Skip to main content

POSIX ACLs in Linux

By May 27, 2019September 12th, 2022No Comments

As a system administrator in Linux, it will not take you long to realize that permissions managed only using the file mode become very limiting. The mode of a file allows for a single user, one group and everyone else, that is it. Many Linux systems are single-user systems acting as a service appliance so it does not have to be all bad, however, if you are using the system as some form a shared server or file-server it is likely that you will need to expand the mode using POSIX ACLs, or Access Control Lists.

The support for POSIX ACLs in Linux has grown in recent years and most filesystems and Kernel support them nowadays.

POSIX ACLsWe can see from the previous graphic that by checking the Kernel configuration we see the ACL support.

We have two commands getfacl to read ACLs and setfacl  to manage ACLs. We can use ACLs to better secure our system. We can remove rights granted to others and ensure new files have permissions granted to the user or groups who need them.

Securing the Web Server Document Root Using ACLs

In this example we will look at installing the Apache Web Server on CentOS and ensuring that the file are secured correctly.

Install Apache

$ sudo yum install -y httpd

The permissions are weak be default on the DocumentRoot /var/www/html. The web server relies on permissions granted to others:

$ ls -ld /var/www/html/
drwxr-xr-x. 2 root root 24 Apr 24 14:46 /var/www/html/

We can alter the ownership and permissions to tighten the security. We also add the *sticky bit* on the directory, ensuring files can only be deleted by their owner.

$ sudo chgrp nobody /var/www/html
$ sudo chmod 1770 /var/www/html
$ sudo ls -ld /var/www/html
drwxrwx--T. 2 root nobody 24 Apr 24 14:46 /var/www/html

At this stage the web server does not have access to the web content.

Adding the ACL

We need to ensure that the directory is accessible to the web server. We can do this through the group or user associated with the server. Adding the group to the default ACL and the directory ACL.

$ sudo setfacl -m d:g:apache:r--,g:apache:r-x /var/www/html
$ sudo getfacl /var/www/html
getfacl: Removing leading '/' from absolute path names
# file: var/www/html
# owner: root
# group: nobody
# flags: --t

NOTE: The *sticky bit*, or any of the special permissions, show in the *flags* section in the comments. Very quickly we have configured the ACL to ensure more secure access to the DocumentRoot. We have removed permissions from others and ensure new files have permissions assigned to the web server group, *apache* on CentOS systems.

For full details take a look at my latest PDF