Enable Support for ACL in Debian / Ubuntu


Access Control Lists (ACLs) provide a much more flexible way of specifying permissions on a file or other object than the standard Unix owner/group/other system. Windows users are used to being able to create complicated access control lists on files and folders, because ACL support has been built into the NTFS file system from the beginning. Many Linux users think they are limited to the standard Unix permission scheme, but that is not true: in Linux we can also use ACLs, we just need to mount the file system with the proper options. ACLs are available for ext2, ext3, ext4, reiserfs and several other file systems. Since the 2.6 kernel the ACL extension is compiled in by default on Debian, Ubuntu and several other major distributions.

First we check whether our kernel supports ACLs:

root@nagios:/boot# cat config-2.6.32-5-amd64 | grep _ACL 
CONFIG_EXT2_FS_POSIX_ACL=y
CONFIG_EXT3_FS_POSIX_ACL=y
CONFIG_EXT4_FS_POSIX_ACL=y
CONFIG_REISERFS_FS_POSIX_ACL=y
CONFIG_JFS_POSIX_ACL=y
CONFIG_FS_POSIX_ACL=y
CONFIG_XFS_POSIX_ACL=y
CONFIG_OCFS2_FS_POSIX_ACL=y
CONFIG_BTRFS_FS_POSIX_ACL=y
CONFIG_GENERIC_ACL=y
CONFIG_TMPFS_POSIX_ACL=y
CONFIG_JFFS2_FS_POSIX_ACL=y
CONFIG_NFS_V3_ACL=y
CONFIG_NFSD_V2_ACL=y
CONFIG_NFSD_V3_ACL=y
CONFIG_NFS_ACL_SUPPORT=m

Next we install the acl package, which contains the two tools for modifying ACLs in Linux: setfacl and getfacl.

root@nagios:/boot# apt-get install acl 
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  acl
0 upgraded, 1 newly installed, 0 to remove and 15 not upgraded.
Need to get 65.9 kB of archives.
After this operation, 303 kB of additional disk space will be used.
Get:1 http://ftp.debian.org/debian/ squeeze/main acl amd64 2.2.49-4 [65.9 kB]
Fetched 65.9 kB in 0s (194 kB/s)
Selecting previously deselected package acl.
(Reading database ... 24924 files and directories currently installed.)
Unpacking acl (from .../acl_2.2.49-4_amd64.deb) ...
Processing triggers for man-db ...
Setting up acl (2.2.49-4) ...

Next we check which file systems we have mounted:

root@nagios:/boot# mount 
/dev/sda1 on / type ext3 (rw,errors=remount-ro)
tmpfs on /lib/init/rw type tmpfs (rw,nosuid,mode=0755)
proc on /proc type proc (rw,noexec,nosuid,nodev)
sysfs on /sys type sysfs (rw,noexec,nosuid,nodev)
udev on /dev type tmpfs (rw,mode=0755)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
devpts on /dev/pts type devpts (rw,noexec,nosuid,gid=5,mode=620)
/dev/sda7 on /home type ext3 (rw)
/dev/sda8 on /tmp type ext3 (rw)
/dev/sda5 on /usr type ext3 (rw)
/dev/sda6 on /var type ext3 (rw)

As we can see, acl is not enabled on any file system. For testing purposes we will enable ACLs on /dev/sda6, which is mounted as /var:

root@nagios:/boot# mount -o remount,acl /dev/sda6

We issue the mount command again to confirm that the remount worked:

root@nagios:/boot# mount 
/dev/sda1 on / type ext3 (rw,errors=remount-ro)
tmpfs on /lib/init/rw type tmpfs (rw,nosuid,mode=0755)
proc on /proc type proc (rw,noexec,nosuid,nodev)
sysfs on /sys type sysfs (rw,noexec,nosuid,nodev)
udev on /dev type tmpfs (rw,mode=0755)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
devpts on /dev/pts type devpts (rw,noexec,nosuid,gid=5,mode=620)
/dev/sda7 on /home type ext3 (rw)
/dev/sda8 on /tmp type ext3 (rw)
/dev/sda5 on /usr type ext3 (rw)
/dev/sda6 on /var type ext3 (rw,acl)

To make that change permanent across reboots we need to edit /etc/fstab:

# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
proc            /proc           proc    defaults        0       0
# / was on /dev/sda1 during installation
UUID=d4977967-ac85-48db-8264-f911d8b7699f /               ext3    errors=remount-ro 0       1
# /home was on /dev/sda7 during installation
UUID=a90cca7e-3f6c-4142-ac21-8a7dcdfb53a3 /home           ext3    defaults        0       2
# /tmp was on /dev/sda8 during installation
UUID=0ba9ec0b-f8b0-4fdc-a850-2c19181ef092 /tmp            ext3    defaults        0       2
# /usr was on /dev/sda5 during installation
UUID=adbfd242-fce5-49a0-89dd-15bd71b93458 /usr            ext3    defaults        0       2
# /var was on /dev/sda6 during installation
UUID=fc79a873-a864-45ff-9537-8d6b868bc4bc /var            ext3    acl,defaults        0       2
# swap was on /dev/sda9 during installation

The change is simple and straightforward: we just add "acl," before the defaults option of each file system on which we would like to use access control lists.

To check that it works, we restart the server using shutdown -r now:

root@nagios:~# shutdown -r now

Broadcast message from root@nagios (pts/0) (Tue Jul 19 16:58:29 2011):

The system is going down for reboot NOW!

After the system has restarted, we confirm using the mount command that the acl option was used to mount /dev/sda6:

root@nagios:~# mount 
/dev/sda1 on / type ext3 (rw,errors=remount-ro)
tmpfs on /lib/init/rw type tmpfs (rw,nosuid,mode=0755)
proc on /proc type proc (rw,noexec,nosuid,nodev)
sysfs on /sys type sysfs (rw,noexec,nosuid,nodev)
udev on /dev type tmpfs (rw,mode=0755)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
devpts on /dev/pts type devpts (rw,noexec,nosuid,gid=5,mode=620)
/dev/sda7 on /home type ext3 (rw)
/dev/sda8 on /tmp type ext3 (rw)
/dev/sda5 on /usr type ext3 (rw)
/dev/sda6 on /var type ext3 (rw,acl)

As we can see /dev/sda6 was mounted with acl enabled.
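The same verification done from a script, as an added example that is not part of the original post: it parses the "DEV on MOUNTPOINT type FS (OPTIONS)" lines that mount(8) prints above and reports whether a given mount point carries the acl option. The sample mount output embedded below is constructed from the listing above so the functions can be exercised without a real system.

```shell
#!/bin/sh
# Added example, not from the original post: check from a script whether a
# mount point carries the "acl" option, by parsing the "DEV on MP type FS (OPTS)"
# lines that mount(8) prints.  The option is matched as a whole token, so
# "noacl" or "errors=remount-ro" never count as "acl".

# Constructed sample, modelled on the mount output shown in the post.
SAMPLE_MOUNTS='/dev/sda1 on / type ext3 (rw,errors=remount-ro)
/dev/sda7 on /home type ext3 (rw)
/dev/sda6 on /var type ext3 (rw,acl)
/dev/sda8 on /tmp type ext3 (rw,noacl)'

# acl_status MOUNTPOINT [MOUNT_OUTPUT]
# Prints "enabled" (exit 0), "disabled" (exit 1) or "not-mounted" (exit 2).
# Without MOUNT_OUTPUT the live output of mount(8) is used.
acl_status() {
    mp=$1
    out=${2:-$(mount)}
    # Field 3 is the mount point, field 6 the parenthesised option list; take
    # the last matching line, since a remount or bind mount can list it twice.
    opts=$(printf '%s\n' "$out" | awk -v mp="$mp" '$3 == mp { print $6 }' | tail -n 1)
    [ -n "$opts" ] || { echo not-mounted; return 2; }
    opts=${opts#\(}
    opts=${opts%\)}
    case ",$opts," in
        *,acl,*) echo enabled;  return 0 ;;
        *)       echo disabled; return 1 ;;
    esac
}

# report_block_mounts [MOUNT_OUTPUT]: one status line per /dev/* mount.
report_block_mounts() {
    out=${1:-$(mount)}
    printf '%s\n' "$out" | awk '$1 ~ /^\/dev\// { print $3 }' | while read -r mp; do
        printf '%-12s %s\n' "$(acl_status "$mp" "$out")" "$mp"
    done
}

report_block_mounts "$SAMPLE_MOUNTS"
```

On current kernels ext4 enables ACL support by default and may not list acl in the mount options at all, so a quick setfacl/getfacl round trip on the file system in question remains the authoritative check.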

Now we will test ACLs. For managing access control lists in Linux we basically use two commands: getfacl and setfacl.

To perform the test below you need to have at least two users in the system; I used root and mroot, but you can use different users.

First we create a file AclTest in the folder /var/log and change the permissions so that only the root user can access it. Then we confirm those settings with ls -l and getfacl:

root@nagios:~# echo "ProjectEnvision" >> /var/log/AclTest 
root@nagios:~# chmod 700 /var/log/AclTest
root@nagios:~# ls -l /var/lo
local/      lock/       log/        lost+found/
root@nagios:~# ls -l /var/log/AclTest
-rwx------ 1 root root 16 Jul 19 17:32 /var/log/AclTest
root@nagios:~# getfacl /var/log/AclTest
getfacl: Removing leading '/' from absolute path names
# file: var/log/AclTest
# owner: root
# group: root
user::rwx
group::---
other::---

Next we test as a different user that he really cannot access that file:

mroot@nagios:~$ cat /var/log/AclTest 
cat: /var/log/AclTest: Permission denied

Now we add an ACL entry for user mroot which allows him to read /var/log/AclTest:

root@nagios:~# setfacl -m user:mroot:r /var/log/AclTest 
root@nagios:~# ls -l /var/log/AclTest
-rwxr-----+ 1 root root 16 Jul 19 17:32 /var/log/AclTest
root@nagios:~# getfacl /var/log/AclTest
getfacl: Removing leading '/' from absolute path names
# file: var/log/AclTest
# owner: root
# group: root
user::rwx
user:mroot:r--
group::---
mask::r--
other::---

As we can see in the ls -l output, a + sign was added at the end of the permission string, which indicates that an ACL is applied to that file. Note that the group bits shown by ls -l (r--) now reflect the ACL mask entry rather than the owning group's permissions; the owning group itself is still group::---.

getfacl shows that user mroot has read permission on that file.

Finally we check that mroot can read that file:

mroot@nagios:~$ cat /var/log/AclTest 
ProjectEnvision
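What an entry like user:mroot:r-- actually grants depends on the mask entry shown by getfacl above. The following added example, not part of the original post, reproduces that arithmetic from a script; its sample ACL is the one for /var/log/AclTest above, constructed with the mask set to --- as a later chmod 700 on the file would leave it, since on a file carrying an ACL the group bits of the mode are the mask.

```shell
#!/bin/sh
# Added example, not from the original post: compute what an ACL entry really
# grants.  Named users, named groups and the owning group (group::) are
# limited by the mask entry; the owner (user::) and other:: are not.  getfacl
# marks such cases with "#effective:"; this reproduces the arithmetic.

# Constructed sample: the ACL on /var/log/AclTest from the post, after a later
# "chmod 700" on the file.  chmod rewrites the group bits, and on a file that
# carries an ACL the group bits are the mask, so mroot's r-- is now masked out.
SAMPLE_ACL='# file: var/log/AclTest
# owner: root
# group: root
user::rwx
user:mroot:r--
group::---
mask::---
other::---'

# and_perms RWX1 RWX2 -> the bits present in both, e.g. "rw-" "r-x" -> "r--"
and_perms() {
    out=""
    i=1
    while [ "$i" -le 3 ]; do
        a=$(printf '%s' "$1" | cut -c "$i")
        b=$(printf '%s' "$2" | cut -c "$i")
        if [ "$a" != "-" ] && [ "$a" = "$b" ]; then out="$out$a"; else out="$out-"; fi
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# effective_perms TAG QUALIFIER ACL_TEXT -> the effective rwx string for that
# entry (QUALIFIER is empty for user::, group:: and other::), or "none".
effective_perms() {
    tag=$1; qual=$2; acl=$3
    perms=$(printf '%s\n' "$acl" | awk -F: -v t="$tag" -v q="$qual" \
        '$1 == t && $2 == q { print $3; exit }')
    [ -n "$perms" ] || { echo none; return 1; }
    mask=$(printf '%s\n' "$acl" | awk -F: '$1 == "mask" { print $3; exit }')
    case "$tag:$qual" in
        user:|other:) printf '%s\n' "$perms" ;;             # never masked
        *)            and_perms "$perms" "${mask:-rwx}" ;;  # no mask entry: no limit
    esac
}

printf 'user:mroot  effective: %s\n' "$(effective_perms user mroot "$SAMPLE_ACL")"  # ---
printf 'user::      effective: %s\n' "$(effective_perms user "" "$SAMPLE_ACL")"     # rwx
```

The practical lesson is that a plain chmod on a file that already carries an ACL can silently revoke (or widen) what the named entries grant, so re-check with getfacl after any mode change.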

One more important thing to note is backup and restore of ACLs. The standard backup utility for Linux systems, tar, is not capable of backing up ACLs, so either we have to use star, which is a modified version of tar, or back up the ACLs separately. To back up ACLs we use the getfacl -R /filesystem command before running tar. To restore we use the setfacl --restore command, as in the examples below:

# Before backup: remember to change /var to the file system on which you have enabled ACLs

getfacl -R /var > /acl.backup

# After restore

setfacl --restore /acl.backup