Access Control List Linux:How Much Do You Know?

Traditional Linux networking is satisfied for most situations when employed in a network switch, router or other network devices. However, it still has some limitations such as the problem of UNIX file permissions, which affects network security. Luckily, Access Control List (ACL) has been developed, which is designed to make a flexible permission mechanism in Linux. Well, what is ACL and how to use it in Linux?

Access Control List Overview

Access Control List is a list that grants or denies permissions to the data, which tries to access services attached to that network hardware such as Gigabit Ethernet switch or router. There are several types of ACLs such as access ACL and the default ACL. The former is the access control list for a specific file or directory and the later can only be associated with a directory.

ACL provides an additional, more flexible permission mechanism for file systems. To be specific, it ensures security by blocking packets that are destined to sensitive areas in the network. Based on the protocols, it also determines the type of traffic to forward. And it is also able to deny certain users or groups access to the Internet while allowing others. What’s more, ACL can block specified traffic, which greatly helps enhance the performance of your network.

How to Use Access Control List in Linux?

Usually, there are mainly four steps for the Access Control List configuration.

Installing ACL Package

Before using ACLs for a file or directory, you should install the acl package.

# yum install acl

Configuring ACL

1.Mount the file system consisting of the file or directory with ACL support. Here is the syntax for you to mount a local ext3 file system.

# mount -t ext3 -o acl [device-name] [moun-point]

2.Use the getfacl utility to show a file’s ACL.

# mount -t ext3 -o acl /dev/mapper/volGroup00-LogVo100 /data

When a file does not have an ACL, it shows the same information as ‘ls –l’, although in a different format.

# 1s -1 test
-rw-rw-r– 1 oracle oracle 25 Mar 5 10:10 test

3.Use the setfacl utility to add or modify one or more rules in a file’s ACL.

# setfacl -m [rules] [files]

If a file has an ACL, ‘ls –l’ will display a plus sign (+) following the permission.

# 1s -1 test
-rw-rwxr–+ 1 oracle oracle 25 Mar 5 10:10 test

Remove ACLs

1.Use the “-x” option without specifying any permissions to remove rules for a user or group.

# setfacl -x u:oracle test

2.Use the “-b” option to remove ACL itself.
# setfacl -b test

Setting the Default ACLs

Add “d:” before the rule and specify a directory instead of a file name. Then the setting is completed.

What Is Linux ACL Mask and Why Does It Exist?

When setting the default ACL in a directory, some users may be confused to see “default:mask” or just “mask”. Actually, the “mask” is a mask set, which is used to mask out permissions. Except for a file owner or an “other” entry, “mask” is the maximum permission granted by access control entries for users and groups. The “default: mask” on a parent directory is also a mask setting, which is applied to things that are created within it.

Conventionally, people use the traditional Unix applications to run “chmod(…,000)”, which is expected to deny all access to a file. However, it fails unless there is a mask and the old “S_IRWXG” permissions map to it. Although having been upgraded several times, traditional Unix scripts still can’t work perfectly without a mask. In ACLS, the mask is also necessary. Without it, setting the file permissions to entry such as “000” wouldn’t affect any non-owner user or group entries and other users still have access to the object. What’s more, without a mask, other approaches have defects in granting or denying permissions to the data as well.

-bash-4.2$ 1s -d1 dir/
drwxr-x—. 2 test test 4096 oct 15 18:17 dir/
-bash-4.2$ getfacl dir
# file: dir
# owner: test
# group: test
user::rwx
group::r-x
other::—

-bash-4.2$ setfacl –m user:arif:rwf dir

-bash-4.2$ setfacl –m user:arif:rwf dir
user::rwx
user:arif:rwx
group::r-x
mask::rwx
other::—
-bash-4.2$ 1s -1d test/
drwxr-x—.2 test test 4096 Oct 15 19:12 test/

-bash-4.2$ setfacl -d –m u:arif:rwx test/

-bash-4.2$ getfacl –omit -header test
user::rwx
group::r-x
other::—
default:user::rwx
default:user:arif:rwx
default:group::r-x
default:mask::rwx
default:other::—

Conclusion

From all the above, you may have a general understanding of Access Control List Linux, Linux ACL Mask and how to use ACL in Linux. The use of ACL in the Linux OS is important to the security of the network. Recently, FS has teamed up with Cumulus to provide the N-series open networking switch. These switches are suitable for you to configure ACL, including 10GbE switch, 40GbE switch, 100GbE switch, etc.

Related Article:
Open Source vs Proprietary Software: Which Is Better?
What Are the Commonalities of Switches Supporting Cumulus Linux

Author: ingrid

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.