kastl_f_0945_acl_2
Transcript of kastl_f_0945_acl_2
-
8/10/2019 kastl_f_0945_acl_2
-
Filesystem Access Control Lists
Rudolf Kastl
Curriculum Manager, Red Hat
June 14th, 2013
-
ACLs: Overview
This session will cover advanced file system permission features which may be used when controlling access to files and directories.
File system Access Control Lists
-
ACLs: Access Control Lists
Access Control Lists allow more complex file access permissions to be expressed than the classic owner/group/other mode bits.
"On this file, Paul should have read-write, Laura read-only, group finance read-write, group audit read-only, and nobody else should have access."
The ls -l command will display a + directly after the permission bits if a file has an ACL. ls shows only that an ACL exists; getfacl is needed to see the entries.
-rw-rw-r--+ 1 rkastl rkastl 8856 May 11 16:53 file
-
ACLs: Commands
setfacl sets an ACL entry on a file:
setfacl -m u:<user>:<perms> <file>
setfacl -m g:<group>:<perms> <file>
...or removes it:
setfacl -x u:<user> <file>
setfacl -x g:<group> <file>
getfacl gets the list of ACL entries on a file:
getfacl <file>
-
ACLs: Example
setfacl sets an ACL entry on a file:
[root@desktopX ~]# echo hello > /tmp/test.txt
[root@desktopX ~]# setfacl -m u:student:rw /tmp/test.txt
[root@desktopX ~]# getfacl /tmp/test.txt
getfacl: Removing leading '/' from absolute path names
# file: tmp/test.txt
# owner: root
# group: root
user::rw-
user:student:rw-
group::r--
mask::rw-
other::r--
-
ACLs: Example
...or removes the ACL entry:
[root@desktopX ~]# setfacl -x u:student /tmp/test.txt
[root@desktopX ~]# getfacl /tmp/test.txt
getfacl: Removing leading '/' from absolute path names
# file: tmp/test.txt
# owner: root
# group: root
user::rw-
group::r--
mask::rw-
other::r--
-
ACLs: Precedence of permissions
4 easy steps; the first match takes effect and we stop.

Step 1: Is the process running as the user that is the owner of the file?
        The owner's user permissions apply.
Step 2: Does the file have an ACL entry set for the process's user?
        The user's ACL entry applies (limited by the mask).
Step 3: Is the process running as the group that owns the file, or as a group that has a group ACL entry?
        Any matching group or group ACL entry granting access applies (limited by the mask). If group entries match but none grants the requested access, access is denied; the permissions for other are not consulted.
Step 4: Do none of the above match?
        The permissions for other apply.
-
ACLs: Mask
The ACL mask determines the maximum permissions for the group that owns the file and for any named user or group ACL entries. It does not limit the owner's user:: entry or the other:: entry.
Effective rights are shown by the getfacl command as an #effective: comment next to any entry the mask trims.
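The four precedence steps and the mask rule above, as an added example that is not part of the original slides: a small Python model that parses getfacl(1) output, applies the mask to named-user and group entries, and walks the steps in order. The dumps, user names and group names are constructed for the demo, and the model ignores capabilities such as CAP_DAC_OVERRIDE that let root bypass the check.

```python
"""Model of the ACL permission check described in the deck: the four-step
precedence plus the mask, run over constructed getfacl dumps.
Added example, not part of the original slides."""

BITS = {"r": 4, "w": 2, "x": 1}


def perm_bits(s):
    """'r-x' or 'rx' -> 5; bits are rwx = 4, 2, 1 as in a mode."""
    return sum(v for c, v in BITS.items() if c in s)


def parse_getfacl(text):
    """Return (owner, owning_group, entries) from getfacl(1) output.
    entries is a list of (tag, qualifier, perm_bits). 'default:' entries are
    skipped because they never take part in an access check."""
    owner = group = None
    entries = []
    for raw in text.splitlines():
        if raw.startswith("# owner:"):
            owner = raw.split(":", 1)[1].strip()
        elif raw.startswith("# group:"):
            group = raw.split(":", 1)[1].strip()
        elif raw.startswith("#") or not raw.strip():
            continue
        else:
            fields = raw.split("#", 1)[0].strip().split(":")  # drop '#effective:'
            if fields[0] == "default":
                continue
            tag, qual, perms = fields
            entries.append((tag, qual, perm_bits(perms)))
    return owner, group, entries


def check_access(getfacl_text, user, groups, want):
    """True if a process running as `user`, member of the groups in the set
    `groups`, is granted every permission letter in `want` ('r', 'w', 'x')."""
    owner, owning_group, entries = parse_getfacl(getfacl_text)
    need = perm_bits(want)
    # No mask entry: nothing is masked. With one: it caps named users, the
    # owning group and named groups, never the owner or other::.
    mask = next((p for t, _, p in entries if t == "mask"), 7)

    def grants(perms):
        return (need & perms) == need

    # Step 1: the owner -> user:: decides; the mask does not apply.
    if user == owner:
        return grants(next(p for t, q, p in entries if t == "user" and q == ""))
    # Step 2: a named user entry -> decides, capped by the mask.
    for t, q, p in entries:
        if t == "user" and q == user:
            return grants(p & mask)
    # Step 3: owning group and named groups. Any matching entry that grants
    # wins; if entries matched but none granted, other:: is never consulted.
    matched = False
    for t, q, p in entries:
        if t == "group" and ((q == "" and owning_group in groups) or (q and q in groups)):
            matched = True
            if grants(p & mask):
                return True
    if matched:
        return False
    # Step 4: nothing matched -> other:: decides.
    return grants(next(p for t, _, p in entries if t == "other"))


# Constructed dump, modelled on the deck's mask example plus a named group.
SCRIPT_ACL = """\
# file: tmp/script.sh
# owner: root
# group: root
user::rw-
user:student:rwx    #effective:r-x
group::r--
group:audit:rw-     #effective:r--
mask::r-x
other::r--
"""

# Constructed dump where a group entry is more restrictive than other::,
# the classic way to lock one group out of an otherwise world-readable file.
REPORT_ACL = """\
# file: tmp/report.txt
# owner: root
# group: finance
user::rw-
group::rw-
group:contractors:---
mask::rw-
other::r--
"""

if __name__ == "__main__":
    print(check_access(SCRIPT_ACL, "student", {"student"}, "rx"))  # True: effective r-x
    print(check_access(SCRIPT_ACL, "student", {"student"}, "w"))   # False: mask strips w
    print(check_access(SCRIPT_ACL, "paul", {"audit"}, "w"))        # False: rw- masked to r--
    print(check_access(REPORT_ACL, "paul", {"contractors"}, "r"))  # False: group matched, other:: skipped
    print(check_access(REPORT_ACL, "paul", {"users"}, "r"))        # True: falls through to other::
```

The REPORT_ACL case is the one worth remembering when auditing: a deny-style group entry works precisely because step 3 stops the walk before other:: is reached, and it only holds as long as the mask is not later recalculated by another setfacl -m or a chmod on the group bits.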
-
ACLs: Mask Example
Using the mask for revoking permissions:
[root@desktopX ~]# touch /tmp/script.sh
[root@desktopX ~]# setfacl -m u:student:rwx /tmp/script.sh
[root@desktopX ~]# setfacl -m m::rx /tmp/script.sh
[root@desktopX ~]# getfacl /tmp/script.sh
getfacl: Removing leading '/' from absolute path names
# file: tmp/script.sh
# owner: root
# group: root
user::rw-
user:student:rwx    #effective:r-x
group::r--
mask::r-x
other::r--
-
ACLs: Mask
On a file with ACLs, the group permissions shown by ls -l represent the mask, not the actual owning group's permissions.
A chmod command which tries to alter the group permissions effectively alters the mask.
-
ACLs: Mask
The mask gets recalculated with every new ACL entry set or modified unless the -n switch is used, so mask restrictions have to be reapplied after such changes.
setfacl -n -m group::rwx script.sh
Sets the owning group's permissions to read, write and execute without recalculating the mask; with the mask still at r-x, the group's effective rights remain r-x.
-
ACLs: Inheritance (Default ACLs)
Default ACLs on a directory allow you to automatically set ACL entries on files and subdirectories created in that directory. They apply only to objects created after the default ACL is set; existing contents are unchanged.
setfacl -m d:u:<user>:<perms> <directory>
setfacl -m d:g:<group>:<perms> <directory>
-
ACLs: Inheritance Example
Let's create a directory and set an inheritance ACL:
[root@desktopX ~]# mkdir /tmp/testdir
[root@desktopX ~]# setfacl -m d:u:student:rwx /tmp/testdir
[root@desktopX ~]# getfacl /tmp/testdir
getfacl: Removing leading '/' from absolute path names
# file: tmp/testdir
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:student:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
-
ACLs: Inheritance Example
With a regular file, the execute bit of the inherited rule is stripped by the mask. touch creates the file with mode 0666, and that mode is ANDed into the inherited user::, mask:: and other:: entries (the umask is not applied when a default ACL exists), so the mask becomes rw- and student's rwx entry is only effective as rw-:
[root@desktopX ~]# touch /tmp/testdir/testfile
[root@desktopX ~]# getfacl /tmp/testdir/testfile
getfacl: Removing leading '/' from absolute path names
# file: tmp/testdir/testfile
# owner: root
# group: root
user::rw-
user:student:rwx    #effective:rw-
group::r-x          #effective:r--
mask::rw-
other::r--
-
ACLs: Inheritance Example
A subdirectory behaves as expected (mkdir requests mode 0777, so nothing is stripped, and the default ACL is inherited as the subdirectory's own default ACL):
[root@desktopX ~]# mkdir /tmp/testdir/subdir
[root@desktopX ~]# getfacl /tmp/testdir/subdir
getfacl: Removing leading '/' from absolute path names
# file: tmp/testdir/subdir
# owner: root
# group: root
user::rwx
user:student:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:student:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
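The inheritance rule behind the two outputs above (the regular file and the subdirectory), as an added example that is not part of the original slides: the new object's access ACL is the directory's default ACL with the user::, mask:: (or group::, if there is no mask) and other:: entries ANDed against the mode the creating call passed, 0666 for touch and 0777 for mkdir, as described in acl(5). The default ACL below is a constructed copy of the one the deck sets on /tmp/testdir.

```python
"""How a directory's default ACL becomes a new object's access ACL.
Per acl(5) "Object creation and default ACLs": the default entries are
copied, then user::, mask:: (or group:: when there is no mask) and other::
are ANDed with the mode passed by the creating call (0666 from touch/creat(),
0777 from mkdir). The umask is not applied when a default ACL exists.
Added example reproducing the deck's two outputs; not part of the slides."""

BITS = {"r": 4, "w": 2, "x": 1}


def perm_bits(s):
    """'r-x' -> 5."""
    return sum(v for c, v in BITS.items() if c in s)


def perm_str(bits):
    """5 -> 'r-x'."""
    return "".join(c if bits & v else "-" for c, v in BITS.items())


# Constructed: the default ACL the deck puts on /tmp/testdir, as (tag, qualifier, perms).
TESTDIR_DEFAULT = [
    ("user", "", perm_bits("rwx")),
    ("user", "student", perm_bits("rwx")),
    ("group", "", perm_bits("r-x")),
    ("mask", "", perm_bits("rwx")),
    ("other", "", perm_bits("r-x")),
]

MODE_FILE = 0o666  # what touch(1)/creat() request for a regular file
MODE_DIR = 0o777   # what mkdir(1) requests


def inherit(default_acl, mode):
    """Access ACL of a new object created under a directory with default_acl."""
    has_mask = any(tag == "mask" for tag, _, _ in default_acl)
    u_bits, g_bits, o_bits = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
    acl = []
    for tag, qual, perms in default_acl:
        if tag == "user" and qual == "":
            perms &= u_bits
        elif tag == "mask" or (tag == "group" and qual == "" and not has_mask):
            perms &= g_bits
        elif tag == "other":
            perms &= o_bits
        # Named user/group entries (and group:: when a mask exists) keep their
        # bits; only the mask decides how much of them is effective.
        acl.append((tag, qual, perms))
    return acl


def render(acl, default_acl=None):
    """getfacl-style lines, with '#effective:' where the mask trims an entry
    and 'default:' lines when the object is a directory carrying a default ACL."""
    mask = next((p for t, _, p in acl if t == "mask"), None)
    lines = []
    for tag, qual, perms in acl:
        line = f"{tag}:{qual}:{perm_str(perms)}"
        capped = mask is not None and (tag == "group" or (tag == "user" and qual))
        if capped and perms & mask != perms:
            line += f"\t#effective:{perm_str(perms & mask)}"
        lines.append(line)
    for tag, qual, perms in default_acl or []:
        lines.append(f"default:{tag}:{qual}:{perm_str(perms)}")
    return lines


def new_file(default_acl):
    """ACL lines for 'touch dir/file' under a directory with default_acl."""
    return render(inherit(default_acl, MODE_FILE))


def new_dir(default_acl):
    """ACL lines for 'mkdir dir/sub'; the subdirectory also inherits the default ACL."""
    return render(inherit(default_acl, MODE_DIR), default_acl)


if __name__ == "__main__":
    print("\n".join(new_file(TESTDIR_DEFAULT)))
    print()
    print("\n".join(new_dir(TESTDIR_DEFAULT)))
```

The practical consequence is the one the deck shows: a default entry such as d:u:student:rwx does not make new files executable for student, because the mask inherited from a 0666 creation drops x, and a later chmod on the group bits or a recalculating setfacl -m can move that mask again.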
-
Thank you for attending!
Learn more about our course offerings at
www.redhat.com/training