Linux security - Access Control Lists

mail

ACL

Usage :

ACL support is built in the kernel since the early 2.6 versions and works with the EXTn filesystems (and many others). ACL are based on file extended attributes (= metadata attached to the files).

Preliminary

Before using ACL, we must make sure that :
  1. the kernel supports them : zgrep POSIX_ACL /boot/config* (used to be /proc/config.gz), which may output :
    CONFIG_EXT2_FS_POSIX_ACL=y
    CONFIG_EXT3_FS_POSIX_ACL=y
    CONFIG_EXT4_FS_POSIX_ACL=y
    CONFIG_REISERFS_FS_POSIX_ACL=y
    CONFIG_JFS_POSIX_ACL=y
    CONFIG_XFS_POSIX_ACL=y
    CONFIG_BTRFS_FS_POSIX_ACL=y
    CONFIG_FS_POSIX_ACL=y
    CONFIG_TMPFS_POSIX_ACL=y
    CONFIG_JFFS2_FS_POSIX_ACL=y
    CONFIG_9P_FS_POSIX_ACL=y
  2. the filesystem we're about to play with is mounted with the acl flag (which enables support of the ACL. Just in case : noacl does the opposite) :
    1. check the mount options :
      grep /home /etc/fstab
      /dev/mapper/vg-home	/home	ext4	defaults,noatime	0	2
    2. It's very likely that mount options will only mention defaults, which means use the default mount options as specified by the filesystem itself. So let's view these default mount options (source), as root :
      tune2fs -l $(awk -v filesystem='/home' '$0 ~ filesystem {print $1}' /etc/fstab) | grep 'Default mount options'
      Default mount options:	user_xattr acl

Different types of ACL

Minimal ACL
attributes : owner, group and other only, reflecting the Unix permissions
Extended ACL
  • attributes :
    • owner, group and other attributes (minimal ACL)
    • named user + named group + mask attributes. The named user and named group attributes hold the specific users / groups permissions.
  • Files with extended ACL are displayed with an additional + by ls :
    -rw-r--r--+	1 kevin users	343 2005-02-07 16:53 someFile
Default ACL (details : 1, 2)
  • exist for directories only
  • are access control entries that get inherited by all sub-items of a directory (Do default ACL affect existing files ?)
  • imply extra notions :
    • default ACL : the kind of ACL I'm trying to define here
    • access ACL : ACL entries that define access permissions (i.e. everything else than default ACL). These are prefixed with default: by getfacl (GNU/Linux and Solaris only).

Types of ACL Entries (source)

Entry type Text form
owner user::rwx
named user user:stuart:rwx
owning group group::rwx
named group group:admins:rwx
mask mask::rwx
others other::rwx

Group class permissions (source)

File permissions are usually displayed like :
- rwx rw- r--
where the highlighted bits (the 2nd triad) represent the group class permissions. The group class permissions represent the upper bound of the permissions granted by any entry in the group class :
  • with minimal ACL, the group class only refers to the group attribute, and basically represent the permissions granted to the owning group (traditional Unix permissions)
  • with extended ACL :
    • the group class
      • is the value of the mask attribute
      • works with the named user + named group attributes
    • the effective permissions a member of the group class gets (i.e. either a named user or a named group)
      • are those that are present both in the member permissions and in the mask
      • permissions that are absent in the mask are masked and thus do not take effect
      for a named user for a named group
      group class permissions user:bob:r-x group:developers:r--
      mask mask::rw-
      Effective permissions r-- r--
The owner and other entries are not in the group class : their permissions are always effective and never masked.

Precedence of permissions (sources : 1, 2)

The question of the precedence of the traditional Unix permissions vs ACL is irrelevant since traditional Unix permissions are actually embedded into extended ACL.
When a process requests access to a file system object, 2 actions are triggered :
  1. select the ACL entry that most closely matches the requesting process.
    • ACL entries are looked at in the following order:
      1. owner, based on the process's effective UID
      2. named user, based on the process's effective UID
      3. owning group, named group, based on the process's effective GID
      4. others
    • only a single entry determines access
  2. check if the matching entry contains sufficient permissions

Example :

Read an ACL

getfacl someFile
# file: someFile
# owner: kevin
# group: users
user::rw-
group::r--
mask::rwx
other::r--

modify an ACL : grant user rights

setfacl -m u:bob:rw- file

Do default ACL affect existing files ?

