M01: Introduction to Operating Systems
TU1: Installing, configuring and exploiting a computer system
ASIX1/DAW1
Practical Exercise 7b: ACL (Acces Control List)
11-1-21

Practical Exercise 7b:  ACL (Access Control Lists)

GENERAL CONDITIONS
1-Deadline: 17-1-21
2- Send your report as a PDF file attached to an e-mail with the following specifications:
     a) E-mail address:
cf(at)collados.org or jordi.binefa(at)fje.edu depending who is your teacher
     b) File Name:
        b.1) ASIX1: asix1_surname_name_m01tu01pr7b.pdf
        b.2)
DAW1: daw1_surname_name_m01tu01pr7b.pdf
    c) Subject:
        c.1) ASIX1: asix1_surname_name_m01tu01pr7b
        c.2)
DAW1: daw1_surname_name_m01tu01pr7b
3- Make this report individually.
4- Left, right, top and bottom margins: 2cm.
5- Character format: a) Font: Arial, b) Size: 10, c) Questions typeface: Bold, d) Answers typeface: Regular


DOCUMENTATION

1- Introduction

* Linux supports  method of controlling who can access a file or folder and how they can acces it:

    a) Traditional Linux access permissions,
    b) ACL (Access Control Lists), which provide finer-grained control of access permissions.
Using ACLs  you can specify the ways in which each of several users and groups can access a directory or file.

* Imagine a system with the following users: student00, student01, student02, student03, student04, student05 and student06. In that system, users student01 and student02 are members of a group called sysop.  and the rest of the users are not members of sysop. The user student00 creates a new file called script00.sh. For this new file (script00.sh), the owner (student00) has read, write and execute permissions, the group sysop has read and execution permissions, and the rest of the users (i.e, others) only have the read permission. Now,  we want to grant to student05 the following permissions: read and write (but not execute permission). With traditional Linux permission we cannot give this particular set of permissions to student05 because neither as a member of others nor as a member of sysop that user would have the desired permissions. Therefore, it is clear that sometimes we will need a most sophisticated system of controlling the permissions for files and directories, i.e., we will need to work with ACLs (Access Control Lists).

* Additional (voluntary) reading: https://www.pks.mpg.de/~mueller/docs/suse10.2/html/opensuse-manual_en/manual/sec.acls.handle.html

2- Displaying access permissions: getfacl and ls -l commands


a)
When a file or folder has an ACL, the ls -l command displays a plus sign (+) following the permissions:
student00@computer00:~>ls  -ls  tasks.txt
-rwxr-xr--+ 1 student00 sysop 27 2012-01-12 02:12 tasks.txt
The ls -l command can tell us if a folder or file has an ACL but, that command can not give us information about the ACL associated to that folder or file.

b)
The getfacl command displays the file name, owner, group and the existing ACL for a file:
student00@computer00:~>getfacl  tasks.txt
# file: tasks.txt
# owner: student00
# group: sysop
user::rwx
user:student05:rw-            # The user student05, member of other, has a rule in the ACL for file tasks.txt.
group::r-x
group:vboxusers:rw-         # Members of group vboxusers have another rule in the ACL for file tasks.txt.
mask::rwx
other::r--

3- setfacl  -m

a)
Description: The setfacl command sets ACLs of files and directories. The -m (or --modifiy) option adds o modifies one or more rules in a file or folder's ACL.

b)
Synopsis:  setfacl   -m   ugo:user_or_group_name:permissions   file_or_folder_name

c)
Permissions in numeric mode: A one digit number in octal format (0 to 7):
0 => ---  // 1 => --x // 2 => -w- // 3 => -wx // 4 => r-- // 5 => r-x // 6 => rw- // 7 => rwx

d)
Permissions in symbolic mode:  Symbolic permissions uses characters rwx- (read,write,execute, no permission) to represent file permissions.

e)
Examples:
    setfacl  -m  u:student04:7  script00.sh  => Adds (or modifies) a rule to the ACL for the script00.sh file that gives student04 read, write and execute permissions to that file.
   
setfacl  -m  u:student04:rw-  script00.sh  => Adds (or modifies) a rule to the ACL for the script00.sh file that gives student04 read and write and execute permissions to that file.
    setfacl  -m  g:sysop:r-x  script00.sh  => Adds (or modifies) a rule to the ACL for the script00.sh file that gives sysop read and execute permissions to that file.
    setfacl  -m  o::6  script00.sh  => Adds (or modifies) a rule to the ACL for the script00.sh file that gives others read and write permissions to that file.
    setfacl  -m  u:student04:rx  script00.sh  => Adds (or modifies) a rule to the ACL for the script00.sh file that gives student04 read and execute permissions to that file.
    setfacl  -m  u:student04:rx  folder00 => Adds (or modifies) a rule to the ACL for the folder00 folder that gives student04 read and execute permissions to that folder.
    setfacl  -m  u:student06:5  script00.sh folder00 => Adds (or modifies) a rule to the ACL for the folder00 folder and file  script00.sh that gives student06 read and execute permissions to         that folder and that file.

f)
Recursive option -R for folders. Example: setfacl  -R -m  u:student04:rx  folder00 => Adds (or modifies) a rule to the ACL for the folder00 folder, and every file and folder in folder00.

