Does regular linux installation in fact use any ACLs in any file/dir?
First, Hi to all!
As the title says, I wonder if the usual (in my case Ubuntu 14.04 LTS) linux installation root does in fact use any of the possible ACL extensions in any of its files/dirs.
I ask this because I usually use tar to backup the entire root (in offline) with a command like this (root mode):
But lately I have "surfed" the ACL argument and reading the fact that tar doesn't read them I wonder if in fact the regular linux install scenario really uses them or not.
So I would not need any alternative to tar, which I would like to avoid if I can...
Anyway I need to store the FS in a file, so rsync isn't an option.
By default file ACLs are not in use - they're usually something you turn on to do more granular permission controls than is allowed by the standard file modes (see chmod).
It appears tar will store ACL information if you use the --acls flag:
--acls this option causes tar to store each file’s ACLs in the archive.
FYI:
The term ACL is used in other contexts (e.g. in BIND and Apache configuration) so may not always refer to the file ACLs which you appear to be questioning.
Nice to hear, now I guess that anyway for safety I should setup a command line with "getfacl" to get those ACLs which aren't redundant to basic user/permission assignments.
I mean not redundant as I see that "getfacl" normally outputs also standard unix ones
getfacl should show pretty much the same as ls -l.
The above post is the first time I hear about a distro setting acls, but nothing is impossible.
In all honesty, selinux and basic rwx permissions work fine for most. Acls are great for if you wish to have a specific group or user access files or want to deny access by default etc. A good example will be a directory tree where you do not want anyone to write data in the third directory. Your manager complains because he needs to update time schedules but due to other restrictions you cannot have him join the group, say because there is sensitive information put there by his superiors. In that case you can leave the normal file permissions but give an extra bit of permission to him to complete just that one specific small task.
I would really not bother setting bash to be controlled by acls. That could have undesired effects. Just make sure your basic permissions are good for a start. If you are at home, using the pc at home, acls won't help you much. The main threat comes from outside so firewall and selinux are better to spend time on.
If you really want to get users to be cornered, just add load the user as a guest selinux profile. That will pretty much make the account useless.
Apparmor should have something similar, unfortunately I have never touched or looked at apparmor.
Last edited by ericson007; 09-10-2015 at 11:45 PM.
When I said "for safety" I was a bit misleading, actually I meant being sure to grab all file-system permissions to avoid screwing something inside system root.
Anyway thanks for your sharing, ericson007.
In linux, given that you have read up the basics of a system storage/boot then grabbing -> templating -> deploying/cloning FS roots is like playing with a toy
Everything is modular, integrated, engineered, standardized... I'm in the free *nix software bandwagon since 2011 and I still get stunned from time to time in new things (new to me) and possibilities I discover in my path
I truly agree with that. It never takes me long to realize I actually know nothing about linux. There is always something... then the tinkering and broken systems start rolling in. Lol.
The above post is the first time I hear about a distro setting acls, but nothing is impossible.
I don't have a lot of experience with systemd-journald, but I think it's standard. From here:
Quote:
Journal files are, by default, owned and readable by the
"systemd-journal" system group but are not writable. Adding a user to
this group thus enables her/him to read the journal files.
By default, each logged in user will get her/his own set of journal
files in /var/log/journal/. These files will not be owned by the
user, however, in order to avoid that the user can write to them
directly. Instead, file system ACLs are used to ensure the user gets
read access only.
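Added example (not part of any post in this thread): one way to answer the original question for a given root is to filter recursive `getfacl` output down to the files that carry anything beyond the three base entries, which are the files a backup must be made with `tar --acls` to preserve. The function names, the `/mnt/root` mount point and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Reads `getfacl -R` output on stdin and prints each path whose ACL has
# entries beyond the base owner/group/other triple (named users or groups,
# a mask, or default: entries on directories).
extended_acl_files() {
    awk '
        /^# file: /              { file = substr($0, 9); seen = 0; next }
        /^#/ || /^$/             { next }   # owner/group/flags headers, separators
        /^(user|group|other)::/  { next }   # base entries, same as the mode bits
        !seen                    { print file; seen = 1 }
    '
}

# Constructed sample in getfacl's output format; MACHINE-ID is a placeholder.
sample_getfacl_output() {
    cat <<'EOF'
# file: /etc/passwd
# owner: root
# group: root
user::rw-
group::r--
other::r--

# file: /var/log/journal/MACHINE-ID/user-1000.journal
# owner: root
# group: systemd-journal
user::rw-
user:1000:r--
group::r-x
mask::r-x
other::---

# file: /srv/shared
# owner: root
# group: staff
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::r-x
default:other::---
EOF
}

# Demo on the constructed sample. On a real, offline-mounted root
# (hypothetical mount point) the input would come from:
#   getfacl -R -P -p /mnt/root 2>/dev/null | extended_acl_files
sample_getfacl_output | extended_acl_files
```

`getfacl -R -s -p` applies a similar filter natively through its `--skip-base` option; an empty result means plain `tar` loses no ACL information for that tree.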