In this video, Kevin Dankwardt describes and demonstrates the getfacl and setfacl commands. We use ACLs to give a user more or fewer permissions on files. We also see how to remove ACLs.
- [Instructor] Access control lists are another mechanism for permission on files and directories. It's finer control than the usual owner group other rwx stuff, because you can give access to, for example, individual users. That's different than other. So the file system needs to support this. And when you mount the file system, you can have the option to have it enforce the ACLs.
This is pretty common, and even NFS supports ACLs. So when you have an ACL set for a user on a file, that's what they get, not the other sort of permission. So there are access ACLs for a specific file or directory that says, for example, this user is given this permission. An ACL on a directory that's default, means that things in that directory will inherit that ACL automatically.
And so you can set per user, per group, or you can set a mask, which will limit the ACLs that can be set. To find out what the ACLs are on something, use getfacl. So here we did it on some file newdate.txt. And it has kind of comments there: file, owner, and group. And then it gives the user and group, and there's a mask set, saying we can't do more than rw, and other has nothing.
And student has special permissions. The user student. You set ACLs with setfacl. So here, we're setting read for tester on myfile. So that's what tester will have. If other does not have read access, tester still gets that. So that's specific to the user tester. That's the permissions they're going to get.
So let's do a couple examples with getfacl and setfacl. So let's see what happens when we add an ACL for a user to have r or read access, when ordinarily other doesn't have read access to see if you can get more permissions with an ACL than the default. And then let's try the other way. We'll set an ACL for a user, where they don't have read access, even though other normally does.
And then we'll look at removing ACLs. You can undo what you did. So I am user guest here. If we do a list on a file called shadow, that's where your hashed-up passwords are stored. Passwords aren't actually stored in etc password; they're normally in etc shadow. And look, there's like no permissions for anybody on that file. Although root has a special case where they don't have to have permissions.
So root can look at that, but guest can't. I try to do a head to look at the beginning of that file, for example, right, I get permission denied. So let's become root so that we can set an ACL. Let's check the ACLs on shadow. There's no special ACLs set right now. It's just the usual user, group, other, and just like ls minus l showed us, there's nothing set there.
So let's set an ACL for guest to have read permission on shadow. We do a long list and it shows an r in the middle there. And if we do a getfacl, it shows user guest as an r and then it set the mask there to r's.
So it looks like guest should be able to read it. So let's exit out of our sudo there. And I show I'm guest again. Let's try to do a head on etc shadow. Sure enough, I'm allowed to do that. There you go, there's the hash for my root password. So if you want to crank away for years and years, you can maybe figure out what that hashed from. So let's go back, be root. And let's double check the ACL.
And now, let's do minus x for guest to remove the special ACL for guest. And then we'll do a getfacl, right. So it's gone. And then we try to do the head again. And now we can't again. So there we go, we set an access where we had more than other had.
Alright, so we can look at the password file. And okay, so we tried to set just nothing. And it says that's incomplete. Here we set execute, that's an unusual permission. And if we getfacl etc password, it says guest has just x.
Although other ordinarily has read. So let's see if guest is going to be able to read the password file. No, so with the ACLs, we have different permissions than other. Other can read it, but guest, in particular, can only do x. So you can give someone more or fewer permissions with the ACLs.
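As an added example (not code from the video or from Kevin Dankwardt), here is a small Python model of the two rules the demos rely on: a named-user ACL entry decides for that user instead of "other", and the mask caps every entry except the owner's and other's. It runs over constructed getfacl listings modelled on the shadow and passwd demos above; the file names, users and groups are assumptions, not captured output.

```python
# Effective POSIX ACL permission from getfacl output: a named-user entry beats "other"; the mask caps all but owner/other.
# Constructed listings: /etc/shadow after `setfacl -m u:guest:r`, /etc/passwd after `setfacl -m u:guest:x`.
SHADOW_ACL = """\
# file: etc/shadow
# owner: root
# group: shadow
user::rw-
user:guest:r--
group::r--
mask::r--
other::---
"""
PASSWD_ACL = """\
# file: etc/passwd
# owner: root
# group: root
user::rw-
user:guest:--x
group::r--
mask::r-x
other::r--
"""

def parse_getfacl(text):
    """(header, entries): header maps file/owner/group; entry = (tag, qualifier, set of 'rwx' chars)."""
    header, entries = {}, []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            header[key.strip()] = value.strip()
        else:  # drop a trailing "#effective:..." note before splitting the entry
            tag, qualifier, perms = line.split("#")[0].split(":", 2)
            entries.append((tag, qualifier, {c for c in perms if c in "rwx"}))
    return header, entries

def effective_perms(text, user, groups=()):
    """Permissions `user` (member of `groups`) gets, in POSIX ACL check order: owner, named user, groups, other."""
    header, entries = parse_getfacl(text)
    find = lambda tag, q: next((p for t, qq, p in entries if (t, qq) == (tag, q)), None)
    mask = next((p for t, q, p in entries if t == "mask"), set("rwx"))  # no mask entry: nothing is capped
    if user == header.get("owner"):
        return find("user", "")             # owner entry is never masked
    named = find("user", user)
    if named is not None:
        return named & mask                 # a named user never falls through to "other"
    matched = [p for t, q, p in entries if t == "group"
               and ((q == "" and header.get("group") in groups) or q in groups)]
    if matched:
        return set().union(*matched) & mask
    return find("other", "")
```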