Note:
- This tutorial is available in an Oracle-provided free lab environment.
- It uses example values for Oracle Cloud Infrastructure credentials, tenancy, and compartments. When completing your lab, substitute these values with ones specific to your cloud environment.
Use and Enable ACLs on Oracle Linux
Introduction
Access Control Lists (ACLs) provide access control to directories and files. ACLs can set read, write, and execute permissions for the owner, group, and all other system users.
An ACL consists of a set of rules that specify how a specific user or group can access ACL-enabled files and directories. A regular ACL entry specifies access information for a single file or directory. A default ACL entry is set on directories only, and specifies the default access information for any file within the directory that does not have an access ACL.
When setting a default ACL on a directory, its subdirectories inherit the same rights automatically. ACLs can be used with the btrfs, ext3, ext4, OCFS2, and XFS file systems, as well as mounted NFS file systems.
Objectives
- Check file system ACL support
- Use the setfacl and getfacl commands to add and display ACL rules
Requirements
A system with an available disk and a fully patched installation of Oracle Linux.
Setup Lab Environment
Note: When using the free lab environment, see Oracle Linux Lab Basics for connection and other usage instructions.
- If not already connected, open a terminal and connect via ssh to the ol-node01 instance.
  ssh oracle@<ip_address_of_instance>
- Verify the block volumes exist.
  sudo lsblk -f
  The output for the free lab environment shows two block devices: sda, which contains the base OS, and sdb, which this lab uses. Using the -f option displays the file system type (FSTYPE) and each block device's universally unique identifier (UUID).
Mount the File System with ACL Support
- Create a mount point directory.
  sudo mkdir /test
- Verify ACL support exists.
  Oracle Linux file systems such as ext4, btrfs, and xfs enable the acl mount option by default. On an ext4 file system such as /dev/sdb1, verify this with tune2fs.
  sudo tune2fs -l /dev/sdb1 | grep -i acl
  Example Output:
  [oracle@ol-node01 ~]$ sudo tune2fs -l /dev/sdb1 | grep -i acl
  Default mount options:    user_xattr acl
- Mount the disk with ACL support.
  If the file system does not have the acl mount option enabled by default, pass -o acl to the mount command. Since /dev/sdb1 uses ext4, this option is already on by default.
  sudo mount -t ext4 /dev/sdb1 /test
  To make this mount point persistent across reboots, add it to the fstab file.
  MYUUID=$(sudo blkid | grep UUID= | grep sdb1 | awk '{ print $2 }')
  echo "$MYUUID /test ext4 defaults 0 0" | sudo tee -a /etc/fstab > /dev/null
- Verify the file system mount exists.
  df -T | grep sdb1
  The output shows the ext4 file system /dev/sdb1 exists at mount point /test.
Use ACL Functionality
- Try creating a file under the new mount point.
  touch /test/file1
  Example Output:
  touch: cannot touch '/test/file1': Permission denied
  The command fails because the oracle user does not have permission to create files in the /test directory.
- Get the directory’s ACL information.
  sudo getfacl /test
  Example Output:
  [oracle@ol-node01 ~]$ sudo getfacl /test
  getfacl: Removing leading '/' from absolute path names
  # file: test
  # owner: root
  # group: root
  user::rwx
  group::r-x
  other::r-x
- Add an ACL rule to the directory.
  sudo setfacl -m u:oracle:rwx /test
  The rule grants read, write, and execute permissions to the oracle user.
- Check the directory’s updated ACL information.
  sudo getfacl /test
  Example Output:
  getfacl: Removing leading '/' from absolute path names
  # file: test
  # owner: root
  # group: root
  user::rwx
  user:oracle:rwx
  group::r-x
  mask::rwx
  other::r-x
  The output shows the newly added user:oracle:rwx line.
- Show the long listing format of just the directory.
  ls -ld /test
  Example Output:
  drwxrwxr-x+ 3 root root 4096 Jul 13 20:48 /test
  The permissions shown in the output include a plus sign (+) indicating the inclusion of an ACL.
- Try creating the file again.
  touch /test/file1
  The command should succeed this time.
- Confirm the creation of the file.
  ls -l /test
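Reading getfacl output by hand gets error-prone once a mask entry is involved: the mask (the mask::rwx line above) caps what named users, named groups, and the owning group can effectively do, while the owner and "other" entries are never limited by it. The Python script below is an added example, not part of the Oracle tutorial. It parses the getfacl text format, applies the mask the way the kernel does, and reports the permissions a given user can obtain, following the POSIX ACL check order (owner, then named user, then owning and named groups, then other). Both ACL texts embedded in it are constructed: the first is /test after setfacl but with a made-up developers group, a mask tightened to r-x, and a default ACL; the second mirrors the /test directory before any rule is added, which is why the oracle user's first touch fails. The names developers, alice, and bob are assumptions for the example.

```python
# Added example, not code from the Oracle tutorial: parse getfacl output, apply
# the mask entry as the kernel does, and answer "what can this user do here?".
PERM_BITS = {"r": 4, "w": 2, "x": 1}

# Constructed: /test after setfacl, plus a made-up named group, a mask tightened
# to r-x (as a later chmod g-w would do) and a default ACL. getfacl itself
# appends "#effective:" comments on the entries the mask cuts down.
SAMPLE_GETFACL = """\
# file: test
# owner: root
# group: root
user::rwx
user:oracle:rwx\t\t#effective:r-x
group::r-x
group:developers:rw-\t\t#effective:r--
mask::r-x
other::r-x
default:user::rwx
default:user:oracle:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
"""

# Constructed to mirror the tutorial's /test before any rule is added.
BEFORE_SETFACL = """\
# file: test
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
"""

def perm_to_bits(perm):
    """'rw-' -> 6; anything but the three-character r/w/x form is rejected."""
    if len(perm) != 3 or any(c not in (e, "-") for c, e in zip(perm, "rwx")):
        raise ValueError(f"bad permission string: {perm!r}")
    return sum(PERM_BITS[c] for c in perm if c != "-")

def bits_to_perm(bits):
    return "".join(c if bits & PERM_BITS[c] else "-" for c in "rwx")

def parse_getfacl(text):
    """One getfacl block -> dict of headers plus (tag, qualifier, bits) lists."""
    acl = {"path": "", "owner": "", "group": "", "access": [], "default": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("getfacl:"):  # blank, or stderr noise
            continue
        if line.startswith("#"):                      # header comment
            key, _, value = line[1:].strip().partition(":")
            if key in ("file", "owner", "group"):
                acl["path" if key == "file" else key] = value.strip()
            continue
        entry = line.split("\t")[0].split("#")[0].strip()  # drop #effective
        parts = entry.split(":")
        kind = "access"
        if parts[0] == "default":
            kind, parts = "default", parts[1:]
        if len(parts) != 3 or parts[0] not in ("user", "group", "mask", "other"):
            raise ValueError(f"unparsable ACL entry: {raw!r}")
        tag, qualifier, perm = parts
        acl[kind].append((tag, qualifier, perm_to_bits(perm)))
    return acl

def effective_entries(entries):
    """Each entry after the mask, which limits named users, named groups and
    the owning group but never the owner or 'other'."""
    mask = next((b for t, _, b in entries if t == "mask"), None)
    result = {}
    for tag, qualifier, bits in entries:
        if tag == "mask":
            continue
        if mask is not None and (tag == "group" or (tag == "user" and qualifier)):
            bits &= mask
        result[f"{tag}:{qualifier}"] = bits_to_perm(bits)
    return result

def effective_access(acl, user, groups):
    """What `user` (member of `groups`) can obtain, in POSIX ACL check order:
    owner, named user, owning/named groups, other. Group matches are unioned."""
    mask = next((b for t, _, b in acl["access"] if t == "mask"), None)
    limit = (lambda b: b & mask) if mask is not None else (lambda b: b)
    if user == acl["owner"]:
        return bits_to_perm(next(b for t, q, b in acl["access"] if (t, q) == ("user", "")))
    for tag, qualifier, bits in acl["access"]:
        if tag == "user" and qualifier == user:
            return bits_to_perm(limit(bits))
    group_bits = [limit(b) for t, q, b in acl["access"]
                  if t == "group" and (acl["group"] if q == "" else q) in groups]
    if group_bits:  # a matching group entry decides; no fall-through to other
        union = 0
        for b in group_bits:
            union |= b
        return bits_to_perm(union)
    return bits_to_perm(next(b for t, _, b in acl["access"] if t == "other"))

if __name__ == "__main__":
    acl = parse_getfacl(SAMPLE_GETFACL)
    for entry, perm in effective_entries(acl["access"]).items():
        print(f"  {entry:<20} {perm}")
    for who, grps in (("oracle", ["oracle"]), ("alice", ["developers"])):
        print(f"  {who} can obtain: {effective_access(acl, who, grps)}")
```

Run as-is it prints the effective entries of the constructed sample, where the oracle user ends up with r-x despite the user:oracle:rwx rule because the mask was tightened. To audit a real directory, feed the output of getfacl for one path into parse_getfacl; the "getfacl: Removing leading '/'" message is skipped if it was captured along with the listing.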
Check out the man getfacl or man setfacl pages for additional options and examples.
For More Information
See other related resources:
More Learning Resources
Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.
For product documentation, visit Oracle Help Center.
Use and Enable ACLs on Oracle Linux
F60346-01
July 2022
Copyright © 2022, Oracle and/or its affiliates.