Note:

• This tutorial is available in an Oracle-provided free lab environment.
• It uses example values for Oracle Cloud Infrastructure credentials, tenancy, and compartments. When completing your lab, substitute these values with ones specific to your cloud environment.

Use and Enable ACLs on Oracle Linux

Introduction

Access Control Lists (ACLs) provide access control to directories and files. ACLs can set read, write, and execute permissions for the owner, group, and all other system users.

An ACL consists of a set of rules that specify how a specific user or group can access ACL-enabled files and directories. A regular ACL entry specifies access information for a single file or directory. A default ACL entry is set on directories only and specifies the default access information for any file within the directory that does not have an access ACL.

When setting a default ACL on a directory, its subdirectories inherit the same rights automatically. You can use ACLs with the btrfs, ext3, ext4, OCFS2, and XFS file systems, as well as mounted NFS file systems.

Objectives

In this tutorial, you’ll learn how to:

• Check file system ACL support
• Use setfacl and getfacl commands to add and display ACL rules

Prerequisites

• Minimum of one Oracle Linux system

• Each system should have Oracle Linux installed and configured with:

  • A non-root user account with sudo access
  • Access to the Internet
  • An additional block device

Deploy Oracle Linux

Note: If running in your own tenancy, read the linux-virt-labs GitHub project README.md and complete the prerequisites before deploying the lab environment.

1. Open a terminal on the Luna Desktop.

2. Clone the linux-virt-labs GitHub project.

   git clone https://github.com/oracle-devrel/linux-virt-labs.git
   

3. Change into the working directory.

   cd linux-virt-labs/ol
   

4. Install the required collections.

   ansible-galaxy collection install -r requirements.yml
   

5. Deploy the lab environment.

   ansible-playbook create_instance.yml -e localhost_python_interpreter="/usr/bin/python3.6" -e add_block_storage=true -e block_count=1
   

   The free lab environment requires the extra variable local_python_interpreter, which sets ansible_python_interpreter for plays running on localhost. This variable is needed because the environment installs the RPM package for the Oracle Cloud Infrastructure SDK for Python, located under the python3.6 modules.

   The default deployment shape uses the AMD CPU and Oracle Linux 8. To use an Intel CPU or Oracle Linux 9, add -e instance_shape="VM.Standard3.Flex" or -e os_version="9" to the deployment command.

   Important: Wait for the playbook to run successfully and reach the pause task. At this stage of the playbook, the installation of Oracle Linux is complete, and the instances are ready. Take note of the previous play, which prints the public and private IP addresses of the nodes it deploys and any other deployment information needed while running the lab.

Connect and Format a Block Device

1. Open a terminal and connect via SSH to the ol-node-01 instance.

   ssh oracle@<ip_address_of_instance>
   

2. Verify the block volumes exist.

   sudo lsblk
   

   The command output shows two block devices: sda and sdb.

3. Create a 2G partition on sdb.

   sudo sfdisk /dev/sdb << EOF
   2048,4194304
   EOF
   

   Warning: The sfdisk command creates a new partition on sdb while removing any existing partitions. Ensure you back up the drive if it contains any data you want to keep.

4. Format the new partition.

   sudo mkfs.ext4 /dev/sdb
   

   Answer yes at the prompt, and wait for it to complete.

Mount the File System with ACL Support

1. Create a mount point directory.

   sudo mkdir /test
   

2. Verify ACL support exists.

   Oracle Linux file systems such as ext4, btrfs, and xfs enable the acl mount option as a default. On an ext4 file system such as /dev/sdb, verify this with tune2fs.

   sudo tune2fs -l /dev/sdb | grep -i acl
   

   Example Output:

   [oracle@ol-node01 ~]$ sudo tune2fs -l /dev/sdb | grep -i acl
   Default mount options:    user_xattr acl
   

3. Mount the disk with ACL support.

   If the file system does not have the acl mounting option enabled by default, then pass -o acl when using the mount command. Since /dev/sdb uses ext4, this option is already on by default.

   sudo mount -t ext4 /dev/sdb /test
   

   To make this mount point persistent across reboots, add it to the fstab file.

   MYUUID=$(sudo blkid | grep UUID= | grep sdb | awk '{ print $2 }')
   echo "$MYUUID /test ext4 defaults 0 0" | sudo tee -a /etc/fstab > /dev/null
   

4. Verify the file system mount exists.

   df -T | grep sdb
   

   The output shows the ext4 file system /dev/sdb exists at mount point /test.

Use ACL Functionality

1. Try creating a file under the new mount point.

   touch /test/file1
   

   Example Output:

   touch: cannot touch '/test/file1': Permission denied
   

   The command fails because the oracle user does not have permission to create files in the /test directory.

2. Get the directory’s ACL information.

   sudo getfacl /test
   

   Example Output:

   [oracle@ol-node01 ~]$ sudo getfacl /test
   getfacl: Removing leading '/' from absolute path names
   # file: test
   # owner: root
   # group: root
   user::rwx
   group::r-x
   other::r-x
   

3. Add an ACL rule to the directory.

   sudo setfacl -m u:oracle:rwx /test
   

   The rule grants read, write, and execute permissions to the oracle user.

4. Check the directory’s updated ACL information.

   sudo getfacl /test
   

   Example Output:

   getfacl: Removing leading '/' from absolute path names
   # file: test
   # owner: root
   # group: root
   user::rwx
   user:oracle:rwx
   group::r-x
   mask::rwx
   other::r-x
   

   The output shows the newly added user:oracle:rwx line.

5. Show the long listing format of just the directory.

   ls -ld /test
   

   Example Output:

   drwxrwxr-x+ 3 root root 4096 Jul 13 20:48 /test
   

   The permissions shown in the output include a plus sign (+) indicating the inclusion of an ACL.

6. Try creating the file again.

   touch /test/file1
   

   The command should succeed this time.

7. Confirm the creation of the file.

   ls -l /test
   

Check out the man getfacl or man setfacl pages for additional options and examples.

Next Steps

You should now be able to confirm whether a file system supports the use of ACLs, as well as to use the setfacl and getfacl commands to add and display ACL rules. Check out our other content on the Oracle Linux Training Station.

Related Links

• Oracle Linux Documentation
• Oracle Linux Training Station

More Learning Resources

Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.

For product documentation, visit Oracle Help Center.

---

Title and Copyright Information

Use and Enable ACLs on Oracle Linux

F60346-02

September 2024

Copyright ©2022,

Oracle and/or its affiliates.