An access control list is a list of permissions attached to an object. The list specifies who or what is allowed to access the object and which operations may be performed on it. Linux has an implementation of POSIX filesystem ACLs, which allows for more fine-grained security than the discretionary access control (owner/group/other permission bits) that standard Unix offers. This is quite useful in some deployments, such as WebDAV folders, where users may have both filesystem and WebDAV access to the same folders.
To enable POSIX ACLs on ext3 filesystems, the filesystem must be mounted with the acl option, e.g. in /etc/fstab
/dev/xvda1 / ext3 defaults,acl 0 0
You can remount the root filesystem to support POSIX ACLs via
mount -o remount,rw,acl /
Once POSIX ACLs have been enabled on your filesystem, you can use the ACL utilities getfacl and setfacl. They are provided by the acl package, which you can install on your server.
setfacl modifies the access control list of files:
root@staff:~# setfacl -m u:www-data:rwx data
This adds read, write and execute permission bits on the file "data" for the www-data user.
A summary of options that can be passed to setfacl is as follows:
-m modify file permissions
-M modify directory permissions
-x remove file permissions
-X remove directory permissions
Examples found in the man page are as follows:
Granting an additional user read access
setfacl -m u:lisa:r file
Revoking write access from all groups and all named users
setfacl -m m::rx file
Removing a named group entry from a file's ACL
setfacl -x g:staff file
getfacl lists the access control list of files, e.g.
root@staff:~# getfacl data
# file: data
# owner: root
# group: root
user::rwx
user:www-data:rwx
group::r-x
mask::rwx
other::r-x
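As an added example (not code from the original page), the following POSIX shell script parses getfacl output, constructed inline, and computes each entry's effective permissions by applying the mask. This is why the man page example setfacl -m m::rx revokes write access from named users and groups even though their own entries still read rwx. The sample ACL text and the function names are assumptions.

```shell
#!/bin/sh
# Constructed sample of getfacl output for a directory after
#   setfacl -m u:www-data:rwx data   (grant www-data full access)
#   setfacl -m m::rx data            (then tighten the mask to r-x)
SAMPLE_ACL='# file: data
# owner: root
# group: root
user::rwx
user:www-data:rwx
group::r-x
mask::r-x
other::r-x'

# effective_perms PERMS MASK: keep only the bits of PERMS that are also set in
# MASK, e.g. "rwx" under mask "r-x" becomes "r-x" (the value getfacl shows
# in its "#effective:" column).
effective_perms() {
    perms=$1; mask=$2; out=""; i=1
    while [ "$i" -le 3 ]; do
        p=$(printf '%s' "$perms" | cut -c"$i")
        m=$(printf '%s' "$mask" | cut -c"$i")
        if [ "$p" != "-" ] && [ "$p" = "$m" ]; then out="$out$p"; else out="$out-"; fi
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# acl_effective: reads getfacl output on stdin and prints one line per entry as
# tag:qualifier:perms:effective. The mask caps named users, named groups and
# the owning group; the owner (user::), other:: and mask:: itself are exempt.
acl_effective() {
    text=$(cat)
    mask=$(printf '%s\n' "$text" | sed -n 's/^mask::\(...\).*/\1/p')
    [ -n "$mask" ] || mask=rwx          # no mask entry means nothing is capped
    printf '%s\n' "$text" | while IFS=: read -r tag qual rest; do
        case "$tag" in ''|'#'*) continue ;; esac   # blank and "# file:" lines
        perms=$(printf '%s' "$rest" | cut -c1-3)   # drop any "#effective:" note
        case "$tag:$qual" in
            user:|other:|mask:) eff=$perms ;;
            *)                  eff=$(effective_perms "$perms" "$mask") ;;
        esac
        printf '%s:%s:%s:%s\n' "$tag" "$qual" "$perms" "$eff"
    done
}

# Stand-alone run: www-data keeps an rwx entry but can effectively only r-x.
printf '%s\n' "$SAMPLE_ACL" | acl_effective
```

When auditing a server, pipe the real getfacl output of a directory into acl_effective instead of the constructed sample; an entry whose perms and effective columns differ is one the mask is silently restricting.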