Live as if you were to die tomorrow. Learn as if you were to live forever.

Wednesday, 29 November 2017

Access Control List (ACL)



ACL is used to set some special permissions on files or directories. 

As we know every file or directory have permissions for owner, group and other users but if you want to provide access to any other user without modifying current permissions of file or directory, in that case we can use the ACL.


Before applying ACL we have to perform some initial check.

             1. Check if acl package is installed or not.

      2. Check ACL support for mounted file system.

      
 1. Check if acl package is installed or not.

[root@vidya ~]# yum list acl
Installed Packages
acl.x86_64                                                 2.2.49-7.el6_9.1                                                 @updates

2. Check ACL support for mounted file system

Suppose we want to set acl on /home/vidya directory, so make sure that acl is enabled on file system where /home/vidya directory is present.

[root@vidya ~]# df -h /home/vidya
Filesystem                                            Size  Used Avail Use% Mounted on
/dev/mapper/vg_94762034-lv_root     29G  6.3G   21G  24%        /

Here, we can say that /home/vidya directory is present under mount /.

Now, check if acl is enabled for / mount point.
[root@vidya ~]# cat /etc/fstab
#
# /etc/fstab
# Created by anaconda on Thu May 10 16:43:17 2012
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/vg_94762034-lv_root                                 /                       ext4    defaults,acl        1 1
UUID=0eb7c5d4-1797-4b77-84de-14983906633d      /boot                   ext4    defaults        1 2
/dev/mapper/vg_94762034-lv_swap                            swap                    swap     defaults        0 0
tmpfs                                                                          /dev/shm                tmpfs   defaults        0 0
devpts                                                                        /dev/pts                devpts  gid=5,mode=620  0 0
sysfs                                                                             /sys                    sysfs   defaults        0 0
proc                                                                            /proc                   proc    defaults        0 0
/dev/xvde1                                                                  /top                    ext4    defaults        0 0
/dev/xvde2                                                                 swap                   swap    defaults        0 0

Now, we have added acl for / mount point. Once you add the acl remount the partition or reboot the system.

[root@vidya ~]# mount -o remount  /
[root@vidya ~]#

Now enable ACL on files and directories.

There are two commands for ACL


          1.      getfacl : getfacl command is used to check the currently set permissions. 

          2.      setfacl : setfacl command is used to set the special permissions on files and directories.

For example:
[root@vidya ~]# ls -ld /home/vidya
drwx------. 3 vidya vidya 4096 Oct  5 16:47 /home/vidya

[root@vidya ~]# getfacl /home/vidya
getfacl: Removing leading '/' from absolute path names
# file: home/vidya
# owner: vidya
# group: vidya
user::rwx
group::---
other::---
[root@vidya ~]#
Here, we see user vidya have rwx permissions on /home/vidya directory but group and others don’t have any permission.


Now, we want to provide access to swati user without modifying the actual permissions of directory /home/vidya
[root@vidya ~]# setfacl -m u:swati:rwx /home/vidya
[root@vidya ~]#

[root@vidya ~]# getfacl /home/vidya
getfacl: Removing leading '/' from absolute path names
# file: home/vidya
# owner: vidya
# group: vidya
user::rwx
user:swati:rwx
group::---
mask::rwx
other::---
Here, we will see swati user have now rwx permissions for directory /home/vidya.


Now, fire ls –ld /home/vidya and observe the permissions.


[root@vidya ~]# ls –ld /home/vidya
drwx------+ 2 vidya vidya 4096 Oct 18 23:57 /home/vidya

Note: ACL enabled directory contains + after permissions.

To Remove all ACL

Use below command to remove all ACL.
[root@vidya ~]# setfacl -b /home/vidya
[root@vidya ~]#


To remove acl for particular user use below command
[root@vidya ~]# setfacl -x u:swati /home/vidya
[root@vidya ~]#


Sunday, 23 July 2017

What is UMASK?

UMASK is User file creation mask, which is used to set default permissions for newly created files and directories.

The default maximum permissions for file is 666 because file doesn’t have execute permissions by default and the maximum permissions for directory is 777.

Check current UMASK
 To check current umask value,  just enter the umask command on terminal.

 
   Here, 0022 is the current umask value set on the system.

   These 4 values are as below:
       0
Special Permissions
       0
Owner Permissions
       2
Group Permissions
       2
Other User’s Permissions

   Now, we will calculate how newly files get default permissions.

Default file permissions – UMASK = Newly created files permissions
0666 - 0022 = 0644 (Here UMASK value is 0022 so newly created files get 0644 permissions)
Default Directory permissions – UMASK = Newly created files permissions
0777 – 0022 = 0755 (Here, UMASK value is 0022, so newly created directory get 0755 permissions)
 


How to change UMASK temporarily?  
To change umask temporarily use the below command.

 

Here, We have set 0044 as umask value.

Now, newly created files and directories will get the permissions as below

0666 - 0044 = 0622 (So 0622 should be default permissions for file)
0777 - 0044 = 0733 (So 0733 should be default permissions for directory)

Now, When ever you create new files and directories and check, you will see 622 (rw--w--w-) permissions for file and 733 (rwx-wx-wx) to directories. Check below example.

Note: You will need to open new terminal to see new umask.

Examples:
[root@p ~]# umask

0044

[root@p ~]# touch test


[root@p ~]# ls -l test

-rw--w--w-. 1 root root 0 Jul 25 19:01 test

[root@p ~]# mkdir new


[root@p ~]# ls -ld new

drwx-wx-wx. 2 root root 4096 Jul 25 19:02 new

[root@p ~]#
 
How to change UMASK permanently?

You will need to open the file .bash_profile which is present in home directory of user.
Once you open the file you will need to add the entry of umask value which you want to set.


Now, we have permanently set umask value to 0044.

Note: You will need to manually add umask 0044 in .bash_profile file.

Finally, we can say that umask is used to set the default permissions for newly created files and directories. You will get the newly permissions by subtracting default maximum permissions with umask value.