6.3 Using ACL’s to Grant and Limit Access

Unless you only need to grant access to one user and one group, the basic owner/group/other permissions are enough. For more complex access control we can use an access control list, known as an ACL.

The ACL Question

We will create a directory for users from several groups to work in.

Start on your machine as root. The following users must exist and have a password greater

  • rick

  • morty

  • summer

  • president

The following groups must exist:

  • science

  • government

The president is part of the government group. Rick, morty and summer should still be part of the science group.

Create the following directory and the following rules must apply:

  • /shared/garage

The directory is owned by the science group and they do science there. The government wants to collaborate with the science group.

However, after several botched experiments it’s determined that morty is too dumb to do science and will be an honorary member without any rights to work on the directory, but he still remains part of the group.

To sum up the directory must be:

  • rwx for science group.

  • morty must have no rights.

  • r for the government group.

  • no other access rights.

  • owner and group of the directory stays root

You will have to add and adjust the ACL (Access Control List) rights on the directory until we have a collaborative directory. We will be using the command setfacl for this, which means set file access control list.

Setting up a collaborative directory for multiple users

First, let's add the science group to the ACL by using -m for modify:

setfacl -m g:science:rwx /shared/garage/

If you add -R to the command like this:

setfacl -Rm g:science:rwx /shared/garage/

it will push the changes recursively to all files and directories inside the garage directory.

You can check your results with getfacl (get file access control list):

getfacl /shared/garage

Now let’s change the default rights so that new directories and files inherit the ACL from the parent directory. Default entries only apply to entries created afterwards, not to files that already exist. This is done by adding d: before the regular syntax.

setfacl -m d:g:science:rwx /shared/garage/

Morty has been banned from doing science, so we will remove his rights specifically.

setfacl -m u:morty:- /shared/garage/

Morty must NEVER have any rights ever again to anything newly created.

setfacl -m d:u:morty:- /shared/garage/

The government wants to see the science being done.

setfacl -m g:government:r /shared/garage

This also needs to be inherited by any child directories or files.

setfacl -m d:g:government:r /shared/garage

And let’s remove all rights for other users (by adding a ; we can put two separate commands on one line).

setfacl -m o::- /shared/garage; setfacl -m d:o:- /shared/garage

Now let’s check the results. Pay attention to the mask entry: it is the upper limit for every named user and group entry, and if it were narrower than an entry, getfacl would mark that entry with #effective: to show the permissions that really apply.

getfacl /shared/garage

Example:

[root@rhcsa shared]# getfacl /shared/garage
getfacl: Removing leading '/' from absolute path names
# file: shared/garage
# owner: root
# group: root
user::rwx
user:morty:---
group::r-x
group:science:rwx
group:goverment:r--
mask::rwx
other::---
default:user::rwx
default:user:morty:---
default:group::r-x
default:group:science:rwx
default:mask::rwx
default:other::---
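An added verification helper, not part of the course text: apply_acls() wraps the exercise's setfacl sequence in one function, and check_acl() compares a getfacl listing against every rule of the exercise, including the root owner/group requirement and the mask condition. The listing embedded in it is constructed to show the intended end state, and the function names and the /shared/garage default are assumptions.

```shell
#!/bin/sh
# Added helper (not part of the course text). apply_acls runs the exercise's
# setfacl sequence (needs root and the acl package); check_acl reads getfacl
# output on stdin and verifies every rule, so it also works on a saved listing.
apply_acls() {
    dir=${1:-/shared/garage}
    setfacl -m g:science:rwx "$dir" && setfacl -m d:g:science:rwx "$dir" &&
    setfacl -m u:morty:- "$dir" && setfacl -m d:u:morty:- "$dir" &&
    setfacl -m g:government:r "$dir" && setfacl -m d:g:government:r "$dir" &&
    setfacl -m o::- "$dir" && setfacl -m d:o:- "$dir"
}

# Entries the exercise requires, spelled exactly as getfacl prints them.
REQUIRED='user:morty:--- group:science:rwx group:government:r-- other::---
default:user:morty:--- default:group:science:rwx default:group:government:r-- default:other::---'

# Prints each missing entry and returns 1 if any rule fails. An entry the mask
# cuts down carries a "#effective:" suffix in getfacl output, so it is flagged.
check_acl() {
    acl=$(cat)
    rc=0
    for want in $REQUIRED; do
        printf '%s\n' "$acl" | grep -qxF -- "$want" || { echo "missing: $want"; rc=1; }
    done
    printf '%s\n' "$acl" | grep -qx '# owner: root' || { echo "owner is not root"; rc=1; }
    printf '%s\n' "$acl" | grep -qx '# group: root' || { echo "group is not root"; rc=1; }
    printf '%s\n' "$acl" | grep -q '#effective:' && { echo "mask limits a named entry"; rc=1; }
    return $rc
}

# Constructed listing of the intended end state (not captured from a real host).
SAMPLE='# owner: root
# group: root
user::rwx
user:morty:---
group::r-x
group:science:rwx
group:government:r--
mask::rwx
other::---
default:user::rwx
default:user:morty:---
default:group::r-x
default:group:science:rwx
default:group:government:r--
default:mask::rwx
default:other::---'
printf '%s\n' "$SAMPLE" | check_acl && echo "listing satisfies every rule"
# live check on a real system: getfacl /shared/garage | check_acl
```

Run against the example listing shown above, it reports both government entries as missing, since that listing spells the group goverment and contains no default entry for it.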