Security

Tech Tip: Use ACLs with SGI's XFS file system

Linux file systems offer access control in terms of normal file system permissions. Basic access controls address such areas as group and user ownership and permission differences for users, groups, and the rest of the world.

If you use SGI's XFS file system, you can have extended access control lists (ACLs) on the system. Using these ACLs, you can fine-tune permissions for files that standard Linux file systems and permissions don't allow.

For instance, suppose you want to restrict a program such as su to two users who, while being in the same group, may have other users in the same group. For this example, let's say you have users joe, jim, and bob in the "admin" group.

Now assume that this group has permission to perform various administration functions such as restarting the Web server, mail server, etc. Both jim and joe require root access, but you don't want to give it to bob.

The su program is normally mode 4755, or suid root, and executable by everyone. Using standard Linux tools, you can change this to mode 4700, which is suid root but only executable and read by root. This allows root alone to execute su.

But with using ACLs, we can change this to allow both jim and joe to use su as well. To accomplish this, execute the following:

# setfacl -m u:joe:rx /bin/su
# setfacl -m u:jim:rx /bin/su

This provides extended ACLs on /bin/su that allow both jim and joe to have read and execute permissions to su. Since it's still suid root, su will work as expected. If anyone else tries to use su, the user will simply get a "permission denied" error.

Of course, you must have an XFS file system and the associated XFS userspace tools to use XFS ACLs. To find more information on XFS and to download the tools, check out SGI's Web site.

Editor's Picks

Free Newsletters, In your Inbox