1 00:00:07,350 --> 00:00:08,730 - In this video I wanna tell you 2 00:00:08,730 --> 00:00:10,743 about file access control lists. 3 00:00:11,640 --> 00:00:13,710 So file access control lists 4 00:00:13,710 --> 00:00:17,490 or short ACLs allow administrators to grant permissions 5 00:00:17,490 --> 00:00:20,670 to more than one user and or more than one group. 6 00:00:20,670 --> 00:00:24,240 It's a solution for the problem that in Linux security 7 00:00:24,240 --> 00:00:26,340 a file can have one user who is owner 8 00:00:26,340 --> 00:00:28,020 one group that is owner. 9 00:00:28,020 --> 00:00:30,720 But how are you going to deal with the situation 10 00:00:30,720 --> 00:00:32,910 where the user owner need to read, write 11 00:00:32,910 --> 00:00:37,320 and one specific user needs read access for instance. 12 00:00:37,320 --> 00:00:39,453 That is why we have access control lists. 13 00:00:40,320 --> 00:00:43,980 ACLs are supported by all modern file systems as a default 14 00:00:43,980 --> 00:00:46,380 so you don't need to do anything anymore 15 00:00:46,380 --> 00:00:49,980 and you can use getfacl to show current ACL settings. 16 00:00:49,980 --> 00:00:53,730 Setfacl is used to manage ACLs. 17 00:00:53,730 --> 00:00:57,570 ACLs may be used in different situations, for instance 18 00:00:57,570 --> 00:01:00,270 in a shared user environment where one user 19 00:01:00,270 --> 00:01:01,950 or group needs full access to files 20 00:01:01,950 --> 00:01:05,130 and other users or groups need read-only access. 21 00:01:05,130 --> 00:01:07,440 Or in a developer environment where a developer 22 00:01:07,440 --> 00:01:12,003 may require access to documents like server document root. 23 00:01:13,050 --> 00:01:14,730 So how do we manage them? 24 00:01:14,730 --> 00:01:17,700 Well there is getfacl which you can use 25 00:01:17,700 --> 00:01:19,767 to see current ACL settings 26 00:01:19,767 --> 00:01:22,143 and setfacl to manage the ACLs. 27 00:01:23,220 --> 00:01:24,240 Then there is a difference 28 00:01:24,240 --> 00:01:26,640 between the regular ACL which will take care of 29 00:01:26,640 --> 00:01:28,830 all the currently existing files. 30 00:01:28,830 --> 00:01:31,140 And the default ACL you will take care 31 00:01:31,140 --> 00:01:33,270 of all new files that you will be creating 32 00:01:33,270 --> 00:01:34,473 from that moment on. 33 00:01:35,490 --> 00:01:40,200 One recommendation, use ACLs as an infrastructural solution. 34 00:01:40,200 --> 00:01:41,910 They should be configured on directories 35 00:01:41,910 --> 00:01:43,500 before you start to work with files 36 00:01:43,500 --> 00:01:47,640 in these directories so that you can set default ACLs 37 00:01:47,640 --> 00:01:50,580 and all the files that you will create from that moment on 38 00:01:50,580 --> 00:01:54,240 will get the the appropriate ACL permissions. 39 00:01:54,240 --> 00:01:55,353 Let me demonstrate. 40 00:01:59,160 --> 00:02:01,560 So to do this demo I need to create a group, 41 00:02:01,560 --> 00:02:06,560 groupadd, account, and I need to create directory. 42 00:02:06,990 --> 00:02:11,990 Mkdir -p /data /sales. 43 00:02:13,830 --> 00:02:15,470 And we also need a sales group. 44 00:02:15,470 --> 00:02:17,970 So groupadd sales. 45 00:02:17,970 --> 00:02:20,010 Now I'm taking care of the basic permissions 46 00:02:20,010 --> 00:02:21,270 on the directory. 47 00:02:21,270 --> 00:02:26,270 So that would be chgrp sales on data sales. 48 00:02:28,380 --> 00:02:31,200 To make the group sales owner of the directory. 