LinuxQuestions.org
Old 03-07-2012, 10:43 AM   #1
m223464
LQ Newbie
 
Registered: Jul 2007
Posts: 10

Rep: Reputation: 1
ACLs work on my CentOS server without enabling on the file system as documented


Hi,

I'm trying to teach myself Linux using the RHCSA/RHCE Redhat Linux Certification Guide. I'm working through the section on ACLs and I'm not experiencing the behaviour on my CentOS server as described in the guide and would appreciate someone's guidance on this please.

The guide states "Before a file or directory can be configured with ACLs, you need to mount the associated filesystem with the same attribute."
e.g.
# mount -o remount -o acl /dev/sda3 /home

# mount|grep acl
/dev/sda3 on /home type ext4 (rw,acl)
Whilst exploring this feature I have been able to set acls on directories and files in filesystems that haven't been mounted with the acl option, for example:
[root@test ~]# pwd
/root

[root@test ~]# df -h .
Filesystem Size Used Avail Use% Mounted on
/dev/vda5 6.0G 1.8G 3.9G 32% /

[root@test ~]# getfacl /root
getfacl: Removing leading '/' from absolute path names
# file: root
# owner: root
# group: root
user::r-x
group::r-x
other::---

[root@test ~]# mount|grep acl

[root@test ~]# setfacl -m u:gareth:rwx /root

[root@test ~]# getfacl /root
getfacl: Removing leading '/' from absolute path names
# file: root
# owner: root
# group: root
user::r-x
user:gareth:rwx
group::r-x
mask::rwx
other::---

[root@test ~]# su - gareth

[gareth@test ~]$ ls -l /root
total 36
-rw-------. 1 root root 991 Mar 1 19:35 anaconda-ks.cfg
-rw-r--r--. 1 root root 107 Mar 1 19:38 ifcfg-eth0.dhcp
-rw-r--r--. 1 root root 203 Mar 1 20:46 ifcfg-eth0.static
-rw-r--r--. 1 root root 16375 Mar 1 19:34 install.log
-rw-r--r--. 1 root root 5658 Mar 1 19:31 install.log.syslog
[gareth@test ~]$ logout

[root@test ~]# setfacl -b /root

[root@test ~]# getfacl /root
getfacl: Removing leading '/' from absolute path names
# file: root
# owner: root
# group: root
user::r-x
group::r-x
other::---
Is anyone able to offer any guidance on this? I've trawled the internet and already searched this forum but can't get an answer.

Regards

Gareth
 
Old 03-07-2012, 09:44 PM   #2
elfenlied
Member
 
Registered: Dec 2004
Posts: 83

Rep: Reputation: 8
Are you trying this inside a KVM virtual machine? There just seem to be some inconsistencies in your post like:

Code:
# mount -o remount -o acl /dev/sda3 /home

# mount|grep acl
/dev/sda3 on /home type ext4 (rw,acl)
But then you're seeing vd* devices later on.

Code:
[root@test ~]# df -h .
Filesystem Size Used Avail Use% Mounted on
/dev/vda5 6.0G 1.8G 3.9G 32% /
Can you just do a mount and post the output of that?
 
Old 03-08-2012, 04:54 AM   #3
m223464
LQ Newbie
 
Registered: Jul 2007
Posts: 10

Original Poster
Rep: Reputation: 1
Apologies if the discrepancy between the examples caused confusion. Yes I am using a KVM VM, however, the first example was from the study guide I'm using. Here's some more output to show what I'm experiencing:

# df -h .
Filesystem Size Used Avail Use% Mounted on
/dev/vda5 6.0G 1.8G 3.9G 31% /

# mount
/dev/vda5 on / type ext4 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
tmpfs on /dev/shm type tmpfs (rw,rootcontext="system_u:object_r:tmpfs_t:s0")
/dev/vda1 on /boot type ext4 (rw)
/dev/vda3 on /home type ext4 (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)

# setfacl -m u:gareth:rwx /root

# getfacl /root
getfacl: Removing leading '/' from absolute path names
# file: root
# owner: root
# group: root
user::r-x
user:gareth:rwx
group::r-x
mask::rwx
other::---
 
Old 03-08-2012, 05:06 AM   #4
zhjim
Senior Member
 
Registered: Oct 2004
Distribution: Debian Squeeze x86_64
Posts: 1,452
Blog Entries: 11

Rep: Reputation: 182
I don't know where the acl's are stored but just because you can set them and get them it does not mean that they are active.

Did you try to access the /root directory with the user gareth? Did it succeed?
 
Old 03-08-2012, 06:01 AM   #5
elfenlied
Member
 
Registered: Dec 2004
Posts: 83

Rep: Reputation: 8
In the output of your "mount" command none of the mount points were mounted with the acl option turned on. So my question would be, the partition where /root lives, has it been mounted with the -o remount,acl option before?

Do the acls actually work? I know you can set them and get them but are they actually doing what they say they should? I.e. while logged in as gareth can you do a "cd /root; ls"?

Just read the post above mine, we pretty much said the same thing.
 
Old 03-08-2012, 06:14 AM   #6
Reuti
Senior Member
 
Registered: Dec 2004
Location: Marburg, Germany
Distribution: openSUSE 13.1
Posts: 1,320

Rep: Reputation: 252
With tune2fs you can define defaults which are used during mount. Does the output of:
Code:
# tune2fs -l /dev/sda3 | grep -i acl
show it? In this case it doesn’t need to be used on the command line or in /etc/fstab.
 
1 members found this post helpful.
Old 03-08-2012, 08:28 AM   #7
m223464
LQ Newbie
 
Registered: Jul 2007
Posts: 10

Original Poster
Rep: Reputation: 1
Problem solved.

Thanks for everyone's responses. As Reuti mentions some file systems have acl enabled by default as is the case on my system.

Code:
# tune2fs -l /dev/vda5
tune2fs 1.41.12 (17-May-2010)
Filesystem volume name:   <none>
Last mounted on:          /
Filesystem UUID:          e980b2e3-9753-406e-9fb2-ce1ec068f455
Filesystem magic number:  0xEF53
Filesystem revision #:    1 (dynamic)
Filesystem features:      has_journal ext_attr resize_inode dir_index filetype needs_recovery extent flex_bg sparse_super large_file huge_file uninit_bg dir_nlink extra_isize
Filesystem flags:         signed_directory_hash 
Default mount options:    user_xattr acl
.
.
.
So despite it not being listed as enabled when I run mount, it is actually enabled.

I tried setting an acl on a filesystem that didn't have acls enabled by default and I got this error:

Code:
# setfacl -m u:test:rwx /acltest
setfacl: /acltest: Operation not supported
 
1 members found this post helpful.
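The check this thread converges on, as an added example that is not part of any post: ACL support on ext2/3/4 can come from an explicit mount option or from the default mount options stored in the superblock, so `mount` output alone is not enough. The function names and the two sample `tune2fs -l` excerpts are constructed for illustration, and the precedence of an explicit `noacl` option is an assumption based on the ext4 mount options.

```shell
#!/bin/sh
# Added example (not from the thread): report whether POSIX ACLs are active on
# an ext2/3/4 mount and where the setting comes from.

# Read `tune2fs -l` output on stdin, print the "Default mount options:" value.
superblock_defaults() {
    sed -n 's/^Default mount options:[[:space:]]*//p' | head -n 1
}

# has_opt OPT LIST: succeed if OPT is a whole entry in a comma/space separated
# list, so "acl" does not match inside "noacl".
has_opt() {
    case " $(printf '%s' "$2" | tr ',' ' ') " in
        *" $1 "*) return 0 ;;
    esac
    return 1
}

# acl_state MOUNT_OPTS SUPERBLOCK_DEFAULTS
# Assumption: an explicit noacl mount option overrides the superblock default.
acl_state() {
    if has_opt noacl "$1"; then
        echo "disabled (noacl mount option)"
    elif has_opt acl "$1"; then
        echo "enabled (mount option)"
    elif has_opt acl "$2"; then
        echo "enabled (superblock default)"
    else
        echo "disabled"
    fi
}

# Constructed samples modelled on the tune2fs output format shown in the thread.
SAMPLE_WITH_ACL='Filesystem flags:         signed_directory_hash
Default mount options:    user_xattr acl'
SAMPLE_WITHOUT_ACL='Filesystem flags:         signed_directory_hash
Default mount options:    (none)'

demo() {
    d=$(printf '%s\n' "$SAMPLE_WITH_ACL" | superblock_defaults)
    echo "/         mount opts 'rw': $(acl_state rw "$d")"
    d=$(printf '%s\n' "$SAMPLE_WITHOUT_ACL" | superblock_defaults)
    echo "/acltest  mount opts 'rw': $(acl_state rw "$d")"
}
demo
```

On a live system, run as root, the same functions take real input: `acl_state "$(findmnt -no OPTIONS /)" "$(tune2fs -l /dev/vda5 | superblock_defaults)"`.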
Old 03-10-2012, 08:35 AM   #8
ryran
LQ Newbie
 
Registered: Dec 2011
Location: Abu Dhabi
Distribution: Fedora
Posts: 19

Rep: Reputation: Disabled
Glad someone posted the answer.
For as long as I can remember, Anaconda (the installer for RHT distros) has embedded the acl option in all the filesystems it creates.

Aside: If you're learning linux via Red Hat, you should really take advantage of Red Hat's expansive documentation in the form of guides, e.g. the Installation Guide, the Deployment Guide, etc. (Oddly enough though, tune2fs isn't mentioned there, despite being covered in Red Hat's training courses.)
 
Old 03-15-2012, 09:20 PM   #9
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5, Centos 5.10
Posts: 16,287

Rep: Reputation: 2034
Actually, it does mention in one of the RHEL manuals, that by default ACLs are enabled on all disks present at INSTALLATION time.
Any other disks added (or created if using eg LVMs), will NOT have ACLs enabled by default.
tune2fs is indeed the tool to check.
Even if 'acl' is mentioned in fstab, it doesn't actually have to be enabled; it's just a wish list.
 
Old 03-18-2012, 11:12 PM   #10
ryran
LQ Newbie
 
Registered: Dec 2011
Location: Abu Dhabi
Distribution: Fedora
Posts: 19

Rep: Reputation: Disabled
Quote:
Originally Posted by chrism01
Actually, it does mention in one of the RHEL manuals...
I'm going to assume you're referring to the materials that go along with Red Hat's training courses. And of course you'd be right. (For two years I taught RHEL classes for RHT.) What I said still stands though -- Red Hat's training course materials aren't freely available and the awesome guides at docs.redhat.com (or at least the ones I linked to) don't mention anything about this aspect of ACLs, surprisingly.
 
  

