ACL on UNIX - 24 Jul 2008

      On the Windows platform, security administrators can take advantage of a very robust framework when working with file and folder ACLs and assign access permissions to resources by using a strategy known as AGDLP. The acronym stands for the practice of putting accounts (A) into global (G) groups, which are members of domain local (DL) groups, which are assigned permissions (P) on objects. Using the AGDLP strategy makes adding and removing access to users and groups a snap because you don't need to reapply permissions. Many auditors love the AGDLP model as it means they can largely focus on auditing the centralized database, Active Directory (AD).

      In Linux, however, AGDLP becomes more difficult to enforce because most traditional installations only support very broad access control consisting of three levels: owner, group, and “other.” Using this model, you're limited to only a single group from which to base your permissions (e.g., Read or Write) and then grant those permissions to other groups and users by making them members of that original group. But you can get granular access control that mimics several steps of the AGDLP process for UNIX systems by using a package of tools and file systems known as ACL.

ACL on UNIX

ACL has been available to the UNIX community for many years but perhaps isn't well known, especially to Windows admins new to managing UNIX variants. The ACL package is based on POSIX.1.e, which defines various security standards within UNIX systems, including how to handle discrete access control lists. (POSIX is a collection of IEEE standards specifying how software should operate on various UNIX systems.)

      Although ACL has been around for years, not every UNIX variant supports it. Even within a supported OS and file system, you must be cautious which file tools you use or you might strip the ACL from a file. However, if you want to grant fine-grained access controls to a file, ACL provides richness not otherwise available to you.

Using ACL

Let’s walk through an example to get a feel for how to use the ACL package. Let's say you're responsible for the centralized firewall logs and you want to grant a series of access permissions to various groups. The firewall logs are stored in the directory /var/log/hosts.

      For your networking team, you decide to provide read-only access; your log file admins who regularly maintain the logs get read/write access. To accomplish this, create two groups: fwlog-reader and fwlog-author. For the fwlog-reader group, you'll assign read-only access. For the fwlog-author group, you'll assign read/write access. To create these groups, run this command:

sudo addgroup fwlog-reader

sudo addgroup fwlog-author

      I'll walk you through installing and configuring the ACL package in a moment, then you'll use the command setfacl to apply unique permissions to the firewall logs for each of these groups. You'll then be free to add or remove individuals from the membership of these groups without having to reset the permissions of the files. (Plus, if your UNIX systems are AD aware and these groups are domain local groups, then your auditing of the membership becomes simpler too as the groups are in one location and stored in AD instead of stored on the individual servers.)

      In this example we’ll walk through the steps of installing and configuring ACL using Ubuntu 7.10 with the 2.6 kernel and an EXT3 file system. Other Linux distributions and UNIX variants support ACL (e.g., XFS, ReiserFS file systems, and more recently EXT2 and EXT3 file systems), but that support varies significantly, so it’s important you review the ACL implementation for your specific platform and also review which tools you want to use with your ACL extended files.

      First, install the ACL package using Ubuntu’s package manager aptitude by running the command

sudo aptitude install acl

Next, enable ACL for each partition where you want to set the extended file attributes. Do this by editing the file /etc/fstab. This is the critical file-system table. I recommend you make a backup first and be careful when editing. While you're learning about ACL for your variant of UNIX (or UNIX-like system), I recommend testing on a non-critical partition in case something goes awry, so you can recover without losing access to your system. I also recommend testing and learning using a virtual machine (VM) guest that you’ve taken a snapshot of prior to making any changes. If you make a catastrophic change, you can quickly revert to the snapshot.

      The fstab file varies by Linux system but generally contains the name of the device, the mount point, type, options, the archiving schedule, and the order a volume is scanned for errors. To activate ACL support for a specific partition, you need to add the ACL option to its entry. For example, in our test system, the root directory is mounted to the device /dev/sda1. Your installation will vary, but look for the options—in this case, defaults,errors=remount-ro—and add the option acl, which in this case would look like this:

/dev/sda1/ ext3acl,defaults,errors=remount-ro 0 1

You shouldn't edit anything else in the file, nor should you change other parts of the entry. You're simply adding the option acl. Also, your fstab might look different because recent versions of some Linux variants also now support Universal Unique Identifiers (UUID) instead of the device, so be careful and do some research if the contents of your fstab aren't familiar to you.)

      Next, remount your partition or if you set ACL on an in-use partition, reboot your system.

At this point your partition supports setting of file-level ACLs.

      To set and view the ACLs on a file, run the commands setfacl and getfacl, respectively. Before we set any new ACLs, let's view the current ACLs on our target directory by running this command:

jeff@ubuntu:/var/log$ getfacl hosts

The command returns the user, group, and other permissions of the traditional UNIX permission model. In this example, only root has access to the directory:

# file: hosts

# owner: root

# group: root

user::rwx

group::r-x

other::r-x

      Now, let’s set the ACL for our two new groups by running this command:

sudo setfacl -m group:fwlog-reader:r /var/log/hosts

sudo setfacl -m group:fwlog-author:rw /var/log/hosts

The parameter -m instructs the program to modify an existing ACL. (You can specify the parameter -x to remove an ACL.) The next triplet of parameters separated by colons specifies whether to modify (or add) a user or group, the name of that user or group, and the permissions you wish to grant—either read (r), write (w), or execute (x). The first command above, for example, instructs the program to add the group named fwlog-reader with read-only access to the directory /var/log/hosts.

      Now, when you rerun getfacl like this

jeff@ubuntu:/var/log$ getfacl hosts

you can see the new ACLs:

# file: hosts

# owner: root

# group: root

user::rwx

group::r-x

group:fwlog-reader:r--

group:fwlog-author:rw-

mask::rwx

other::r-x

      Now, users who are members of either the fwlog-reader or fwlog-author groups have permissions to access files within that folder appropriate to their role. Other features of ACL allow mass processing of many files and folders as well as support to back up and restore your newly-set ACLs. You might want to check out the ACL man (manual) page as well as search the web for other examples of how to configure and use this very useful package.