Linux - Security forum, LinuxQuestions.org
I learned that, provided I have the right packages and kernel modules (which are already there, for example, in Fedora), I can mount an ext2/3 fs with the "acl" option and then use the getfacl/setfacl commands to set permissions on a user/group basis.
Where is that information saved?
I suppose in the mounted file system, as it should "stay" with the files and folders it refers to. However, it can NOT be in the inodes, which are already... full with standard Unix permissions.
Moreover, is it lost in case, after setting it, I should mount the same fs WITHOUT the "acl" option? Or does it stay there (where?), with no effect, until the fs gets "acl"-mounted again?
I can't speak specifically to Linux and ext3, but usually they are stored in the first inode that the file resides on. Consequently, they should still be there if you mount without the ACL option. However, if you use a kernel that does not support extended attributes and write to the file system, you could have issues.

A warning about ACLs: the ACL can go away in certain circumstances. For example, if you set a read-only ACL on one of your log files, don't expect the ACL to be there after a log rotate. When that file is deleted, the ACL goes away, even if you create a new file with the same name. New file = new inode. Hope this helps.
Thanks a lot.
What happens then when you enable acl (by remounting with the acl option) on an existing ext3 filesystem and apply acl rules to files which had been saved before?
Aren't the first inodes already full of data?
Are the data moved from the first inode (to where?) to make space for the acl stuff?
Usually, filesystems that have the ability to use ACLs generally have space available for ACLs whether you have them enabled or not. Consequently, if you don't use them, it is space not used within the inode (part of the data structure that makes up the inode). Take a look here: http://www.suse.de/~agruen/acl/linux-acls/online/ Scroll down to the ext2/ext3 section. It should give you some good information. I know that the article is somewhat dated, but it does give some good basic information.

I should say that I am not a filesystem developer. My experience with ACLs and Mandatory Access Controls is with a different operating system, so specific implementation issues may be different. I hope that this helps.
What Fedora has are extended file attributes for ext3 (and xfs, I suppose) filesystems. This seems similar to ACLs, but I don't know the relationship between the two. Attrs are used for Secure Linux. To answer the question you asked about ACLs for attrs: when you enable SELinux, on the next reboot, file attributes are set according to whatever policies are in effect (takes a while). These extended file attributes do not need to be enabled with a special mounting option in Fedora 6; they're the default. You see them with "ls -Z".
Actually, when you use ls -Z you see something quite different from ACLs: you see something called type enforcement. It is similar to MAC (Mandatory Access Control) labels. The relationship between extended attributes and ACLs is that both are stored in the inodes and both are used to enhance security on various operating systems. Extended attributes are not specifically for securing Linux, but are a tool to that end. Having extended attributes doesn't secure a Linux system; the application of extended attributes can help secure a Linux system. Yes, xfs has extended attributes as well as ACLs.
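Added example, not part of the thread: on Linux the ACL that getfacl/setfacl manipulate is exposed by the kernel as the extended attribute system.posix_acl_access (system.posix_acl_default holds a directory's inheritable default ACL), and the SELinux label that ls -Z prints is the extended attribute security.selinux. That is the concrete sense in which the replies above say both "live in the inode". You can see the raw ACL value on a real file with getfattr -n system.posix_acl_access -e hex FILE. The script below decodes that value using the layout from the kernel's posix_acl_xattr.h (a 32-bit little-endian version word, then 8-byte entries of tag, permission bits and id) and renders it the way getfacl does, including the #effective: annotation where the mask entry cuts down a named user or group entry. The xattr blobs are constructed inline so it runs offline and without root; read_file_xattrs() shows how to fetch the real ones. The uids, gid and SELinux label in the sample are made up.

```python
# Added example (not from the thread): decode a POSIX ACL as Linux exposes it
# through the xattr "system.posix_acl_access", and show that the SELinux label
# seen with "ls -Z" is just another xattr ("security.selinux").
import os
import struct

# Layout from include/uapi/linux/posix_acl_xattr.h:
#   header : u32 little-endian version (always 2)
#   entries: u16 tag, u16 perm, u32 id (id is 0xFFFFFFFF unless tag is
#            ACL_USER or ACL_GROUP)
POSIX_ACL_XATTR_VERSION = 2
ACL_UNDEFINED_ID = 0xFFFFFFFF
ACL_USER_OBJ, ACL_USER, ACL_GROUP_OBJ, ACL_GROUP, ACL_MASK, ACL_OTHER = (
    0x01, 0x02, 0x04, 0x08, 0x10, 0x20)
TAG_NAMES = {ACL_USER_OBJ: "user", ACL_USER: "user", ACL_GROUP_OBJ: "group",
             ACL_GROUP: "group", ACL_MASK: "mask", ACL_OTHER: "other"}
MASKED_TAGS = {ACL_USER, ACL_GROUP_OBJ, ACL_GROUP}  # entries the mask limits


def rwx(perm):
    """Render permission bits (r=4, w=2, x=1) as getfacl does."""
    return "".join(c if perm & b else "-" for c, b in (("r", 4), ("w", 2), ("x", 1)))


def parse_posix_acl(blob):
    """Return a list of (tag, perm, id) from a system.posix_acl_access value."""
    if len(blob) < 4 or (len(blob) - 4) % 8:
        raise ValueError("bad ACL xattr length %d" % len(blob))
    (version,) = struct.unpack_from("<I", blob, 0)
    if version != POSIX_ACL_XATTR_VERSION:
        raise ValueError("unsupported ACL xattr version %d" % version)
    entries = []
    for off in range(4, len(blob), 8):
        tag, perm, eid = struct.unpack_from("<HHI", blob, off)
        if tag not in TAG_NAMES:
            raise ValueError("unknown ACL tag 0x%x" % tag)
        entries.append((tag, perm, eid))
    return entries


def build_acl(entries):
    """Inverse of parse_posix_acl; used here to construct the sample input."""
    out = struct.pack("<I", POSIX_ACL_XATTR_VERSION)
    for tag, perm, eid in entries:
        out += struct.pack("<HHI", tag, perm, eid)
    return out


def format_acl(entries):
    """Render entries like getfacl (numeric ids, names not resolved), adding
    '#effective:' where the mask entry reduces a masked entry's permissions."""
    mask = next((p for t, p, _ in entries if t == ACL_MASK), None)
    lines = []
    for tag, perm, eid in entries:
        qual = str(eid) if tag in (ACL_USER, ACL_GROUP) else ""
        line = "%s:%s:%s" % (TAG_NAMES[tag], qual, rwx(perm))
        if mask is not None and tag in MASKED_TAGS and perm & mask != perm:
            line += "\t#effective:%s" % rwx(perm & mask)
        lines.append(line)
    return lines


def describe_xattrs(xattrs):
    """Map xattr name -> meaning for the two kinds of attribute the thread discusses."""
    result = {}
    for name, value in xattrs.items():
        if name == "system.posix_acl_access":
            result[name] = format_acl(parse_posix_acl(value))
        elif name == "security.selinux":
            result[name] = value.rstrip(b"\0").decode()  # the label ls -Z prints
        else:
            result[name] = "%d bytes" % len(value)
    return result


def read_file_xattrs(path):
    """Fetch real xattrs (Linux only; needs a filesystem that supports them)."""
    return {n: os.getxattr(path, n) for n in os.listxattr(path)}


# Constructed sample (not read from any real file): roughly what
# 'setfacl -m u:1000:rw,g:4:rwx,m:r-- FILE' leaves on a mode-0640 file,
# plus a typical SELinux label for a file in a home directory.
SAMPLE_ACL = build_acl([
    (ACL_USER_OBJ, 6, ACL_UNDEFINED_ID),
    (ACL_USER, 6, 1000),
    (ACL_GROUP_OBJ, 4, ACL_UNDEFINED_ID),
    (ACL_GROUP, 7, 4),
    (ACL_MASK, 4, ACL_UNDEFINED_ID),
    (ACL_OTHER, 0, ACL_UNDEFINED_ID),
])
SAMPLE_XATTRS = {
    "system.posix_acl_access": SAMPLE_ACL,
    "security.selinux": b"unconfined_u:object_r:user_home_t:s0\0",
}

if __name__ == "__main__":
    for name, meaning in describe_xattrs(SAMPLE_XATTRS).items():
        print(name)
        for line in (meaning if isinstance(meaning, list) else [meaning]):
            print("   ", line)
```

Because the ACL is only an attribute hanging off the inode, it behaves exactly as the reply above warns: deleting a file and creating a new one with the same name yields a new inode with no system.posix_acl_access attribute at all. For the remount question, the attribute stays on disk when an ext2/3 filesystem is mounted without the acl option; the kernel simply does not consult it for permission checks until the filesystem is mounted with acl again.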