Deployment Guide: Permission Slips

By default, Linux inherited the conventional file-ownership and access-permission model used for years in Unix operating systems, but for many tasks, controlling access to files and directories using standard Unix file permissions is cumbersome and restrictive. Each file and directory has three access classes, and each access class has associated read (r), write (w), and execute (x) permission bits. If they are the owner of the file, they use permissions set for the user access class; if they belong to the same group owning the file, they use permissions set for the group; all other users fall into the other or world access class.

This model prevents administrators from having fine-grained control over file and directory access. Unix groups normally consist of tens of users--hundreds in large deployments--which doesn't leave you many options if you want to limit access. However, you can use file access control lists (ACLs) to overcome this model's limitations, which gives you the ability to control exactly which permissions are given to each user or group.

Using Linux ACLs lets you define read, write and execute permissions for specific users and groups that are not the respective owners of the file. You can control access rights to a limited group of people for all files and directories. Directories allow an additional type of ACL--called the default ACL--and when enforced, are automatically inherited by all files inside that directory. Multiple ACLs per file or directory are not allowed; each file has one ACL, which must be configured on a file-by-file basis.

Real-World ExamplesIn the Step by Step box (right), we demonstrate two examples common in the enterprise. In the first, we examine the ability to give a single user read and write permissions to a single file. The user who owns the file uses the user-class permission model familiar to Linux users. Any additional users would be granted permissions using file ACLs.

In the second example, we examine a Web site directory in which all files will inherit ACLs, so the Apache user running the site can have read access to the files, but not everyone in the other access class will. Although this limits exposure to the files within the Linux filesystem to the owner and the Apache user, all users will have access to the files through a Web browser. This setup offers no additional security, but it allows logging via Apache for all users who access the file.

Configuring Linux Filesystems

To enable ACLs to work in Linux, the filesystem must be configured and mounted with ACL support. To accomplish this on an ext3 filesystem, you must run the tune2fs on the unmounted filesystem, like this:

tune2fs -o acl /dev/sda1Or, you can mount the filesystem with ACL support via the /etc/fstab file by adding the ACL mount option:

/dev/sda1 /data ext3 defaults,acl 1 2

The setfacl command sets file-level ACLs on Linux filesystems. Users can enforce access control lists on files and directories and set directory-level ACLs inherited by files contained inside them--the default ACLs. The getfacl command shows the access control lists set for files and directories.

Supported Applications

Linux commands like cp, mv, ls and vi support access control lists in RHEL (Red Hat Enterprise Linux) 4.0. Compatible software packages will support filesystem access control lists. Apache, as demonstrated here, does support file ACLs with the version included with RHEL 4.0. The RHEL-provided samba rpm has been compiled with ACL support, so ACLs will be maintained when connecting to shares from Windows. NFS (Network File System), as delivered from Red Hat, exports ACLs and will be used if the client system supports ACLs.Pitfalls

Linux backup utilities like dump and tar do not support ACLs, but Red Hat has provided the star utility to perform effective backups of ACL mounted filesystems. Furthermore, commercial backup products may not support ACLs as well--be sure to check the documentation. The star command is similar to tar, but you'll have to refer to the man page for its particular options. Filesystems with ACL support have extended options set in the filesystem superblock--older kernels may not enforce ACLs and early versions of filesystem consistency tools like fsck will refuse to work. *

1 Using the tune2fs command, we set the logical volume data.fs to be mounted using access control lists by default. Although not required, we also edited the /etc/fstab file to mount the filesystem with ACL capability.

2 Using the setfacl command, the user cbeers grants read permission to the user nwcuser. Notice the permission bits are the familiar Unix format, but there is a + at the end of the permission bits, indicating that access control lists are used on this file. Using setfacl -m instructs setfacl to modify the current ACL. Setfacl expects ACLs in the format [u[ser]:]uid [:perms] and g[roup]:gid [:perms].

3 As the nwcuser, we are now able to read the file testfile.txt owned by cbeers using Linux access control lists. Using getfacl, you can see the permissions for read access are given to the nwcuser through an ACL. The mask line indicates the maximum permissions for named users and groups within the ACL.

Example 2

1Using the setfacl command, a default (or inherited) access control list is placed on the htdocs directory. The default ACL gives the Apache user read access to any file placed in the htdocs directory. After creating an index.html file, it inherits the default ACL placed on the directory. Changing the default ACL on the htdocs directory will automatically change all inherited ACLs on files contained in that directory.2The getfacl command shows the default access control list information for the htdocs directory. Notice there is a default ACL for the user Apache with read access. If you grant named users or groups within a directory that has default ACL, the file will use all ACLs.-->

Christopher T. Beers is a contributing editor and manager of systems operations for a large broadband ISP, where he oversees daily operations of high-speed data and VoIP for the Northeast U.S., including Solaris and Linux administration. Write to him at [email protected].