Use and Enable ACLs on Oracle Linux
Introduction
Access Control Lists (ACLs) provide access control to directories and files. ACLs can set read, write, and execute permissions for the owner, group, and all other system users.
An ACL consists of a set of rules that specify how a specific user or group can access ACL-enabled files and directories. A regular ACL entry specifies access information for a single file or directory. A default ACL entry is set on directories only and specifies the default access information for any file within the directory that does not have an access ACL.
When setting a default ACL on a directory, its subdirectories inherit the same rights automatically. You can use ACLs with the btrfs, ext3, ext4, OCFS2, and XFS file systems, as well as mounted NFS file systems.
Objectives
In this tutorial, you'll learn how to:
- Check file system ACL support
- Use setfacl and getfacl commands to add and display ACL rules
Prerequisites
Minimum of one Oracle Linux system
Each system should have Oracle Linux installed and configured with:
- A non-root user account with sudo access
- Access to the Internet
- An additional block device
Deploy Oracle Linux
Note: If running in your own tenancy, read the linux-virt-labs GitHub project README.md and complete the prerequisites before deploying the lab environment.
Open a terminal on the Luna Desktop.
Clone the linux-virt-labs GitHub project.
git clone https://github.com/oracle-devrel/linux-virt-labs.git
Change into the working directory.
cd linux-virt-labs/ol
Install the required collections.
ansible-galaxy collection install -r requirements.yml
Deploy the lab environment.
ansible-playbook create_instance.yml -e localhost_python_interpreter="/usr/bin/python3.6" -e add_block_storage=true -e block_count=1
The free lab environment requires the extra variable localhost_python_interpreter, which sets ansible_python_interpreter for plays running on localhost. This variable is needed because the environment installs the RPM package for the Oracle Cloud Infrastructure SDK for Python, located under the python3.6 modules.
The default deployment shape uses the AMD CPU and Oracle Linux 8. To use an Intel CPU or Oracle Linux 9, add -e instance_shape="VM.Standard3.Flex" or -e os_version="9" to the deployment command.
Important: Wait for the playbook to run successfully and reach the pause task. At this stage of the playbook, the installation of Oracle Linux is complete, and the instances are ready. Take note of the previous play, which prints the public and private IP addresses of the nodes it deploys and any other deployment information needed while running the lab.
Connect and Format a Block Device
Open a terminal and connect via SSH to the ol-node-01 instance.
ssh oracle@<ip_address_of_instance>
Verify the block volumes exist.
sudo lsblk
The command output shows two block devices: sda and sdb.
Create a 2G partition on sdb.
sudo sfdisk /dev/sdb << EOF
2048,4194304
EOF
Warning: The sfdisk command creates a new partition on sdb while removing any existing partitions. Ensure you back up the drive if it contains any data you want to keep.
Format the new partition.
sudo mkfs.ext4 /dev/sdb
Answer yes at the prompt, and wait for it to complete.
Mount the File System with ACL Support
Create a mount point directory.
sudo mkdir /test
Verify ACL support exists.
Oracle Linux file systems such as ext4, btrfs, and xfs enable the acl mount option as a default. On an ext4 file system such as /dev/sdb, verify this with tune2fs.
sudo tune2fs -l /dev/sdb | grep -i acl
Example Output:
[oracle@ol-node01 ~]$ sudo tune2fs -l /dev/sdb | grep -i acl
Default mount options:    user_xattr acl
Mount the disk with ACL support.
If the file system does not have the acl mount option enabled by default, then pass -o acl when using the mount command. Since /dev/sdb uses ext4, this option is already on by default.
sudo mount -t ext4 /dev/sdb /test
To make this mount point persistent across reboots, add it to the fstab file.
MYUUID=$(sudo blkid | grep UUID= | grep sdb | awk '{ print $2 }')
echo "$MYUUID /test ext4 defaults 0 0" | sudo tee -a /etc/fstab > /dev/null
Verify the file system mount exists.
df -T | grep sdb
The output shows the ext4 file system /dev/sdb exists at mount point /test.
Use ACL Functionality
Try creating a file under the new mount point.
touch /test/file1
Example Output:
touch: cannot touch '/test/file1': Permission denied
The command fails because the oracle user does not have permission to create files in the /test directory.
Get the directory's ACL information.
sudo getfacl /test
Example Output:
[oracle@ol-node01 ~]$ sudo getfacl /test
getfacl: Removing leading '/' from absolute path names
# file: test
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
Add an ACL rule to the directory.
sudo setfacl -m u:oracle:rwx /test
The rule grants read, write, and execute permissions to the oracle user.
Check the directory's updated ACL information.
sudo getfacl /test
Example Output:
getfacl: Removing leading '/' from absolute path names
# file: test
# owner: root
# group: root
user::rwx
user:oracle:rwx
group::r-x
mask::rwx
other::r-x
The output shows the newly added user:oracle:rwx line.
Show the long listing format of just the directory.
ls -ld /test
Example Output:
drwxrwxr-x+ 3 root root 4096 Jul 13 20:48 /test
The permissions shown in the output include a plus sign (+) indicating the inclusion of an ACL.
Try creating the file again.
touch /test/file1
The command should succeed this time.
Confirm the creation of the file.
ls -l /test
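As an added example that is not part of the Oracle tutorial, the following Python script parses getfacl output like the listings above and applies the acl(5) access check (owner, then named user, then group class, then other), including the mask entry that caps the named user:oracle entry. The BEFORE and AFTER inputs are constructed to mirror the two listings; the user and group names passed to acl_permits are assumptions.

```python
def perms(s):  # permission string such as 'r-x' -> set of granted bits {'r', 'x'}
    return {c for c in s if c in "rwx"}

def parse_getfacl(text):
    """Parse getfacl output into {'owner', 'owning_group', 'user', 'group', 'mask', 'other'}."""
    acl = {"user": {}, "group": {}, "mask": None, "other": set()}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("getfacl:"):
            continue  # blank line, or the "Removing leading '/'" notice
        if line.startswith("#"):  # headers: '# file:', '# owner:', '# group:'
            key, _, value = line[1:].partition(":")
            if key.strip() in ("owner", "group"):
                acl["owning_group" if key.strip() == "group" else "owner"] = value.strip()
            continue
        entry = line.split("#", 1)[0].strip()  # drop any '#effective:' annotation
        if entry.startswith("default:"):
            continue  # default entries shape new children; they do not govern this object
        tag, qualifier, p = entry.split(":", 2)
        if tag in ("user", "group"):
            acl[tag][qualifier] = perms(p)  # '' qualifier = owner / owning-group entry
        elif tag in ("mask", "other"):
            acl[tag] = perms(p)
    return acl

def acl_permits(acl, user, groups, wanted):
    """acl(5) check order: owner, then named user, then group class, then other.
    groups: every group the user belongs to; wanted: e.g. 'wx' to create a file."""
    want = perms(wanted)
    mask = acl["mask"] if acl["mask"] is not None else perms("rwx")  # no mask: no cap
    if user == acl["owner"]:
        return want <= acl["user"][""]  # owner entry is never masked
    if user in acl["user"]:
        return want <= (acl["user"][user] & mask)  # named user, capped by mask
    matched = [p & mask for g, p in acl["group"].items() if (g or acl["owning_group"]) in groups]
    if matched:  # group class decides; no fall-through to 'other'
        return any(want <= p for p in matched)
    return want <= acl["other"]

# Constructed inputs mirroring the tutorial's getfacl output before and after setfacl.
BEFORE = """getfacl: Removing leading '/' from absolute path names
# file: test
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
"""
AFTER = BEFORE.replace("group::r-x", "user:oracle:rwx\ngroup::r-x\nmask::rwx")
```

Creating a file needs w and x on the directory, so acl_permits(parse_getfacl(BEFORE), "oracle", {"oracle"}, "wx") is False and the same call on AFTER is True; lowering the mask to r-x makes the named entry ineffective again, which is what getfacl's #effective: annotation warns about.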
Check out the man getfacl or man setfacl pages for additional options and examples.
Next Steps
You should now be able to confirm whether a file system supports the use of ACLs, as well as to use the setfacl and getfacl commands to add and display ACL rules. Check out our other content on the Oracle Linux Training Station.