February 03, 2015

Linux ACLs

^ Ad space. I gotta pay the bills!

This video discusses using Linux ACL's instead of the usual Linux user/group/other permissions. This allows for an easier time setting up permissions for automated tasks such as deploying web applications.

If you're not familiar with "normal" linux user and group permissions, check out this article which explains them in a bit more detail.

This video will show setting up ACLs for a directory. These ACL permissions can be inherited by a parent dirctories. Setting default ACL's for a location is powerful, as it skips the need to always reset user/group permissions after any file operation (e.g. creating new files) and/or go through the hurdle of configuring umask settings.Here is a rundown of the basic commands we're using:

$ getfacl /var/www

  • Get current ACL's for the given directory or file

$ setfacl -R -m u:johndoe:rwx /var/www

  • setfacl - Set ACL
  • -R - Recursive down into files and directories
  • -m - Modifying ACL's (vs removing them)
  • u:johndoe:rwx - The user johndoe will get rwx permissions
  • /var/www - Give these permissions to the /var/www directory (and sub files/dirs, since this is a recursive operation via the -R flag)

$ setfacl -R -m g:www-data:rwx /var/www

The same as above, except:

  • g:www-data:rwx - Allow the group www-data to rwx the /var/www directory

$ setfacl -x g:www-data /var/www

  • -x - Remove ACL's defined for g:www-data at location /var/www

Here are the commands used in the video:

Create the users we'll use:

# Create user jane
root@server $ adduser jane
# Give jane the ability to use "sudo"
root@server $ usermod -a -G sudo jane

# Create user bob
root@server $ adduser bob
# Bob, a user who can deploy web sites,
# is part of group www-data, the same group as
# our website files
root@server $ usermod -a -G www-data bob

We'll ensure files in our web root are of group "www-data". This is not necessary for ACL permissions, but we so do to keep things consistent.

# Ensure the site files have user/group "www-data"
# This is not necessary for ACL's
root@server $ chown -R www-data:www-data /var/www

Start using some ACL basics. Here we give a user permissiont to read/write/execute files and directories using ACLs instead of the classic Linux permissions.

# Check out the ACL's set by default
# These are separate from the usual user/group permissions
root@server $ getfacl /var/www

# Give use jane the ability to rwx web files at
#   directory /var/www
# Technically she wouldn't *need* this,
# since she could use her sudo abilities
root@server $ setfacl -R -m u:jane:rwx /var/www

# Above we set ACL for existing files/dirs
# Here we will recursively (-R) set the
# defaults (-d flag) for future files/dirs
root@server $ setfacl -Rd -m u:jane:rwx /var/www

# Check new permissions added
# (current dir/files and defaults)
root@server $ getfacl /var/www

The previous two commands can be combined to set the defaults and current permissions in one shot: setfacl -R -m u:jane:rwx,d:u:jane:rwx /var/www

Next we give group-based permissions via ACL's to the web files. This is (arguably) more useful, a we can then give any user a secondary group (www-data in this case) to allow them to edit the web files, despite what the owner or group of those files are.

# Add group-based permissions, instead of user-specific
# This allows anyone in group "www-data" (like bob) to
# rwx files in /var/www
# We're setting the defaults here
root@server $ setfacl -R -m g:www-data:rwx /var/www

# Recursively (-R) set the defaults (-d)
for future files/dirs as well
root@server $ setfacl -Rd -m g:www-data:rwx /var/www

# View changes
root@server $ getfacl /var/www

To reiterate: These files/dirs don't need group "www-data" to be editable by bob. ANY USER part of group "www-data" can now edit files/dirs in directory /var/www!

Here are some things worth noting on using ACLs:

# Note to keep setfacl flags/options in two groups
# to avoid errors:
root@server $ setfacl
> Usage: setfacl [-bkndRLP] { -m|-M|-x|-X ... } file ...

Now test our new settings to see how they behave:

# Some testing:
# Jane creates a dir
jane@server $ mkdir -p /var/www/site/styles
# Ensure bob can write to that location:
bob@server $ touch /var/www/site/styles/styles.css

# See the ACL's on new dir - they are inherited from parent dir
# Thanks to ACL defaults set
root@server $ getfacl /var/www/site/styles

# Just to be "clean", make site files all
# part of group www-data. Again, this is
# unnecessary for ACL permissions
root@server $ chgrp -R www-data /var/www

# Set the gid (group id) used for new dirs/files
# in the /var/www directory - new ones will have
# group "www-data" just like their parent directory
#
# This technically isn't necessary, as ACL gorup permissions
# for group "www-data" will function based on the user's assigned
# group rather than the group that is asssigned to the site files
# ...But this is handy to know still
root@server $ chmod -R g+s /var/www

# Laslty, check set permissions
# Note the "s" where you usually see "x"
# in the group permissions
bob@server $ ls -lah /var/www
> drwxrwsr-x 3 www-data www-data 4096 Jan 12 20:34 Site

Notes

All Topics