Access Control List (Demo)

Video Transcription
00:00
>> Hey Cybrarians, welcome back to
00:00
the Linux plus course here at Cybrary.
00:00
I'm your instructor [inaudible].
00:00
In today's lesson, we're going to be
00:00
covering access control lists.
00:00
Upon completion of today's lesson,
00:00
you're going to be able to understand the purpose of
00:00
access control lists or ACLs as we abbreviate that.
00:00
We're going to talk about how to identify
00:00
an object that has an ACL applied.
00:00
Then we're going to use the getfacl and
00:00
setfacl commands to work with access control lists.
00:00
Access control lists or ACLs,
00:00
are what we use to overcome the limitations that are
00:00
inherent in using basic Linux permissions.
00:00
Those limitations are there when you're
00:00
working with basic permissions,
00:00
you can only apply permissions to
00:00
a single account or group.
00:00
But with ACLs, you can specify a list of
00:00
multiple users or groups
00:00
and their permissions to any object.
00:00
As a bonus, ACLs use the same basic read, write,
00:00
and execute permission bits that we've seen so
00:00
far when we're setting those permissions.
00:00
How can you determine if one of
00:00
these objects has an ACL set on it, right?
00:00
How do you spot ACLs in the wild?
00:00
Well, objects that have an ACL have
00:00
another character after the standard
00:00
permission set, the period.
00:00
You can see that on the directory,
00:00
starts with dr-x, so on and so forth.
00:00
At the end is a period,
00:00
same thing with link, same thing with a file.
00:00
Anything that has a period after it,
00:00
has an ACL applied.
00:00
Now, one thing to note
00:00
though is that when you're in CentOS,
00:00
most of the root level directories
00:00
already have an ACL applied.
00:00
That means that any file you create
00:00
will inherit that ACL.
00:00
It's just something to note, it's not an issue.
00:00
But if you're wondering why is there a dot
00:00
here at the end and you're working in CentOS,
00:00
it just gets it by default.
00:00
Where does one see an access control list?
00:00
Well, you can see it by using the getfacl command,
00:00
and you just specify getfacl,
00:00
and then the name of the object that you want to
00:00
see the access control list for.
00:00
In this case, we do getfacl file and we can
00:00
see that this file just has basic generic permissions.
00:00
In this case, user and group have read,
00:00
write, and the other has read.
00:00
We can set or modify
00:00
these permissions using this setfacl command,
00:00
so we do setfacl -m and then we specify
00:00
user group or other for our symbolic notation,
00:00
the name of the user or group, and then the r,
00:00
w, x permissions, and
00:00
then the object we want to change.
00:00
Let's take a closer look at all of
00:00
this with some demo time.
00:00
Okay, so here we are over
00:00
in our CentOS environment again today.
00:00
For today, we're going to go
00:00
ahead and create a new file.
00:00
We'll call it ACL file and this
00:00
is the file that we're going to pick on today.
00:00
Now if you do an ls -al on ACL file,
00:00
we can see that it already has
00:00
a period after it. Why is this?
00:00
It's like I just said, ACLs
00:00
get inherited from the default file permissions.
00:00
So in this case, it got inherited from the default
00:00
ACL on my user account directory.
00:00
We can actually see what is set on this by doing
00:00
a getfacl on ACL file.
00:00
We can see that by default, it just has
00:00
very basic permissions, read,
00:00
write for the user and group,
00:00
and read for the other
00:00
and that's because I created it as my user.
00:00
If we created it as root, it would be read, write,
00:00
and then read and read
00:00
because of the [inaudible] for that.
00:00
If we wanted to add another user,
00:00
let's say we want to add the user Engine X,
00:00
but I don't want to add them to the group Rob,
00:00
because that's my group, it's just for me.
00:00
But for whatever reason, Engine X,
00:00
this user needs to have access to this file.
00:00
We can do that.
00:00
We can give just the user access to the file by
00:00
using setfacl -m for modify,
00:00
and then u for the user,
00:00
in this case it's Engine X.
00:00
Hopefully, I spelled that right.
00:00
I had a little problem with that earlier.
00:00
[LAUGHTER] We're going to change it to read,
00:00
write on ACL file.
00:00
There it goes, it works thankfully.
00:00
Now if we do a getfacl on ACL file, again,
00:00
we see that not only do we have user r,
00:00
w for the default user,
00:00
we also have user Engine X,
00:00
r, w specified here.
00:00
We've given this user
00:00
read-write permissions on this file.
00:00
Now, we couldn't do that normally
00:00
with just our normal basic permissions.
00:00
We don't have the ability to do that.
00:00
To set additional access
00:00
for additional users is just a one and done.
00:00
With the ACLs, with setfacl,
00:00
we can make these modifications.
00:00
Now, what if we wanted to grant all
00:00
of the other users read-write access as well?
00:00
We can do that too. We can do setfacl,
00:00
and we want to change this.
00:00
We're going to modify and we're going to say others,
00:00
so all other users RW on ACL file.
00:00
We don't need this extra one here, I apologize.
00:00
Now we do getfacl,
00:00
we see that other has changed from read to read-write.
00:00
Now a last option we'll talk about is really nice,
00:00
is that if you want to remove changes and go
00:00
back to the default ACL,
00:00
you can do that too.
00:00
You can do a setfacl -b ACL file.
00:00
Now if we do a getfacl on ACL file again,
00:00
you can see it shows the exact same thing
00:00
it did when we created the file.
00:00
With that, we've reached the end of the lesson.
00:00
In this lesson, we covered the purpose of ACLs.
00:00
We talked about how to identify
00:00
an object that has an ACL applied to it.
00:00
Then we used the getfacl and
00:00
setfacl commands to work with ACLs.
00:00
Thanks so much for being here,
00:00
and I look forward to seeing you in the next lesson.