Easy Ways to Manage Access Control List (ACL) on Linux
August 8, 2022
Managing Linux in a modern business environment brings many challenges, one of which is controlling who has access to which information, commonly handled through an Access Control List. The starting point for that is the basic Linux filesystem permissions.
Review Basic Linux Permissions
Basic Linux filesystem permissions distinguish three classes of principals:
- User (u): the user who owns the file
- Group (g): the group that owns the file
- Other (o): everyone else
Each of these three classes can be granted three kinds of access:
- Read (r)
- Write (w)
- Execute (x)
For example, suppose a directory holding files from the development department has the following permissions:
drwxrwxr-x 2 development development 6 Jan 8 15:13
In the listing above, the development user (the owner user) can read and write the directory. Members of the development group (the owner group) can also read and write it, while others cannot write. Note that this example still lets others read the directory, that is, list its contents.
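The listing above is easier to reason about once the mode string is split into its three triples. The following shell snippet is an added example, not code from the original article: it parses a mode string such as `drwxrwxr-x` into the user/group/other triples, answers "can this class write?", and converts the string to the octal form used by `chmod`, all without touching the filesystem.

```shell
#!/bin/sh
# Added example (not from the original article): parse an `ls -l` mode
# string such as drwxrwxr-x into its user/group/other triples and answer
# "can class X write?" without touching the filesystem.

# Print the rwx triple for one class: u (user owner), g (group owner), o (other).
# The mode string is 10 characters: file type, then three 3-character triples.
mode_for_class() {
    mode=$1
    class=$2
    case $class in
        u) printf '%s\n' "$mode" | cut -c2-4 ;;
        g) printf '%s\n' "$mode" | cut -c5-7 ;;
        o) printf '%s\n' "$mode" | cut -c8-10 ;;
        *) echo "unknown class: $class" >&2; return 2 ;;
    esac
}

# Return 0 (true) if the given class (u/g/o) has the given bit (r/w/x) set.
# A lowercase s (setuid/setgid) or t (sticky) in the execute slot still
# means the execute bit is set.
class_has() {
    triple=$(mode_for_class "$1" "$2") || return 2
    case $3 in
        r) [ "$(printf '%s' "$triple" | cut -c1)" = r ] ;;
        w) [ "$(printf '%s' "$triple" | cut -c2)" = w ] ;;
        x) t=$(printf '%s' "$triple" | cut -c3); [ "$t" = x ] || [ "$t" = s ] || [ "$t" = t ] ;;
        *) return 2 ;;
    esac
}

# Octal digit for one triple (r=4, w=2, x=1), the notation chmod accepts.
triple_to_octal() {
    n=0
    case $1 in r??) n=$((n+4)) ;; esac
    case $1 in ?w?) n=$((n+2)) ;; esac
    case $1 in ??[xst]) n=$((n+1)) ;; esac
    echo "$n"
}

# Whole mode string to three octal digits, e.g. drwxrwxr-x -> 775.
mode_to_octal() {
    printf '%s%s%s\n' "$(triple_to_octal "$(mode_for_class "$1" u)")" \
                       "$(triple_to_octal "$(mode_for_class "$1" g)")" \
                       "$(triple_to_octal "$(mode_for_class "$1" o)")"
}

# Demo with the mode string from the article's listing.
mode_to_octal drwxrwxr-x
class_has drwxrwxr-x o w && echo "other can write" || echo "other cannot write"
```

Running it prints `775` followed by `other cannot write`, which matches the explanation of the listing: the owner and the group can write, everyone else can only read and enter the directory.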
Linux Access Control List (ACL)
In certain situations, basic permissions can be tricky because each file and directory can only have one user and one group owner at a time. This type of situation can be resolved by Linux Access Control Lists (ACLs).
ACLs make it possible to apply a more specific set of permissions to a file or directory without changing ownership and permissions.
Set ACLs
This section discusses using Access Control Lists (ACLs) on Linux. ACLs make it easier to set up permissions for automated tasks such as deploying web applications.
Make sure the ACL tools are installed; if they are not, run sudo apt install acl.
The commands below set ACLs on a directory. ACL entries set as defaults on a directory are inherited by the files and subdirectories created inside it. Setting a default ACL for a location is very effective, because it removes the need to reset user/group permissions after every file operation (for example, creating a new file).
Viewing ACLs
To be able to see the current ACL in a specific directory use the command getfacl:
# getfacl /var/www
Setting ACLs
The syntax for setting an ACL looks like this:
setfacl [option] [action/specification] file
Set ACLs for specific users and directories:
# setfacl -R -m u:johndoe:rwx /var/www
Description of the syntax above:
- setfacl: set the ACL
- -R: recurse into files and directories
- -m: modify ACL entries (-x removes them)
- u:johndoe:rwx: user johndoe gets rwx permissions
- /var/www: the directory the permissions are applied to
Set ACLs for groups in a specific directory:
# setfacl -R -m g:www-data:rwx /var/www
Description of the syntax above:
- g:www-data:rwx: members of the www-data group get rwx permissions
Removing ACLs
# setfacl -x g:www-data /var/www
Description of the syntax above:
- -x: remove the ACL entries for g:www-data from /var/www
Sample case
To make this concrete, below is a worked case for deploying a web application, with two users that have different permissions. Also read how to configure the initial server for deploying web applications here.
Create User
Create the first user named jane and add it to the sudo group to be able to perform the sudo command.
# adduser jane
# usermod -a -G sudo jane
The second user is named bob. Bob is the user who deploys the website, and he is a member of the www-data group.
# adduser bob
# usermod -a -G www-data bob
To make sure the files in the web root belong to the www-data group, run the command below. This is not required for the ACL permissions to work, but it is done for consistency.
# chown -R www-data:www-data /var/www
Use of ACLs
Users will be granted permission to read, write and execute files and directories through ACLs instead of through the basic Linux permissions.
First, look at the ACL currently set on the directory; this is separate from the basic user/group permissions.
# getfacl /var/www
Next, give jane user permission to change the web files in the /var/www directory. Jane doesn't technically need this, as she can use the sudo command.
# setfacl -R -m u:jane:rwx /var/www
The command above sets the ACL on the existing files and directories only. The following command recursively (-R) sets the default ACL (-d flag), which is inherited by files and directories created in the future.
# setfacl -Rd -m u:jane:rwx /var/www
Check that the entries from the command above have been added successfully:
# getfacl /var/www
The previous two commands can be combined to set defaults and permissions:
# setfacl -R -m u:jane:rwx,d:u:jane:rwx /var/www
Next, grant group-based permissions to the web files via ACLs. This is the more efficient approach: any user who is a member of the group can edit the web files, regardless of who owns them.
# setfacl -R -m g:www-data:rwx /var/www
Or set it as a default (-d) for files created in the future:
# setfacl -Rd -m g:www-data:rwx /var/www
Now every user who is a member of the www-data group can edit files in the /var/www directory. To make sure of it, check the ACL with the following command:
# getfacl /var/www
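Reading getfacl output by eye is error-prone, because a named user or group entry such as u:jane:rwx or g:www-data:rwx is capped by the ACL mask entry: if the mask is later tightened (for example by a chmod that changes the group bits), those entries still print rwx but only grant what the mask allows, and getfacl marks this with a #effective: annotation. The following shell snippet is an added example, not code from the original article or from the acl package: it reads getfacl output, applies the mask to each access-ACL entry, and lists the entries that can really write. The ACL text in SAMPLE_ACL is constructed for the demo to resemble the article's /var/www after the setfacl commands in the "Setting ACLs" and "Use of ACLs" sections; on a real host, pipe the output of getfacl /var/www into the functions instead.

```shell
#!/bin/sh
# Added example (not part of the original article): audit getfacl output
# and report what each entry actually grants once the mask is applied.
# SAMPLE_ACL is constructed for the demo; on a real host feed in
# `getfacl /var/www` instead.

# Constructed sample: looks like the article's /var/www after the setfacl
# commands, except that the mask was later tightened to r-x, which silently
# cuts the named entries down to r-x (getfacl flags this with #effective:).
SAMPLE_ACL='# file: var/www
# owner: www-data
# group: www-data
user::rwx
user:jane:rwx   #effective:r-x
group::rwx
group:www-data:rwx
mask::r-x
other::r-x
default:user::rwx
default:user:jane:rwx
default:group:www-data:rwx
default:mask::rwx
default:other::r-x'

# Read getfacl output on stdin and print, for every access-ACL entry,
# "<tag>:<name>:<perms> effective:<perms>". Default entries are skipped:
# they only shape the ACL of files created later and grant nothing now.
effective_access_acl() {
    awk -F: '
        /^#/ || /^$/ { next }             # getfacl header lines
        { sub(/[ \t]+#.*$/, "") }         # drop "#effective:" annotations
        $1 == "default" { next }
        $1 == "mask"    { mask = $3; next }
        { n++; tags[n] = $1; names[n] = $2; perms[n] = $3 }
        END {
            for (i = 1; i <= n; i++) {
                eff = perms[i]
                # The mask caps named users, the owning group and named
                # groups; the owner (user::) and other:: are never masked.
                if (mask != "" && tags[i] != "other" &&
                    !(tags[i] == "user" && names[i] == "")) {
                    eff = ""
                    for (j = 1; j <= 3; j++) {
                        c = substr(perms[i], j, 1)
                        eff = eff ((c != "-" && c == substr(mask, j, 1)) ? c : "-")
                    }
                }
                printf "%s:%s:%s effective:%s\n", tags[i], names[i], perms[i], eff
            }
        }'
}

# Only the entries that can really write: the list a reviewer wants when
# checking who can change the web root.
acl_writers() {
    effective_access_acl | grep 'effective:.w.$'
}

printf '%s\n' "$SAMPLE_ACL" | effective_access_acl
echo '--- can write:'
printf '%s\n' "$SAMPLE_ACL" | acl_writers
```

With the constructed mask of r-x, only the owner entry user::rwx comes out as a writer; jane and the www-data group show rwx in their entries but only r-x effectively. Running setfacl -m with rwx for a user or group normally recalculates the mask, so the usual way to end up in this state is a later chmod on the directory; re-running the setfacl command from the article, or setting m::rwx explicitly, restores the intended access.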
That's it! You can also read the Red Hat documentation about ACLs here.