Wise people learn when they can; fools learn when they must - Arthur Wellesley

Thursday, 5 January 2017

LINUX-12 ACCESS CONTROL LIST (RHEL-7)


Well, all regular and special permissions are done. Our files and directories can be secured in several ways; I have plenty of tools for that.

Now relaxed……

And then I announced my great knowledge everywhere. My boss also heard about my knowledge, and assigned me a task where I was supposed to create a script which could be run by 4 users and the members of 6 groups.

Great, now I can implement my super knowledge and stun my boss with my skills.


What I did was,

1.  Created a script
2.  Copied it to all 4 users' home dirs.
3.  Made them owners of that script
4.  Created 6 groups,

Till then, my boss came and asked…. Are you done…??

No sir… still some steps are left.

My boss had seen the steps I performed and told…

IT CAN NEVER BE DONE IN THIS WAY……YOU MORON...... and left,

Instead of claps, what did I get…??

And Why…?

Can this really not be done with regular permissions…??

Let’s see…..

This can be done only by ACL… Then what is ACL…??

An ACL (Access Control List) lets more than one user and more than one group have their own permissions on one file or directory.

ACL has some Drawbacks as well,

·         ACL settings might be lost when copying or moving files, and backup software might not be able to back up ACL settings.
·         The “tar” utility does not support ACL; instead “star” is used while dealing with ACLs.

Commands for ACL…

#getfacl   to see ACL settings for a file or dir
#setfacl   to set / modify / substitute and delete ACL settings


Requirements to apply ACL,

·         The file system must support ACLs
·         The file system must be mounted with ACL support
·         Otherwise, applying an ACL fails with an “Operation not supported” error
·         In that case the “acl” mount option is to be added to the mount options in “/etc/fstab”

ACL’s are categorized in two groups,

1.  Access ACL:     set on individual files and directories
2.  Default ACL:    only applied on directories

** Files and subdirectories created under a parent directory that has a “Default ACL” set inherit the default ACL settings.

Well, we are talking about RHEL-7, where XFS is the default FS and ACL is enabled by default.

In fact any FS (XFS/ext2/ext3/ext4) on RHEL-7 has ACLs enabled by default.

For older versions, we need to check for compatibility,

#tune2fs -l /dev/sdc1

#mount -o remount -o acl /home

#vi /etc/fstab

/dev/sdc1  /home ext4 defaults,acl    1 2

#mount -o remount /home

[root@rhel7-server /]# getfacl testfile1
# file: testfile1
# owner: root
# group: root
user::rw-   
group::r--
other::r--

[root@rhel7-server /]# getfacl testdir1/
# file: testdir1/
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

The empty field between the double colons is where a named user or group would appear: “user::”, “group::” and “other::” are the owner, owning-group and others entries, and once ACLs are set, named entries such as “user:raman:rwx” show up alongside them.

SETFACL………………..

-b   removes all acl settings
-d   applies to the default acl’s
-k   removes all default acl settings
-m   sets/modifies acl settings
-R   recursive implementation of acl’s to all files and subdirectories
-x   removes a particular user/group entry

user:uid:perms
group:gid:perms
mask:perms
other:perms

[root@rhel7-server ~]# getfacl /testdir1/
getfacl: Removing leading '/' from absolute path names
# file: testdir1/
# owner: root
# group: root
user::rwx
group::r-x
other::r-x


[root@rhel7-server ~]# setfacl -m g:monster:rx /testdir1/

[root@rhel7-server ~]# getfacl /testdir1/
getfacl: Removing leading '/' from absolute path names
# file: testdir1/
# owner: root
# group: root
user::rwx
group::r-x
group:monster:r-x
mask::r-x
other::r-x

[root@rhel7-server ~]# su - raman
Last login: Tue Jan  3 18:54:00 IST 2017 on pts/2
[raman@rhel7-server ~]$ cd /testdir1/
[raman@rhel7-server testdir1]$ touch 1
touch: cannot touch ‘1’: Permission denied
[raman@rhel7-server testdir1]$

I think write is missing; that’s why it is denying…
Let’s provide write perm.

“rx” is already provided, hence only “w” needs to be added…

[root@rhel7-server ~]# setfacl -m g:monster:w /testdir1/

[root@rhel7-server ~]# getfacl /testdir1/
getfacl: Removing leading '/' from absolute path names
# file: testdir1/
# owner: root
# group: root
user::rwx
group::r-x
group:monster:-w-
mask::rwx
other::r-x

ohhhhhhhhhhhhh…. What is this…?? Where is “rx”…??

Let’s try again…

[root@rhel7-server ~]# setfacl -m g:monster:rwx /testdir1/
[root@rhel7-server ~]# getfacl /testdir1/
getfacl: Removing leading '/' from absolute path names
# file: testdir1/
# owner: root
# group: root
user::rwx
group::r-x
group:monster:rwx
mask::rwx
other::r-x

OMG… it means perms can’t be appended; a new setting overrides the existing entry.
So whenever we need to change an entry, we must specify the full set of perms.

[root@rhel7-server ~]# su - raman
Last login: Wed Jan  4 17:43:26 IST 2017 on pts/2
[raman@rhel7-server ~]$ cd /testdir1/
[raman@rhel7-server testdir1]$ touch 1
[raman@rhel7-server testdir1]$ ls -l
total 0
-rw-r--r--. 1 raman raman 0 Jan  4 17:50 1

[root@rhel7-server ~]# su - user1
Last login: Mon Jan  2 12:09:02 IST 2017 on pts/0
[user1@rhel7-server ~]$ touch 2
[user1@rhel7-server ~]$ ls -ltr 2
-rw-r--r--. 1 user1 user1 0 Jan  4 17:50 2

Is it possible via regular perms…??

[root@rhel7-server /]# setfacl -m o:rwx /testfile1
[root@rhel7-server /]# getfacl testfile1
# file: testfile1
# owner: root
# group: root
user::rw-
group::r--
other::rwx

[root@rhel7-server /]# setfacl -m u:user1:rwx /testfile1

[root@rhel7-server /]# setfacl -m u:raman:rwx /testfile1

[root@rhel7-server /]# setfacl -m u:user3:rwx /testfile1

[root@rhel7-server /]# getfacl testfile1
# file: testfile1
# owner: root
# group: root
user::rw-
user:raman:rwx
user:user1:rwx
user:user3:rwx
group::r--
mask::rwx
other::rwx

Want to remove all ACL settings? No prob, use “-b”

[root@rhel7-server /]# setfacl -b /testfile1
[root@rhel7-server /]# getfacl testfile1
# file: testfile1
# owner: root
# group: root
user::rw-
group::r--
other::rwx

All settings removed…??

What about this…?

other::rwx

This setting is removed by,

[root@rhel7-server /]# setfacl -m o:- /testfile1

[root@rhel7-server /]# getfacl testfile1
# file: testfile1
# owner: root
# group: root
user::rw-
group::r--
other::---

How to know that ACLs are set on a file or dir…??

Notice the “+” sign at the end of the permission string.

[root@rhel7-server /]# setfacl -m u:raman:rwx /testfile1
[root@rhel7-server /]# ll /testfile1
-rw-rwx---+ 1 root root 0 Jan  2 11:04 /testfile1

[root@rhel7-server /]# ls -ld /testdir1/
drwxrwxrwx+ 2 root root 14 Jan  4 17:50 /testdir1/

We can also find this by

[root@rhel7-server /]# ls -ltrh

Don’t want such long info in the o/p of “getfacl”? No problem, use “-c”

[root@rhel7-server /]# getfacl -c /testdir1/
getfacl: Removing leading '/' from absolute path names
user::rwx
group::r-x
group:monster:rwx
mask::rwx
other::rwx

[root@rhel7-server /]# getfacl -c /testfile1
getfacl: Removing leading '/' from absolute path names
user::rw-
user:raman:rwx
group::r--
mask::rwx
other::---

Want to remove a particular user from the ACL settings? No prob, use “-x”

[root@rhel7-server /]# setfacl -m u:raman:7 /testfile1
[root@rhel7-server /]# setfacl -m u:user1:7 /testfile1
[root@rhel7-server /]# setfacl -m u:user3:1 /testfile1
[root@rhel7-server /]# setfacl -m u:araman:4 /testfile1

** We can also set the ACL’s in numeric values.

[root@rhel7-server /]# getfacl -c /testfile1
getfacl: Removing leading '/' from absolute path names
user::rw-
user:araman:r--
user:raman:rwx
user:user1:rwx
user:user3:--x
group::r--
mask::rwx
other::---

[root@rhel7-server /]# setfacl -x u:raman /testfile1

[root@rhel7-server /]# getfacl -c /testfile1
getfacl: Removing leading '/' from absolute path names
user::rw-
user:araman:r--
user:user1:rwx
user:user3:--x
group::r--
mask::rwx
other::---

Let’s do some magic…

[root@rhel7-server /]# setfacl -m u:raman:7 /testfile1
[root@rhel7-server /]# setfacl -m u:user1:7 /testfile1
[root@rhel7-server /]# setfacl -m u:user3:7 /testfile1
[root@rhel7-server /]# getfacl -c /testfile1
getfacl: Removing leading '/' from absolute path names
user::rw-
user:araman:r--
user:raman:rwx
user:user1:rwx
user:user3:rwx
group::r--
mask::rwx
other::---

[root@rhel7-server /]# su - raman
[raman@rhel7-server ~]$ vi /testfile1

[root@rhel7-server /]# su - user1
[user1@rhel7-server ~]$ vi /testfile1

[root@rhel7-server /]# su - user3
[user3@rhel7-server ~]$ vi /testfile1

[root@rhel7-server /]# cat /testfile1
hhhhhhhh raman
nnnnnnnn user1
zzzzzzzz user3

All 3 users can edit this file, yes…… so what’s the big deal…?

[root@rhel7-server /]# su - raman
Last login: Wed Jan  4 18:26:20 IST 2017 on pts/2
[raman@rhel7-server ~]$ vi /testfile1

"/testfile1"
"/testfile1" E212: Can't open file for writing
Press ENTER or type command to continue

OHHHHHH….. What is this? Just a few minutes ago I edited this file.

Anyways, let’s check the contents at least.

[raman@rhel7-server ~]$ cat /testfile1
cat: /testfile1: Permission denied

OMG…… What’s going on……??

Check the perms…

[raman@rhel7-server ~]$ ls -ltr /testfile1
-rw-------+ 1 root root 45 Jan  4 18:27 /testfile1
[raman@rhel7-server ~]$ getfacl -c /testfile1
getfacl: Removing leading '/' from absolute path names
user::rw-
user:araman:r--                 #effective:---
user:raman:rwx                  #effective:---
user:user1:rwx                  #effective:---
user:user3:rwx                  #effective:---
group::r--                      #effective:---
mask::---
other::---

OHHHH… I (user “raman”) have “rwx” perm, but what is this new thing…?

#effective:---

And “mask” also has some problem…

mask::---

What should I do now…?
Definitely “root” has fiddled with something, let’s ask him.

He…He…He…He…

That was the Magic.

[root@rhel7-server /]# setfacl -m m:- /testfile1

There is a field “mask” in the o/p.

After setting the value of “mask” to null/0, the “effective” column came into action.

Users appear to have “write” access, but they can’t use it, because of the effective perm.

It means that whatever the user’s own perms are, they don’t matter on their own: the mask value must be set appropriately for the desired ACL entry to be effective.

The value of “mask” determines the maximum allowable permissions for named users, named groups and the owning group on a file or dir; the owner (“user::”) and “other” entries are not limited by it, as the o/p below shows.

[root@rhel7-server /]# getfacl -c testfile1
user::rw-
user:araman:r--                 #effective:---
user:raman:rwx                  #effective:---
user:user1:rwx                  #effective:---
user:user3:rwx                  #effective:---
group::r--                      #effective:---
mask::---
other::---

[root@rhel7-server /]# setfacl -m m:rx /testfile1

[root@rhel7-server /]# getfacl -c testfile1
user::rw-
user:araman:r--
user:raman:rwx                  #effective:r-x
user:user1:rwx                  #effective:r-x
user:user3:rwx                  #effective:r-x
group::r--
mask::r-x
other::---
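To make the mask rule concrete, here is an added example (not part of the original post) that parses a “getfacl -c” listing and works out the effective permission of each entry the same way the kernel does: named users, named groups and the owning group are ANDed with the mask, while the owner and “other” are left alone. The sample listing is constructed to match the state after “setfacl -m m:rx /testfile1”.

```shell
#!/bin/sh
# Added example (not from the original post): derive the "#effective" column
# of getfacl from a listing. Named users, named groups and the owning group
# are ANDed with the mask entry; the owner (user::) and other:: are not.

# Bitwise AND of two rwx strings, e.g. and_perms rwx r-x -> r-x
and_perms() {
    p1=$1; p2=$2; out=""
    for i in 1 2 3; do
        c1=$(printf '%s' "$p1" | cut -c"$i")
        c2=$(printf '%s' "$p2" | cut -c"$i")
        if [ "$c1" = "$c2" ] && [ "$c1" != "-" ]; then out="$out$c1"; else out="$out-"; fi
    done
    printf '%s' "$out"
}

# Reads "getfacl -c" text on stdin, prints "tag:name:perms -> effective" per entry
effective_acl() {
    acl=$(cat)
    mask=$(printf '%s\n' "$acl" | sed -n 's/^mask::\(...\).*/\1/p')
    printf '%s\n' "$acl" | while IFS= read -r line; do
        case $line in
            ''|'#'*|default:*) continue ;;   # skip blanks, comments, default ACL entries
        esac
        tag=${line%%:*}                      # user / group / mask / other
        rest=${line#*:}
        name=${rest%%:*}                     # empty for the owner and owning group
        perms=${rest#*:}; perms=${perms%% *} # drop any trailing "#effective" column
        # the mask limits named entries and the owning group, never owner/other
        if [ -n "$mask" ] && [ "$tag" != mask ] && { [ -n "$name" ] || [ "$tag" = group ]; }; then
            eff=$(and_perms "$perms" "$mask")
        else
            eff=$perms
        fi
        printf '%s:%s:%s -> %s\n' "$tag" "$name" "$perms" "$eff"
    done
}

# Constructed sample: the listing after "setfacl -m m:rx /testfile1" in the post
SAMPLE='user::rw-
user:araman:r--
user:raman:rwx
group::r--
mask::r-x
other::---'

printf '%s\n' "$SAMPLE" | effective_acl
```

Feed it the output of a real “getfacl -c FILE” to check which entries are being silently cut down by the mask before you hand the file over to the users.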

DEFAULT ACL’S…………………………………..

Why “default acl”…?

Till now, we applied ACL on file or dir. They are all good.

Have you noticed one thing…??

[root@rhel7-server /]# getfacl -c testdir1/
user::rwx
user:user4:rwx
user:user5:rwx
group::r-x
mask::rwx
other::rwx

[root@rhel7-server /]# su - user4
[user4@rhel7-server ~]$ cd /testdir1/
[user4@rhel7-server testdir1]$ vi u4
[user4@rhel7-server testdir1]$ vi u4-1
[user4@rhel7-server testdir1]$ cat u4
Hhhhjjjjkkkk

[root@rhel7-server /]# su - user5
[user5@rhel7-server ~]$ cd /testdir1/
[user5@rhel7-server testdir1]$ vi u4
[user5@rhel7-server testdir1]$ cat u4
hhhhjjjjkkkk
,sdbjkjewb

How is user5 allowed to edit the file of user4…??

Check the “mask” in getfacl o/p.

Change it,

[root@rhel7-server /]# setfacl -m m:r-x /testdir1/

[root@rhel7-server /]# su - user5
[user5@rhel7-server ~]$ cd /testdir1/
[user5@rhel7-server testdir1]$ vi u4

"u4"
"u4" E212: Can't open file for writing
Press ENTER or type command to continue

[user5@rhel7-server ~]$ cd /testdir1/
[user5@rhel7-server testdir1]$ ls -ltr
total 16
-rw-r--r--. 1 raman raman  0 Jan  4 17:50 1
-rw-r--r--. 1 raman raman  0 Jan  4 18:49 4
-rw-r--r--. 1 user1 user1 10 Jan  4 18:50 2
-rw-r--r--. 1 user1 user1  9 Jan  4 18:52 3
-rw-r--r--. 1 user4 user4 13 Jan  4 18:57 u4-1
-rw-r--r--. 1 user4 user4 31 Jan  4 19:03 u4

What’s happening here is a lack of “inheritance”.

With a Default ACL we can determine the perms that will be set for all new items created within a directory.

A Default ACL does not change the perms of existing files and subdirectories.

Let’s check it…

[root@rhel7-server /]# setfacl -b /testdir1/
[root@rhel7-server /]# getfacl -c /testdir1/
getfacl: Removing leading '/' from absolute path names
user::rwx
group::r-x
other::rwx

[root@rhel7-server /]# setfacl -m d:u:user1:6,d:u:user3:6 /testdir1/
[root@rhel7-server /]# getfacl -c testdir1/
user::rwx
group::r-x
other::rwx
default:user::rwx
default:user:user1:rw-
default:user:user3:rw-
default:group::r-x
default:mask::rwx
default:other::rwx

[root@rhel7-server /]# setfacl -m u:user5:7 /testdir1/

[root@rhel7-server /]# getfacl -c testdir1/
user::rwx
user:user5:rwx
group::r-x
mask::rwx
other::rwx
default:user::rwx
default:user:user1:rw-
default:user:user3:rw-
default:group::r-x
default:mask::rwx
default:other::rwx

[root@rhel7-server /]# 

The user1 and user3 entries are default ACLs, whereas user5 is set as a regular (access) ACL.

[root@rhel7-server /]# cd /testdir1/
[root@rhel7-server testdir1]# ls -ltr
total 16
-rw-r--r--. 1 raman raman  0 Jan  4 17:50 1
-rw-r--r--. 1 raman raman  0 Jan  4 18:49 4
-rw-r--r--. 1 user1 user1 10 Jan  4 18:50 2
-rw-r--r--. 1 user1 user1  9 Jan  4 18:52 3
-rw-r--r--. 1 user4 user4 13 Jan  4 18:57 u4-1
-rw-r--r--. 1 user4 user4 31 Jan  4 19:03 u4

[root@rhel7-server testdir1]# touch newfile
[root@rhel7-server testdir1]# touch newdir
[root@rhel7-server testdir1]# ls -ltr
total 24
-rw-r--r--. 1 raman raman  0 Jan  4 17:50 1
-rw-r--r--. 1 raman raman  0 Jan  4 18:49 4
-rw-r--r--. 1 user1 user1 10 Jan  4 18:50 2
-rw-r--r--. 1 user1 user1  9 Jan  4 18:52 3
-rw-r--r--. 1 user4 user4 13 Jan  4 18:57 u4-1
-rw-r--r--. 1 user4 user4 31 Jan  4 19:03 u4
-rw-rw-rw-+ 1 root  root   0 Jan  4 19:13 newfile
-rw-rw-rw-+ 1 root  root   0 Jan  4 19:13 newdir
[root@rhel7-server testdir1]#

[root@rhel7-server testdir1]# getfacl -c newfile
user::rw-
user:user1:rw-
user:user3:rwx                  #effective:rw-
group::r-x                      #effective:r--
mask::rw-
other::rw-

(The file above was created with different ACL settings)


[root@rhel7-server testdir1]# touch newfile1
[root@rhel7-server testdir1]# getfacl -c newfile1
user::rw-
user:user1:rw-
user:user3:rw-
group::r-x                      #effective:r--
mask::rw-
other::rw-

****RECOMMENDED TO SET REGULAR PERM’S FIRST, THEN GO FOR ACL SETTINGS****

RECURSIVE ACL SETTING………………………………………..

[root@rhel7-server /]# setfacl -R -m u:user1:6 /testdir2
[root@rhel7-server /]# getfacl -c testdir2
user::rwx
user:user1:rw-
group::r-x
mask::rwx
other::r-x

[root@rhel7-server /]#

UNSET RECURSIVE ACL…………………………..

[root@rhel7-server /]# setfacl -R -x u:user1 /testdir2
[root@rhel7-server /]# getfacl -c testdir2
user::rwx
group::r-x
mask::r-x
other::r-x

[root@rhel7-server /]# setfacl -R -m u:user1:6 /testdir2
[root@rhel7-server /]# setfacl -R -b /testdir2
[root@rhel7-server /]# getfacl -c testdir2
user::rwx
group::r-x
other::r-x

DENY ACCESS TO USER VIA ACL………………………………..

[root@rhel7-server /]# touch secret-file
[root@rhel7-server /]# chmod 777 secret-file
[root@rhel7-server /]# setfacl -m u:user1:- secret-file
[root@rhel7-server /]# setfacl -m u:user3:- secret-file
[root@rhel7-server /]# setfacl -m u:user5:- secret-file
[root@rhel7-server /]# getfacl -c secret-file
user::rwx
user:user1:---
user:user3:---
user:user5:---
group::rwx
mask::rwx
other::rwx

[root@rhel7-server /]# su - user1
Last login: Wed Jan  4 18:52:21 IST 2017 on pts/2
[user1@rhel7-server ~]$
[user1@rhel7-server ~]$ vi /secret-file

"/secret-file"
"/secret-file" E212: Can't open file for writing
Press ENTER or type command to continue

[user1@rhel7-server ~]$ cat /secret-file

cat: /secret-file: Permission denied
