Introduction to Second Extended Filesystem Attributes, Linux Extended Attributes (EA) and Access Control Lists (ACL)

1. Linux Second Extended (ext2) Filesystem Attributes

* Package
  - e2fsprogs

* Files
  /usr/bin/chattr
  /usr/bin/lsattr

* Most common attributes

  - A - When the file is accessed the atime record is not modified. This avoids
    a certain amount of disk I/O.
  - a - When this file is opened, it is opened in append only mode for writing.
  - i - This file cannot be modified, renamed or deleted.

* Examples

  # chattr +i directory/
  # lsattr directory/


2. Linux Extended Attributes

Extended attributes are arbitrary name:value pairs that enable users to
associate files or directories with metadata. This can be used to store system
objects like capabilities of executables and access control lists, as well as
user objects.

* Package
  - attr

* Files
  /usr/bin/attr
  /usr/bin/getfattr
  /usr/bin/setfattr

* Configuration

  # tune2fs -l /dev/sda3 | grep "Default mount options"

  Required option: user_xattr

* Namespaces

  - 'user.*' namespace is meant to be used by the user and any application
  that is run by the user. There are no restrictions with regard to naming or
  contents. For example, 'user.creator' keeps the name of the application that
  created the file.

  - 'system.*' namespace is used by ACLs and can only be set with root
  access. For example, 'system.posix_acl_access' and 'system.posix_acl_default'.

  - 'security.*' namespace. For example, SELinux uses the 'security.selinux'
  attribute.

  - 'trusted.*' namespace is not supported by the current kernels. For example,
  'trusted.md5sum'.

* Examples

  # setfattr -n user.foo -v bar file
  # getfattr file
  # getfattr -n user.foo file

  # getfattr -n system.posix_acl_access file
  # getfattr -n system.posix_acl_default /directory


3. Access Control Lists

The Red Hat Enterprise Linux 5 kernel provides ACL support for the ext3 file
system and NFS-exported filesystems. ACLs are also recognized on ext3 file
systems accessed via Samba.

Along with support in the kernel, the 'acl' package is required to implement
ACLs. It contains the utilities used to add, modify, remove, and retrieve ACL
information.

ACLs are supported by the ext2, ext3 and ext4 filesystems. The maximum number
of supported ACL entries is 32.

* Package
  - acl, access control list utilities.

* Files
  /usr/bin/chacl
  /usr/bin/getfacl
  /usr/bin/setfacl

* Configuration

  # tune2fs -l /dev/sda3 | grep "Default mount options"
  Required option: acl

  - Enabling ACL support

  # mount -t ext3 -o acl /dev/sdb5 /home

  or

  File: /etc/fstab
  LABEL=/home /home ext3 rw,acl 1 2

  # mount -v -o remount /home
  # mount -l

* ACL entry types:
  Type              Text Form
  ---
  owner             user::rwx

  named user        user:name:rwx
  owning group      group::rwx
  named group       group:name:rwx

  mask              mask::rwx
  other             other::rwx

ACL entries are examined in the following sequence: owner, named user, owning
group or named group, and other.

ACLs equivalent to the file mode permission bits are called minimal ACLs, and
they have three ACL entries. ACLs with more than three entries are called
extended ACLs, and contain a mask entry.


* Configuring NFS

To disable ACL support for the NFS share, include the no_acl option in the
/etc/exports file. To disable ACL support on the NFS share when mounting it on a
client, mount it with the no_acl option via the command line or the /etc/fstab
file.


* Samba support


* Retrieving ACLs

  # getfacl {files}

  - Numeric values:
  # getfacl --numeric {files}

  Once an ACL is configured you will see an additional '+' character next to
  the file in the directory listing.


* Configuring Access ACL - User and group access permissions for a specific file or 
directory.

  - Modify the ACL of a file or directory:
  # setfacl -m u:{uid}:{perm} {files}
  # setfacl -m g:{gid}:{perm} {files}

  # setfacl -m u:webadmin:rwx /directory
  # setfacl -m g:psacln:rwx /directory

  - Apply operations recursively.
  # setfacl -R -m u:webadmin:rw- /directory

  - Set the ACL of a file or a directory, replacing the current one:
  # setfacl --set {rules} {files}

  - Remove permissions
  # setfacl -x u:webadmin /directory

  - Remove all permissions
  # setfacl -b /directory
  # setfacl --remove-all /directory


* Configuring Default ACL - An access control list that can only be applied to
directories. If a file within the directory does not have an access ACL, it
uses/inherits the rules of the default ACL for the directory. This ACL is
optional.

  # setfacl -m d:g:psacln:r-x /directory


* Effective rights mask - This entry limits the effective rights granted to all
ACL groups and users. The mask is the union of all permissions of the named
user, owning group and named group entries, and works like a real-time umask.
The permissions defined in the owner and other entries are always effective. The
default mask entry is set to the permissions of the owning group. If the mask is
more restrictive than the ACL permissions then the mask takes precedence.
When an application changes any of the owner, group, or other class permissions
(chmod command), the corresponding ACL entry changes as well.

  - Masking access permissions:
  Entry type        Text form         Permissions
  ---
  named user        user:foo:r-x      r-x
  mask              mask::rw-         rw-
  ---
  Effective permissions:              r--


  # setfacl -m u:foo:r-x,g:bar:rwx /directory
  # setfacl -m mask::rw- /directory
  # getfacl /directory

  Use 'rwx' or 'rw-' mask to allow all granted permissions.

  # setfacl -m m::rwx /directory
  # getfacl /directory


* Archiving ACLs

Old versions of the tar and dump commands do not back up ACLs. You can archive
the ACLs with the star utility or with a new version of tar.

* Package
  - star, tar implementation capable of archiving ACLs.

* Example
  # tar --acls

  The cp and mv commands copy or move any ACLs associated with files and
  directories. The cp command will only preserve ACLs if used with the -p or -a
  options.

  ACLs are not supported by editors such as 'Konqueror'.


* Creating backup of the ACL configuration.

  Create the configuration file with the getfacl command. Apply configuration with
  the setfacl -M config /directory command.


* Performance


* Examples

  # umask

  # touch file
  # ls -l file
  # getfacl file

  # setfacl -m u:foo:rw file
  # setfacl -m u:bar:rwx file

  # getfacl file

  # ls -ld file
  An additional '+' character indicates that an ACL has been applied to the
  file or directory.

  # setfacl -m m::rw- file
  # getfacl file
  '#effective' indicates that the mask must be changed to preserve the desired
  permissions.

  # setfacl -m m::rwx file
  # getfacl file

  # setfacl -m g:bar:rwx file
  # getfacl file

  # chmod g-wx file
  # getfacl file
  # setfacl -m m::rwx file

  # setfacl -m d:baz:rwx /directory
  # getfacl /directory
  Create a file inside /directory and verify its permissions.

  # getfacl -R /directory > backup.txt
  # setfacl -RM backup.txt /directory

  # setfacl -x u:500 /directory
  # setfacl -Rb /directory


* Author:	Marcin Pawelkiewicz
* Created:	Tue Oct 13 14:37:00 BST 2009
* Modified:	Wed Nov  4 10:10:31 GMT 2009