
File Storage NAS:Use POSIX ACLs to control access

Last Updated:Dec 31, 2025

This topic describes how to use Portable Operating System Interface (POSIX) access control lists (ACLs) to manage fine-grained access to files and directories in an NFSv3 file system. An ACL supplements the owner, group, and other permission bits with entries for additional named users and groups, plus a mask entry that caps what those entries can grant. Note that NFSv3 authenticates requests with AUTH_SYS: the file system enforces ACLs against the numeric UIDs and GIDs that the client presents, so the same user and group names must map to the same IDs on every client, and any host that is allowed to mount the file system can present whatever IDs it chooses. Restricting which hosts can mount the file system is therefore part of the access control.

Prerequisites

An NFSv3 file system is mounted. For more information, see Mount an NFS file system on a Linux ECS instance.

Command description

Before you configure POSIX ACLs, familiarize yourself with the following commands.

getfacl <filename>
    Displays the ACL of the specified file or directory.

setfacl -m g::w <filename>
    Sets the entry of the file's owning group to write-only (-w-). The -m option replaces the permission set of the entry with the one you specify; it does not add w to an existing r-x.

setfacl -m u:player:w <filename>
    Adds (or replaces) an entry that gives the user player write-only (-w-) permission.

setfacl -m g:players:rwx <filename>
    Adds (or replaces) an entry that grants read, write, and execute permissions to the players group.

setfacl -x g:players <filename>
    Removes the entry for the players group.

getfacl file1 | setfacl --set-file=- file2
    Copies the ACL of file1 to file2.

setfacl -b file1
    Removes all extended entries (ACEs for named users, named groups, and the mask) from file1. The base entries for the owner, owning group, and others are retained.

setfacl -k file1
    Removes all default entries from file1.

setfacl -R -m g:players:rw dir
    Recursively grants read and write permissions to the players group on dir and on every file and subdirectory below it. Without execute (x) permission the group cannot enter the subdirectories; use rwX (uppercase X) to grant execute only on directories and on files that are already executable.

setfacl -d -m g:players:rw dir1
    Adds a default entry to the directory dir1. Default entries do not change access to dir1 itself; they are inherited by files and subdirectories created in dir1 afterwards, and subdirectories also inherit them as their own default entries.

The mask entry caps the effective permissions of named users, named groups, and the owning group; the owner and others entries are not affected by it. setfacl -m recalculates the mask automatically unless you pass -n, whereas chmod on an object that has a mask changes the mask rather than the owning-group entry. When the mask restricts an entry, getfacl prints the effective permissions next to it as an #effective: comment.

Procedure

Follow these steps to configure POSIX ACLs for access control:

  1. Create users and groups.

    In this example, the users player, admini, and anonym are created, together with the groups players and adminis. The usermod -g command makes players the primary group of player and adminis the primary group of admini. The anonym user belongs to no group that appears in the ACLs.

    sudo useradd player
    sudo groupadd players
    sudo usermod -g players player
    sudo useradd admini
    sudo groupadd adminis
    sudo usermod -g adminis admini
    sudo useradd anonym
  2. Configure POSIX ACLs to control access to files and directories.

    The following commands create a directory named dir0 and configure its ACL with these rules:

    • The players group gets read and execute permissions (r-x).

    • The adminis group gets read, write, and execute permissions (rwx).

    • The owning user and "others" have no permissions (---), and the owning group gets execute only (--x).

    The same rules are then added as default entries (-d) so that files and subdirectories created in dir0 inherit them. All base entries are set explicitly, so the umask of the shell does not matter.

    sudo mkdir dir0
    sudo setfacl -m g:players:r-x dir0
    sudo setfacl -m g:adminis:rwx dir0
    sudo setfacl -m u::--- dir0
    sudo setfacl -m g::--x dir0
    sudo setfacl -m o::--- dir0
    sudo setfacl -d -m g:players:r-x dir0
    sudo setfacl -d -m g:adminis:rwx dir0
    sudo setfacl -d -m u::--- dir0
    sudo setfacl -d -m g::--x dir0
    sudo setfacl -d -m o::--- dir0

    Note that default:user::--- is inherited by every file created in dir0: the user who creates a file becomes its owner with an owner entry of ---. In the POSIX.1e access check the owner entry is evaluated first and group entries are not consulted for the owner, so on a strictly conformant implementation admini would be denied read and write access to files it creates, even though it is a member of adminis. The verification steps below record what this environment returned; check the behavior on your own mount, and if creators must keep access to their own files, give the default owner entry the needed permissions (for example default:user::rw-) instead of ---.

    Run sudo getfacl dir0 to verify the configuration. The mask entry was computed by setfacl as the union of the group-class entries (--x, r-x, and rwx):

    # file: dir0
    # owner: root
    # group: root
    user::---
    group::--x
    group:players:r-x
    group:adminis:rwx
    mask::rwx
    other::---
    default:user::---
    default:group::--x
    default:group:players:r-x
    default:group:adminis:rwx
    default:mask::rwx
    default:other::---
  3. Verify the permissions.

    1. Run the following commands to verify that the admini user can create a file in dir0 and write to it:

      sudo su admini -c 'touch dir0/file'
      sudo su admini -c 'echo 123 > dir0/file'
    2. Verify that the player user has read-only permissions.

      1. Verify that the player user cannot create a file in the dir0 directory. Creating a file requires write and execute permissions on dir0, but players only has r-x.

        • Run the following command:

          sudo su player -c 'touch dir0/file'
        • If output similar to the following is returned, the permission is correctly denied:

          touch: cannot touch 'dir0/file': Permission denied
      2. Verify that the player user has the permissions to view the content of the dir0/file file.

        • Run the following command:

          sudo su player -c 'cat dir0/file'
        • If the command returns the file's content as shown below, the permission is correctly granted:

          123
      3. Verify that the player user does not have the write permissions.

        • Run the following command:

          sudo su player -c 'echo 456 >> dir0/file'
        • If the output is similar to the following information, the player user does not have the write permissions:

          bash: dir0/file: Permission denied

        You can also run the sudo su player -c 'getfacl dir0/file' command to view the permissions that the player user has on the dir0/file file.

        # file: dir0/file
        # owner: admini
        # group: adminis
        user::---
        group::---
        group:players:r-x
        group:adminis:rwx
        mask::rwx
        other::---
    3. Verify that the anonym user does not have permissions on the dir0 directory.

      1. Verify that the anonym user does not have the permissions to view files in the dir0 directory.

        • Run the following command:

          sudo su anonym -c 'ls dir0'
        • If the output is similar to the following information, the anonym user does not have permissions on the dir0 directory:

          ls: cannot open directory dir0: Permission denied
      2. Verify that the anonym user does not have the permissions to view the content of the file.

        • Run the following command:

          sudo su anonym -c 'cat dir0/file'
        • If the output is similar to the following information, the anonym user does not have the permissions to view the content of the file:

          cat: dir0/file: Permission denied
      3. Verify that the anonym user cannot even read the ACL of the file. Reading an ACL does not require read permission on the file itself, but resolving the path dir0/file requires search (x) permission on dir0, which anonym does not have.

        • Run the following command:

          sudo su anonym -c 'getfacl dir0/file'
        • If the output is similar to the following information, the anonym user does not have the permissions to access the file.

          getfacl: dir0/file: Permission denied

Related operations

The following method demonstrates how to revoke a user's permissions.

Grant permissions to groups rather than to individual users whenever possible. Revoking a user's access to an object then only requires removing the user from the group that holds the permissions; the ACL of the object itself does not change. Two caveats apply: a change of group membership only affects processes started afterwards (running sessions keep the group list they had at login, which is why the checks below start fresh processes with su), and group changes do not revoke ownership. The admini user remains the owner of dir0/file; if an owner must lose all rights to an object, change the owner with chown. For example, the following commands move the admini user from the adminis group to a new adminis2 group.

  1. Run the following command to create the adminis2 group:

    sudo groupadd adminis2
  2. Run the following command to remove the admini user from the adminis group and add the user to the adminis2 group:

    sudo usermod -g adminis2 admini
  3. Query the ID information about the user.

    • Run the following command:

      id admini
    • Output similar to the following is returned. The primary group (gid) of admini is now adminis2, and adminis no longer appears in the group list:

      uid=1057(admini) gid=1061(adminis2) groups=1061(adminis2)
  4. Verify the permissions of the admini user.

    1. Verify that the admini user does not have the permissions to access the dir0 directory.

      • Run the following command:

        sudo su admini -c 'ls dir0'
      • If the output is similar to the following information, the admini user does not have the permissions to access the dir0 directory:

        ls: cannot open directory dir0: Permission denied
    2. Verify that the admini user does not have the permissions to view the content of the dir0/file file.

      • Run the following command:

        sudo su admini -c 'cat dir0/file'
      • If the output is similar to the following information, the admini user does not have the permissions to view the content of the dir0/file file:

        cat: dir0/file: Permission denied
    3. Verify that the admini user can no longer read the ACL of the dir0/file file. Although admini still owns the file, the path cannot be resolved without search (x) permission on dir0, which admini lost together with its adminis membership.

      • Run the following command:

        sudo su admini -c 'getfacl dir0/file'
      • If the output is similar to the following information, the admini user does not have the permissions to access the dir0/file file:

        getfacl: dir0/file: Permission denied
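The verification steps in the procedure and in this section check each outcome by hand. The following Python script is an added example, not Alibaba Cloud NAS code: it implements the POSIX.1e access check from acl(5) (owner entry first, then a named-user entry, then any matching owning-group or named-group entry capped by the mask, then other) and runs it against the two getfacl listings shown on this page, so every check in "Verify the permissions" and the revocation in "Related operations" can be predicted before anyone touches the file system. The group list of each user is an assumption supplied by the caller (the kernel takes it from the process credentials), and root's ability to bypass permission bits is not modelled. Note what the strict algorithm says about admini writing to dir0/file: admini owns the file, and the owner entry inherited from default:user::--- is evaluated before any group entry, so a strictly conformant implementation denies the write that the procedure reports as successful.

```python
"""Evaluate POSIX.1e access checks from getfacl output (algorithm from acl(5))."""
from __future__ import annotations

from dataclasses import dataclass, field

PERM_BITS = {"r": 4, "w": 2, "x": 1}

# Access ACLs copied from the getfacl output shown on this page.
DIR0_ACL = """\
# owner: root
# group: root
user::---
group::--x
group:players:r-x
group:adminis:rwx
mask::rwx
other::---
default:user::---
default:group::--x
default:group:players:r-x
default:group:adminis:rwx
default:mask::rwx
default:other::---
"""

FILE_ACL = """\
# owner: admini
# group: adminis
user::---
group::---
group:players:r-x
group:adminis:rwx
mask::rwx
other::---
"""


def to_bits(spec: str) -> int:
    """'r-x' -> 5.  The '-' is optional, as setfacl also accepts 'rw'."""
    return sum(PERM_BITS[c] for c in spec if c in PERM_BITS)


@dataclass
class Acl:
    owner: str = ""
    group: str = ""
    user_obj: int = 0        # user::   owner entry
    group_obj: int = 0       # group::  owning-group entry
    other: int = 0           # other::
    mask: int = 7            # mask::   (7 = no mask entry, so nothing is capped)
    named_users: dict = field(default_factory=dict)
    named_groups: dict = field(default_factory=dict)


def parse_getfacl(text: str) -> Acl:
    """Build an access ACL from getfacl output; '#effective:' notes and 'default:'
    entries are dropped, since defaults only shape newly created objects."""
    acl = Acl()
    for raw in text.splitlines():
        if raw.startswith("# owner:"):
            acl.owner = raw.split(":", 1)[1].strip()
        elif raw.startswith("# group:"):
            acl.group = raw.split(":", 1)[1].strip()
        line = raw.split("#", 1)[0].strip()        # comments and '#effective:' vanish
        if not line or line.startswith("default:"):
            continue
        tag, qualifier, spec = line.split(":")
        bits = to_bits(spec)
        if tag == "user" and qualifier:
            acl.named_users[qualifier] = bits
        elif tag == "user":
            acl.user_obj = bits
        elif tag == "group" and qualifier:
            acl.named_groups[qualifier] = bits
        elif tag == "group":
            acl.group_obj = bits
        elif tag == "mask":
            acl.mask = bits
        elif tag == "other":
            acl.other = bits
        else:
            raise ValueError(f"unknown ACL entry: {line!r}")
    return acl


def check_access(acl: Acl, user: str, groups: set[str], want: str) -> bool:
    """True if `user` (primary plus supplementary `groups`) is granted every
    permission in `want`, e.g. 'r' or 'wx'.  CAP_DAC_OVERRIDE is not modelled."""
    w = to_bits(want)
    if user == acl.owner:                         # 1. owner: user:: decides, unmasked
        return w & ~acl.user_obj == 0
    if user in acl.named_users:                   # 2. named user, capped by the mask
        return w & ~(acl.named_users[user] & acl.mask) == 0
    candidates = [acl.named_groups[g] for g in groups if g in acl.named_groups]
    if acl.group in groups:
        candidates.append(acl.group_obj)
    if candidates:                                # 3. group class: any one matching
        return any(w & ~(c & acl.mask) == 0 for c in candidates)   # entry may grant
    return w & ~acl.other == 0                    # 4. other::, unmasked


def check_file_in_dir0(user: str, groups: set[str], want: str) -> bool:
    """Resolving dir0/file needs search (x) on dir0 before the file's own ACL
    counts; that is why even getfacl fails for users shut out of dir0."""
    return (check_access(parse_getfacl(DIR0_ACL), user, groups, "x")
            and check_access(parse_getfacl(FILE_ACL), user, groups, want))


if __name__ == "__main__":
    dir0 = parse_getfacl(DIR0_ACL)
    print("admini creates in dir0:", check_access(dir0, "admini", {"adminis"}, "wx"))
    print("admini (adminis2) lists dir0:", check_access(dir0, "admini", {"adminis2"}, "r"))
    for who, grp, want in [("player", "players", "r"), ("player", "players", "w"),
                           ("anonym", "anonym", "r"), ("admini", "adminis", "w")]:
        print(f"{who} {want} on dir0/file:", check_file_in_dir0(who, {grp}, want))
```

Run the script directly for a printout, or feed parse_getfacl the real getfacl output of a path and call check_access with the user's id -Gn output to predict access before changing anything. If the prediction and the behavior of the mounted file system disagree, the server is not applying the entries the way POSIX.1e specifies, and the ACL should be designed around the behavior you actually observe.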