Monday, July 22, 2013

Configure ACL in RHEL6

ACLs (access control lists) are an extended set of permissions on files and directories that give finer-grained security when the standard owner/group/other permissions are not enough. For example, you can set different permissions for different users on a single file or directory. Two commands control ACLs: getfacl and setfacl. When you use the ls -l or ll command, a plus sign (+) next to the permission string indicates that ACL permissions are set.

Step 1. Before you can use ACLs, you need to make sure that the file system has been mounted with the acl option:
# mount | grep acl

If nothing is returned, none of the currently mounted file systems has ACL support enabled. To remount the file system with the acl option, use the following command:
# mount -t ext4 -o acl,remount /dev/sda5 /data

Step 2. To verify, you can use the previous command:
# mount | grep acl
/dev/sda5 on /data type ext4 (rw,acl)

Step 3. Add the following line in your /etc/fstab file:
/dev/sda5 /data ext4 defaults,acl 1 2
Save and close the file.

Step 4. To make the changes take effect, you need to remount the file system:
# mount -o remount /data

Step 5. You can now verify that your file system has the ACL option:
# mount | grep -i acl
/dev/sda5 on /data type ext3 (rw,acl)

Exercise: To understand ACLs, let's look at an example.
Step 1. Create a sample file (file1) on which you can test an ACL in the /data/backup directory:
# mkdir /data/backup
# cd /data/backup
# touch file1

Check the default permissions with the following command:
# getfacl /data/backup

Step 2. Set the test file so that user1 also has access to this file:
# setfacl -m u:user1:rwx /data/backup/file1
Here -m means modify, u: means the entry is for a user, and rwx means that read, write and execute permission are granted to user1 on the file /data/backup/file1.

Step 3. Now check the ACL permissions:
# getfacl /data/backup/file1

# file: file1
# owner: root
# group: root
user::rw-
user:user1:rwx
group::r--
mask::rwx
other::r--
Now log in as user1 and try to modify file1; the modification should succeed.

Step 4. Use the setfacl command again to remove the ACL entry for user1:
# setfacl -x u:user1 /data/backup/file1
Notice that -x is used to remove an ACL entry.

Step 5. Verify that the ACL has been removed:
# getfacl file1
# file: file1
# owner: root
# group: root
user::rw-
group::r--
mask::r--
other::r--

Step 6. If you have multiple ACL entries set up on a single file, you can remove them all with the -b option:
# setfacl -b filename
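One caveat worth checking after Step 3: the mask entry caps what every named user, named group and the owning group actually get, and a later chmod on the group bits rewrites that mask. The helper below is an added example (not from the original post): a POSIX shell/awk function that reads getfacl-style output and prints the effective rights of one entry; the listing it runs on is constructed, with the mask narrowed to r-x so that user1's rwx entry no longer grants write.

```shell
#!/bin/sh
# Constructed getfacl listing (not captured from a real system): the mask has
# been narrowed to r-x, so the named entry for user1 is limited by it.
SAMPLE_ACL='# file: file1
# owner: root
# group: root
user::rw-
user:user1:rwx
group::r--
mask::r-x
other::r--'

# effective_perm <entry>: read a getfacl listing on stdin and print the rights
# <entry> really has. Entries are named like getfacl prints them: "user::",
# "user:user1", "group::", "other::". Named users, named groups and the owning
# group are ANDed with the mask; the owner and "other" entries are not.
effective_perm() {
    awk -v want="$1" '
        /^#/ || NF == 0 { next }          # skip header lines and blanks
        {
            sub(/[ \t]+#.*/, "")          # drop a trailing "#effective:" note
            split($0, f, ":")
            tag = f[1]; name = f[2]; perm = f[3]
            key = (name == "") ? tag "::" : tag ":" name
            acl[key] = perm
            if (tag == "mask") mask = perm
        }
        END {
            if (!(want in acl)) { print "absent"; exit }
            perm = acl[want]
            masked = (want ~ /^user:[^:]/ || want ~ /^group:/)
            if (!masked || mask == "") { print perm; exit }
            out = ""
            for (i = 1; i <= 3; i++) {
                c = substr(perm, i, 1); m = substr(mask, i, 1)
                out = out ((c != "-" && m != "-") ? c : "-")
            }
            print out
        }'
}

printf '%s\n' "$SAMPLE_ACL" | effective_perm user:user1   # prints r-x, not rwx
```

Run it against real output with `getfacl /data/backup/file1 | effective_perm user:user1`; if the result is narrower than the entry you set, look at the mask line before assuming the ACL itself is wrong.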
