Filesystem/Access Control List Guide

= Access Control List - ACL = ACLs are one of the more important feature required by current enterprise or co-operate needs. They facilitate more control over files above User, Group and Other POSIX Basic ACL.

POSIX Basic ACL
Some example on ls -al /var/log

As you might know for example

drwxr-xr-x 2 apache  apache       135 Dec 11 17:48 apache2

What is missing?

1. What happens if more than one user needs control of this directory?

A: We cannot, but you can add these users to the "apache" group. Problem is, these users will have access to everything the "apache" group has access.

2. What happens if we need one more group to have read/write access to this directory but no other users?

A: We cannot, but in the same way we can add all the other group users and the "apache" user to another group and let them have access to said group. But what happens if you want to make this group read-only and not write?

POSIX Basic ACL has its limitations and so we introduce "extended ACL" which fixes many issues.

= Kernel Options = We need to enable each filesystem to support extended access control from the kernel before the application can use it.

You can enable the one(s) you need:

Ext2 ACL

Ext3 ACL

Ext4 ACL

ReiserFS ACL

JFS ACL

XFS ACL

Save your changes and recompile your kernel and boot from it.

= Emerge sys-apps/acl = We should now emerge the acl tools so what we can start using ACL.

= ext2/3/4 /etc/fstab with ACL Support = Some filesystems like xfs enable extended ACL by default when mounted.

Some filesystems like ext2/ext3/ext4 and reiserfs require extra mount options to enable extended ACL. Just add the acl options in your fstab

/etc/fstab

remount the partition with the acl option and we are done.

= Running extended ACL = How do we know that extended ACL is running correctly? You will be able to do the following:
 * Set/Modify ACL
 * Get/Read ACL
 * ACL Mask

Set/Modify ACL
To set ACL we need to run setfacl command. You can read the man page for setfacl for more options

To add username to have read, write and execute on

To add username to have +write access on

To add default user access right to read and write on folder

To add groupname to have read, write and execute on

To add groupname to have recursive +execute on

To add default group access right to read and write on folder

Get/Read ACL
To get ACL we need to run getfacl command. You can read the man page for getfacl for more options

To get acl on

Remove ACL
To remove ACL are simple.

Remove all ACL on /testfiles

Remove default ACL on testfolder

Which files/folder are with ACL?
How do you know that your files is with ACL without running getfacl on all files?

Luckily ls will show you a + sign if it had ACL.

Notice the + Sign on apache2 and also named?