The file access control lists (FACLs) or simply ACLs are the list of additional user\/groups and their permission to the file. Although the default file permissions does their jobs perfectly, it does not allow you to give permissions to more than one user or one group on the same file.<\/p>\n
How to know when a file has ACL attached to it<\/p>\n
ls -l command would produce a output as show below. Note the + sign at the end of the permissions. This confirms that the file has an ACL attached to it.<\/p>\n
# ls -l
\n-rw-r–r-+ 1 root root 0 Sep 19 14:41 file
\nViewing ACLs<\/p>\n
To display details ACL information of a file use the getfacl command. If you see carefully, the users sam and john have some extra permissions (shown highlighted). The default user\/group permissions are specified using \u201cuser::permission\u201d and \u201cgroup::<\/p>\n
# getfacl \/tmp\/test
\n# file: test
\n# owner: root
\n# group: root
\nuser::rw-
\nuser:john:rw-
\nuser:sam:rwx
\ngroup::r–
\nmask::rwx
\nother:—
\nIn contrast, if you check the ACLs on a a file with \u201cno ACLs\u201d the additional \u201cuser:\u201d lines and \u201cmask\u201d line will not be shown and standard file permissions will be shown. :<\/p>\n
# getfacl test
\n# file: test
\n# owner: root
\n# group: root
\nuser::rw-
\ngroup::r–
\nother::r–
\nCreating and Managing FACLs<\/p>\n
The setfacl command is used to set ACL on the given file. To give a rw access to user john on the file \/tmp\/test :<\/p>\n
# setfacl -m u:john:rw \/tmp\/test
\nThe -m option tells setfacl to modify ACLs on the file(s) mentioned in command line. Instead of user john we can have a group to have a specific permission on the file :<\/p>\n
# setfacl -m g:accounts:rw \/tmp\/test
\nFACLs for multiple user and groups can also be set with single command :<\/p>\n
# setfacl -m u:john:rw,g:accounts:rwx \/tmp\/test
\nDefault ACLs<\/p>\n
By setting a default ACL, you\u2019ll determine the permissions that will be set for all new items that are created in the directory. But the permissions of existing files and subdirectories remains same.<\/p>\n
To create a default FACL on a directory :<\/p>\n
# setfacl -m default:u:john:rw \/accounts
\nNotice the default permissions in the getfacl command :<\/p>\n
# getfacl accounts\/
\n# file: accounts\/
\n# owner: root
\n# group: root
\nuser::rwx
\ngroup::r-x
\nother::r-x
\ndefault:user::rwx
\ndefault:user:john:rw-
\ndefault:group::r-x
\ndefault:mask::rwx
\ndefault:other::r-x
\nRemoving FACLs<\/p>\n
To remove ACLs, use the setfacl command with -x option :<\/p>\n
# setfacl -x u:john \/tmp\/test
\nThe above command removes the ACL for the user john on the file \/tmp\/test. The ACLs for other user\/groups if any remains unaffected. To remove all ACLs associated to a file use the -b option with setfacl :<\/p>\n
# setfacl -b \/tmp\/test
\nYou can also create a backup of ACLs using getfacl, and restore ACLs using setfacl command. To create the backup, use getfacl -R \/dir > file.acls. To restore the settings from the backup file, use setfacl \u2013restore=file.acl<\/p>\n
RHEL 7 \u2013 RHCSA Notes : Change passwords and adjust password aging for local user accounts<\/p>\n
Password configuration<\/p>\n
password aging requires users to change their password periodically. Use the chage to configure password expiration. The syntax is :<\/p>\n
# chage [options] user_name
\n\u2013 When you fire the command chage, the currently set options are displayed as well.<\/p>\n
# chage oracle
\nChanging the aging information for oracle
\nEnter the new value, or press ENTER for the default<\/p>\n
\tMinimum Password Age [14]:
\n\tMaximum Password Age [30]:
\n\tLast Password Change (YYYY-MM-DD) [2016-08-23]:
\n\tPassword Expiration Warning [7]:
\n\tPassword Inactive [-1]:
\n\tAccount Expiration Date (YYYY-MM-DD) [1969-12-31]:
\nPassword expiration information is stored in \/etc\/shadow file.<\/p>\n
# grep oracle \/etc\/shadow
\noracle:$6$H28sLVDL$iNvp\/AvbMeqqrslH2bfmTxJpE6.mO8UNzlIXGB3sp87jZP9dW1DxeoLf2QXR7hkLkomuXbtgO1zPKUEYRY8YI1:15284:14:30:7:::
\nAs shown above the oracle user has minimum password age of 14 and maximum password age of 30 \u2013 It means that in 14 days the user will have 30 days to change the password. Also the user is warned to change the password 7 days prior to password expiry date.<\/p>\n
chage options<\/p>\n
Number of options are available in chage command. To list aging information :<\/p>\n
# chage -l geek
\nLast password change\t\t\t\t\t: Sep 18, 2016
\nPassword expires\t\t\t\t\t: never
\nPassword inactive\t\t\t\t\t: never
\nAccount expires\t\t\t\t\t\t: never
\nMinimum number of days between password change\t\t: 0
\nMaximum number of days between password change\t\t: 99999
\nNumber of days of warning before password expires\t: 7
\nTo force a user to set a new password immediately (force immediate expiration), set the last password change value to 0 :<\/p>\n
# chage \u2013d 0 geek
\nauthconfig<\/p>\n
The Linux user password hashing algorithm is also configurable. Use the authconfig command to determine the current algorithm being used, or to set it to something different. To determine the current algorithm:<\/p>\n
# authconfig –test | grep hashing
\n password hashing algorithm is sha512
\nTo change the algorithm, use the \u2013passalgo option with one of the following as a parameter: descrypt, bigcrypt, md5, sha256, or sha512, followed by the \u2013update option.<\/p>\n
# authconfig –passalgo=md5 –update
\n\/etc\/login.defs file<\/p>\n
\/etc\/login.defs file provides default user account settings. Default values include:<\/p>\n
Location of user mailboxes
\nPassword aging controls
\nValues for automatic UID selection
\nValues for automatic GID selection
\nUser home directory creation options
\numaskvalue
\nEncryption method used to encrypt passwords
\nSample \/etc\/login.defs file :<\/p>\n
# cat \/etc\/login.defs
\n…..
\nPASS_MAX_DAYS\t99999
\nPASS_MIN_DAYS\t0
\nPASS_MIN_LEN\t5
\nPASS_WARN_AGE\t7
\n……
\nGID_MIN 1000
\nGID_MAX 60000
\n…..
\nUID_MIN 1000
\nUID_MAX 60000<\/p>\n","protected":false},"excerpt":{"rendered":"
The file access control lists (FACLs) or simply ACLs are the list of additional user\/groups and their permission to the file. Although the default file permissions does their jobs perfectly, it does not allow you to give permissions to more than one user or one group on the same file.<\/p>\n
How to know when a […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[73],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/6710"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6710"}],"version-history":[{"count":1,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/6710\/revisions"}],"predecessor-version":[{"id":6711,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/6710\/revisions\/6711"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6710"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6710"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6710"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}