After completing this section, you should be able to:
Change regular ACL file permissions using setfacl.
Control default ACL file permissions for new files and directories.
Use setfacl to add, modify, or remove standard ACLs on files and directories.
ACLs use the normal file system representation of permissions, "r" for read permission, "w" for write permission, and "x" for execute permission.
A "-" (dash) indicates that the relevant permission is absent.
When (recursively) setting ACLs, an uppercase "X" can be used to indicate that execute permission should only be set on directories and not regular files, unless the file already has the relevant execute permission.
This is the same behavior as chmod.
Adding or Modifying ACLs
ACLs can be set via the command-line using the -m option, or passed in via a file using the -M option (use "-" (dash) instead of a file name for stdin).
These two options are the "modify" options; they add new ACL entries or replace specific existing ACL entries on a file or directory.
Any other existing ACL entries on the file or directory remain untouched.
Use the --set or --set-file options to completely replace the ACL settings on a file.
When first defining an ACL on a file, if the add operation does not include settings for the file owner, group owner, or other permissions, then these will be set based on the current standard file permissions (these are also known as the base ACL entries and cannot be deleted), and a new mask value will be calculated and added as well.
To add or modify a user or named user ACL:
[user@host ~]$ setfacl -m u:name:rX file
If name is left blank, then it applies to the file owner, otherwise name can be a username or UID value.
In this example, the permissions granted are read-only plus execute if the file already has it (or, if file is a directory, execute is set so that the directory can be searched).
ACL file owner and standard file owner permissions are equivalent; consequently, using chmod on the file owner permissions is equivalent to using setfacl on the file owner permissions. chmod has no effect on named users.
To add or modify a group or named group ACL:
[user@host ~]$ setfacl -m g:name:rw file
This follows the same pattern for adding or modifying a user ACL entry.
If name is left blank, then it applies to the group owner.
Otherwise, specify a group name or GID value for a named group.
The permissions would be read and write in this example.
chmod has no effect on any group permissions for files with ACL settings, but it updates the ACL mask.
To add or modify the other ACL:
[user@host ~]$ setfacl -m o::- file
other only accepts permission settings.
Typical permission settings for others are: no permissions at all, set with a dash (-); and read-only permissions set as usual with r.
Of course, you can set any of the standard permissions.
ACL other and standard other permissions are equivalent, so using chmod on the other permissions is equivalent to using setfacl on the other permissions.
You can add multiple entries with the same command; use a comma-separated list of entries:
[user@host ~]$ setfacl -m u::rwx,g:consultants:rX,o::- file
This sets the file owner to read, write, and execute, sets the named group consultants to read-only and conditional execute, and restricts all other users to no permissions.
The group owner maintains existing file or ACL permissions and other "named" entries remain unchanged.
Using getfacl as Input
You can use the output from getfacl as input to setfacl:
[user@host ~]$ getfacl file-A | setfacl --set-file=- file-B
The --set-file option accepts input from a file or from stdin.
The dash character (-) specifies the use of stdin.
In this case, file-B will have the same ACL settings as file-A.
Setting an Explicit ACL Mask
You can set an ACL mask explicitly on a file or directory to limit the maximum effective permissions for named users, the group owner, and named groups. This restricts any existing permissions that exceed the mask, but does not affect permissions that are less permissive than the mask.
[user@host ~]$ setfacl -m m::r file
This adds a mask value that restricts any named users, the group owner, and any named groups to read-only permission, regardless of their existing settings.
The file owner and other users are not impacted by the mask setting.
getfacl shows an #effective: comment beside entries that are restricted by a mask setting.
By default, each time one of the impacted ACL settings (named users, group owner, or named groups) is modified or deleted, the ACL mask is recalculated, potentially resetting a previous explicit mask setting.
To avoid the mask recalculation, use the -n option or include a mask setting (-m m::perms) with any setfacl operation that modifies mask-affected ACL settings.
Recursive ACL Modifications
When setting an ACL on a directory, use the -R option to apply the ACL recursively.
Remember that you are likely to want to use the "X" (capital X) permission with recursion so that files with the execute permission set retain the setting and directories get the execute permission set to allow directory search.
It is considered good practice to also use the uppercase "X" when non-recursively setting ACLs because it prevents administrators from accidentally adding execute permissions to a regular file.
[user@host ~]$ setfacl -R -m u:name:rX directory
This adds the user name to the directory directory and all existing files and subdirectories, setting read-only and conditional execute permissions.
Deleting ACLs
Deleting specific ACL entries follows the same basic format as the modify operation, except that ":perms" is not specified.
[user@host ~]$ setfacl -x u:name,g:name file
This removes only the named user and the named group from the file or directory ACL. Any other existing ACL entries remain active.
You can include both the delete (-x) and modify (-m) operations in the same setfacl operation.
The mask can only be deleted if there are no other ACLs set (excluding the base ACL, which cannot be deleted), so it must be deleted last.
The file will no longer have any ACLs, and ls -l will not show the plus sign (+) next to the permissions string.
Alternatively, to delete all ACL entries on a file or directory (including default ACL on directories), use the following command:
[user@host ~]$ setfacl -b file
To ensure that files and directories created within a directory inherit certain ACLs, use the default ACL on a directory. You can set a default ACL and any of the standard ACL settings, including a default mask.
The directory itself still requires standard ACLs for access control because the default ACLs do not implement access control for the directory; they only provide ACL permission inheritance support. For example:
[user@host ~]$ setfacl -m d:u:name:rx directory
This adds a default named user (d:u:name) with read-only permission and execute permission on subdirectories.
The setfacl command for adding a default ACL for each of the ACL types is exactly the same as for standard ACLs, but prefaced with d:.
Alternatively, use the -d option on the command line.
When setting default ACLs on a directory, ensure that users will be able to access the contents of new subdirectories created in it by including the execute permission on the default ACL.
Users will not automatically get the execute permission set on newly created regular files because, unlike new directories, the ACL mask of a new regular file is rw-.
New files and new subdirectories continue to get their owner UID and primary group GID values set from the creating user, except when the parent directory setgid flag is enabled, in which case the primary group GID is the same as the parent directory GID.
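The mask rule from "Setting an Explicit ACL Mask" and the default ACL inheritance rule above, modelled in Python as an added example (not part of the course text). It works on constructed getfacl-style listings, so it needs neither setfacl nor an ACL-enabled file system. The creation modes it assumes (0777 for a new directory, 0666 for a new regular file) are the usual defaults rather than something the text specifies, and it applies them to the owner and other entries as well as the mask.

```python
# Constructed getfacl output for a file with an explicit mask of r-- (see "Setting an Explicit ACL Mask").
REPORT_ACL = "# file: report\nuser::rw-\nuser:bob:rwx\ngroup::rw-\ngroup:consultants:r-x\nmask::r--\nother::---\n"

# Constructed getfacl output for a directory whose default ACL grants the named user bob rwx.
SHARED_DIR_ACL = ("# file: shared\nuser::rwx\ngroup::rwx\nother::r-x\n"
                  "default:user::rwx\ndefault:user:bob:rwx\ndefault:group::r-x\n"
                  "default:mask::rwx\ndefault:other::r-x\n")

def parse(listing):
    """Split getfacl output into (tag, perms) pairs such as ('user:bob:', 'rwx')."""
    entries = []
    for line in listing.splitlines():
        line = line.split("#", 1)[0].strip()   # drop '# file:' and '#effective:' comments
        if line:
            tag, _, perms = line.rpartition(":")
            entries.append((tag + ":", perms))
    return entries

def intersect(perms, limit):
    return "".join(p if p == m else "-" for p, m in zip(perms, limit))

def effective(listing):
    """Return (tag, stored perms, effective perms) for every entry in the listing."""
    entries = parse(listing)
    mask = dict(entries).get("mask::")
    def masked(tag):   # the mask limits named users, the group owner and named groups only
        return tag.startswith("group:") or (tag.startswith("user:") and tag != "user::")
    return [(tag, perms, intersect(perms, mask) if mask and masked(tag) else perms)
            for tag, perms in entries]

def render(listing):
    """Annotate mask-restricted entries the way getfacl does, with '#effective:'."""
    return "\n".join(tag + perms + (f"\t#effective:{eff}" if eff != perms else "")
                     for tag, perms, eff in effective(listing))

def inherited_acl(dir_listing, is_dir):
    """Access ACL a new object receives from the directory's default: entries, assuming
    the usual creation modes (0777 for mkdir, 0666 for a file): owner, mask and other are
    intersected with those bits, so a new file's mask is rw- and never inherits execute."""
    mode = "rwx" if is_dir else "rw-"
    lines = []
    for tag, perms in parse(dir_listing):
        if tag.startswith("default:"):
            tag = tag[len("default:"):]
            if tag in ("user::", "mask::", "other::"):
                perms = intersect(perms, mode)
            lines.append(tag + perms)
    return effective("\n".join(lines))
```

Printing render(REPORT_ACL) shows bob, the group owner and consultants cut to r-- while the owner and other entries keep their stored permissions; inherited_acl(SHARED_DIR_ACL, False) shows why bob is limited to rw- on a new file but keeps rwx on a new subdirectory.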
Deleting Default ACL Entries
Delete a default ACL the same way that you delete a standard ACL, prefacing with d:, or use the -d option.
[user@host ~]$ setfacl -x d:u:name directory
This removes the default ACL entry that was added in the previous example.
To delete all default ACL entries on a directory, use setfacl -k directory.
acl(5), setfacl(1), and getfacl(1) man pages