ACL On Linux like Windows Permissions

Is there something for Linux where you have more advanced controls for Linux permissions on users and groups, like Windows? Is that what SELinux is about?

1 Answer

Almost all Unix-like systems support ACLs; on Linux, the POSIX ACL format is used. FreeBSD supports both POSIX and NFSv4 style ACLs (there are periodic attempts to add NFSv4 ACLs to Linux as well).

The POSIX ACL format is mostly just an extension to allow specifying the read/write/execute permissions for several users:

$ setfacl -m u::rw,u:httpd:r,g::- ssl.key
$ getfacl ssl.key
# owner: root
# group: root
user::rw-
user:openldap:r--
user:httpd:r--
user:postfix:r--
group::---
mask::r--
other::---

Inheritance is done using “default ACLs”:

$ getfacl /var/log/journal/
# owner: root
# group: systemd-journal
# flags: -s-
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::r-x
default:group:adm:r-x
default:group:wheel:r-x
default:mask::r-x
default:other::r-x
$ touch /var/log/journal/test
$ getfacl /var/log/journal/test
# owner: root
# group: systemd-journal
user::rw-
group::r-x                      #effective:r--
group:adm:r-x                   #effective:r--
group:wheel:r-x                 #effective:r--
mask::r--
other::r--

On the other hand, the NFSv4 ACL format would be very similar to that of Windows & NTFS – slightly different principal names (using NFSv4-style user@domain rather than Windows SIDs or DOMAIN\name), but almost identical permission flags.

Both ACLs and basic Unix permissions are a “discretionary access control” tool – they’re generally set by the object’s owner; if you create a file, you can make it readable to anyone. SELinux, meanwhile, is an implementation of mandatory access control – all SELinux rules are written by the system administrator and cannot be changed by users, even for files they have created. Other such systems are AppArmor, SMACK; Windows Vista has a very basic scheme called Mandatory Integrity Control.
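The two getfacl listings in the answer show the two POSIX ACL rules that most often surprise people: the mask entry caps the effective rights of every named user, the owning group and every named group (but never the owner or "other"), and a file created in a directory with a default ACL inherits that ACL with the create mode ANDed into the owner, mask and other entries, which is why `touch` produced `group:adm:r-x #effective:r--`. The following is an added example, not code from the answer or from the acl package; it parses getfacl(1) text (the sample listings are copied from the answer above and embedded as constants), applies the mask to compute effective permissions, and derives the access ACL a new file inherits from a directory's default ACL. Function names (`parse_getfacl`, `effective_perms`, `inherit_default`, `render`) are this example's own.

```python
"""Effective-permission and default-ACL inheritance rules of POSIX.1e ACLs,
worked on getfacl(1) output. Added example; not part of the original answer."""
from dataclasses import dataclass

PERM_BITS = {"r": 4, "w": 2, "x": 1}

# Constructed sample: the ssl.key listing from the answer above.
SSL_KEY_ACL = """\
# owner: root
# group: root
user::rw-
user:openldap:r--
user:httpd:r--
user:postfix:r--
group::---
mask::r--
other::---
"""

# Constructed sample: the /var/log/journal/ listing from the answer above.
JOURNAL_DIR_ACL = """\
# owner: root
# group: systemd-journal
# flags: -s-
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::r-x
default:group:adm:r-x
default:group:wheel:r-x
default:mask::r-x
default:other::r-x
"""


@dataclass
class AclEntry:
    default: bool    # True for 'default:' entries (inherited by new objects)
    tag: str         # user, group, mask or other
    qualifier: str   # user/group name; '' for owner, owning group, mask, other
    perms: int       # rwx as an octal digit, e.g. r-x -> 5


def parse_perms(text: str) -> int:
    """'r-x' -> 5. Anything after the three permission characters is ignored."""
    return sum(PERM_BITS.get(ch, 0) for ch in text.strip()[:3])


def fmt_perms(bits: int) -> str:
    """5 -> 'r-x' (inverse of parse_perms)."""
    return "".join(ch if bits & b else "-" for ch, b in PERM_BITS.items())


def parse_getfacl(text: str) -> list[AclEntry]:
    """Parse one getfacl listing. '# owner:' headers and '#effective:'
    annotations are comments and are dropped; the ACL entries remain."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        default = line.startswith("default:")
        if default:
            line = line[len("default:"):]
        tag, qualifier, perms = line.split(":", 2)
        entries.append(AclEntry(default, tag, qualifier, parse_perms(perms)))
    return entries


def effective_perms(entries: list[AclEntry]) -> dict[tuple[str, str], int]:
    """Effective bits of each access-ACL entry. The mask caps named users,
    the owning group and named groups; user:: (owner) and other:: are never
    masked. With no mask entry nothing is capped."""
    access = [e for e in entries if not e.default]
    mask = next((e.perms for e in access if e.tag == "mask"), 7)
    result = {}
    for e in access:
        if e.tag == "mask":
            continue
        unmasked = e.tag == "other" or (e.tag == "user" and e.qualifier == "")
        result[(e.tag, e.qualifier)] = e.perms if unmasked else e.perms & mask
    return result


def inherit_default(dir_entries: list[AclEntry], mode: int = 0o644) -> list[AclEntry]:
    """Access ACL a new file gets from the directory's default ACL: named
    entries copy over unchanged; the owner, mask and other entries are ANDed
    with the create mode's owner/group/other bits (mode is already umasked,
    e.g. 0666 & ~022 -> 0644 for touch). Without a default mask entry the
    owning group takes the group bits instead."""
    owner_bits, group_bits, other_bits = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
    defaults = [e for e in dir_entries if e.default]
    has_mask = any(e.tag == "mask" for e in defaults)
    new = []
    for e in defaults:
        perms = e.perms
        if e.tag == "user" and e.qualifier == "":
            perms &= owner_bits
        elif e.tag == "mask" or (not has_mask and e.tag == "group" and e.qualifier == ""):
            perms &= group_bits
        elif e.tag == "other":
            perms &= other_bits
        new.append(AclEntry(False, e.tag, e.qualifier, perms))
    return new


def render(entries: list[AclEntry]) -> list[str]:
    """Access ACL in getfacl style, annotating entries the mask reduces."""
    eff = effective_perms(entries)
    out = []
    for e in entries:
        if e.default:
            continue
        line = f"{e.tag}:{e.qualifier}:{fmt_perms(e.perms)}"
        key = (e.tag, e.qualifier)
        if key in eff and eff[key] != e.perms:
            line += f"\t#effective:{fmt_perms(eff[key])}"
        out.append(line)
    return out


if __name__ == "__main__":
    print("ssl.key effective permissions:")
    for (tag, who), bits in effective_perms(parse_getfacl(SSL_KEY_ACL)).items():
        print(f"  {tag}:{who}: {fmt_perms(bits)}")
    print("ACL of a file touched in /var/log/journal/:")
    print("\n".join("  " + l for l in render(inherit_default(parse_getfacl(JOURNAL_DIR_ACL), 0o644))))
```

Running it reproduces the second listing from the answer (`group:adm:r-x #effective:r--` and so on). The practical point for reviewing a file's exposure is that a named entry such as `user:httpd:r--` is only an upper bound; the mask decides what httpd actually gets, and the mask is also what `chmod g-w` rewrites on a file carrying an ACL, so effective rights must be computed, not read off the entry.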
