09-10-2015, 07:25 AM
|
#1
|
LQ Newbie
Registered: Sep 2011
Posts: 4
Rep:
|
Does a regular Linux installation in fact use any ACLs in any file/dir?
First, Hi to all!
As the title says, I wonder if the usual (in my case Ubuntu 14.04 LTS) Linux installation root does in fact use any of the possible ACL extensions in any of its files/dirs.
I ask this because I usually use tar to backup the entire root (in offline) with a command like this (root mode):
# tar -cpS --numeric-owner --anchored --exclude={dev,proc,sys,run,tmp}/\* !(lost+found) | pigz > /mydir/myroot.tar.gz
But lately I have "surfed" the ACL argument and reading the fact that tar doesn't read them I wonder if in fact the regular linux install scenario really uses them or not.
So I would not need any alternative to tar, which I would like to avoid if I can...
Anyway I need to store the FS in a file, so rsync isn't an option.
Thank you
|
|
|
09-10-2015, 09:26 AM
|
#2
|
LQ Guru
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,831
|
By default file ACLs are not in use - they're usually something you turn on to do more granular permission controls than is allowed by the standard file modes (see chmod).
It appears tar will store ACL information if you use the --acls flag:
--acls this option causes tar to store each file’s ACLs in the archive.
FYI:
The term ACL is used in other contexts (e.g. in BIND and Apache configuration) so may not always refer to the file ACLs which you appear to be questioning.
|
|
|
09-10-2015, 11:56 AM
|
#3
|
LQ Guru
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, CentOS
Posts: 5,573
|
I can't speak for Ubuntu, but OpenSUSE does use ACLs by default in /var/log/journal.
|
|
|
09-10-2015, 02:14 PM
|
#4
|
LQ Newbie
Registered: Sep 2011
Posts: 4
Original Poster
Rep:
|
Nice to hear. Now I guess that, for safety, I should set up a command line with "getfacl" to get those ACLs which aren't redundant to basic user/permission assignments.
I mean not redundant, as I see that "getfacl" normally also outputs the standard Unix ones.
|
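One way to get the filter described in post #4, as an added example that is not part of any post in this thread: it reads `getfacl` output and lists only the paths whose ACL goes beyond the base `user::`/`group::`/`other::` entries. The function names and the sample dump (including the journal path placeholder) are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads getfacl output on stdin and prints each path that has
# at least one entry beyond the base user::/group::/other:: triple, i.e.
# information that the plain mode bits from ls -l do not carry.
# (getfacl -s / --skip-base applies the same filter at scan time; this
# version also works on a dump that was saved earlier.)
extended_acl_files() {
    awk '
        /^# file: / { path = substr($0, 9); reported = 0; next }
        /^#/ || NF == 0 { next }            # other header lines, blank separators
        /^(user|group|other)::/ { next }    # base entries: same as the mode bits
        !reported { print path; reported = 1 }  # named user/group, mask, default:
    '
}

# Constructed sample in getfacl format: one base-only file, one journal-style
# file with a named-user read entry, one directory with default ACL entries.
sample_getfacl_dump() {
    cat <<'EOF'
# file: /etc/passwd
# owner: root
# group: root
user::rw-
group::r--
other::r--

# file: /var/log/journal/MACHINE-ID-PLACEHOLDER/user-1000.journal
# owner: root
# group: systemd-journal
user::rw-
user:1000:r--
group::r-x
mask::r-x
other::---

# file: /srv/shared
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::r-x
default:other::r-x

EOF
}

# Real use (as root):  getfacl -R -p / 2>/dev/null | extended_acl_files
sample_getfacl_dump | extended_acl_files
```

If the list is non-empty for the tree being archived, the `--acls` flag quoted in post #2 is the tar option that stores those entries.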
|
|
09-11-2015, 12:43 AM
|
#5
|
Member
Registered: Sep 2004
Location: Japan
Distribution: RHEL9.4
Posts: 735
Rep:
|
getfacl should show pretty much the same as ls -l.
The above post is the first time I hear about a distro setting acls, but nothing is impossible.
In all honesty, selinux and basic rwx permissions work fine for most. Acls are great for if you wish to have a specific group or user access files or want to deny access by default etc. A good example will be a directory tree where you do not want anyone to write data in the third directory. Your manager complains because he needs to update time schedules but due to other restrictions you cannot have him join the group, say because there is sensitive information put there by his superiors. In that case you can leave the normal file permissions but give an extra bit of permission to him to complete just that one specific small task.
I would really not bother setting bash to be controlled by acls. That could have undesired effects. Just make sure your basic permissions are good for a start. If you are at home, using the pc at home, acls won't help you much. The main threat comes from outside so firewall and selinux are better to spend time on.
If you really want to get users to be cornered, just load the user as a guest selinux profile. That will pretty much make the account useless.
Apparmor should have something similar, unfortunately I have never touched or looked at apparmor.
Last edited by ericson007; 09-11-2015 at 12:45 AM.
|
|
|
09-11-2015, 11:58 AM
|
#6
|
LQ Newbie
Registered: Sep 2011
Posts: 4
Original Poster
Rep:
|
When I said "for safety" I was a bit misleading, actually I meant being sure to grab all file-system permissions to avoid screwing something inside system root.
Anyway thanks for your sharing, ericson007.
In Linux, given that you have read up on the basics of system storage/boot, grabbing -> templating -> deploying/cloning FS roots is like playing with a toy.
Everything is modular, integrated, engineered, standardized... I've been on the free *nix software bandwagon since 2011 and I still get stunned from time to time by new things (new to me) and possibilities I discover in my path.
|
|
|
09-11-2015, 06:32 PM
|
#7
|
Member
Registered: Sep 2004
Location: Japan
Distribution: RHEL9.4
Posts: 735
Rep:
|
I truly agree with that. It never takes me long to realize I actually know nothing about linux. There is always something... then the tinkering and broken systems start rolling in. Lol.
|
|
|
09-17-2015, 07:43 AM
|
#8
|
LQ Guru
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, CentOS
Posts: 5,573
|
Quote:
Originally Posted by ericson007
The above post is the first time I hear about a distro setting acls, but nothing is impossible.
|
I don't have a lot of experience with systemd-journald, but I think it's standard. From here:
Quote:
Journal files are, by default, owned and readable by the
"systemd-journal" system group but are not writable. Adding a user to
this group thus enables her/him to read the journal files.
By default, each logged in user will get her/his own set of journal
files in /var/log/journal/. These files will not be owned by the
user, however, in order to avoid that the user can write to them
directly. Instead, file system ACLs are used to ensure the user gets
read access only.
|
|
|
1 members found this post helpful.
|