RHEL 7 – RHCSA Notes – Create and manage Access Control Lists (ACLs)

File access control lists (FACLs), or simply ACLs, list additional users and groups and their permissions on a file. Although the default file permissions do their job well, they do not allow you to give permissions to more than one user or one group on the same file.

How to know when a file has ACL attached to it

The ls -l command produces output as shown below. Note the + sign at the end of the permissions. This confirms that the file has an ACL attached to it.

# ls -l
-rw-r--r--+ 1 root root 0 Sep 19 14:41 file

Viewing ACLs

To display detailed ACL information for a file, use the getfacl command. If you look carefully, the users sam and john have some extra permissions (the user:john and user:sam lines). The default user/group permissions are specified using “user::permission” and “group::

# getfacl /tmp/test
# file: test
# owner: root
# group: root
user::rw-
user:john:rw-
user:sam:rwx
group::r--
mask::rwx
other::---

In contrast, if you check the ACLs on a file with no ACLs, the additional “user:” lines and the “mask” line are not shown; only the standard file permissions appear:

# getfacl test
# file: test
# owner: root
# group: root
user::rw-
group::r--
other::r--

Creating and Managing FACLs

The setfacl command sets ACLs on a given file. To give rw access to user john on the file /tmp/test :

# setfacl -m u:john:rw /tmp/test

The -m option tells setfacl to modify the ACLs of the file(s) named on the command line. Instead of the user john, a group can be given a specific permission on the file :

# setfacl -m g:accounts:rw /tmp/test

FACLs for multiple users and groups can also be set with a single command :

# setfacl -m u:john:rw,g:accounts:rwx /tmp/test

Default ACLs

A default ACL determines the permissions that are set on all new items created in the directory. The permissions of existing files and subdirectories remain the same.

To create a default FACL on a directory :

# setfacl -m default:u:john:rw /accounts

Notice the default: entries in the getfacl output :

# getfacl accounts/
# file: accounts/
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:john:rw-
default:group::r-x
default:mask::rwx
default:other::r-x

Removing FACLs

To remove ACLs, use the setfacl command with -x option :

# setfacl -x u:john /tmp/test

The above command removes the ACL entry for the user john on the file /tmp/test. The ACL entries for other users and groups, if any, remain unaffected. To remove all ACLs associated with a file, use the -b option with setfacl :

# setfacl -b /tmp/test

You can also back up ACLs with getfacl and restore them with setfacl. To create the backup, use getfacl -R /dir > file.acls. To restore the settings from the backup file, use setfacl --restore=file.acls
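A backup written by getfacl -R also works as an audit input: the mask line in each listing caps what the named user and group entries actually receive. The following is an added example, not part of the original notes; it parses that format and lists every named entry with its effective permission (the entry ANDed with the mask). The sample listing, including the accounts/ledger file, is constructed.

```python
import re

# Constructed sample in the format of `getfacl -R /dir > file.acls` (names made up).
SAMPLE = """\
# file: accounts
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:john:rw-
default:group::r-x
default:mask::r-x
default:other::r-x

# file: accounts/ledger
# owner: root
# group: root
user::rw-
user:sam:rwx
group::r--
group:accounts:rw-
mask::r--
other::---
"""

ENTRY = re.compile(r"^(default:)?(user|group|mask):([^:]*):([r-][w-][x-])")

def named_grants(text):
    """Named user/group entries per file, with effective = granted AND mask."""
    out = []
    for section in text.strip().split("\n\n"):      # one section per file
        path, named, mask = None, [], {}
        for line in section.splitlines():
            m = ENTRY.match(line)
            if line.startswith("# file: "):
                path = line[len("# file: "):]
            elif m and m.group(2) == "mask":
                mask[m.group(1) or "access"] = m.group(4)
            elif m and m.group(3):                  # non-empty name = extra grant
                named.append((m.group(1) or "access", *m.groups()[1:]))
        for scope, kind, name, perms in named:
            limit = mask.get(scope, "rwx")
            eff = "".join(p if p == k else "-" for p, k in zip(perms, limit))
            out.append((path, scope.rstrip(":"), kind, name, perms, eff))
    return out

print(*named_grants(SAMPLE), sep="\n")
```

In the sample, sam is granted rwx on accounts/ledger but the mask r-- leaves only read access, which is what a review of extra grants needs to report.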

RHEL 7 – RHCSA Notes : Change passwords and adjust password aging for local user accounts

Password configuration

Password aging requires users to change their password periodically. Use the chage command to configure password expiration. The syntax is :

# chage [options] user_name

When you run chage without options, the currently set values are displayed as well (in brackets).

# chage oracle
Changing the aging information for oracle
Enter the new value, or press ENTER for the default

Minimum Password Age [14]:
Maximum Password Age [30]:
Last Password Change (YYYY-MM-DD) [2016-08-23]:
Password Expiration Warning [7]:
Password Inactive [-1]:
Account Expiration Date (YYYY-MM-DD) [1969-12-31]:

Password expiration information is stored in the /etc/shadow file.

# grep oracle /etc/shadow
oracle:$6$H28sLVDL$iNvp/AvbMeqqrslH2bfmTxJpE6.mO8UNzlIXGB3sp87jZP9dW1DxeoLf2QXR7hkLkomuXbtgO1zPKUEYRY8YI1:15284:14:30:7:::
As shown above, the oracle user has a minimum password age of 14 and a maximum password age of 30: the password cannot be changed again until 14 days after the last change, and it must be changed within 30 days of the last change. The user is also warned to change the password starting 7 days before the password expiry date.
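The aging fields in /etc/shadow are day counts, with the last change stored as days since 1970-01-01. The following added example (not from the original notes) decodes one shadow line into calendar dates; the sample line is constructed, with a placeholder in the hash field and the aging values 15284:14:30:7 from the oracle entry above.

```python
from datetime import date, timedelta

# Constructed /etc/shadow line: the hash is a placeholder; the aging fields
# (15284:14:30:7) are the ones from the oracle entry above.
SAMPLE = "oracle:$6$PLACEHOLDER$constructedhash:15284:14:30:7:::"
NEVER = 99999   # PASS_MAX_DAYS default; chage -l reports it as "never"

def day(n):
    """Convert a days-since-1970-01-01 count, as stored in shadow, to a date."""
    return date(1970, 1, 1) + timedelta(days=n)

def aging(line):
    """Decode the aging fields of one shadow line into calendar dates."""
    f = line.strip().split(":")
    if len(f) != 9:
        raise ValueError("a shadow line has 9 colon-separated fields")
    # Fields 3-8: last change, min, max, warn, inactive, account expiry.
    last, lo, hi, warn, inactive, expire = (int(s) if s else None for s in f[2:8])
    info = {"user": f[0]}
    if expire is not None:
        info["account_expires"] = day(expire)
    if last is None:                      # empty field: aging disabled
        return info
    if last == 0:                         # what `chage -d 0` writes
        info["must_change_at_login"] = True
        return info
    info["last_change"] = day(last)
    if lo:
        info["earliest_change"] = day(last + lo)
    if hi is not None and hi != NEVER:
        info["expires"] = day(last + hi)
        if warn:
            info["warn_from"] = day(last + hi - warn)
        if inactive is not None:
            info["inactive_from"] = day(last + hi + inactive)
    return info

for key, value in aging(SAMPLE).items():
    print(f"{key:16} {value}")
```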

chage options

A number of options are available in the chage command. To list aging information :

# chage -l geek
Last password change : Sep 18, 2016
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7

To force a user to set a new password immediately (force immediate expiration), set the last password change value to 0 :

# chage -d 0 geek

authconfig

The Linux user password hashing algorithm is also configurable. Use the authconfig command to determine the current algorithm being used, or to set it to something different. To determine the current algorithm:

# authconfig --test | grep hashing
password hashing algorithm is sha512

To change the algorithm, use the --passalgo option with one of the following as a parameter: descrypt, bigcrypt, md5, sha256, or sha512, followed by the --update option. Of these, sha256 and sha512 are the current choices; descrypt, bigcrypt and md5 are legacy formats.

# authconfig --passalgo=md5 --update

/etc/login.defs file

The /etc/login.defs file provides default user account settings. Default values include:

Location of user mailboxes
Password aging controls
Values for automatic UID selection
Values for automatic GID selection
User home directory creation options
umask value
Encryption method used to encrypt passwords

Sample /etc/login.defs file :

# cat /etc/login.defs
…..
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
PASS_WARN_AGE 7
……
GID_MIN 1000
GID_MAX 60000
…..
UID_MIN 1000
UID_MAX 60000
