Use and Enable ACLs on Oracle Linux
Introduction
Access Control Lists (ACLs) provide access control to directories and files. ACLs can set read, write, and execute permissions for the owner, group, and all other system users.
An ACL consists of a set of rules that specify how a specific user or group can access ACL enabled files and directories. A regular ACL entry specifies access information for a single file or directory. A default ACL entry is set on directories only, and specifies the default access information for any file within the directory that does not have an access ACL.
When setting a default ACL on a directory, its subdirectories inherit the same rights automatically. ACLs can be used with the btrfs, ext3, ext4, OCFS2, and XFS file systems, as well as mounted NFS file systems.
Objectives
- Check file system ACL support
- Use
setfaclandgetfaclcommands to add and display ACL rules
Requirements
A system with an available disk and a fully patched installation of Oracle Linux.
Setup Lab Environment
Note: When using the free lab environment, see Oracle Linux Lab Basics for connection and other usage instructions.
If not already connected, open a terminal and connect via ssh to the ol-node01 instance.
ssh oracle@<ip_address_of_instance>Verify the block volumes exist.
sudo lsblk -fThe output for the free lab environment shows two block devices:
sda, which contains the base OS, andsdb, which this lab uses. Using the-foption displays the file system type (FSTYPE) and the blocks universally unique identifier (UUID).
Mount the File System with ACL Support
Create a mount point directory.
sudo mkdir /testVerify ACL support exists.
Oracle Linux file systems such as
ext4,btrfs, andxfsenable the acl mount option as a default. On anext4file system such as/dev/sdb1, verify this withtune2fs.sudo tune2fs -l /dev/sdb1 | grep -i aclExample Output:
[oracle@ol-node01 ~]$ sudo tune2fs -l /dev/sdb1 | grep -i acl Default mount options: user_xattr aclMount the disk with ACL support.
If the file system does not have the acl mounting option enabled by default, then pass
-o aclwhen using themountcommand. Since/dev/sdb1usesext4, this option is already on by default.sudo mount -t ext4 /dev/sdb1 /testTo make this mount point persistent across reboots, add it to the fstab file.
MYUUID=$(sudo blkid | grep UUID= | grep sdb1 | awk '{ print $2 }') echo "$MYUUID /test ext4 defaults 0 0" | sudo tee -a /etc/fstab > /dev/nullVerify the file system mount exists.
df -T | grep sdb1The output shows the ext4 file system
/dev/sdb1exists at mount point/test.
Use ACL Functionality
Try creating a file under the new mount point.
touch /test/file1Example Output:
touch: cannot touch '/test/file1': Permission deniedThe command fails because the
oracleuser does not have permission to create files in the/testdirectory.Get the directory's ACL information.
sudo getfacl /testExample Output:
[oracle@ol-node01 ~]$ sudo getfacl /test getfacl: Removing leading '/' from absolute path names # file: test # owner: root # group: root user::rwx group::r-x other::r-xAdd an ACL rule to the directory.
sudo setfacl -m u:oracle:rwx /testThe rule grants read, write, and execute permissions to the
oracleuser.Check the directory's updated ACL information.
sudo getfacl /testExample Output:
getfacl: Removing leading '/' from absolute path names # file: test # owner: root # group: root user::rwx user:oracle:rwx group::r-x mask::rwx other::r-xThe output shows the newly added
user:oracle:rwxline.Show the long listing format of just the directory.
ls -ld /testExample Output:
drwxrwxr-x+ 3 root root 4096 Jul 13 20:48 /testThe permissions shown in the output include a plus sign (
+) indicating the inclusion of an ACL.Try creating the file again.
touch /test/file1The command should succeed this time.
Confirm the creation of the file.
ls -l /test
Check out the man getfacl or man setfacl pages for additional options and examples.
For More Information
See other related resources: