Saturday, October 27, 2012

Create And Manage ACL (Access Control List) in Linux (RedHat, CentOS, Fedora, SELinux)

Hello everyone,
ACLs can be configured to override the basic file permissions (read, write, and execute: rwx). With ACLs you can grant, limit, or deny access to specific files and directories for any number of individual users and groups. For example, if you run the "chmod o+r text.txt" command, you give read access to your file (text.txt) to all other users. But what if you want to give read access to just two users and deny everyone else? With ACLs you can do that.
The regular ugo/rwx permissions are the first level of access control; ACLs are the second level. Whatever you can do with basic file permissions you can also do with ACLs, plus more options that give you finer control over permissions. For instance, look at the output of the getfacl and ls -l commands in Figure 1. They show the same permissions:

Figure 1

To configure ACL, you need to do 3 steps:
  1. Configure the appropriate filesystem with the acl option
  2. Configure ACLs with desired permissions for appropriate users
  3. Set up execute permissions on the associated directories

Configure an appropriate filesystem with the acl option:

In order to configure ACLs, we need to mount the associated filesystem with the acl option. For example, I want to configure the root filesystem (/) with the acl option. If I run the mount command, I see the following output (Figure 2):

Figure 2

I can remount it with ACL using the following command:

mount -o remount -o acl /dev/mapper/vg_slkhosro-lv_root /
If I run the mount command again, I will see the following output (Figure 3) with added ACL attribute:

Figure 3

I edited /etc/fstab and added the acl option to the root (/) entry to make sure the option is still there after the next reboot (Figure 4):

Figure 4

After editing the /etc/fstab file, you can activate the change immediately by running this command:
mount -o remount /

Manage ACLs for a file:

I switched to root and made a file in the /root directory: touch acltest.txt
So, the user owner of this file is root, who has read and write permission. Now the owner of the file and the root user, which are the same in this case, can give access to other users with the following command:

setfacl -m u:Khosro:rwx /root/acltest.txt

I gave read, write, and execute permission to the user Khosro only. So, the owner of the file and Khosro both have read and write permission, and Khosro also has execute permission.
Figure 5 shows the output of getfacl command before and after running the setfacl command on the acltest.txt file:

Figure 5

The setfacl command can also be used with groups. The following command gives read privileges to users who are members of the NorthAmerica_Branch group:

setfacl -m g:NorthAmerica_Branch:r-- /root/acltest.txt

The following command deletes the previously configured privileges for user Khosro with the -x switch:

setfacl -x u:Khosro /root/acltest.txt

The following command, with the -b switch, will remove all ACLs for all users:

setfacl -b /root/acltest.txt

Pay attention to "other" users. The following command
setfacl -m o:rwx /root/acltest.txt
gives read, write, and execute permission to other users for /root/acltest.txt. But you cannot use the -x or -b switches to remove that change (Figure 6): the other:: entry is not an extended ACL entry but the file's standard "other" permission bits, and -x and -b only remove extended entries. The only way to remove it is one of the following commands:
setfacl -m o:--- /root/acltest.txt
chmod o-rwx /root/acltest.txt


Figure 6


Set up execute permissions on the associated directories:

Now, the file permission alone is not enough for user Khosro to access the acltest.txt file, because Khosro doesn't have access to the /root directory. So, if Khosro runs the ls /root/ command, he gets a Permission denied error (Figure 7):

Figure 7

Using the "chmod 701 /root" command would fix that issue, BUT it has a security problem: it gives execute access to all other users, even though they cannot read or write the directory. This is not a good idea at all. Instead, we should give execute access, and only execute access, to user Khosro for that particular directory with the following command:

setfacl -m u:Khosro:x /root

So, user Khosro can navigate only to /root/acltest.txt, and since Khosro has rwx on acltest.txt, Khosro can do anything with that file.
Figure 8 shows that user Khosro has execute access to the /root directory and rwx access to the /root/acltest.txt file.

Figure 8

Sometimes, you may want to apply ACLs to all files in a directory as well as any subdirectories that may exist. In that case, the -R switch can be used to apply changes recursively:

setfacl -R -m u:Khosro:rwx /root/

To unset or remove ACLs, you can use either the -x option, like:
setfacl -R -x u:Khosro /root/

or the -b switch; however, that erases the ACLs configured for all users on the mentioned directory:
setfacl -R -b /root

You can also use ACLs to deny specific users access to certain files or directories. For example, the following command:

setfacl -m u:Khosro:--- /mnt/boot

will deny user Khosro access to the /mnt/boot directory. As Figures 9 and 10 show, it denies Khosro access to the test.txt file inside it.

Figure 9

Figure 10

You can apply the changes recursively:
setfacl -R -m u:Khosro:--- /etc    ---> denies user Khosro access to the files and sub-directories under /etc

The following command cancels ACL settings for that user recursively:
setfacl -R -x u:Khosro /etc

Masks on ACLs:

The mask associated with an ACL limits the permissions available on a file. If you look at Figure 11, Khosro has rwx permission on acltest.txt and the mask is also rwx. If you change the mask to r--, user Khosro has only read access, even though getfacl still lists the entry as rwx. Look at the #effective:r-- annotation in Figures 11 and 12:

Figure 11

Figure 12

In other words, with a mask of r--, you can set any other privileges in the entries, but all that will actually be effective under that mask is the read privilege.
And here is the command to set the mask:

setfacl -m mask:r-- acltest.txt
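As an added example (not code from this post), here is a small Python model of how the kernel evaluates a POSIX ACL: owner, named user, group entries and other, with the mask applied, plus the requirement from the directory section above that every directory on the path grants execute. The getfacl output it parses is constructed to match the ACLs the post sets on /root (Khosro has --x, mask --x) and /root/acltest.txt (Khosro has rwx, mask r--).

```python
# Added example (not the post's code): kernel-style POSIX ACL check over constructed getfacl output.
ACL_DIR = """# owner: root
user::rwx
user:Khosro:--x
group::---
mask::--x
other::---"""
ACL_FILE = """# owner: root
user::rw-
user:Khosro:rwx          #effective:r--
group::r--
mask::r--
other::r--"""

def parse_getfacl(text):
    acl = {"users": {}, "groups": {}}
    for line in text.splitlines():
        body = line.split("#", 1)[0].strip()     # drops '#effective:' annotations
        if line.startswith("# owner:") or line.startswith("# group:"):
            acl[line[2:7] + "_name"] = line.split(":", 1)[1].strip()
        elif body:
            tag, name, perms = body.split(":")
            bits = set(perms) & set("rwx")
            if name:
                acl[tag + "s"][name] = bits      # named user/group entry
            else:
                acl[tag] = bits                  # user::, group::, mask::, other::
    return acl

def can_access(acl, user, groups, wanted):
    """True if 'user' (member of 'groups') gets every permission in 'wanted'."""
    want, mask = set(wanted), acl.get("mask", set("rwx"))
    if user == acl["owner_name"]:
        return want <= acl["user"]              # owner entry is never masked
    if user in acl["users"]:
        return want <= (acl["users"][user] & mask)
    matches = [acl["group"]] if acl.get("group_name") in groups else []
    matches += [b for g, b in acl["groups"].items() if g in groups]
    if matches:                                 # any one matching group entry suffices
        return any(want <= (b & mask) for b in matches)
    return want <= acl["other"]

def path_access(acls, path, user, groups, wanted):
    parts = path.strip("/").split("/")
    for i in range(1, len(parts)):              # need 'x' on each ancestor; "/" assumed traversable
        if not can_access(acls["/" + "/".join(parts[:i])], user, groups, "x"):
            return False
    return can_access(acls[path], user, groups, wanted)

ACLS = {"/root": parse_getfacl(ACL_DIR), "/root/acltest.txt": parse_getfacl(ACL_FILE)}
```

With the r-- mask, path_access(ACLS, "/root/acltest.txt", "Khosro", set(), "w") is False although the entry still says rwx, which is exactly what the #effective:r-- annotation reports.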

That's all.
Hope you enjoyed.
Khosro Taraghi



  2. This is a nice blog; I read it. Here you can try this, like below:
    [root@hostname ~]# tune2fs -l /dev/sda1 //to check the default mount options
    [root@hostname ~]# tune2fs -o +acl /dev/sda1 //to add the default mount option; to remove it, use -acl
    When a partition is created on OS installation, that sets the default ACL also.
    You can get some information from this link below, since you are interested in open source
