
#1 2008-06-30 05:27:58

johny
Member
From: Włocławek
Registered: 2008-06-29
Posts: 4
Website

[Wiki] ACL

=Introduction=
An [b]A[/b]ccess [b]C[/b]ontrol [b]L[/b]ist provides an additional, more flexible permission mechanism for the file system. ACLs assist the basic Unix file permissions. An ACL file system allows you to give permissions for any user or group to any disk resource.

=Installation=
ACL is available from the /core repositories:
 # pacman -S acl

=Configuration=

==Enabling ACL==
To enable ACL, edit the '''/etc/fstab''' file and add the ''acl'' attribute to the options of the partition on which you want to use ACL:

<pre>
# 
# /etc/fstab: static file system information
#
# <file system>        <dir>         <type>    <options>          <dump> <pass>
none                   /dev/pts      devpts    defaults            0      0
none                   /dev/shm      tmpfs     defaults            0      0

/dev/cdrom /media/cdrom   auto    ro,user,noauto,unhide   0      0
/dev/dvd /media/dvd   auto    ro,user,noauto,unhide   0      0
UUID=5de01fca-7c63-49b0-9b2b-8b1790f8428e swap swap defaults 0 0
UUID=822dd720-e35f-424c-b012-2c84b4aa265a /data reiserfs defaults 0 1
UUID=8e5259dd-26fc-411a-88e2-f38d4dc36724 /home reiserfs defaults,acl 0 1
UUID=c18f753e-0039-49bd-930f-587d48b7e083 / reiserfs defaults 0 1
UUID=f64bfc77-7958-49c5-a244-1fa2517d676f /tmp reiserfs defaults 0 1
</pre>

Save the file. Remount partition:
 # mount -o remount /home

==Set ACL==
To modify ACL use '''setfacl'' command. To add permissions use '''setfacl -m'''.

Add permissions to some user:
 # setfacl -m "u:username:permissions" filename
or
 # setfacl -m "u:uid:permissions" filename

Add permissions to some group:
 # setfacl -m "g:groupname:permissions" filename
or
 # setfacl -m "g:gid:permissions" filename

Remove all permissions:
 # setfacl -b filename

Remove each entry:
 # setfacl -x "entry" filename

To check permissions use:
 # getfacl filename

=Examples=

Set all permissions for user johny to file named "abc":
 # setfacl -m "u:johny:rwx" abc
Check permissions
 # getfacl abc

<pre>
# file: abc
# owner: someone
# group: someone
user::rw-
user:johny:rwx
group::r--
mask::rwx
other::r--
</pre>

Change permissions for user johny:
 # setfacl -m "u:johny:r-x" abc
Check permissions
 # getfacl abc

<pre>
# file: abc
# owner: someone
# group: someone
user::rw-
user:johny:r-x
group::r--
mask::r-x
other::r--
</pre>

Remove all extended ACL entries:
 # setfacl -b abc
Check permissions
 # getfacl abc

<pre>
# file: abc
# owner: someone
# group: someone
user::rw-
group::r--
other::r--
</pre>

=Increase security of your web server=

You can now add permissions on your home directory and/or site directory only for the nobody user and anyone else, without the "whole world", to increase your security.

Go to the home directory:
 # cd /home
Add permissions '''+x''' for nobody user on your home directory via ACL:
 # setfacl -m "u:nobody:--x" homeusername/
Now you can remove whole world rx permissions:
 # chmod o-rx homeusername/
Check our changes:
 
<pre># file: username/
# owner: username
# group: users
user::rwx
user:nobody:--x
group::r-x
mask::r-x
other::---
</pre>
As we can see, others don't have any permissions, but the user nobody has the "x" permission, so it can "look" into the user's directory and give the www server access to users' pages in their home directories. Of course, this applies only if the www server works as the nobody user. But the whole world, except nobody, doesn't have any permissions.

What do you think about that? I know that my English is very poor. I would be grateful to anyone who checks this text. Should I write more about that?

Offline
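
An added example, not part of the original post: a Python sketch of the ACL access check described in acl(5), run over the getfacl listing from the web server section to show which accounts can still enter the directory after `chmod o-rx`. The account names alice and mallory and the function names are hypothetical.

```python
# Constructed input: the getfacl listing from the post above.
ACL_TEXT = """\
# file: username/
# owner: username
# group: users
user::rwx
user:nobody:--x
group::r-x
mask::r-x
other::---
"""

def parse_getfacl(text):
    """Return (owner, owning_group, [(tag, qualifier, perms_set), ...])."""
    owner = group = None
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            tag, qualifier, perms = line.split(":")[:3]
            entries.append((tag, qualifier, set(perms[:3]) - {"-"}))
    return owner, group, entries

def allowed(text, user, groups, want):
    """ACL access check as described in acl(5): may `user` do all of `want`?"""
    owner, owning_group, entries = parse_getfacl(text)
    want = set(want)
    users = {q: p for tag, q, p in entries if tag == "user"}
    group_entries = [(q, p) for tag, q, p in entries if tag == "group"]
    masks = [p for tag, _, p in entries if tag == "mask"]
    other = [p for tag, _, p in entries if tag == "other"][0]
    mask = masks[0] if masks else set("rwx")   # no mask entry: nothing is filtered
    if user == owner:                          # owner entry is never masked
        return want <= users[""]
    if user in users:                          # named user entry, limited by mask
        return want <= (users[user] & mask)
    matching = [p for q, p in group_entries if (q or owning_group) in groups]
    if matching:                               # one group entry must grant everything
        return any(want <= (p & mask) for p in matching)
    return want <= other

if __name__ == "__main__":
    for who, grps in [("nobody", ["nobody"]), ("alice", ["users"]), ("mallory", ["mallory"])]:
        print(who, {p: allowed(ACL_TEXT, who, grps, p) for p in "rwx"})
```

In this listing, members of the owning group users keep r-x through the `group::r-x` entry, so `chmod o-rx` only shuts out accounts that are neither in that group nor named in the ACL.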

#2 2008-06-30 09:01:50

tomk
Forum Fellow
From: Ireland
Registered: 2004-07-21
Posts: 9,839

Re: [Wiki] ACL

Create the wiki page first, then link it here. You have posted it in code tags which makes it very difficult to read what you have written.

Offline

#3 2008-06-30 14:21:22

johny
Member
From: Włocławek
Registered: 2008-06-29
Posts: 4
Website

Offline

#4 2008-07-01 16:14:30

Misfit138
Misfit Emeritus
From: USA
Registered: 2006-11-27
Posts: 4,189

Re: [Wiki] ACL

Thank you for your addition.

Offline

#5 2008-07-01 20:08:24

tomk
Forum Fellow
From: Ireland
Registered: 2004-07-21
Posts: 9,839

Re: [Wiki] ACL

My €0.02: there is some unnecessary italicising in the first line of the "Set ACL" section, and the second sentence in that line is superfluous, as it is detailed in the following examples. I would also refer users to the setfacl man page for additional information.

Offline
