LinuxQuestions.org
Old 09-10-2015, 07:25 AM   #1
man-walking
LQ Newbie
 
Registered: Sep 2011
Posts: 4

Rep: Reputation: Disabled
Does a regular Linux installation in fact use any ACLs in any file/dir?


First, Hi to all!

As the title says, I wonder if the usual (in my case Ubuntu 14.04 LTS) Linux installation root does in fact use any of the possible ACL extensions in any of its files/dirs.

I ask this because I usually use tar to back up the entire root (offline) with a command like this (root mode):

# tar -cpS --numeric-owner --anchored --exclude={dev,proc,sys,run,tmp}/\* !(lost+found) | pigz > /mydir/myroot.tar.gz

But lately I have "surfed" the ACL topic, and having read that tar doesn't read them, I wonder whether the regular Linux install scenario really uses them or not.
So I would not need any alternative to tar, which I would like to avoid if I can...
Anyway I need to store the FS in a file, so rsync isn't an option.

Thank you
 
Old 09-10-2015, 09:26 AM   #2
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,831
Blog Entries: 15

Rep: Reputation: 1669
By default file ACLs are not in use - they're usually something you turn on to do more granular permission controls than is allowed by the standard file modes (see chmod).

It appears tar will store ACL information if you use the --acls flag:
--acls this option causes tar to store each file’s ACLs in the archive.


FYI:
The term ACL is used in other contexts (e.g. in BIND and Apache configuration) so may not always refer to the file ACLs which you appear to be questioning.
 
Old 09-10-2015, 11:56 AM   #3
suicidaleggroll
LQ Guru
 
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, CentOS
Posts: 5,573

Rep: Reputation: 2142
I can't speak for Ubuntu, but OpenSUSE does use ACLs by default in /var/log/journal.
 
Old 09-10-2015, 02:14 PM   #4
man-walking
LQ Newbie
 
Registered: Sep 2011
Posts: 4

Original Poster
Rep: Reputation: Disabled
Nice to hear, now I guess that anyway for safety I should set up a command line with "getfacl" to get those ACLs which aren't redundant to basic user/permission assignments.
I mean not redundant, as I see that "getfacl" normally also outputs the standard unix ones.
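
Added example, not part of the thread: one way to pull only the non-redundant entries out of getfacl output, as asked above. The function names, the sample dump and the MACHINE-ID placeholder are constructed for illustration; `-R`, `-P`, `-n` and `--absolute-names` are standard getfacl options.

```shell
# Reads getfacl-format text on stdin; prints "path<TAB>entry" for each named
# user/group, mask or default entry, i.e. what mode bits alone cannot express.
extended_acl_entries() {
    awk '
        /^# file: /  { path = substr($0, 9); next }
        /^#/ || /^$/ { next }
        {
            sub(/[ \t]*#.*/, "")      # drop "#effective:" annotations
            split($0, f, ":")
            if (f[1] == "default" || f[1] == "mask" ||
                ((f[1] == "user" || f[1] == "group") && f[2] != ""))
                print path "\t" $0
        }'
}

# Paths carrying at least one such entry.
files_with_acls() { extended_acl_entries | cut -f1 | sort -u; }

# Scan a mounted root as root (needs the acl package): -R recurse,
# -P do not follow symlinks, -n numeric ids (matches tar --numeric-owner).
scan_root() {
    getfacl -R -P -n --absolute-names "$1" 2>/dev/null | extended_acl_entries
}

# Constructed sample in getfacl -n format, not captured from a real system.
sample_dump() {
    cat <<'EOF'
# file: etc/passwd
# owner: 0
# group: 0
user::rw-
group::r--
other::r--

# file: var/log/journal/MACHINE-ID/user-1000.journal
# owner: 0
# group: 101
user::rw-
user:1000:r--
group::r--
group:4:r-x     #effective:r--
mask::r--
other::---
EOF
}

sample_dump | extended_acl_entries
```

If `scan_root` prints nothing for the mounted root, a plain tar archive loses no ACL data; otherwise add the `--acls` flag mentioned in post #2, or save a `getfacl -R` dump next to the archive and re-apply it with `setfacl --restore=FILE`.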
 
Old 09-11-2015, 12:43 AM   #5
ericson007
Member
 
Registered: Sep 2004
Location: Japan
Distribution: RHEL9.4
Posts: 735

Rep: Reputation: 154
getfacl should show pretty much the same as ls -l.

The above post is the first time I hear about a distro setting acls, but nothing is impossible.

In all honesty, selinux and basic rwx permissions work fine for most. Acls are great if you wish to have a specific group or user access files or want to deny access by default etc. A good example will be a directory tree where you do not want anyone to write data in the third directory. Your manager complains because he needs to update time schedules but due to other restrictions you cannot have him join the group, say because there is sensitive information put there by his superiors. In that case you can leave the normal file permissions but give an extra bit of permission to him to complete just that one specific small task.

I would really not bother setting bash to be controlled by acls. That could have undesired effects. Just make sure your basic permissions are good for a start. If you are at home, using the pc at home, acls won't help you much. The main threat comes from outside so firewall and selinux are better to spend time on.

If you really want to get users to be cornered, just load the user as a guest selinux profile. That will pretty much make the account useless.

Apparmor should have something similar, unfortunately I have never touched or looked at apparmor.

Last edited by ericson007; 09-11-2015 at 12:45 AM.
 
Old 09-11-2015, 11:58 AM   #6
man-walking
LQ Newbie
 
Registered: Sep 2011
Posts: 4

Original Poster
Rep: Reputation: Disabled
When I said "for safety" I was a bit misleading, actually I meant being sure to grab all file-system permissions to avoid screwing something inside system root.
Anyway thanks for your sharing, ericson007.

In Linux, given that you have read up on the basics of system storage/boot, then grabbing -> templating -> deploying/cloning FS roots is like playing with a toy.
Everything is modular, integrated, engineered, standardized... I'm in the free *nix software bandwagon since 2011 and I still get stunned from time to time by new things (new to me) and possibilities I discover in my path.
 
Old 09-11-2015, 06:32 PM   #7
ericson007
Member
 
Registered: Sep 2004
Location: Japan
Distribution: RHEL9.4
Posts: 735

Rep: Reputation: 154
I truly agree with that. It never takes me long to realize I actually know nothing about linux. There is always something... then the tinkering and broken systems start rolling in. Lol.
 
Old 09-17-2015, 07:43 AM   #8
suicidaleggroll
LQ Guru
 
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, CentOS
Posts: 5,573

Rep: Reputation: 2142
Quote:
Originally Posted by ericson007
The above post is the first time I hear about a distro setting acls, but nothing is impossible.
I don't have a lot of experience with systemd-journald, but I think it's standard. From here:
Quote:
Journal files are, by default, owned and readable by the
"systemd-journal" system group but are not writable. Adding a user to
this group thus enables her/him to read the journal files.

By default, each logged in user will get her/his own set of journal
files in /var/log/journal/. These files will not be owned by the
user, however, in order to avoid that the user can write to them
directly. Instead, file system ACLs are used to ensure the user gets
read access only.
 
1 members found this post helpful.
  

