Sunday, March 26, 2017

RHEL7 - ACLs by example


1. Check whether a file has an ACL assigned.
$ ls -l acefile.txt

If there is a `+` at the end of the permission field in the output, the file has an extended ACL. (A `.` in that position, as seen in the transcripts below, means there is no extended ACL; it only indicates that an SELinux security context is present.)

2. To display the full ACL of a file
# getfacl acefile.txt

3. Creating an acl

a. Assign rw access to user pradip
# setfacl -m u:pradip:rw acefile.txt
-m -> modify (add or replace) ACL entries on the file; as the transcript below shows, a mask entry is added and recalculated automatically when named-user or named-group entries are present.

b. Assign group dba to have rwx permission on a file
# setfacl -m g:dba:rwx acefile.txt

c. Assign ACL to user and group at the same time.
# setfacl -m u:pradip:rw,g:dba:rwx acefile.txt

d. Assigning a default ACL on a directory
A default ACL is inherited by files and subdirectories created inside that directory afterwards. It does not change the permissions of entries that already exist; apply a normal (non-default) ACL to those separately, e.g. with -R.

# setfacl -m default:u:pradip:rw /data

e. Display the ACL, including any default entries
# getfacl /data

f. Remove the ACL entry for one user
# setfacl -x u:pradip /data
This removes only the named-user entry for pradip; all other ACL entries and the base permission bits remain unchanged.

g. Remove all acls associated to a file
# setfacl -b acefile.txt

Note: -b removes every extended ACL entry (including default entries on a directory); the base owner/group/other permission bits are kept.

You can also back up ACLs with getfacl and restore them with setfacl:

h. Back up the ACLs of an existing file or directory tree
# getfacl -R /data > /var/tmp/data-acl.bk
Write the backup to a location only root can read and write, not a shared, world-writable directory such as /var/tmp: the file is later fed to setfacl --restore as root, so its contents must be trusted.

i. Restore the ACL settings from the backup file
# cd / && setfacl --restore=/var/tmp/data-acl.bk
getfacl strips the leading '/' from the paths it records (note the "Removing leading '/'" message in the transcript below), so the restore must be run from the directory those relative paths are based on — for a backup of /data, that is /.

Detail .....
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[kamal@makku practice]$ touch aclfile.txt
[kamal@makku practice]$ ls -l aclfile.txt
-rw-rw-r--. 1 kamal kamal 0 Mar 26 11:10 aclfile.txt
[kamal@makku practice]$ getfacl aclfile.txt
# file: aclfile.txt
# owner: kamal
# group: kamal
user::rw-
group::rw-
other::r--

[kamal@makku practice]$ setfacl -m u:pradip:rwx aclfile.txt
[kamal@makku practice]$ getfacl aclfile.txt
# file: aclfile.txt
# owner: kamal
# group: kamal
user::rw-
user:pradip:rwx
group::rw-
mask::rwx
other::r--

[kamal@makku practice]$ setfacl -m u:bishal:--- aclfile.txt
[kamal@makku practice]$ getfacl aclfile.txt
# file: aclfile.txt
# owner: kamal
# group: kamal
user::rw-
user:pradip:rwx
user:bishal:---
group::rw-
mask::rwx
other::r--

