Thursday, June 14, 2012

How to Configure ACL on a directory?

$ /sbin/ip address show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:50:56:be:00:41 brd ff:ff:ff:ff:ff:ff
    inet 165.135.239.38/24 brd 165.135.239.255 scope global eth0
    inet6 fe80::250:56ff:febe:41/64 scope link
       valid_lft forever preferred_lft forever
3: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0
[bhusal@valentine ~]$

------------------------------------------------------------------

Configure the ACL of a directory.

1. As root, create a directory that only root can access:

[root@valentine ~]# cd /tmp
[root@valentine tmp]# mkdir acl_test
[root@valentine tmp]# chmod 700 acl_test
[root@valentine tmp]#

2. As a normal user, try to enter the directory:

[bhusal@valentine ~]$ cd /tmp/acl_test/
-bash: cd: /tmp/acl_test/: Permission denied
[bhusal@valentine ~]$

3. As root, display the current ACL of the directory:

[root@valentine tmp]# getfacl acl_test
# file: acl_test
# owner: root
# group: root
user::rwx
group::---
other::---

[root@valentine tmp]#

4. As root, add an extended ACL entry for the user bhusal with the following command:

[root@valentine tmp]# setfacl -m u:bhusal:rwx acl_test/

Now display the extended ACL of the directory:

[root@valentine tmp]# getfacl acl_test
# file: acl_test
# owner: root
# group: root
user::rwx
user:bhusal:rwx
group::---
mask::rwx
other::---

[root@valentine tmp]#


5. Now try again as the normal user:

[bhusal@valentine ~]$  cd /tmp/acl_test/
[bhusal@valentine acl_test]$


------------------------------------------

Configure default ACL for a directory


6. As root, create a file inside the directory and display its ACL:

[root@valentine acl_test]# touch without_default_acl
[root@valentine acl_test]# getfacl without_default_acl
# file: without_default_acl
# owner: root
# group: root
user::rw-
group::---
other::---

[root@valentine acl_test]#

As you can see, no default ACL of the parent directory was assigned to the file.

Now set the default ACL for the acl_test directory, then create a new file and display its ACL:

[root@valentine acl_test]# touch with_default_acl
[root@valentine acl_test]# getfacl with_default_acl
# file: with_default_acl
# owner: root
# group: root
user::rw-
user:bhusal:rw-
group::---
mask::rw-
other::---

[root@valentine acl_test]# ls -l
total 8
-rw-rw----+ 1 root root 0 Jun 14 15:09 with_default_acl
-rw-------  1 root root 0 Jun 14 15:07 without_default_acl
[root@valentine acl_test]#


7. Delete an ACL entry

[root@valentine acl_test]# setfacl -x u:bhusal with_default_acl

Display the ACL:

[root@valentine acl_test]# getfacl with_default_acl
# file: with_default_acl
# owner: root
# group: root
user::rw-
group::---
mask::---
other::---

[root@valentine acl_test]#


8. Now you can see that the ACL entry for the user bhusal has been removed.

View the file attributes:
[root@valentine acl_test]# ls -l
total 8
-rw-------+ 1 root root 0 Jun 14 15:09 with_default_acl
-rw-------  1 root root 0 Jun 14 15:07 without_default_acl
[root@valentine acl_test]#

9. Here the "+" marker is still shown in the ls -l output, because the mask entry (mask::---) is still part of the file's ACL.
To remove all the ACL entries:

[root@valentine acl_test]# setfacl -b with_default_acl
[root@valentine acl_test]# ls -l
total 8
-rw------- 1 root root 0 Jun 14 15:09 with_default_acl
-rw------- 1 root root 0 Jun 14 15:07 without_default_acl
[root@valentine acl_test]#

[root@valentine acl_test]# getfacl with_default_acl
# file: with_default_acl
# owner: root
# group: root
user::rw-
group::---
other::---

[root@valentine acl_test]#

Now you can see that the ACL has been removed.
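
The getfacl listings in steps 4 to 9 can also be checked by a script. The following is an added example, not part of the original post: it parses getfacl text, applies the mask:: entry to work out the rights each entry really grants, and tells whether ls -l would show "+". The function names are my own, the first two sample entries are copied from the transcripts in steps 4 and 7 (owner and group comment lines dropped), and report.txt is constructed.

```python
# Added example. SAMPLE: acl_test and with_default_acl are from the page, report.txt is constructed.
SAMPLE = """\
# file: acl_test
user::rwx
user:bhusal:rwx
group::---
mask::rwx
other::---
# file: with_default_acl
user::rw-
group::---
mask::---
other::---
# file: report.txt
user::rw-
user:bhusal:rwx
group::r-x
mask::r--
other::---
"""

def parse_getfacl(text):
    """Map each '# file:' path to its list of (tag, qualifier, perms) entries."""
    acls, entries = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("# file:"):
            entries = acls.setdefault(line[len("# file:"):].strip(), [])
        elif line and not line.startswith("#") and entries is not None:
            fields = line.split("#")[0].split()[0].split(":")  # drop "#effective:" note
            # "default:user:bhusal:rwx" keeps the tag "default:user"
            entries.append((":".join(fields[:-2]), fields[-2], fields[-1]))
    return acls

def effective(entries):
    """Access rights really granted; mask:: caps named entries and group:: only."""
    mask, rights = next((p for t, _, p in entries if t == "mask"), None), {}
    for tag, who, perms in entries:
        if mask is not None and (tag == "group" or who):
            perms = "".join(c if c == m else "-" for c, m in zip(perms, mask))
        if tag in ("user", "group", "other"):  # skip mask:: and default: entries
            rights[f"{tag}:{who}"] = perms
    return rights

def is_extended(entries):
    """True when `ls -l` shows '+': any entry beyond user::, group::, other::."""
    return any(who or tag not in ("user", "group", "other") for tag, who, _ in entries)

if __name__ == "__main__":
    for path, entries in parse_getfacl(SAMPLE).items():
        print(path, "+" if is_extended(entries) else " ", effective(entries))
```

For with_default_acl the script reports an extended ACL with no named entries left, which is the state step 9 clears with setfacl -b.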