
04 Extending Permissions ACLs

The document discusses access control lists (ACLs) in Linux file systems. It covers configuring and checking ACLs, setting default ACLs on directories, and adding or removing ACL entries on files and directories. ACLs provide more granular control over file permissions than traditional UNIX permissions alone.

Uploaded by

hiruzen

####################################

Extending Permissions with ACLs


####################################

1. ACL Support within the kernel and Filesystems

The kernel config file lists what is supported within the kernel

# ls /boot/config-*

To find the kernel version


# uname -r

Automate the kernel support verification


# grep ACL /boot/config-$(uname -r)

With ACL support in the kernel, there is no need to enable it separately in the filesystem

$ sudo tune2fs -l /dev/sdb6 | grep -i default


Default mount options: user_xattr acl
Default directory hash: half_md4

2. Listing Filesystems ACLs

The dot "." at the end of the permission string in "ls -l" indicates ACL support.
The "+" symbol indicates that an ACL is configured on the file or directory.

Get the configured ACL

$ getfacl part.sh
# file: part.sh
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

An ACL adds more permissions than the default ones.

We can set an ACL on a directory instead of on the file, so that new files inherit it.

3. Setting Default ACLs

$ mkdir test-acl
$ ls -ld test-acl/
drwxrwxr-x. 2 hux hux 6 23 juin 21:12 test-acl/
$ getfacl test-acl/
# file: test-acl/
# owner: hux
# group: hux
user::rwx
group::rwx
other::r-x

Set default ACL for the directory


$ setfacl -m d:o:--- test-acl/
$ getfacl test-acl/
# file: test-acl/
# owner: hux
# group: hux
user::rwx
group::rwx
other::r-x
default:user::rwx
default:group::rwx
default:other::---

Options:
-m: modify ACL
d:o:--- (d = default, o = other, --- = permission code)

This ACL does not apply to the directory itself but to new files created within it.
"ls -l" will now show the "+" symbol.

$ ls -ld test-acl/
drwxrwxr-x+ 2 hux hux 32 23 juin 21:24 test-acl/

Add an additional entry to the default ACL

$ setfacl -dm u:bob:rw test-acl/ # user bob must exist on the system

See the ACL


$ getfacl test-acl/
# file: test-acl/
# owner: hux
# group: hux
user::rwx
group::rwx
other::r-x
default:user::rwx
default:user:bob:rw-
default:group::rwx
default:mask::rwx
default:other::---

Create a new file and look at the ACL


$ touch test-acl/file2

$ ls -l test-acl/
total 0
-rw-rw----. 1 hux hux 0 23 juin 21:18 file1
-rw-rw----+ 1 hux hux 0 23 juin 21:24 file2
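
The inheritance shown above, as an added example that is not part of the original notes: the functions below apply the acl(5) file-creation rules to the default entries of test-acl/ and reproduce the "rw-rw----+" that "ls -l" prints for file2. The names inherit_acl and ls_mode are hypothetical; only POSIX awk is assumed.

```shell
# Added example (not from the original notes). Both functions read ACL text on stdin.
# inherit_acl MODE: access ACL a new file receives from a directory default ACL.
# MODE is the mode requested at creation, nine rwx characters (touch asks for
# 0666, "rw-rw-rw-"). With a default ACL present the umask is not applied.
inherit_acl() {
    awk -v mode="$1" '
    function both(a, b,   i, out) {   # permissions present in both a and b
        for (i = 1; i <= 3; i++)
            out = out (substr(a, i, 1) == substr(b, i, 1) ? substr(b, i, 1) : "-")
        return out
    }
    /^default:/ { sub(/^default:/, ""); line[++n] = $0; if (/^mask:/) has_mask = 1 }
    END {
        for (k = 1; k <= n; k++) {
            split(line[k], f, ":")    # f[1]=tag, f[2]=qualifier, f[3]=permissions
            p = substr(f[3], 1, 3)
            if (f[1] == "user" && f[2] == "")               p = both(p, substr(mode, 1, 3))
            if (f[1] == "mask")                             p = both(p, substr(mode, 4, 3))
            if (f[1] == "group" && f[2] == "" && !has_mask) p = both(p, substr(mode, 4, 3))
            if (f[1] == "other")                            p = both(p, substr(mode, 7, 3))
            print f[1] ":" f[2] ":" p
        }
    }'
}

# ls_mode: the permission characters "ls -l" prints for an access ACL. The group
# column shows the mask when one exists; "+" marks an extended ACL.
ls_mode() {
    awk -F: '
    /^#/ || NF < 3            { next }
                              { p = substr($3, 1, 3) }
    $1 == "user"  && $2 == "" { u = p }
    $1 == "group" && $2 == "" { g = p }
    $1 == "mask"              { m = p; ext = 1 }
    $1 == "other"             { o = p }
    $2 != ""                  { ext = 1 }
    END { printf "%s%s%s%s\n", u, (m != "" ? m : g), o, (ext ? "+" : "") }'
}

# Default entries of test-acl/ as printed by getfacl in the notes above.
DIR_ACL='default:user::rwx
default:user:bob:rw-
default:group::rwx
default:mask::rwx
default:other::---'

printf '%s\n' "$DIR_ACL" | inherit_acl rw-rw-rw- | ls_mode   # file2 in the listing
```

Note that group::rwx survives unchanged on the new file: it is the mask, not the group entry, that is cut down to rw- and shown in the group column.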

4. Adding ACL entries


[root@server1 ~]# mkdir /work
[root@server1 ~]#
[root@server1 ~]# ls -ld work
ls: impossible d'accéder à work: Aucun fichier ou dossier de ce type
[root@server1 ~]#
[root@server1 ~]# ls -ld /work
drwxr-xr-x. 2 root root 6 23 juin 21:36 /work
[root@server1 ~]#
[root@server1 ~]# chmod o= /work/
[root@server1 ~]#
[root@server1 ~]# su - hux
Dernière connexion : vendredi 23 juin 2023 à 21:01:06 CEST de 10.201.86.1 sur pts/1
[hux@server1 ~]$
[hux@server1 ~]$ cd /work/
-bash: cd: /work/: Permission non accordée
[hux@server1 ~]$
[hux@server1 ~]$ exit
déconnexion
[root@server1 ~]#
[root@server1 ~]# setfacl -m u:hux:rx /work/
[root@server1 ~]#
[root@server1 ~]# getfacl /work/
getfacl : suppression du premier « / » des noms de chemins absolus
# file: work/
# owner: root
# group: root
user::rwx
user:hux:r-x
group::r-x
mask::r-x
other::---

[root@server1 ~]# su - hux


Dernière connexion : vendredi 23 juin 2023 à 21:37:37 CEST sur pts/1
[hux@server1 ~]$ cd /work/
[hux@server1 work]$ touch test
touch: impossible de faire un touch « test »: Permission non accordée
[hux@server1 work]$ ls -l
total 0
[hux@server1 work]$

[root@server1 ~]# setfacl -m u:hux:rw /work/file1


[root@server1 ~]#
[root@server1 ~]# su - hux
Dernière connexion : vendredi 23 juin 2023 à 21:39:35 CEST sur pts/1
[hux@server1 ~]$
[hux@server1 ~]$ cd /work/
[hux@server1 work]$
[hux@server1 work]$ echo hello >> file1
[hux@server1 work]$
[hux@server1 work]$ cat file1
file1
hello
[hux@server1 work]$ cat file2
cat: file2: Permission non accordée
[hux@server1 work]$
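
Why "cd /work" succeeds for hux while "touch test" is refused, as an added example that is not part of the original notes: the access-check order from acl(5) (owner, named user, groups, other, with the mask capping named and group entries) run over the getfacl output of /work. acl_check is a hypothetical helper name; only POSIX awk is assumed.

```shell
# Added example (not from the original notes): acl(5) access check over getfacl text on stdin.
# acl_check USER GROUPS WANT; GROUPS is comma-separated, WANT is e.g. "w" or "rx".
# Exit status 0 = granted, 1 = denied. The capability override of root is not modelled.
acl_check() {
    awk -v who="$1" -v grps="$2" -v want="$3" '
    function has(p,   i) {             # does p contain every character of want?
        for (i = 1; i <= length(want); i++)
            if (index(p, substr(want, i, 1)) == 0) return 0
        return 1
    }
    /^# owner: / { owner = $3; next }
    /^# group: / { fgroup = $3; next }
    /^#/ || /^default:/ || !/:/ { next }
    {
        split($0, f, ":"); p = substr(f[3], 1, 3)
        if      (f[1] == "user"  && f[2] == "") uobj = p
        else if (f[1] == "user")                named[f[2]] = p
        else if (f[1] == "group" && f[2] == "") gobj = p
        else if (f[1] == "group")               grp[f[2]] = p
        else if (f[1] == "mask")                mask = p
        else if (f[1] == "other")               other = p
    }
    END {
        if (mask == "") mask = "rwx"   # no mask entry: nothing caps the group class
        if (who == owner)      ok = has(uobj)
        else if (who in named) ok = has(named[who]) && has(mask)
        else {
            n = split(grps, g, ","); matched = 0; ok = 0
            for (k = 1; k <= n; k++) {
                if (g[k] == fgroup) { matched = 1; if (has(gobj) && has(mask)) ok = 1 }
                if (g[k] in grp)    { matched = 1; if (has(grp[g[k]]) && has(mask)) ok = 1 }
            }
            if (!matched) ok = has(other)   # "other" applies only when no group matched
        }
        exit !ok
    }'
}

# getfacl output for /work as shown in the session above.
WORK_ACL='# file: work/
# owner: root
# group: root
user::rwx
user:hux:r-x
group::r-x
mask::r-x
other::---'

printf '%s\n' "$WORK_ACL" | acl_check hux hux w || echo "hux: write to /work denied"
```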

5. Remove ACLs

Remove individual entry

# cd /work/
# setfacl -x u:hux file1
# ls -l
total 8
-rw-r-----+ 1 root root 12 23 juin 21:44 file1
-rw-r-----. 1 root root 6 23 juin 21:42 file2
# getfacl file1
# file: file1
# owner: root
# group: root
user::rw-
group::r--
mask::r--
other::---

Remove all entries

# setfacl -b file1

Options:
-x : remove individual entries
-b : delete the entire ACL