[kamal@makku practice]$ pwd
/var/tmp/practice
[kamal@makku practice]$ su -
Password:
Last login: Sun Mar 26 09:09:58 EDT 2017 on pts/2
[root@makku ~]# id bishal
uid=1008(bishal) gid=1016(bishal) groups=1016(bishal)
[root@makku ~]# cd /var/tmp/practice/
[root@makku practice]# ls -l aclfile.txt
-rw-rwxr--+ 1 kamal kamal 0 Mar 26 11:10 aclfile.txt
[root@makku practice]# pwd
/var/tmp/practice
[root@makku practice]# cd ..
[root@makku tmp]# ls -ld practice/
drwxrwxr-x. 2 kamal kamal 4096 Mar 26 11:10 practice/
[root@makku tmp]# su - pradip
Last login: Sun Mar 26 09:07:04 EDT 2017 on tty3
[pradip@makku ~]$ cd /var/tmp/practice/
[pradip@makku practice]$ ls -l aclfile.txt
-rw-rwxr--+ 1 kamal kamal 0 Mar 26 11:10 aclfile.txt
[pradip@makku practice]$ cat >aclfile.txt
This is added by Pradip
[pradip@makku practice]$ cat aclfile.txt
This is added by Pradip
[pradip@makku practice]$ ls -l
total 56
-rw-rwxr--+ 1 kamal kamal  24 Mar 26 11:17 aclfile.txt
-rwxr--r--. 1 kamal kamal 397 Mar 12 11:53 delete_entry.sh
-rwxr--r--. 1 kamal kamal  85 Mar 12 11:53 greet.sh
-rwxr--r--. 1 kamal kamal 274 Mar 12 11:53 multivalue.sh
-rw-r--r--. 1 root  root    0 Mar 26 10:47 myacl.txt
-rw-r--r--. 1 kamal kamal 214 Mar 12 11:53 mycal.sh
-rw-r--r--. 1 kamal kamal 183 Mar 12 11:53 myeval.sh
-rwxr--r--. 1 kamal kamal  60 Mar 12 11:53 mymath.sh
-rwxr--r--. 1 kamal kamal 228 Mar 12 11:53 myname.sh
-rwxr--r--. 1 kamal kamal 314 Mar 12 11:53 mypos.sh
-rwxr--r--. 1 kamal kamal  17 Mar 12 11:53 patient.sh
-rw-r--r--. 1 kamal kamal 113 Mar 12 11:53 readval.sh
-rwxr--r--. 1 kamal kamal 224 Mar 12 11:53 rmfile.sh
-rwxr--r--. 1 kamal kamal 174 Mar 12 11:53 valpass.sh
[pradip@makku practice]$ ls -l aclfile.txt
-rw-rwxr--+ 1 kamal kamal 24 Mar 26 11:17 aclfile.txt
[pradip@makku practice]$ id pradit
id: pradit: no such user
[pradip@makku practice]$ id pradip
uid=1000(pradip) gid=1000(pradip) groups=1000(pradip),1002(admins)
[pradip@makku practice]$ su - bishal
Password:
Last login: Sat Mar 25 16:36:10 EDT 2017 on :0
[bishal@makku ~]$ cd /var/tmp
[bishal@makku tmp]$ cd practice/
[bishal@makku practice]$ ls
aclfile.txt      greet.sh       myacl.txt  myeval.sh  myname.sh  patient.sh  rmfile.sh
delete_entry.sh  multivalue.sh  mycal.sh   mymath.sh  mypos.sh   readval.sh  valpass.sh
[bishal@makku practice]$ ls -l aclfile.txt
-rw-rwxr--+ 1 kamal kamal 24 Mar 26 11:17 aclfile.txt
[bishal@makku practice]$ cat aclfile.txt
cat: aclfile.txt: Permission denied
[bishal@makku practice]$ cat >>aclfile.txt
-bash: aclfile.txt: Permission denied
[bishal@makku practice]$ su - prema
Password:
Last login: Sun Feb 26 08:52:31 EST 2017 on pts/2
[prema@makku ~]$ cd /var/tmp
[prema@makku tmp]$ cd practice/
[prema@makku practice]$ cat aclfile.txt
This is added by Pradip
[prema@makku practice]$ ls -l aclfile.txt
-rw-rwxr--+ 1 kamal kamal 24 Mar 26 11:17 aclfile.txt
[prema@makku practice]$ getfacl aclfile.txt
# file: aclfile.txt
# owner: kamal
# group: kamal
user::rw-
user:pradip:rwx
user:bishal:---
group::rw-
mask::rwx
other::r--

