Linux Tricks and Tips

ACL is used to set some special permissions on files or directories.

As we know every file or directory have permissions for owner, group and other users but if you want to provide access to any other user without modifying current permissions of file or directory, in that case we can use the ACL.

Before applying ACL we have to perform some initial check.

1. Check if acl package is installed or not.

2. Check ACL support for mounted file system.

1. Check if acl package is installed or not.

[root@vidya ~]# yum list acl

Installed Packages

acl.x86_64 2.2.49-7.el6_9.1 @updates

2. Check ACL support for mounted file system

Suppose we want to set acl on /home/vidya directory, so make sure that acl is enabled on file system where /home/vidya directory is present.

[root@vidya ~]# df -h /home/vidya

Filesystem Size Used Avail Use% Mounted on

/dev/mapper/vg_94762034-lv_root 29G 6.3G 21G 24% /

Here, we can say that /home/vidya directory is present under mount /.

Now, check if acl is enabled for / mount point.

[root@vidya ~]# cat /etc/fstab

# /etc/fstab

# Created by anaconda on Thu May 10 16:43:17 2012

# Accessible filesystems, by reference, are maintained under '/dev/disk'

# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info

/dev/mapper/vg_94762034-lv_root / ext4 defaults,acl 1 1

UUID=0eb7c5d4-1797-4b77-84de-14983906633d /boot ext4 defaults 1 2

/dev/mapper/vg_94762034-lv_swap swap swap defaults 0 0

tmpfs /dev/shm tmpfs defaults 0 0

devpts /dev/pts devpts gid=5,mode=620 0 0

sysfs /sys sysfs defaults 0 0

proc /proc proc defaults 0 0

/dev/xvde1 /top ext4 defaults 0 0

/dev/xvde2 swap swap defaults 0 0

Now, we have added acl for / mount point. Once you add the acl remount the partition or reboot the system.

[root@vidya ~]# mount -o remount /

[root@vidya ~]#

Now enable ACL on files and directories.

There are two commands for ACL

1. getfacl : getfacl command is used to check the currently set permissions.

2. setfacl : setfacl command is used to set the special permissions on files and directories.

For example:

[root@vidya ~]# ls -ld /home/vidya

drwx------. 3 vidya vidya 4096 Oct 5 16:47 /home/vidya

[root@vidya ~]# getfacl /home/vidya

getfacl: Removing leading '/' from absolute path names

# file: home/vidya

# owner: vidya

# group: vidya

user::rwx

group::---

other::---

[root@vidya ~]#

Here, we see user vidya have rwx permissions on /home/vidya directory but group and others don’t have any permission.

Now, we want to provide access to swati user without modifying the actual permissions of directory /home/vidya

[root@vidya ~]# setfacl -m u:swati:rwx /home/vidya

[root@vidya ~]#

[root@vidya ~]# getfacl /home/vidya

getfacl: Removing leading '/' from absolute path names

# file: home/vidya

# owner: vidya

# group: vidya

user::rwx

user:swati:rwx

group::---

mask::rwx

other::---

Here, we will see swati user have now rwx permissions for directory /home/vidya.

Now, fire ls –ld /home/vidya and observe the permissions.

[root@vidya ~]# ls –ld /home/vidya

drwx------+ 2 vidya vidya 4096 Oct 18 23:57 /home/vidya

Note: ACL enabled directory contains + after permissions.

To Remove all ACL

Use below command to remove all ACL.

[root@vidya ~]# setfacl -b /home/vidya

[root@vidya ~]#

To remove acl for particular user use below command

[root@vidya ~]# setfacl -x u:swati /home/vidya

[root@vidya ~]#

UMASK is User file creation mask, which is used to set default permissions for newly created files and directories.

The default maximum permissions for file is 666 because file doesn’t have execute permissions by default and the maximum permissions for directory is 777.

Check current UMASK

To check current umask value, just enter the umask command on terminal.

Here, 0022 is the current umask value set on the system.

These 4 values are as below:

0	Special Permissions
0	Owner Permissions
2	Group Permissions
2	Other User’s Permissions

Now, we will calculate how newly files get default permissions.

Default file permissions – UMASK = Newly created files permissions

0666 - 0022 = 0644 (Here UMASK value is 0022 so newly created files get 0644 permissions)

Default Directory permissions – UMASK = Newly created files permissions

0777 – 0022 = 0755 (Here, UMASK value is 0022, so newly created directory get 0755 permissions)

How to change UMASK temporarily?
To change umask temporarily use the below command.

Here, We have set 0044 as umask value.

Now, newly created files and directories will get the permissions as below

0666 - 0044 = 0622 (So 0622 should be default permissions for file)

0777 - 0044 = 0733 (So 0733 should be default permissions for directory)

Now, When ever you create new files and directories and check, you will see 622 (rw--w--w-) permissions for file and 733 (rwx-wx-wx) to directories. Check below example.

Note: You will need to open new terminal to see new umask.

Examples:

[root@p ~]# umask

0044

[root@p ~]# touch test

[root@p ~]# ls -l test

-rw--w--w-. 1 root root 0 Jul 25 19:01 test

[root@p ~]# mkdir new

[root@p ~]# ls -ld new

drwx-wx-wx. 2 root root 4096 Jul 25 19:02 new

[root@p ~]#

How to change UMASK permanently?

You will need to open the file .bash_profile which is present in home directory of user.

Once you open the file you will need to add the entry of umask value which you want to set.

Now, we have permanently set umask value to 0044.

Note: You will need to manually add umask 0044 in .bash_profile file.

Finally, we can say that umask is used to set the default permissions for newly created files and directories. You will get the newly permissions by subtracting default maximum permissions with umask value.

Linux Tricks and Tips

Wednesday, 29 November 2017

Access Control List (ACL)

Sunday, 23 July 2017

What is UMASK?

Total Pageviews