LinuxQuestions.org


m223464 03-07-2012 10:43 AM

ACLs work on my CentOS server without enabling on the file system as documented
 
Hi,

I'm trying to teach myself Linux using the RHCSA/RHCE Redhat Linux Certification Guide. I'm working through the section on ACLs and I'm not experiencing the behaviour on my CentOS server as described in the guide and would appreciate someone's guidance on this please.

The guide states "Before a file or directory can be configured with ACLs, you need to mount the associated filesystem with the same attribute."
e.g.

Code:

# mount -o remount -o acl /dev/sda3 /home

# mount|grep acl
/dev/sda3 on /home type ext4 (rw,acl)

Whilst exploring this feature I have been able to set ACLs on directories and files in filesystems that haven't been mounted with the acl option, for example:

Code:

[root@test ~]# pwd
/root

[root@test ~]# df -h .
Filesystem Size Used Avail Use% Mounted on
/dev/vda5 6.0G 1.8G 3.9G 32% /

[root@test ~]# getfacl /root
getfacl: Removing leading '/' from absolute path names
# file: root
# owner: root
# group: root
user::r-x
group::r-x
other::---

[root@test ~]# mount|grep acl

[root@test ~]# setfacl -m u:gareth:rwx /root

[root@test ~]# getfacl /root
getfacl: Removing leading '/' from absolute path names
# file: root
# owner: root
# group: root
user::r-x
user:gareth:rwx
group::r-x
mask::rwx
other::---

[root@test ~]# su - gareth

[gareth@test ~]$ ls -l /root
total 36
-rw-------. 1 root root 991 Mar 1 19:35 anaconda-ks.cfg
-rw-r--r--. 1 root root 107 Mar 1 19:38 ifcfg-eth0.dhcp
-rw-r--r--. 1 root root 203 Mar 1 20:46 ifcfg-eth0.static
-rw-r--r--. 1 root root 16375 Mar 1 19:34 install.log
-rw-r--r--. 1 root root 5658 Mar 1 19:31 install.log.syslog
[gareth@test ~]$ logout

[root@test ~]# setfacl -b /root

[root@test ~]# getfacl /root
getfacl: Removing leading '/' from absolute path names
# file: root
# owner: root
# group: root
user::r-x
group::r-x
other::---

Is anyone able to offer any guidance on this? I've trawled the internet and already searched this forum but can't get an answer.

Regards

Gareth

elfenlied 03-07-2012 09:44 PM

Are you trying this inside a KVM virtual machine? There just seem to be some inconsistencies in your post, like:

Code:

# mount -o remount -o acl /dev/sda3 /home

# mount|grep acl
/dev/sda3 on /home type ext4 (rw,acl)

But then you're seeing vd* devices later on.

Code:

[root@test ~]# df -h .
Filesystem Size Used Avail Use% Mounted on
/dev/vda5 6.0G 1.8G 3.9G 32% /

Can you just do a mount and post the output of that?

m223464 03-08-2012 04:54 AM

Apologies if the discrepancy between the examples caused confusion. Yes, I am using a KVM VM; however, the first example was from the study guide I'm using. Here's some more output to show what I'm experiencing:

Code:

# df -h .
Filesystem Size Used Avail Use% Mounted on
/dev/vda5 6.0G 1.8G 3.9G 31% /

# mount
/dev/vda5 on / type ext4 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
tmpfs on /dev/shm type tmpfs (rw,rootcontext="system_u:object_r:tmpfs_t:s0")
/dev/vda1 on /boot type ext4 (rw)
/dev/vda3 on /home type ext4 (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)

# setfacl -m u:gareth:rwx /root

# getfacl /root
getfacl: Removing leading '/' from absolute path names
# file: root
# owner: root
# group: root
user::r-x
user:gareth:rwx
group::r-x
mask::rwx
other::---

zhjim 03-08-2012 05:06 AM

I don't know where the ACLs are stored, but just because you can set them and get them does not mean that they are active.

Did you try to access the /root directory with the user gareth? Did it succeed?

elfenlied 03-08-2012 06:01 AM

In the output of your "mount" command, none of the mount points were mounted with the acl option turned on. So my question would be: the partition where /root lives, has it been mounted with the -o remount,acl option before?

Do the ACLs actually work? I know you can set them and get them, but are they actually doing what they say they should? I.e., while logged in as gareth, can you do a "cd /root; ls"?

Just read the post above mine, we pretty much said the same thing.

Reuti 03-08-2012 06:14 AM

With tune2fs you can define defaults which are used during mount. Does the output of:

Code:

# tune2fs -l /dev/sda3 | grep -i acl

show it? In this case it doesn't need to be used on the command line or in /etc/fstab.

m223464 03-08-2012 08:28 AM

Problem solved.

Thanks for everyone's responses. As Reuti mentions, some file systems have acl enabled by default, as is the case on my system.

Code:

# tune2fs -l /dev/vda5
tune2fs 1.41.12 (17-May-2010)
Filesystem volume name:  <none>
Last mounted on:          /
Filesystem UUID:          e980b2e3-9753-406e-9fb2-ce1ec068f455
Filesystem magic number:  0xEF53
Filesystem revision #:    1 (dynamic)
Filesystem features:      has_journal ext_attr resize_inode dir_index filetype needs_recovery extent flex_bg sparse_super large_file huge_file uninit_bg dir_nlink extra_isize
Filesystem flags:        signed_directory_hash
Default mount options:    user_xattr acl
.
.
.

So despite it not being listed as enabled when I run mount, it is actually enabled.

I tried setting an ACL on a filesystem that didn't have ACLs enabled by default and I got this error:

Code:

# setfacl -m u:test:rwx /acltest
setfacl: /acltest: Operation not supported
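
The check this thread arrives at, written out as an added example (not part of any poster's reply): ACL state is decided from both the option list that `mount` prints and the "Default mount options" line of `tune2fs -l`. The function names are hypothetical, the `noacl` branch goes beyond what the thread tested, and the sample text is constructed from the output quoted above; it assumes an ext filesystem behaving as on the system in this thread.

```shell
#!/bin/sh
# Added example: report whether POSIX ACLs are in effect on an ext filesystem.
# Inputs: the option list mount(8) prints in parentheses, and `tune2fs -l` text.

# Print the value of the "Default mount options:" line from tune2fs -l on stdin.
default_mount_opts() {
    sed -n 's/^Default mount options:[[:space:]]*//p'
}

# has_opt LIST OPT: succeed if OPT is a whole entry in a comma- or
# space-separated LIST (so "noacl" never matches a search for "acl").
has_opt() {
    list=$(printf '%s' "$1" | tr ' ' ',')
    case ",$list," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# acl_state MOUNT_OPTS TUNE2FS_TEXT
# An explicit mount option wins; otherwise the superblock default applies.
acl_state() {
    defaults=$(printf '%s\n' "$2" | default_mount_opts)
    if has_opt "$1" noacl; then
        echo "disabled (noacl mount option)"
    elif has_opt "$1" acl; then
        echo "enabled (mount option)"
    elif has_opt "$defaults" acl; then
        echo "enabled (superblock default)"
    else
        echo "disabled"
    fi
}

# Constructed sample input, modelled on the tune2fs output quoted in the thread.
SAMPLE_ROOT='Filesystem flags:         signed_directory_hash
Default mount options:    user_xattr acl'
# Constructed sample for a filesystem created later with no defaults set.
SAMPLE_NODEFAULT='Filesystem flags:         signed_directory_hash
Default mount options:    (none)'

# "/" in the thread: mount shows only (rw), yet ACLs are active.
acl_state "rw" "$SAMPLE_ROOT"
# A filesystem with no default and no mount option: setfacl would be refused.
acl_state "rw" "$SAMPLE_NODEFAULT"
```

On a live system the two arguments would be the parenthesised options from `mount` for that mount point and the output of `tune2fs -l` for its device.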


ryran 03-10-2012 08:35 AM

Glad someone posted the answer.
For as long as I can remember, Anaconda (the installer for RHT distros) has embedded the acl option in all the filesystems it creates.

Aside: If you're learning Linux via Red Hat, you should really take advantage of Red Hat's expansive documentation in the form of guides, e.g. the Installation Guide, the Deployment Guide, etc. (Oddly enough though, tune2fs isn't mentioned there, despite being covered in Red Hat's training courses.)

chrism01 03-15-2012 09:20 PM

Actually, it does mention in one of the RHEL manuals that by default ACLs are enabled on all disks present at INSTALLATION time.
Any other disks added (or created if using e.g. LVMs) will NOT have ACLs enabled by default.
tune2fs is indeed the tool to check.
Even if 'acl' is mentioned in fstab, it doesn't actually have to be enabled; it's just a wish list.. :)

ryran 03-18-2012 11:12 PM

Quote:

Originally Posted by chrism01 (Post 4627917)
Actually, it does mention in one of the RHEL manuals...

I'm going to assume you're referring to the materials that go along with Red Hat's training courses. And of course you'd be right. (For two years I taught RHEL classes for RHT.) What I said still stands though -- Red Hat's training course materials aren't freely available and the awesome guides at docs.redhat.com (or at least the ones I linked to) don't mention anything about this aspect of ACLs, surprisingly.