[prema@makku practice]$ su -
Password:
Last login: Sun Mar 26 11:16:46 EDT 2017 on pts/2
[root@makku ~]# usermod -aG kamal pradip
[root@makku ~]# usermod -aG kamal bishal
[root@makku ~]# id bishal
uid=1008(bishal) gid=1016(bishal) groups=1016(bishal),1013(kamal)
[root@makku ~]# su - bishal
Last login: Sun Mar 26 11:18:43 EDT 2017 on pts/2
[bishal@makku ~]$ cd /var/tmp/practice/
[bishal@makku practice]$ cat aclfile.txt
cat: aclfile.txt: Permission denied
[bishal@makku practice]$ ls -l aclfile.txt
-rw-rwxr--+ 1 kamal kamal 24 Mar 26 11:17 aclfile.txt
[bishal@makku practice]$ id
uid=1008(bishal) gid=1016(bishal) groups=1016(bishal),1013(kamal) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[bishal@makku practice]$ pwd
/var/tmp/practice
[bishal@makku practice]$ ls
aclfile.txt      greet.sh       myacl.txt  myeval.sh  myname.sh  patient.sh  rmfile.sh
delete_entry.sh  multivalue.sh  mycal.sh   mymath.sh  mypos.sh   readval.sh  valpass.sh
[bishal@makku practice]$ ls -l
total 56
-rw-rwxr--+ 1 kamal kamal  24 Mar 26 11:17 aclfile.txt
-rwxr--r--. 1 kamal kamal 397 Mar 12 11:53 delete_entry.sh
-rwxr--r--. 1 kamal kamal  85 Mar 12 11:53 greet.sh
-rwxr--r--. 1 kamal kamal 274 Mar 12 11:53 multivalue.sh
-rw-r--r--. 1 root  root    0 Mar 26 10:47 myacl.txt
-rw-r--r--. 1 kamal kamal 214 Mar 12 11:53 mycal.sh
-rw-r--r--. 1 kamal kamal 183 Mar 12 11:53 myeval.sh
-rwxr--r--. 1 kamal kamal  60 Mar 12 11:53 mymath.sh
-rwxr--r--. 1 kamal kamal 228 Mar 12 11:53 myname.sh
-rwxr--r--. 1 kamal kamal 314 Mar 12 11:53 mypos.sh
-rwxr--r--. 1 kamal kamal  17 Mar 12 11:53 patient.sh
-rw-r--r--. 1 kamal kamal 113 Mar 12 11:53 readval.sh
-rwxr--r--. 1 kamal kamal 224 Mar 12 11:53 rmfile.sh
-rwxr--r--. 1 kamal kamal 174 Mar 12 11:53 valpass.sh
[bishal@makku practice]$ cat >>rmfile.sh
-bash: rmfile.sh: Permission denied
[bishal@makku practice]$ logout
[root@makku ~]# pwd
/root
[root@makku ~]# cd /var/tmp/practice/
[root@makku practice]# chmod 764 rmfile.sh
[root@makku practice]# ls -l rmfile.sh
-rwxrw-r--. 1 kamal kamal 224 Mar 12 11:53 rmfile.sh
[root@makku practice]# logout
[prema@makku practice]$ su -
Password:
[prema@makku practice]$ su - bishal
Password:
Last login: Sun Mar 26 11:20:35 EDT 2017 on pts/2
[bishal@makku ~]$ cd /var/tmp/practice/
[bishal@makku practice]$ more rmfile.sh
#!/bin/bash
# Kamal
# Date
# Removes newly added users
#

cp /etc/passwd /var/tmp/passwd
egrep -v "pradip|john|kamal|ram|jay|rim" /var/tmp/passwd > /var/tmp/mypasswd
mv /var/tmp/mypasswd /var/tmp/passwd
cat /var/tmp/passwd
[bishal@makku practice]$ ls -l rmfile.sh
-rwxrw-r--. 1 kamal kamal 224 Mar 12 11:53 rmfile.sh
[bishal@makku practice]$ cat >>rmfile.sh
#EOF
[bishal@makku practice]$ cat rmfile.sh
#!/bin/bash
# Kamal
# Date
# Removes newly added users
#

