POSIX ACL



POSIX ACLs


The term POSIX ACL suggests that this is a true POSIX (Portable Operating System Interface) standard.

Traditionally, a file object in Linux is associated with three sets of permissions. These sets assign read (r), write (w), and execute (x) permissions to three classes of users: the file owner, the owning group, and other users. Nine bits are therefore used to describe the permissions of every object in a Linux file system. Additionally, the set user ID, set group ID, and sticky bits can be set for special cases.

ACLs can be used for situations where the traditional file permission concept does not suffice. They allow the assignment of permissions to individual users or groups even if these do not correspond to the owner or the owning group. Access Control Lists are a feature of the Linux kernel and are currently supported by ReiserFS, Ext2, Ext3, JFS, and XFS. Using ACLs, complex scenarios can be realized without implementing complex permission models on the application level.

The advantages of ACLs are clearly evident in situations such as the replacement of a Windows server by a Linux server. Some of the connected workstations may continue to run under Windows even after the migration. The Linux system offers file and print services to the Windows clients with Samba. As Samba supports ACLs, user permissions can be configured both on the Linux server and in Windows with a graphical user interface (only Windows NT and later). With winbindd, it is even possible to assign permissions to users that only exist in the Windows domain without any account on the Linux server. On the server side, edit the Access Control Lists using getfacl and setfacl.

User class: The conventional POSIX permission concept uses three classes of users for assigning permissions in the file system: the owner, the owning group, and other users. Three permission bits can be set for each user class, giving permission to read (r), write (w), and execute (x).

Access ACL: The user and group access permissions for all kinds of file system objects (files and directories) are determined by means of access ACLs.

Default ACL: Default ACLs can only be applied to directories. They determine the permissions a file system object inherits from its parent directory when it is created.


Structure of ACL Entries


Basically, ACLs can be divided into two classes. A minimum ACL merely comprises the entries for the types owner, owning group, and other, which correspond to the conventional permission bits for files and directories. An extended ACL goes beyond this concept: it must contain a mask entry and may contain several entries of the named user and named group types.


A Directory with Access ACL


The handling of access ACLs is demonstrated in six steps by means of the following example:
Creating a file system object (a directory in this case)
Modifying the ACL


1. Create the directory.

[root@server1~]# mkdir /acl_test


2. Set the permissions to 750 on /acl_test.

[root@server1~]# chmod 750 /acl_test

The owner has all access permissions (read, write, execute) (7), the owning group may read and execute but not write (5), and all other users are denied any kind of access (0).


[root@server1~]# ls -ld /acl_test

drwxr-x---  2  root  accounts  4096  Dec  30  02:47  /acl_test


3. Check the initial state of the ACL and insert a new user entry and a new group entry.

[root@server1~]# getfacl /acl_test

# file: acl_test
# owner: root
# group: accounts
user::rwx
group::r-x
other::---


The output of getfacl precisely reflects the mapping of permission bits and ACL entries as described in ACL Entries and File Mode Permission Bits. The first three output lines display the name, owner, and owning group of the directory. The next three lines contain the three ACL entries owner, owning group, and other. In fact, in the case of this minimum ACL, the getfacl command does not produce any information you could not have obtained with ls. Your first modification of the ACL is the assignment of read, write, and execute permissions to an additional user jane and an additional group sales.


[root@server1~]# setfacl -m user:jane:rwx /acl_test
or
[root@server1~]# setfacl -m group:sales:rwx /acl_test
or
[root@server1~]# setfacl -m user:jane:rwx,group:sales:rwx /acl_test


The option -m prompts setfacl to modify the existing ACL. The following argument indicates the ACL entries to modify (several entries are separated by commas). The final part specifies the name of the directory to which these modifications should be applied.

4. Use the getfacl command to take a look at the resulting ACL.

[root@server1~]# getfacl /acl_test

# file: acl_test
# owner: root
# group: accounts
user::rwx
user:jane:rwx
group::r-x
group:sales:rwx
mask::rwx
other::---


5. Use the ls command to take a look at the directory's permission bits.

[root@server1~]# ls -ld /acl_test

drwxr-x---+  2  root  accounts  4096  Dec  30  02:47  /acl_test

As expected, the first column of the output now ends with a +, which indicates that an extended ACL is present.


6. To remove a user entry and a group entry, run the command as follows.


[root@server1~]# setfacl -x user:jane /acl_test
or
[root@server1~]# setfacl -x group:sales /acl_test
or
[root@server1~]# setfacl -x user:jane,group:sales /acl_test
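As an added example (not part of the original tutorial), the following Python script models the rules that getfacl and setfacl are manipulating above: how the kernel evaluates an access ACL, how the mask entry caps the named user, named group and owning group entries, what chmod does once a mask entry exists, and how a default ACL turns into the access ACL of a newly created object. The getfacl text it parses is constructed from the /acl_test output after step 4; the extra user names (bob, eve) and group memberships used when calling it are assumptions.

```python
# Added example (not from the original tutorial): a model of how Linux evaluates
# a POSIX access ACL per acl(5), what chmod does once a mask entry exists, and how
# a default ACL becomes a new object's access ACL. Names below are assumptions.
from dataclasses import dataclass, field
from typing import Dict, Optional

BITS = (("r", 4), ("w", 2), ("x", 1))

def perm_to_int(s: str) -> int:      # 'r-x' -> 5
    return sum(b for c, b in BITS if c in s)
def int_to_perm(n: int) -> str:      # 5 -> 'r-x'
    return "".join(c if n & b else "-" for c, b in BITS)

@dataclass
class Acl:
    owner: int = 0                                        # user::  (ACL_USER_OBJ)
    group: int = 0                                        # group:: (ACL_GROUP_OBJ)
    other: int = 0                                        # other:: (ACL_OTHER)
    users: Dict[str, int] = field(default_factory=dict)   # user:NAME:
    groups: Dict[str, int] = field(default_factory=dict)  # group:NAME:
    mask: Optional[int] = None                            # mask::, extended ACLs only

def parse_getfacl(text: str) -> Acl:
    # Entry lines are tag:qualifier:perms; '# file:' headers and '#effective:' notes are dropped.
    acl = Acl()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tag, qual, perm = line.split(":")
        if qual:                                  # named user or named group
            (acl.users if tag == "user" else acl.groups)[qual] = perm_to_int(perm)
        else:                                     # user::, group::, mask::, other::
            setattr(acl, {"user": "owner"}.get(tag, tag), perm_to_int(perm))
    return acl

def effective(acl: Acl) -> Dict[str, int]:
    # The mask caps named users, named groups and the owning group; user:: and
    # other:: are never masked. getfacl shows the capped value as '#effective:'.
    m = 7 if acl.mask is None else acl.mask
    eff = {"user::": acl.owner, "group::": acl.group & m, "other::": acl.other}
    eff.update({f"user:{n}:": p & m for n, p in acl.users.items()})
    eff.update({f"group:{n}:": p & m for n, p in acl.groups.items()})
    return eff

def check_access(acl: Acl, owner: str, owning_group: str, user: str,
                 groups, wanted: str) -> bool:
    # acl(5): the first matching class decides; matching any group entry never falls through to other::.
    want, groups = perm_to_int(wanted), set(groups)
    m = 7 if acl.mask is None else acl.mask
    if user == owner:
        return acl.owner & want == want
    if user in acl.users:
        return acl.users[user] & m & want == want
    matching = [acl.group] if owning_group in groups else []
    matching += [p for g, p in acl.groups.items() if g in groups]
    if matching:
        return any(p & m & want == want for p in matching)
    return acl.other & want == want

def apply_chmod(acl: Acl, mode: int) -> Acl:
    # chmod on an object with an ACL: owner/other bits set user::/other::, the group bits set
    # the mask when one exists (otherwise group::). Named entries stay, so 750 caps jane to r-x.
    acl.owner, acl.other = (mode >> 6) & 7, mode & 7
    if acl.mask is None:
        acl.group = (mode >> 3) & 7
    else:
        acl.mask = (mode >> 3) & 7
    return acl

def inherit(default: Acl, mode: int) -> Acl:
    # Object created with `mode` under a directory that has a default ACL: named entries are
    # copied; user::, other:: and the mask (or group:: without a mask) are ANDed with the mode bits.
    new = Acl(default.owner & (mode >> 6) & 7, default.group, default.other & mode & 7,
              dict(default.users), dict(default.groups), default.mask)
    if new.mask is None:
        new.group &= (mode >> 3) & 7
    else:
        new.mask &= (mode >> 3) & 7
    return new

# Constructed getfacl output, matching the tutorial's /acl_test after step 4.
SAMPLE = """\
# file: acl_test
# owner: root
# group: accounts
user::rwx
user:jane:rwx
group::r-x
group:sales:rwx
mask::rwx
other::---
"""

if __name__ == "__main__":
    acl = parse_getfacl(SAMPLE)
    print({k: int_to_perm(v) for k, v in effective(acl).items()})
    print("jane may write:", check_access(acl, "root", "accounts", "jane", ["users"], "w"))
    apply_chmod(acl, 0o750)                   # what `chmod 750` does once a mask exists
    print("jane may write after chmod 750:", check_access(acl, "root", "accounts", "jane", ["users"], "w"))
```

The point worth checking in practice is the chmod step: once a directory carries an extended ACL, `chmod 750` no longer touches group::, it rewrites the mask, and every named user and group entry is silently capped to r-x even though getfacl still lists user:jane:rwx. Compare the entry against its `#effective:` value, or the `effective()` result here, before concluding that a named entry grants what it appears to grant.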


Note: ACL support is enabled by default on the partitions created at installation time. If you create a partition after installing the OS, ACL support will not be enabled on it. Enable it either by adding acl to that partition's mount options in /etc/fstab (the column that usually reads defaults) or by running the following command:


tune2fs -o acl /dev/sdaX

where X is the partition number.