Let's check it :
tmpDir=$(mktemp -d playingWithAcl.XXXX); otherUser='www-data'; mkdir -p "$tmpDir"
echo 'created BEFORE applying default ACL' > "$tmpDir/before"
setfacl -m u:$otherUser:rwx "$tmpDir"
setfacl -d -m u:$otherUser:rwx "$tmpDir"
echo 'created AFTER applying default ACL' > "$tmpDir/after"
getfacl "$tmpDir/"{before,,after}
rm "$tmpDir/"{before,after}; rmdir "$tmpDir"
# file: playingWithAcl.zFLo/before
# owner: bob
# group: developers
user::rw-
group::---
other::---

# file: playingWithAcl.zFLo/
# owner: bob
# group: developers
user::rwx
user:www-data:rwx		effect of setfacl -m u:
group::---
mask::rwx
other::---
default:user::rwx
default:user:www-data:rwx	effect of setfacl -d -m u:
default:group::---		the other default: entries have been copied from the access ACL
default:mask::rwx
default:other::---

# file: playingWithAcl.zFLo/after
# owner: bob
# group: developers
user::rw-
user:www-data:rwx		#effective:rw-	effect of the default ACL. This also displays the effective permissions.
group::---
mask::rw-
other::---
Answer : nope, existing files are not affected when setting default ACL.

Will grandchildren inherit from a default ACL ?

tmpDir=$(mktemp -d baseDirectory.XXXX); otherUser='www-data'; mkdir -p "$tmpDir"
setfacl -m u:$otherUser:rwx "$tmpDir"
setfacl -d -m u:$otherUser:rwx "$tmpDir"
mkdir -p "$tmpDir/child_dir/grandchild_dir"
touch "$tmpDir/child_file"
touch "$tmpDir/child_dir/grandchild_file"
touch "$tmpDir/child_dir/grandchild_dir/grandgrandchild_file"
getfacl "$tmpDir/"{,child_file,child_dir,child_dir/grandchild_file,child_dir/grandchild_dir,child_dir/grandchild_dir/grandgrandchild_file}
[ -d "$tmpDir" ] && rm -r "$tmpDir"
# file: baseDirectory.uA7J/
# owner: matth
# group: matth
user::rwx
user:www-data:rwx				effect of setfacl -m u:
group::---
mask::rwx
other::---
default:user::rwx
default:user:www-data:rwx			effect of setfacl -d -m u:
default:group::---
default:mask::rwx
default:other::---

# file: baseDirectory.uA7J/child_file
# owner: matth
# group: matth
user::rw-
user:www-data:rwx	#effective:rw-	access ACL inherited from baseDirectory.
group::---
mask::rw-
other::---

# file: baseDirectory.uA7J/child_dir
# owner: matth
# group: matth
user::rwx
user:www-data:rwx				access ACL inherited from baseDirectory.
group::---
mask::rwx
other::---
default:user::rwx
default:user:www-data:rwx			default ACL inherited from baseDirectory.
default:group::---
default:mask::rwx
default:other::---

# file: baseDirectory.uA7J/child_dir/grandchild_file
# owner: matth
# group: matth
user::rw-
user:www-data:rwx	#effective:rw-	access ACL inherited from baseDirectory./child_dir
group::---
mask::rw-
other::---

# file: baseDirectory.uA7J/child_dir/grandchild_dir
# owner: matth
# group: matth
user::rwx
user:www-data:rwx				access ACL inherited from baseDirectory./child_dir
group::---
mask::rwx
other::---
default:user::rwx
default:user:www-data:rwx			default ACL inherited from baseDirectory./child_dir
default:group::---
default:mask::rwx
default:other::---

# file: baseDirectory.uA7J/child_dir/grandchild_dir/grandgrandchild_file
# owner: matth
# group: matth
user::rw-
user:www-data:rwx	#effective:rw-	access ACL inherited from baseDirectory./child_dir/grandchild_dir
group::---
mask::rw-
other::---
Once a default ACL is set (to a directory ), it's transmitted :
  • as an access ACL to sub-files
  • as a default ACL to sub-directories, which become a new "source" and are able to transmit it again to their sub-elements.
Answer : yes, grandchildren inherit from a default ACL.