kastl_f_0945_acl_2

Transcript of kastl_f_0945_acl_2

  • 8/10/2019 kastl_f_0945_acl_2

    1/18

Filesystem Access Control Lists
Rudolf Kastl, Curriculum Manager, Red Hat
June 14th, 2013

ACLs: Overview

This session will cover advanced file system permission features which may be used when controlling access to files and directories.

File system Access Control Lists

ACLs: Access Control Lists

Access Control Lists allow more complex file access permissions to be expressed.

"On this file, Paul should have read-write, Laura read-only, group finance read-write, group audit read-only, and nobody else should have access."

The ls -l command will display a + if a file has an ACL:

    -rw-rw-r--+ 1 rkastl rkastl 8856 May 11 16:53 file

ACLs: Commands

setfacl sets an ACL entry on a file:

    setfacl -m u:<user>:<perms> <file>
    setfacl -m g:<group>:<perms> <file>

or removes it:

    setfacl -x u:<user> <file>
    setfacl -x g:<group> <file>

getfacl gets the list of ACL entries on a file:

    getfacl <file>

ACLs: Example

setfacl sets an ACL entry on a file:

    [root@desktopX ~]# echo hello > /tmp/test.txt
    [root@desktopX ~]# setfacl -m u:student:rw /tmp/test.txt
    [root@desktopX ~]# getfacl /tmp/test.txt
    getfacl: Removing leading '/' from absolute path names
    # file: tmp/test.txt
    # owner: root
    # group: root
    user::rw-
    user:student:rw-
    group::r--
    mask::rw-
    other::r--

ACLs: Example

or removes the ACL entry:

    [root@desktopX ~]# setfacl -x u:student /tmp/test.txt
    [root@desktopX ~]# getfacl /tmp/test.txt
    getfacl: Removing leading '/' from absolute path names
    # file: tmp/test.txt
    # owner: root
    # group: root
    user::rw-
    group::r--
    mask::rw-
    other::r--

ACLs: Precedence of permissions

4 easy steps; the first match takes effect and we stop.

Step 1: Is the process running as the user that is owner of the file?
        -> User permissions apply.
Step 2: Does the file have an ACL entry set for the process's user?
        -> User's ACL entry applies.
Step 3: Is the process running as the group that owns the file, or a group that has a group ACL entry?
        -> Any matching group or group ACL entry granting access applies.
Step 4: Do none of the above match?
        -> Permissions for other apply.

ACLs: Mask

The ACL mask determines the maximum permissions for the group that owns the file and any user or group ACL entries.

Effective rights are shown by the getfacl command.

ACLs: Mask Example

Using the mask for revoking permissions:

    [root@desktopX ~]# touch /tmp/script.sh
    [root@desktopX ~]# setfacl -m u:student:rwx /tmp/script.sh
    [root@desktopX ~]# setfacl -m m::rx /tmp/script.sh
    [root@desktopX ~]# getfacl /tmp/script.sh
    getfacl: Removing leading '/' from absolute path names
    # file: tmp/script.sh
    # owner: root
    # group: root
    user::rw-
    user:student:rwx #effective:r-x
    group::r--
    mask::r-x
    other::r--
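The four-step precedence walk and the mask rule from the previous slides, modelled in Python as an added example (not code from the slides or from Red Hat): it parses getfacl-style output, applies the mask to obtain effective rights, and returns the decision of the first matching step. The sample getfacl text is constructed from the /tmp/script.sh output above; all function names are this example's own.

```python
# Added example (not from the slides): model the four-step permission walk
# and the mask rule over getfacl-style output. Names below are this example's own.
# Constructed sample: getfacl output of /tmp/script.sh from the mask slide.
SAMPLE_GETFACL = """\
# file: tmp/script.sh
# owner: root
# group: root
user::rw-
user:student:rwx #effective:r-x
group::r--
mask::r-x
other::r--
"""

def parse_getfacl(text):
    """Return (owner, group, entries); entries maps (tag, qualifier) -> set of r/w/x."""
    owner = group = None
    entries = {}
    for line in text.splitlines():
        line = line.split("#effective")[0].strip()  # drop getfacl's annotation
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            tag, qualifier, perms = line.split(":")
            entries[(tag, qualifier)] = set(perms.replace("-", ""))
    return owner, group, entries

def effective(entries, key):
    """The mask bounds named users, named groups and group::, never user:: or other::."""
    perms = entries[key]
    if key[0] == "group" or (key[0] == "user" and key[1]):
        perms = perms & entries.get(("mask", ""), set("rwx"))
    return perms

def check_access(acl_text, user, groups, want):
    """First matching step decides; a match lacking a bit denies, it never falls through."""
    owner, owning_group, entries = parse_getfacl(acl_text)
    want = set(want)
    if user == owner:                                   # step 1: owner
        return want <= entries[("user", "")]
    if ("user", user) in entries:                       # step 2: named user
        return want <= effective(entries, ("user", user))
    matches = [("group", "")] if owning_group in groups else []
    matches += [("group", g) for g in groups if ("group", g) in entries]
    if matches:                                         # step 3: any group entry
        return any(want <= effective(entries, m) for m in matches)
    return want <= entries[("other", "")]               # step 4: other
```

With the sample, student gets r-x (the rwx entry is cut down by mask::r-x), root as owner is not affected by the mask, and a member of group root falls to group::r--.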

ACLs: Mask

The group permissions shown by ls -l represent the mask, not the actual owning group's permissions, on a file with ACLs.

A chmod command which tries to alter the group permission effectively alters the mask.

ACLs: Mask

The mask gets recalculated with every new ACL entry set or modified unless the -n switch is used, so mask restrictions have to be reapplied.

    setfacl -n -m group::rwx script.sh

Sets group permissions to read, write and execute without recalculating the mask.

ACLs: Inheritance (Default ACLs)

Default ACLs on a directory allow you to automatically set ACL entries on files created in that directory.

    setfacl -m d:u:<user>:<perms> <directory>
    setfacl -m d:g:<group>:<perms> <directory>

ACLs: Inheritance Example

Let's create a directory and set an inheritance ACL:

    [root@desktopX ~]# mkdir /tmp/testdir
    [root@desktopX ~]# setfacl -m d:u:student:rwx /tmp/testdir
    [root@desktopX ~]# getfacl /tmp/testdir
    getfacl: Removing leading '/' from absolute path names
    # file: tmp/testdir
    # owner: root
    # group: root
    user::rwx
    group::r-x
    other::r-x
    default:user::rwx
    default:user:student:rwx
    default:group::r-x
    default:mask::rwx
    default:other::r-x

ACLs: Inheritance Example

With a regular file the execute bit of the inheritance rule gets stripped with the mask:

    [root@desktopX ~]# touch /tmp/testdir/testfile
    [root@desktopX ~]# getfacl /tmp/testdir/testfile
    getfacl: Removing leading '/' from absolute path names
    # file: tmp/testdir/testfile
    # owner: root
    # group: root
    user::rw-
    user:student:rwx #effective:rw-
    group::r-x #effective:r--
    mask::rw-
    other::r--

ACLs: Inheritance Example

A subdirectory behaves as expected:

    [root@desktopX ~]# mkdir /tmp/testdir/subdir
    [root@desktopX ~]# getfacl /tmp/testdir/subdir
    getfacl: Removing leading '/' from absolute path names
    # file: tmp/testdir/subdir
    # owner: root
    # group: root
    user::rwx
    user:student:rwx
    group::r-x
    mask::rwx
    other::r-x
    default:user::rwx
    default:user:student:rwx
    default:group::r-x
    default:mask::rwx
    default:other::r-x
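Why the file on the previous slide ends up with mask::rw- while the subdirectory keeps rwx, as an added Python model (not code from the slides or from Red Hat): it applies the acl(5) inheritance rule, ANDing the mode requested by the create call (0666 for touch/open, 0777 for mkdir; the umask is not applied when a default ACL exists) into the inherited owner, mask and other entries. The DEFAULT_ACL dict is constructed from the /tmp/testdir output above; function names are this example's own.

```python
# Added example (not from the slides): model default-ACL inheritance per acl(5).
# With a default ACL the umask is ignored; the mode the create call requests
# (0666 for touch/open, 0777 for mkdir) is ANDed into the inherited entries.

# Constructed: the default ACL of /tmp/testdir from the inheritance slide.
DEFAULT_ACL = {
    ("user", ""): "rwx",
    ("user", "student"): "rwx",
    ("group", ""): "r-x",
    ("mask", ""): "rwx",
    ("other", ""): "r-x",
}

def _bits(digit):
    """Octal digit -> set of r/w/x letters."""
    return {p for p, bit in zip("rwx", (4, 2, 1)) if digit & bit}

def _fmt(perms):
    return "".join(p if p in perms else "-" for p in "rwx")

def inherit(default_acl, mode):
    """Access ACL of a new object created with `mode` under a directory holding default_acl."""
    owner_bits, group_bits, other_bits = (_bits((mode >> s) & 7) for s in (6, 3, 0))
    acl = {k: set(v.replace("-", "")) for k, v in default_acl.items()}
    acl[("user", "")] &= owner_bits
    if ("mask", "") in acl:
        acl[("mask", "")] &= group_bits   # group:: keeps its bits; the mask limits them
    else:
        acl[("group", "")] &= group_bits
    acl[("other", "")] &= other_bits
    return acl

def render(acl):
    """getfacl-style lines, annotated with #effective where the mask narrows an entry."""
    mask = acl.get(("mask", ""))
    lines = []
    for (tag, qual), perms in acl.items():
        line = f"{tag}:{qual}:{_fmt(perms)}"
        if mask is not None and (tag == "group" or (tag == "user" and qual)):
            eff = perms & mask
            if eff != perms:
                line += f" #effective:{_fmt(eff)}"
        lines.append(line)
    return lines

FILE_ACL = inherit(DEFAULT_ACL, 0o666)   # touch /tmp/testdir/testfile
DIR_ACL = inherit(DEFAULT_ACL, 0o777)    # mkdir /tmp/testdir/subdir
```

render(FILE_ACL) reproduces the testfile slide (mask::rw-, student and group:: narrowed), render(DIR_ACL) the subdir slide (mask::rwx, nothing narrowed).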


Thank you for attending!

Learn more about our course offerings at
www.redhat.com/training