1s1a on / (ufs, local)
devfs on /dev (devfs, local)
/dev/ad1s1e on /tmp (ufs, local, soft-updates)
/dev/ad1s1f on /usr (ufs, local, soft-updates, acls)
/dev/ad1s1d on /var (ufs, local, soft-updates)

As you can see, the /usr mountpoint now has ACL support enabled. Reboot into multi-user mode now.

# shutdown -r now
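
Before running setfacl on a file, it helps to know whether the filesystem holding it was mounted with ACLs. The following is an added example, not part of the original guide: it reads mount output and reports the ACL state of the mount point that covers a given path. The path /usr/home/jon/file.txt is an assumed location.

```sh
#!/bin/sh
# mount(8) output as shown above, after ACLs were enabled on /usr.
mount_sample() {
    cat <<'EOF'
/dev/ad1s1a on / (ufs, local)
devfs on /dev (devfs, local)
/dev/ad1s1e on /tmp (ufs, local, soft-updates)
/dev/ad1s1f on /usr (ufs, local, soft-updates, acls)
/dev/ad1s1d on /var (ufs, local, soft-updates)
EOF
}

# acl_mount_for PATH: read mount output on stdin, find the mount point that
# holds PATH (longest matching prefix) and print "<mountpoint> acls" or
# "<mountpoint> noacls". Assumes mount points contain no spaces.
acl_mount_for() {
    awk -v path="$1" '
    $2 == "on" {
        mp = $3
        # covers PATH if it is "/", equals PATH, or is a whole-component prefix
        if (mp == "/" || path == mp || index(path, mp "/") == 1) {
            if (length(mp) > length(best)) {
                best = mp
                opts = $0
                sub(/^[^(]*\(/, "", opts)      # drop everything up to "("
                sub(/\).*$/, "", opts)         # drop ")" and what follows
                acl = ((", " opts ",") ~ /, acls,/) ? "acls" : "noacls"
            }
        }
    }
    END { if (best == "") exit 1; print best, acl }'
}

# Assumed path for illustration; on a live system use: mount | acl_mount_for PATH
mount_sample | acl_mount_for /usr/home/jon/file.txt
```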

Usage

Modify ACL

Now that ACL support is enabled on the /usr mountpoint, let’s discuss using the feature on files and directories. We will be using two commands: setfacl(1) to set ACL information and getfacl(1) to display the ACL information. For this guide we will create a file for testing purposes.

# echo "My file" > file.txt

We can view the current ACL information on the file.txt by using getfacl.

# getfacl file.txt
#file:file.txt
#owner:1001
#group:0
user::rw-
group::r--
other::r--

As you can see, there’s nothing special about the permissions yet, just the default user, group, and other permissions. Now, let’s restrict everyone from being able to read the file, while still allowing the owner and bob to read it.

# setfacl -m u:bob:r,o:: file.txt

Now, let’s see how that affected the regular permission listing.

# ls -l file.txt                    
-rw-r-----+ 1 jon  wheel  - 8 Feb 21 00:16 file.txt

Notice the plus sign (+) at the end of the permissions listing. This indicates an ACL is set for that file/directory. Let’s view it.

# getfacl file.txt
#file:file.txt
#owner:1001
#group:0
user::rw-
user:bob:r--
group::r--
mask::r--
other::---

The breakdown is as follows: the owner (user::) has read/write, bob has read only, the owning group has read, and everyone else gets no privileges. The mask entry is the upper limit on what named users such as bob and the group entries can actually receive. You can test this by attempting to access the file.
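
To audit what a listing really grants, the following added example (not from the original guide) reads getfacl output and prints each entry with the mask applied. The sample listing is constructed: bob's entry says rw- under an r-- mask, a state that can arise when setfacl is run with -n so that the mask is not recalculated.

```sh
#!/bin/sh
# Constructed sample in the page's getfacl format: bob's entry says rw-,
# but the mask is r--.
sample_acl() {
    cat <<'EOF'
#file:file.txt
#owner:1001
#group:0
user::rw-
user:bob:rw-
group::r--
mask::r--
other::---
EOF
}

# effective_acl: read getfacl output on stdin and print tag:qualifier:perms
# with the mask applied. The mask limits named users, the owning group and
# named groups; it never limits the owner (user::) or other::.
effective_acl() {
    awk -F: '
    /^#/ || NF < 3 { next }               # skip header comments, blank lines
    {
        n++; tag[n] = $1; who[n] = $2; perm[n] = substr($3, 1, 3)
        if ($1 == "mask") mask = perm[n]
    }
    END {
        for (i = 1; i <= n; i++) {
            if (tag[i] == "mask") continue
            p = perm[i]
            exempt = (who[i] == "" && (tag[i] == "user" || tag[i] == "other"))
            if (mask != "" && !exempt) {
                e = ""
                for (k = 1; k <= 3; k++) {
                    c = substr(p, k, 1)
                    # keep a bit only if the mask grants it too
                    e = e (c == substr(mask, k, 1) ? c : "-")
                }
                p = e
            }
            printf "%s:%s:%s\n", tag[i], who[i], p
        }
    }'
}

sample_acl | effective_acl
```

On a live system, pipe the real listing in instead: getfacl file.txt | effective_acl.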

Now, what if you wanted everyone to read and write to the file, but you don’t want bob to access it? Piece of cake. Just set new ACLs.

# setfacl -m u:bob:,o::rw file.txt

If bob tries to access the file, he will get a permission denied message. Everyone else may access it just fine.

Delete ACL

Now that you have ACLs set on files, over time you may need to change those permissions, perhaps to remove a user from the list altogether.

# setfacl -n -x u:bob: file.txt

The permissions for bob are now removed. Now, if you wanted to remove the ACL from the file completely, use:

# setfacl -bn file.txt

All ACL permissions are removed and you can verify this with a standard listing.

# ls -l file.txt
-rw-r--rw-  1 jon  wheel  - 8 Feb 21 09:06 file.txt

Copying ACLs

You might be thinking that ACLs are pretty neat, but how can a single one be applied to several files or a directory recursively? It’s pretty simple. Just copy the ACL from one file to the next after setting up the original file.

# setfacl -m u::rwx,g::rw,o::,u:bob:r file.txt
# getfacl file.txt
#file:file.txt
#owner:1001
#group:0
user::rwx
user:bob:r--
group::rw-
mask::rw-
other::---

# touch file2.txt
# getfacl file.txt | setfacl -b -n -M - file2.txt

The ACL applied on file.txt is now applied to file2.txt as well. You can verify this with getfacl.

# getfacl file.txt file2.txt
#file:file.txt
#owner:1001
#group:0
user::rwx
user:bob:r--
group::rw-
mask::rw-
other::---

#file:file2.txt
#owner:1001
#group:0
user::rwx
user:bob:r--
group::rw-
mask::rw-
other::---
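
The copy above handles one target file. As an added example (not part of the original guide), this function repeats the same getfacl | setfacl -b -n -M - pipeline for every regular file under a directory. The function name and the usage path are assumptions, and directories are left alone on purpose.

```sh
#!/bin/sh
# copy_acl_tree REF DIR
# Apply REF's ACL to every regular file under DIR with the same
# getfacl | setfacl -b -n -M - pipeline used above for file2.txt.
# Directories are skipped: a file ACL normally lacks the execute (search)
# bit that directories need.
copy_acl_tree() {
    ref=$1
    dir=$2
    if [ ! -f "$ref" ] || [ ! -d "$dir" ]; then
        echo "usage: copy_acl_tree REF DIR" >&2
        return 2
    fi

    # Read the reference ACL once so every file receives the same entries.
    acl=$(getfacl "$ref") || return 1

    # find hands file names to the inner shell as arguments, so names with
    # spaces are safe. The ACL text travels in the environment.
    ACL_TEXT=$acl find "$dir" -type f -exec sh -c '
        rc=0
        for f do
            printf "%s\n" "$ACL_TEXT" | setfacl -b -n -M - "$f" || {
                echo "setfacl failed: $f" >&2
                rc=1
            }
        done
        exit "$rc"' sh {} +
}

# Hypothetical usage: copy_acl_tree file.txt /usr/home/jon/docs
```

The function returns non-zero if any setfacl call fails, so a partially applied tree does not pass unnoticed.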

Now you are on your way to securing your files and directories on your system.