49 00:02:31,200 --> 00:02:36,200 And chmod like 770 on data sales. 50 00:02:37,380 --> 00:02:39,900 Let's do an ls - ld on data sales 51 00:02:39,900 --> 00:02:42,243 to monitor the current settings. 52 00:02:43,080 --> 00:02:44,100 And there we go. 53 00:02:44,100 --> 00:02:46,800 So as you can see, the group sales is group owner. 54 00:02:46,800 --> 00:02:48,651 We don't care about user owner. 55 00:02:48,651 --> 00:02:52,380 Permission mode is set to 770. 56 00:02:52,380 --> 00:02:54,360 Now I'm going to create a couple of files. 57 00:02:54,360 --> 00:02:58,973 So touch /data/sales/file 58 00:03:00,249 --> 00:03:02,749 1..10. 59 00:03:04,740 --> 00:03:07,770 And again ls-ld on data sales. 60 00:03:07,770 --> 00:03:09,690 And there we can see all of these sales. 61 00:03:09,690 --> 00:03:12,180 Good. Now I'm going to take care of my ACL. 62 00:03:12,180 --> 00:03:17,180 So setfacl -R for recursive -M for modify 63 00:03:17,340 --> 00:03:22,340 g:account: r uppercase X on data sales. 64 00:03:24,780 --> 00:03:27,730 In case you are thinking the uppercase X is not a typo 65 00:03:28,650 --> 00:03:32,580 because if you do a recursive access control lists 66 00:03:32,580 --> 00:03:35,250 then you need the execute permission to be set 67 00:03:35,250 --> 00:03:37,230 on sub directories but not on files 68 00:03:37,230 --> 00:03:39,783 and that's exactly what the uppercase X is doing. 69 00:03:41,910 --> 00:03:44,100 Without the uppercase X you will now see 70 00:03:44,100 --> 00:03:46,080 an execute permission on all of these files. 71 00:03:46,080 --> 00:03:49,710 You don't want that but we have the uppercase X. 72 00:03:49,710 --> 00:03:52,380 We did not have any sub directories here 73 00:03:52,380 --> 00:03:54,120 but in case we would have sub directories 74 00:03:54,120 --> 00:03:56,520 and the sub directory will be read executable 75 00:03:56,520 --> 00:03:58,230 for the account group. 76 00:03:58,230 --> 00:03:59,310 Good. 77 00:03:59,310 --> 00:04:02,280 Now we are going to investigate. 78 00:04:02,280 --> 00:04:07,230 Getfacl on data sales file1 79 00:04:08,340 --> 00:04:09,510 and what do we see? 80 00:04:09,510 --> 00:04:12,300 Well we see that the group account has reached permissions 81 00:04:12,300 --> 00:04:14,790 and that's exactly what we wanted. 82 00:04:14,790 --> 00:04:17,940 Now let's take care of the default ACL assignment. 83 00:04:17,940 --> 00:04:21,033 That will be setfacl -m d: 84 00:04:22,350 --> 00:04:27,203 g:account: rx on data sales. 85 00:04:28,650 --> 00:04:29,820 Now what is the result? 86 00:04:29,820 --> 00:04:33,540 Well the result is that if I am going to create a new file, 87 00:04:33,540 --> 00:04:37,330 touch/data/sales/newfile 88 00:04:38,970 --> 00:04:43,593 and then I'm using a getfacl on newfile. 89 00:04:45,990 --> 00:04:49,830 Then you can see the default ACL has been applied. 90 00:04:49,830 --> 00:04:54,420 So new file has the group account with read and execute. 91 00:04:54,420 --> 00:04:57,210 Now in the default ACL you don't need an uppercase X 92 00:04:57,210 --> 00:04:59,790 because the default ACL comes with a mask 93 00:04:59,790 --> 00:05:01,980 and the mask is automatically filtering out 94 00:05:01,980 --> 00:05:03,480 the execute permission. 95 00:05:03,480 --> 00:05:06,060 And that is why group account effectively 96 00:05:06,060 --> 00:05:07,830 has read permissions on the file 97 00:05:07,830 --> 00:05:10,893 that I just created and that's how it works.