Now since we are on the topic of assigning permissions to files and directories, and changing groups and ownership, we have to look into Access Control Lists as well. An Access Control List is another layer, or I would say a top layer or additional layer, that runs on top of your permissions, which allows you to assign permission per user. So what is ACL? ACL stands for access control list, which provides an additional, more flexible permission mechanism for file systems. It is designed to assist with UNIX file permissions. ACL allows you to give permission for any user or group to any disk resources.

The use of ACL, what is the purpose? Think of a scenario in which a particular user is not a member of a group created by you. So let's say you create a user ABC, and it's not a member of the group root, but you still want to give some read or write access. How can you do it without making the user a member of the group? And that's where we have Access Control Lists, which will help us do it. So let me put it in very simple words one more time. Let's say you have a file that is created by root, and you want to allow a user to read that file. Now that user is a regular user, not part of the group root, and you want that user to read that file. So of course, one way to do it is you change the read permission of others, the last three bits, so others can read it. But then everyone else could read that. But we only want one user to read it instead of all other users. That is why we only give permission to that particular user using ACL. Hope that clarifies.

So basically, ACLs are used to make a flexible permission mechanism in Linux. From the Linux man pages, ACLs are used to define more fine-grained, discretionary access rights for files and directories. The commands to assign and remove ACL permissions are setfacl and getfacl. So set file ACL, get file ACL. getfacl will give you the information about the existing permissions of a file, and setfacl will allow you to set them the way you want. Let's look at a few examples.

Here is the list of commands for setting up ACLs. To add permission for a user, you have to run the command setfacl with the -m option to modify, u for user, and then you have to separate it with colons. Here user is the user name, in my case it will be iafzal, and then a colon, and the permission that you want to give that user. And then of course the last part is the file name, which file do you want to give the permission to. Make sure you specify the complete absolute path. To add permission for a group, you can also allow the permissions to a specific group. So again, if you give permission, let's say read permission, to the group, that middle three bits, then every group in your Linux system can read it. But what if you only want one group to read it? Right, that could be a problem. So then again, access lists, Access Control Lists, come to the rescue. And to add that group, to allow it to read or write that specific file, you have to set with g, and the group name, and the permissions. To allow all files or directories to inherit ACL entries from the directory, meaning cascading, it will be set with the -dm option, an entry, whatever you want to put in, and the name of the file or directory. Sorry, of course, the directory, because you want to cascade; a file cannot have a file within itself. So that's why a directory will have to have that. To remove a specific entry, you will have to do setfacl with -x to remove it, and then you have to specify the user and the name of the file. This is only for a specific user. Now let's say you want to remove all the ACL permissions from everyone, then you have to do setfacl with the -b option and the name of the file.

A couple of things that you need to remember. One is, as you assign the ACL permission to a file or directory, you will see that it will add a plus sign at the end of the permission. So when you run ls -l, the first column, which shows you the permissions, adds the plus sign at the end of it, which shows that it has an ACL assigned to it. The second thing is setting the w permission with ACL does not allow you to remove a file, so you could modify the file, edit the file, but you cannot delete that file. That is something where the user still keeps the permission to delete it to itself. So now let's get into a Linux machine, and we'll try a couple of these commands, to learn how we could set ACL permissions on a file that is owned by someone else.

Okay, I am logged in as root. And of course, you can always check that root has the pound or hash sign. But again, always make sure, make sure you are on the right computer. And I am on my right machine. I am in my tmp directory, and I'm going to create a file. Let's say I'm going to call it Texas, and I'm going to pick just tx as an acronym. Let's make sure it is created and has a write permission. As you can see, it is created, owned by root, and owned by group root. And the owner can read and write, the group can only read, and others can only read. If you do getfacl on the file, you will see more information. Again: file is this, owner, group, the user permission, group permission, other permission. Now comes the part where you want to allow everyone, sorry, where you want to allow only iafzal to write to that file. Then iafzal, as you know, counts or is considered as others, right? iafzal falls in this category. So if you give write here, if you give that permission as w right here, then what will happen? Everyone else can write to that file. So again, I hope you understand what I'm getting at.

So to overcome this problem, so that only one user can modify that file, you will assign it with setfacl. So do setfacl -m to modify your permissions, u for user, who's the user, iafzal, and what permission you want to give: you want to give read and write. And the name of the file would be tmp, and the file name is tx. But before we run it, I just wanted to go in and start, sorry, not this, I want to go in and start a duplicate session and log in as iafzal.

Right now if I do cd /tmp and cat tx, there is nothing in there. By the way, first of all, sorry, not cat, because everyone could read it, so I shouldn't have a problem. But what if I want to edit it, so vi tx. It says at the bottom right here: readonly. So even if I put in something, hello, or whatever you want to put, and save it, it will tell me I can't open it, it's not editable, I do not have permission. So I cannot do it. When I run this command, getfacl, sorry, setfacl, with iafzal, with read as well and write as well for that file, hit Enter. Now to verify if it actually has set those permissions, you do getfacl /tmp/tx, and you will see right here, it says user iafzal has the right to modify it. Now if I do vi tx now, you see I do not have that same error that I was getting before; I could just put in anything I want. Hellow TX, oops, Hello TX. Save it. And it lets me save it. And when I do cat on tx, I am able to do that. So that's why these ACLs are so important to assign that specific permission to a specific user.

Same thing if you want to do that group assignment to the permission, you would run the same command, but instead of u, you put in g, and hit enter. And when you do getfacl, you will see now group iafzal also can modify this file. So if a user is part of my group, they could actually go in and modify the file. Going to number four, the number three one is to actually assign those permissions and cascade down to every file and directory, which is very simple. So I'll jump right into number four. To remove that specific permission, I will have to do setfacl -x, and what are you taking out? You're taking out the user iafzal's permission. And for that you have to type the file name, run getfacl, and you'll see that the iafzal user is gone. But what if you want to remove everything, not just the user, but every permission for every user or every group? Then you will have to run the command setfacl with the -b option. And now when you do getfacl, you'll see it's back to its original state. That's how it works.

And when I said you cannot delete, even though I do have the right permission to write to the file, edit the file, I cannot delete that. So if I do rm tx, by the way, I have to give the permission back again. This is the permission. Let's verify it again. Yes, I do have permission to read and write to it. So if I try to remove it, it will say Operation not permitted. So the reason I'm including that is I don't want you to waste your time by, you know, trying to delete that file and thinking, hey, I do have the right permission, but why can I not delete it? The reason is that ACL does not put that in there, so it only gives a right to only that user, just in case by accident that user deletes a file. So that's how the ACL permission works. It's very granular, and it goes down to the user level. And again, one more time, the reason it was built or introduced into the Unix or Linux environment is so we could assign permission to the user, not to every user but to a specific user. So try it out, try it on different files, try it on different directories, see how the directory works as well, how it could change the files if you could log in, cd into the directory by giving specific access to a user.
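As an added example (not part of the lecture), the following Python script parses a constructed getfacl listing like the one the lecturer reads back for /tmp/tx and applies the POSIX ACL check order from acl(5) to answer who may read or write the file; it also shows the mask entry, which getfacl prints but the lecture does not discuss, capping what named-user and group entries can grant. The user name iafzal and the path /tmp/tx come from the lecture; the listing text and the other user names are made up here.

```python
from dataclasses import dataclass

# Constructed getfacl-style output for /tmp/tx after the lecture's
# `setfacl -m u:iafzal:rw /tmp/tx` (the text is made up here, not captured).
SAMPLE_GETFACL = """\
# file: tmp/tx
# owner: root
# group: root
user::rw-
user:iafzal:rw-
group::r--
mask::rw-
other::r--
"""

@dataclass
class Acl:
    owner: str
    group: str
    entries: dict  # (tag, qualifier) -> set of permission letters

def parse_getfacl(text: str) -> Acl:
    """Parse getfacl output: header comments give owner/group, other lines are tag:qualifier:perms."""
    acl = Acl("", "", {})
    for line in text.splitlines():
        if line.startswith("# owner:"):
            acl.owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            acl.group = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            tag, qualifier, perms = line.split(":")  # e.g. user:iafzal:rw-
            acl.entries[(tag, qualifier)] = {c for c in perms if c in "rwx"}
    return acl

def effective_rights(acl: Acl, user: str, groups: set) -> set:
    """acl(5) check order: owner, named user, owning/named groups, other; mask caps named-user and group entries."""
    mask = acl.entries.get(("mask", ""), set("rwx"))
    if user == acl.owner:
        return acl.entries[("user", "")]
    if ("user", user) in acl.entries:
        return acl.entries[("user", user)] & mask
    matched, granted = False, set()
    if acl.group in groups:
        matched, granted = True, acl.entries[("group", "")] & mask
    for g in groups:
        if ("group", g) in acl.entries:
            matched, granted = True, granted | (acl.entries[("group", g)] & mask)
    # A matching group entry decides the outcome; 'other' only applies when none matched.
    return granted if matched else acl.entries[("other", "")]
```

The check covers rights on the file itself; whether a file can be deleted is decided by write permission on the directory that contains it, which an ACL on the file does not change.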