As a system administrator in Linux, it will not take you long to realize that permissions managed only through the file mode become very limiting. The mode of a file allows for a single user, one group and everyone else, and that is it. Many Linux systems are single-user systems acting as a service appliance, so this does not have to be all bad; however, if you are using the system as some form of shared server or file server, it is likely that you will need to extend the mode using POSIX ACLs, or Access Control Lists.
Reading this 18-page A4 document you will learn:
- The limitations of the file mode
- ACLs available in Linux
- Determining support for POSIX ACLs
- Listing ACLs using getfacl
- Setting default ACLs in directories using setfacl
- Setting ACLs on files
- The ACL Mask and the File Mode
- The Group nogroup/nobody
- Removing individual ACEs or the complete ACL
- Securing a Web Server DocumentRoot Using POSIX ACLs
The UNIX file mode dates back to the beginnings of UNIX and was never designed for enterprise file sharing. The mode only allows for a single user, a single group, and everyone else. To work around this you can keep creating groups to meet new needs within the file-system. Even so, this does not cater for the case where one group requires read access and another group requires read-write access to the same file or directory. All in all, if you are trying to share file-systems with many users on Linux, the mode is a problem. ACLs overcome these limitations, allowing more users and more groups to be added as principals.
We are talking about Linux, so there is never going to be just a single ACL to choose from: we have at least 3 🙂 In this module we look at POSIX ACLs.
POSIX ACLs require kernel modules to work with both the ACL and the target file-system. ACL support also needs to be enabled when the file-system is mounted. The mount option is built in to the XFS file-system and is a default mount option in EXT4, so this is not a major issue. POSIX Access Control Lists allow more than one user or group to have the same or different permissions on a file resource. We can also set default permissions, allowing new files or directories to inherit them from the parent directory. These features make the ACL a very powerful and useful tool.
NFSv4 ACLs are not part of the file-system and are independent of it. They work on exported NFS directories, or shares. If you are not accessing the file-system using the NFSv4 protocol, the ACL is not applied. That said, they are designed for the NFS server and exported file-systems, so this should not be surprising or an issue.
Like the NFSv4 ACLs, the CIFS ACLs do NOT apply to a local file-system but are used when you are accessing the file-system via a Samba share.
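To see how an access ACL, its mask and a default ACL fit together before the later sections, here is an added example (not code from the original article) that parses the text format `getfacl` prints and works out the permissions each principal actually receives once the mask is applied. The sample output, the path /srv/www and the names alice and developers are constructed for illustration.

```python
# Added example: parse getfacl(1) output and compute effective permissions.
# SAMPLE_GETFACL is constructed; the path and principal names are hypothetical.
SAMPLE_GETFACL = """\
# file: /srv/www
user::rwx
user:alice:rwx
group::r-x
group:developers:rw-
mask::r-x
other::---
default:user::rwx
default:group::r-x
default:group:developers:rwx
default:mask::rwx
"""

def parse_getfacl(text):
    """Return a list of (is_default, tag, qualifier, perms) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drops '# file:' headers and '#effective:' notes
        if not line:
            continue
        fields = line.split(':')
        is_default = fields[0] == 'default'   # 'default:' prefix marks the default ACL
        fields = fields[1:] if is_default else fields
        if len(fields) != 3:
            raise ValueError(f'malformed ACL entry: {raw!r}')
        entries.append((is_default, *fields))  # tag, qualifier, perms
    return entries

def _intersect(a, b):
    """Bitwise AND of two rwx strings, e.g. 'rwx' & 'r-x' -> 'r-x'."""
    return ''.join(x if x == y else '-' for x, y in zip(a, b))

def effective_permissions(entries, default=False):
    """Map 'tag:qualifier' -> effective perms for the access ACL (default=False) or the
    default ACL (default=True). The mask caps named users, named groups and the owning group."""
    acl = [e for e in entries if e[0] == default]
    mask = next((perms for _, tag, _, perms in acl if tag == 'mask'), None)
    effective = {}
    for _, tag, qualifier, perms in acl:
        if tag == 'mask':
            continue
        masked = tag == 'group' or (tag == 'user' and qualifier != '')  # owner and other are exempt
        effective[f'{tag}:{qualifier}'] = _intersect(perms, mask) if masked and mask else perms
    return effective
```

Running `effective_permissions(parse_getfacl(SAMPLE_GETFACL))` shows alice holding only r-x despite her rwx entry, because the mask of r-x caps every named entry; the default ACL, with a mask of rwx, passes the developers' rwx through unchanged.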