cp /etc/passwd /var/tmp/passwd
egrep -v "pradip|john|kamal|ram|jay|rim" /var/tmp/passwd > /var/tmp/mypasswd
mv /var/tmp/mypasswd /var/tmp/passwd
cat /var/tmp/passwd
#EOF
[bishal@makku practice]$ cat >>rmfile.sh ^C
[bishal@makku practice]$ logout
[prema@makku practice]$ pwd
/var/tmp/practice
[prema@makku practice]$ cat >>rmfile.sh
-bash: rmfile.sh: Permission denied
[prema@makku practice]$ ls -ltr
total 56
-rwxr--r--. 1 kamal kamal  85 Mar 12 11:53 greet.sh
-rwxr--r--. 1 kamal kamal 397 Mar 12 11:53 delete_entry.sh
-rwxr--r--. 1 kamal kamal 174 Mar 12 11:53 valpass.sh
-rw-r--r--. 1 kamal kamal 113 Mar 12 11:53 readval.sh
-rwxr--r--. 1 kamal kamal  17 Mar 12 11:53 patient.sh
-rwxr--r--. 1 kamal kamal 314 Mar 12 11:53 mypos.sh
-rwxr--r--. 1 kamal kamal 228 Mar 12 11:53 myname.sh
-rwxr--r--. 1 kamal kamal  60 Mar 12 11:53 mymath.sh
-rw-r--r--. 1 kamal kamal 183 Mar 12 11:53 myeval.sh
-rw-r--r--. 1 kamal kamal 214 Mar 12 11:53 mycal.sh
-rwxr--r--. 1 kamal kamal 274 Mar 12 11:53 multivalue.sh
-rw-r--r--. 1 root  root    0 Mar 26 10:47 myacl.txt
-rw-rwxr--+ 1 kamal kamal  24 Mar 26 11:17 aclfile.txt
-rwxrw-r--. 1 kamal kamal 229 Mar 26 11:23 rmfile.sh
[prema@makku practice]$ getfacl aclfile.txt
# file: aclfile.txt
# owner: kamal
# group: kamal
user::rw-
user:pradip:rwx
user:bishal:---
group::rw-
mask::rwx
other::r--

[prema@makku practice]$
[kamal@makku practice]$ touch userdata.txt
[kamal@makku practice]$ getfacl aclfile.txt
# file: aclfile.txt
# owner: kamal
# group: kamal
user::rw-
user:pradip:rwx
user:bishal:---
group::rw-
mask::rwx
other::r--

[kamal@makku practice]$ getfacl aclfile.txt | setfacl --set-file=- userdata.txt
[kamal@makku practice]$ getfacl userdata.txt
# file: userdata.txt
# owner: kamal
# group: kamal
user::rw-
user:pradip:rwx
user:bishal:---
group::rw-
mask::rwx
other::r--

[kamal@makku practice]$ pwd
/var/tmp/practice
[kamal@makku practice]$ cd ..
[kamal@makku tmp]$ ls -ld practice/
drwxrwxr-x. 2 kamal kamal 4096 Mar 26 11:29 practice/
[kamal@makku tmp]$ getfacl practice
# file: practice
# owner: kamal
# group: kamal
user::rwx
group::rwx
other::r-x

[kamal@makku tmp]$ setfacl -m g:prema:rw practice/
[kamal@makku tmp]$ getfacl practice
# file: practice
# owner: kamal
# group: kamal
user::rwx
group::rwx
group:prema:rw-
mask::rwx
other::r-x

[kamal@makku tmp]$ su - prema
Password:
Last login: Sun Mar 26 11:19:28 EDT 2017 on pts/2
[prema@makku ~]$ cd /var/tmp/practice/
-bash: cd: /var/tmp/practice/: Permission denied
[prema@makku ~]$ logout
[kamal@makku tmp]$ setfacl -R -m u:prema:rw practice/
setfacl: practice//myacl.txt: Operation not permitted
[kamal@makku tmp]$ pwd
/var/tmp
[kamal@makku tmp]$ su -
Password:
Last login: Sun Mar 26 11:19:57 EDT 2017 on pts/2
[root@makku ~]# cd /var/tmp
[root@makku tmp]# setfacl -R -m u:prema:rw practice/
[root@makku tmp]# logout
[kamal@makku tmp]$ pwd
/var/tmp
[kamal@makku tmp]$ su - prema
Password:
Last login: Sun Mar 26 11:33:52 EDT 2017 on pts/2
[prema@makku ~]$ cd /var/tmp/practice/
-bash: cd: /var/tmp/practice/: Permission denied
[prema@makku ~]$ ls -ld /var/tmp/practice/
drwxrwxr-x+ 2 kamal kamal 4096 Mar 26 11:29 /var/tmp/practice/
[prema@makku ~]$ getfacl /var/tmp/practice
getfacl: Removing leading '/' from absolute path names
# file: var/tmp/practice
# owner: kamal
# group: kamal
user::rwx
user:prema:rw-
group::rwx
group:prema:rw-
mask::rwx
other::r-x