4- setfacl  -x

a)
Description:
The -x option removes rules in a file or folder's ACL.

b)
Synopsis:
setfacl   -x   ugo:user_or_group_name   file_or_folder_name

c)
Examples:
   
setfacl  -x  u:student04  script00.sh  => Removes a rule that gives student04 permission to access the files script00.sh.
   
setfacl  -x  g:sysop  script00.sh  => Removes a rule that gives sysop permission to access the files script00.sh.
   
setfacl  -x  u:student04  folder00 => Removes a rule that gives student04 permission to access the folder foldert00.
    setfacl  -x  u:student06:5  script00.sh folder00 => Removes a rule that gives student06 permission to access the folder folder00 and the file script00.sh.

d)
Recursive option -R for folders. Example: setfacl  -R -x u:student04  folder00 => Removes a rule that gives student04 permission to access the folder foldert00, and every file and folder in folder00.

5- setfacl  -b

a)
Description:
The -b option removes all ACL rules and the ACL itself from the folder o file you specify.

b)
Synopsis:
setfacl   -b  file_or_folder_name

c)
Examples:
   
setfacl  -b  script00.sh  => Removes all rules, and the ACL itself, from the file script00.sh. Now, the ls -l command will not display a plus sign (+) following the permissions.
   
setfacl  -b  folder00 => Removes all rules, and the ACL itself, from the folder folder00.

d)
Recursive option -R for folders. Example: setfacl  -R -b folder00 => Removes all rules, and the ACL itself, from the folder folder00.

6-  ACL access check

1st check)  If the user working with a file or directory is the owner, then the  owner entry determines access. The process of checking ends. If not.....
2nd check) If the user
working with a file or directory is one of the users (also called named users)  in the list then, the user entry determines access. The process of checking ends. If not.....
3rd check) If the user
working with a file or directory is member of the special group (also called  owning group), the special group determines access. The process of checking ends. If not.....
4th check)
If the user working with a file or directory is member of one of the groups (also called named groups) in the list then, the group entry determines access. The process of checking ends. If not.....
5th check) The other entry determines access.

7- Effective permissions with umask

a) The permissions defined in entries owner and other are always effective.

b) The permissions defined in entry group are mapped to the mask.

c) The permissions for named users and named groups depend on the mask. In order to get the effective permissions you have to perform the logical AND operation on each pair of corresponding permissions. For instance:
 

Entry Type Text Form Permissions
named user  
user : jane : r - x 
r - x
mask mask : : r w - r w -

effective:
r - -

d) In order to change the mask for a file or directory:  setfacl  -m  m::permissions  file_or_folder_name.

e) Example:  setfacl  -m  m::r--  folder00 =>  The command sets the mask to read for folder00.

8- Writing proper sentences about ACL and permissions

Read the following document: About ACL


PRACTICAL EXERCISE
1.- Create a folder called q1 in your home folder. Display the q1 ACL rules. At the moment, Are there any differences between using ls -ls and getfacl?.

2.-
Become fje. Try to add a new folder called fje inside q1. Can you create this folder?. Why?.

3.-
Become your user "by default". Add a new rule (using the symbolic mode) to the ACL for the folder q1 that grants user fje read,write and execute permissions to that folder. Display the q1 ACL rules. Display the permissions of q1 using ls -ls. Is there any difference with regard to the information showed by this command in question 1?

4.-
Become fje. Try to add a new folder called fje inside q1. Can you create this folder?. Why?. Can you remove this folder? Why?.

5.- Become your user "by default". Using the numeric mode, modifiy  the fje's ACL rule for the folder q1. The new ACL will grant user fje read and execute permissions to q1. Display the q1 ACL rules.

6.-
Become fje:
     a) Can you remove the folder fje inside q1?. Why?.
     b) Try to add a folder called fje1 inside q1. Can you create this folder?. Why?.

7.- Become your user "by default". Remove  the  fje's  ACL rule  for the folder q1. Display the q1 ACL rules.

8.-
Remove  the folder q1's ACL.
Display the q1 ACL rules. Display the q1 permissions with ls -ls. Is there any difference with regard to the information showed by this command in question 3?.
 

9.- Do the following tasks:
     a) Create a folder called q9 in your home folder. Create two folders in q9 called q9a and q9b. Create a file called q9a.txt in the folder q9a. Create a file called q9b.txt in the folder q9b.
Add some text to q9a.txt and q9b.txt..
     b) Change recursively with chmod permissions (using the numeric mode) of q9 to rwx for the owner, r-x for the ownig group and --- for others. Show the q9 permission with tree.
     c)
Become fje. Try to change to folder q9b. Can you change to this directory?. Why?.
     d) Create an ACL and simultaneously, add recursively a rule (using the symbolic mode) to the ACL for q9 that grants fje read and execution permissions. Display recursively the ACL of  q9, q9a, q9b, q9a.txt and q9b.txt.
     e)
Become fje. Try to change to folder q9b. Can you change to this directory?. Why?.
     f) As fje, show contents of q9a.txt.
Can you show the contents of this file?. Why?.

10.-
Remove recursively the fje's ACL rule for folder q9. Display recursively the q9 ACL.
Check if the the ACL rule has been removed using ls -R -ls.
 
11.-
Remove
recursively the folder q9 ACL. Display recursively the q9 ACL. What is the difference with regard the results in question 10?. Check if the the ACL has been removed using ls -R -ls. What is the difference with regard the results in question 10?.

12-
Do the following tasks:
     a) Create a folder called q12 in your home directory.

     b) Create an ACL and simultaneously add
a rule (using the numeric mode) to the ACL for q12 that grants fje read and execution.
     c) Set the ACL mask for q12 to r - -. Display the ACL rules for q12.
     d) What are the effective permissions for fje?. Why?.