Securing Files & Directories using ACLs in Linux

Our top priority is to secure and protect data from unauthorized access. We are all aware of the permissions we set using some handy Linux commands like chmod, chown & chgrp. However, these default permissions sets have some limitations and at times do not work to meet our requirements. For example, we cannot set different permissions sets for different users on the same directory or file. This is where Access Control Lists (ACLs) come into place.
 
Linux Access Control Lists
Let’s say, you have two users, ‘user1‘, and ‘user2‘. Each having a common group say ‘qhgroup’. User ‘user1‘ want that only ‘user2‘ user can read and access files owned by ‘user1‘ and no one else should have any access to that.
 
ACLs (Access Control Lists) enable us to do the above trick. These ACLs allow us to grant permissions to a user, group, and any set of users that are not in a user’s group list.

How to Check ACL Support in Linux Systems

Before proceeding, you must have support for ACLs on the current Kernel and mounted file systems.
Run the following command to check ACL Support for file system and POSIX_ACL=Y option (if there is N instead of Y, then it means Kernel doesn’t support ACL and needs to be recompiled).
 
[root@quantumhost ~]# grep -i acl /boot/config*

CONFIG_EXT4_FS_POSIX_ACL=y
CONFIG_REISERFS_FS_POSIX_ACL=y
CONFIG_JFS_POSIX_ACL=y
CONFIG_XFS_POSIX_ACL=y
CONFIG_BTRFS_FS_POSIX_ACL=y
CONFIG_F2FS_FS_POSIX_ACL=y
CONFIG_FS_POSIX_ACL=y
CONFIG_TMPFS_POSIX_ACL=y
CONFIG_JFFS2_FS_POSIX_ACL=y
CONFIG_NFS_V3_ACL=y
CONFIG_NFSD_V2_ACL=y
CONFIG_NFSD_V3_ACL=y
CONFIG_NFS_ACL_SUPPORT=m
CONFIG_CEPH_FS_POSIX_ACL=y
CONFIG_CIFS_ACL=y
CONFIG_9P_FS_POSIX_ACL=y


Install Required Packages

Before starting playing with ACLs make sure that you have the required packages installed. Assuming you are on a Debian based system
 
[root@quantumhost ~]# apt-get install nfs4-acl-tools acl

 

Check Mounted File System for ACLs Support

Now, check the mounted file system that whether it is mounted with the ACL option or not. We can use ‘mount‘ command for checking the same as shown below.

[root@quantumhost ~]# mount | grep -i /dev/sda1

/dev/sda1 on / type ext4 (rw,relatime,errors=remount-ro)

 
But in our case ACL is not shown by default. So, following we have the option to remount the mounted partition using the ACL option. But, before we continue, we have one more option to make sure the partition is mounted with the ACL option or not, because for the recent system it can be integrated with the default mount option as this is in our case.
 
[root@quantumhost ~]# tune2fs -l /dev/sda1 | grep acl
Default mount options: user_xattr acl
In the above output, you can see that the default mount option already has support for ACL.
 


Before Setting Default ACLs
To determine the default ACLs for a specific file or directory, use the ‘getfacl‘ command. In the example below, the getfacl is used to get the default ACLs for a folder ‘Music‘.
 
[root@quantumhost ~]# getfacl Music/

# file: Music/
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::r-x
default:other::rw-

 
Setting Default ACLs
To set the default ACLs for a specific file or directory, use the ‘setfacl‘ command. In the example below, the setfacl command will set a new ACLs (read and execute) on a folder ‘Music’.
 
[root@quantumhost ~]# setfacl -m d:o:rx Music/

 
Show permissions after setting the ACLs

[root@quantumhost ~]# getfacl Music/

# file: Music/
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::r-x
default:other::r-x


How to Set New ACLs on a File

Use the ‘setfacl’ command for setting or modifying on any file or directory. For example, to give read and write permissions to user ‘user1‘ on a file.
  
# setfacl -m u:user1:rw /user1/file
 


How to Set New ACLs on a Folder

Use the ‘setfacl’ command for setting or modifying any file or directory. For example, to give readwrite and execute permissions to user ‘user1‘ on a folder recursively.
  
# setfacl -Rm u:user1:rwx /user1/folder
 


How to View ACLs

Use the ‘getfacl‘ command for viewing ACL on any file or directory. For example, to view ACL on ‘/user1/file‘ use below command.
 
# getfacl /user1/file

# file: /user1/file
# owner: user1
# group: user1
user::rwx
user:user1:rwx
group::rwx
mask::rwx
other::---


How to Remove ACLs

For removing ACL from any file/directory, we use x and b options as shown below.
 
Remove only specified ACL from file/directory;
 
# setfacl -x ACL file/directory


Removing all ACL from file/directory

# setfacl -b file/directory


Note
: After implementing ACL, you will see an extra ‘+‘ sign for ‘ls –l’ output as below.
 
[root@quantumhost user1]# ls -la

total 4
drwxrwx---+ 2 user1 user1 4096 Apr 17 17:01 file
  • 0 Users Found This Useful
Was this answer helpful?

Related Articles

How to ban any IP Address via .htaccess?

If someone is trying to hack your website or you want to block their IP Address, you can add this...

How to disable directory browsing using .htaccess?

For security purposes, we recommend that you disable directory browsing on your website so no one...

How to protect your .htaccess file?

For security purposes, we recommend you to prevent access to your .htaccess file from...

How to restrict directory access by IP address?

To secure your admin area from hackers, we recommend that you allow access only from a selected...

How to protect a folder with username and password in cPanel?

You can lock a directory with a password by using the cPanel Password Protected Directories...

Powered by WHMCompleteSolution