[prema@makku ~]$ id prema
uid=1009(prema) gid=1017(prema) groups=1017(prema)
[prema@makku ~]$ ls -ld /var/tmp/practice/
drwxrwxr-x+ 2 kamal kamal 4096 Mar 26 11:29 /var/tmp/practice/
[prema@makku ~]$ pwd
/home/prema
[prema@makku ~]$ cd /var/tmp/practice/
-bash: cd: /var/tmp/practice/: Permission denied
[prema@makku ~]$
[prema@makku ~]$ logout
[kamal@makku tmp]$ setfacl -m g:prema:rwx practice/
[kamal@makku tmp]$ getfacl practice/
# file: practice/
# owner: kamal
# group: kamal
user::rwx
user:prema:rw-
group::rwx
group:prema:rwx
mask::rwx
other::r-x

[kamal@makku tmp]$ logout
[pradip@makku practice]$ su - prema
Password:
Last login: Sun Mar 26 11:35:38 EDT 2017 on pts/2
[prema@makku ~]$ cd /var/tmp/practice/
-bash: cd: /var/tmp/practice/: Permission denied
[prema@makku ~]$ getfacl /var/tmp/practice/
getfacl: Removing leading '/' from absolute path names
# file: var/tmp/practice/
# owner: kamal
# group: kamal
user::rwx
user:prema:rw-
group::rwx
group:prema:rwx
mask::rwx
other::r-x

[prema@makku ~]$ logout
[pradip@makku practice]$ su -
Password:
Last login: Sun Mar 26 11:35:14 EDT 2017 on pts/2
[root@makku ~]# setfacl -m user:prema:rwx /var/tmp/practice/
[root@makku ~]# logout
[pradip@makku practice]$ su -
Password:
Last login: Sun Mar 26 11:39:42 EDT 2017 on pts/2
[root@makku ~]# su - prema
Last login: Sun Mar 26 11:39:11 EDT 2017 on pts/2
[prema@makku ~]$ cd /var/tmp/practice/
[prema@makku practice]$ ls
aclfile.txt      multivalue.sh  myeval.sh  mypos.sh    rmfile.sh
delete_entry.sh  myacl.txt      mymath.sh  patient.sh  userdata.txt
greet.sh         mycal.sh       myname.sh  readval.sh  valpass.sh
[prema@makku practice]$

Note on the transcript above: a matching named-user entry takes precedence over group entries. bishal stayed blocked by `user:bishal:---` even after being added to the kamal group, and prema could not enter the directory while `user:prema:rw-` lacked x, even though `group:prema:rwx` had been added; only changing prema's own user entry to rwx fixed it. Also, only the file's owner (or root) may change its ACL — prema's own setfacl attempt below fails with "Operation not permitted".

Remove ACL
[prema@makku practice]$ setfacl -x u:prema,g:prema /var/tmp/practice/
setfacl: /var/tmp/practice/: Operation not permitted
[prema@makku practice]$ id
uid=1009(prema) gid=1017(prema) groups=1017(prema) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[prema@makku practice]$ logout
[root@makku ~]# su - kamal
Last login: Sun Mar 26 11:29:17 EDT 2017 on pts/2
[kamal@makku ~]$ cd /var/tmp
[kamal@makku tmp]$ setfacl -x u:prema,g:prema /var/tmp/practice/
[kamal@makku tmp]$ getfacl practice/
# file: practice/
# owner: kamal
# group: kamal
user::rwx
group::rwx
mask::rwx
other::r-x

[kamal@makku tmp]$

