Access Control Lists. Beyond POSIX permissions Campus-Booster ID : **XXXXX. Copyright SUPINFO. All rights reserved

Access Control Lists Beyond POSIX permissions Campus-Booster ID : **XXXXX www.supinfo.com Copyright SUPINFO. All rights reserved

Access Control Lists Your trainer Presenter s Name Title: **Enter title or job role. Accomplishments: **What makes the presenter qualified to present this course. Education: **List degrees if important. Publications: **Writings by the presenter on the subject of the course or presentation. Contact: **Campus-Booster ID: presenter@supinfo.com

Access Control Lists Course objectives By completing this course, you will: n Know what ACL s really are. Fine-grained permissions model. n Define complex permission schemes. When POSIX permissions are helpless. n Create inherited entries. Using default ACL s.

Access Control Lists Course topics Course s plan : n About ACL's. Overcome POSIX permissions limitations. n ACL structure. How do it looks like? n Working with ACL's. Create, Retrieve, Update, Delete.

Access Control Lists About ACL s When POSIX permissions aren t enough

About ACL s Access Control Lists Extended permission sets. n POSIX Permissions n User n Groups n Others n ACL s n Same permissions n Extended control set n List of trustees n Any group(s) n Any user(s)

About ACL's Why use ACL s? A real-life example: n users group n Amanda n Bridget n John n John wants to share a document n Amanda rw- n Bridget --- n POSIX Limitation n Use ACL s to circumvent

About ACL s Enable ACL s ACL support needs to be enabled. n Kernel support n CONFIG_FS_POSIX_ ACL n Enabled in most(all) distros n Filesystem support n Native support n Most fs do n Mount option

About ACL's Enable ACL s To enable ACL support: n Install acl and libacl packages n Mount your filesystem with the acl option # mount / -o remount,acl

About ACL's Stop-and-think Do you have any questions?

About ACL's Stop-and-think ACLs are actived by default in your filesystem. True False

About ACL's Stop-and-think ACLs are active by default in your filesystem. True False

Access Control Lists ACL structure How do it looks like?

ACLs structure ACL Entries ACL entries format. n Regular n user:user:mode n user:sarah:rw- n group:group:mode n Default n Mask n group:uucp:r-- n default Prefix n default:group:u ucp:r n mask::mode

ACLs structure ACL Entries Access Control List example: $ getfacl afile.txt # file: afile.txt # owner: sarah # group: users user::rwuser:john:rwuser:bill:rwgroup::r group:headquarters:rwmask::rwother::r

ACLs structure Stop-and-think Do you have any questions?

Access Control Lists Working with ACL s CRUD on ACL s

Working with ACL's Setfacl invocation Setting ACL s [user@linux ~]$ setfacl [options] file or directory Options Definitions -m u:user:mode Add a user ACL -m g:group:mode -R Add a group ACL Apply operations to all files and directories recursively -b Remove (blank) all ACL entries -x aclspec Delete a specific entry

Working with ACL's Default ACL s Inherited ACL s. n On directories only n Inherited n New files n New subdirs n Implement a policy n Webmasters n rw- on any file n Prepend d: to ACL spec

Working with ACL's Mask Limitative permission set. n Set an arbitrary limit n No one can have more than r-x n Even if trustee has explicit entry n Effective permission set: trustee mode AND mask n Doesn t apply to owner (as well as ACL s) n Set: m::mode

Access Control Lists Effective = Mask & Mode Permissions Objects Read Write Execute User/Group X X Mask X X Effective X

Access Control Lists Setfacl examples root@localhost:~# setfacl -m u:supinfo:rw \ /var/www/index.php root@localhost:~# setfacl -m g:labmembers:rw \ /var/www/index.php root@localhost:~# setfacl -x u:supinfo \ /var/www/index.php root@localhost:~# setfacl -b /var/www/index.php root@localhost:~# setfacl -m d:g:webmaster:rw \ /var/www root@localhost:~# setfacl -m m::rw- /var/www

Working with ACL's Getfacl invocation Using getfacl [user@linux ~]$ getfacl [options] file or directory Options Definitions -a -d Display the file Access Control List only (no default) Display the default Access Control List only -R List the ACL of all files and directories recursively

Access Control Listss Getfacl examples n List the whole ACLs recursively from user s home: # getfacl -R /home/user/ n Display the file ACL of /var/www: # getfacl -a /var/www n Display the default ACL of /var/www: # getfacl -d /var/www

Working with ACL's Stop-and-think Do you have any questions?

Working with ACL's Stop-and-think Setfacl options: Match options and their definition. -m -b -R Apply recursivly Add ACL entrie Delete all ACLs

Working with ACL's Stop-and-think Setfacl options: Match options and their definition. -m -b -R Apply recursivly Add ACL entrie Delete all ACLs

**SUPINFO Module title Course summary Default ACL s What ACL are? Mask Extended permission model ACL structure

Access Control Lists For more If you want to go into these subjects more deeply, Publications Courses Linux Technologies: Edge Computing Linux system administration Web sites www.supinfo.com www.labo-linux.com www.blackbeltfactory.com Conferences FOSDEM RMLL Solutions Linux

Congratulations You have successfully completed the SUPINFO course module n 08 Access Control Lists

Access Control Lists The end n ACL don t work without acl mount option n Some filesystems don t have ACL support (vfat, )