LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Red Hat
Old 08-02-2012, 11:13 AM   #1
Fed
LQ Newbie
 
Registered: Aug 2012
Location: England, UK.
Distribution: Fedora, RHEL.
Posts: 6

Rep: Reputation: Disabled
Configuring ACL on CentOS - mount/fstab


I'm attempting to configure the following things via an ACL on CentOS 6:
  1. Allow UserX to mount any directory without sudo
  2. Allow UserX ability to edit /etc/fstab without sudo

Having never configured an ACL before, I'm not sure where to start. Can anyone offer any assistance?
 
Old 08-04-2012, 09:09 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by Fed
Having never configured an ACL before, I'm not sure where to start.
The Linux ACL site (used to be http://www.bestbits.at/acl/ but moved to http://savannah.nongnu.org/projects/acl), local getfacl and setfacl documentation, LQ and 'net setfacl examples like this, this, this (PDF), this, this or this.


Quote:
Originally Posted by Fed
Allow UserX to mount any directory without sudo
It is not always transparent what being (un)able to execute system commands means. If you like figuring things out for yourself I suggest the following manual pages in no particular order:
- 'man capabilities' (search for CAP_SYS_ADMIN) to see why mounting requires root rights (and as such why /sbin/mount is setuid root),
- 'man 5 fstab' for a terse overview of options used in /etc/fstab (fourth field),
- 'man mount', search for the "users" /etc/fstab option (vs "owner").
From that you'd see that Linux ACLs, as in the fourth-field "acl" option, don't have anything to do with who is (un)able to mount a file system.


Quote:
Originally Posted by Fed
Allow UserX ability to edit /etc/fstab without sudo
Regardless of your system not being connected to any network or not being used by other users than yourself or you "not caring about security anyway", this should not ever be allowed to not override discretionary access control, DAC for short, the separation of privileges Linux uses for good reason.
 
Old 08-06-2012, 02:40 AM   #3
Fed
LQ Newbie
 
Registered: Aug 2012
Location: England, UK.
Distribution: Fedora, RHEL.
Posts: 6

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by unSpawn
Regardless of your system not being connected to any network or not being used by other users than yourself or you "not caring about security anyway", this should not ever be allowed to not override discretionary access control, DAC for short, the separation of privileges Linux uses for good reason.
Said user needs the ability to create and mount/umount shares without having root access. I assumed an ACL would be able to configure this, but if what you say is correct then obviously it isn't possible. I've been reading about adding UserX to the 'fuse' group and then doing a 'fusermount share', though I can't seem to get this working.

Last edited by Fed; 08-06-2012 at 02:41 AM.
 
Old 08-06-2012, 09:20 PM   #4
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Rocky 9.2
Posts: 18,358

Rep: Reputation: 2751
What's wrong with using sudo; it sounds like just the job for this (at least the mounting anyway)?
 
Old 08-07-2012, 03:19 AM   #5
Fed
LQ Newbie
 
Registered: Aug 2012
Location: England, UK.
Distribution: Fedora, RHEL.
Posts: 6

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by chrism01
What's wrong with using sudo; it sounds like just the job for this (at least the mounting anyway)?
It isn't sufficient for my needs because it requires a password when prompted (I need the ability to just execute the command without elevating a user's security), and it gives the user power to edit other things which I don't want them to do. It's literally a user where, once logged in, they can edit the file systems table and mount/unmount shares without elevating their security.
 
Old 08-07-2012, 05:31 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by Fed
Said user needs the ability to create and mount/umount shares without having root access. I assumed an ACL would be able to configure this, but if what you say is correct then obviously it isn't possible.
Access Control Lists (ACL) extend Discretionary Access Control (DAC), the basic, static "rwx" access rights. ACL has no concept of and does not modify any processes.


Quote:
Originally Posted by Fed
it requires a password when prompted
I pointed you to reading manual pages in my first reply. So by now you should have found 'man sudoers' (and while reading you may not have found the "NOPASSWD" directive.)


Quote:
Originally Posted by Fed
(need the ability to just execute the command without elevating a user's security)
Saying that suggests you haven't read 'man capabilities' or haven't understood its implications: some actions just require root rights.


Quote:
Originally Posted by Fed
and it gives the user power to edit other things which I don't want them to do.
False. Sudo allows for fine-grained control over which user or group, on which host, may execute which commands, and you can even deny access to certain switches. As far as I'm aware, any non-Ubuntu distro by default wouldn't allow unprivileged users carte blanche through /etc/sudoers but gives examples of per-command or per-command-group configuration.


Quote:
Originally Posted by Fed
It's literally a user where once logged in, they can edit the file systems table and mount/unmount shares without elevating their security.
If automation on login is a requirement then there are PAM modules to look at, if it needs to be scripted or command line then, as chrism01 already said, Sudo is the safest, most efficient, best configurable option.
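The two controls unSpawn points at in posts #2 and #6 (the fourth fstab field deciding who may mount, and a per-command sudoers rule instead of blanket passwordless root) can be audited with a few lines of shell. The block below is an added example written for this thread, not code posted by any participant: the /etc/fstab lines, the sudoers fragment, the user name "userx", the share path /mnt/share and the credentials file path are all constructed sample values; /bin/mount is the binary location on RHEL/CentOS 6 (check with `command -v mount` on another release).

```shell
#!/bin/sh
# Added example (not from the thread): audit helpers for the two controls
# discussed above. All /etc/fstab and sudoers content below is constructed.

# Constructed /etc/fstab sample. Only the 4th field decides who may mount:
# "user"/"users"/"owner" let an unprivileged user run mount(8) on that entry;
# "acl" merely enables POSIX ACLs on the filesystem once it is mounted.
FSTAB_SAMPLE='# <device>            <mount>       <type>   <options>                               <dump> <pass>
UUID=0000-root        /             ext4     defaults,acl                            1 1
//fileserver/share    /mnt/share    cifs     users,noauto,credentials=/etc/cifs.cred 0 0
/dev/sr0              /media/cdrom  iso9660  noauto,owner,ro                         0 0
/dev/sdb1             /data         ext4     defaults,acl                            0 2'

# Read fstab text on stdin; print "<mountpoint> <option>" for every entry an
# unprivileged user may mount. Comment and blank lines are skipped.
user_mountable_entries() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++)
                if (opts[i] == "user" || opts[i] == "users" || opts[i] == "owner") {
                    print $2, opts[i]
                    break
                }
        }'
}

# Constructed sudoers fragment: the narrow, per-command rule the thread
# recommends beside the over-broad one it warns against.
SUDOERS_SAMPLE='# narrow: mount/umount of one share only, no password prompt
userx   ALL=(root) NOPASSWD: /bin/mount /mnt/share, /bin/umount /mnt/share
# over-broad: passwordless root for any command
userx   ALL=(ALL)  NOPASSWD: ALL'

# Read sudoers text on stdin; print the user of every rule that grants
# NOPASSWD on ALL commands, i.e. passwordless unrestricted root.
sudoers_overbroad_nopasswd() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        /NOPASSWD:[[:space:]]*ALL[[:space:]]*$/ { print $1 }'
}

# Stand-alone usage on the constructed samples; replace with
# "user_mountable_entries < /etc/fstab" and "sudo cat /etc/sudoers |
# sudoers_overbroad_nopasswd" to audit a real host.
printf '%s\n' "$FSTAB_SAMPLE" | user_mountable_entries
printf '%s\n' "$SUDOERS_SAMPLE" | sudoers_overbroad_nopasswd
```

Run against the samples, the first function reports /mnt/share (users) and /media/cdrom (owner) and says nothing about the two "acl" entries, which is exactly the distinction made in post #2; the second flags only the `NOPASSWD: ALL` rule, while the per-command rule for /mnt/share passes, which is the sudoers shape chrism01 and unSpawn recommend in posts #4 and #6.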