1
00:00:00,000 --> 00:00:10,080
In this video you will learn about access control lists.

2
00:00:10,080 --> 00:00:15,060
Access control lists are something that allows administrators to grant permissions to more

3
00:00:15,060 --> 00:00:17,920
than one user and or more than one group.

4
00:00:17,920 --> 00:00:22,360
It's really an extension to the basic permissions read, write and execute as you've learned

5
00:00:22,360 --> 00:00:23,360
about earlier.

6
00:00:23,360 --> 00:00:27,240
They are supported by all modern file systems as a default.

7
00:00:27,240 --> 00:00:32,680
To work with access control lists, you can use the getfacl command to find out if any

8
00:00:32,680 --> 00:00:39,200
current access control lists apply and setfacl to manage access control lists.

9
00:00:39,200 --> 00:00:41,279
Now what are the use cases?

10
00:00:41,279 --> 00:00:44,480
Access control lists may be used in different situations.

11
00:00:44,480 --> 00:00:48,959
For example, in a shared user environment where one user or group needs full access

12
00:00:48,959 --> 00:00:54,279
to files and other users or groups need read-only access.

13
00:00:54,279 --> 00:00:58,720
That is a situation that you cannot handle with basic permissions because with basic permissions,

14
00:00:58,720 --> 00:01:02,880
as you remember, you have one group owner only.

15
00:01:02,880 --> 00:01:07,320
Also you can use them in a developer environment where the developer may require access to

16
00:01:07,320 --> 00:01:11,559
a server document root where you still want to make sure that the server document root

17
00:01:11,559 --> 00:01:15,919
is owned by the appropriate process.

18
00:01:15,919 --> 00:01:18,000
Let's check out how to manage them.

19
00:01:18,000 --> 00:01:25,320
To see current ACLs, you use getfacl and to manage them, you use setfacl.

20
00:01:25,320 --> 00:01:30,320
There is a regular ACL which will take care of all currently existing files and the default

21
00:01:30,320 --> 00:01:34,040
ACL will take care of all new files.

22
00:01:34,040 --> 00:01:37,800
And you should use ACLs as an infrastructure solution.

23
00:01:37,800 --> 00:01:44,000
They should be configured on directories before you start to work with files in these directories.

24
00:01:44,000 --> 00:01:46,680
Let me show you how you can use them.

25
00:01:46,680 --> 00:01:52,760
So in order to do this demo I need a group; let me create it. The name of the group is account,

26
00:01:52,760 --> 00:01:54,879
and I need a directory structure.

27
00:01:54,879 --> 00:02:01,760
So let me use mkdir -p to create the entire path for /data/sales.

28
00:02:01,760 --> 00:02:09,600
Then first I'm going to use setfacl -R, where the uppercase R makes it recursive, and -m is for modify,

29
00:02:09,600 --> 00:02:17,520
followed by g:account:rX on /data/sales.

30
00:02:17,520 --> 00:02:26,039
So this will modify the access control listing for data sales to add the group account as

31
00:02:26,039 --> 00:02:27,320
a group owner.

32
00:02:27,320 --> 00:02:32,479
And we have rX, lowercase r and uppercase X; the uppercase X makes sure that the recursive ACL is not

33
00:02:32,479 --> 00:02:36,639
going to make files but only directories executable.

34
00:02:36,639 --> 00:02:39,240
And that is exactly what we want.

35
00:02:39,240 --> 00:02:43,080
Now this is taking care of existing files, if any.

36
00:02:43,080 --> 00:02:47,520
You also want to take care of anything that will be created from that moment on.

37
00:02:47,520 --> 00:02:49,639
And that is the default ACL.

38
00:02:49,639 --> 00:02:59,720
So again, setfacl -m for modify followed by d:g:account:rx.

39
00:02:59,720 --> 00:03:04,360
Default ACLs apply to directories only, so you don't need an uppercase X here.

40
00:03:04,360 --> 00:03:09,800
And in order to make it a default ACL, you just put a d: in front of the string.

41
00:03:09,800 --> 00:03:16,000
And then data sales, which is a directory structure to which you want to set it.

42
00:03:16,000 --> 00:03:24,399
Now we can check: when I use getfacl on /data/sales, we can see the ACL setting.

43
00:03:24,399 --> 00:03:29,479
So let's start on the bottom where we see the default ACL setting set to the user and

44
00:03:29,479 --> 00:03:33,240
the group, which are the ordinary user and group owners.

45
00:03:33,240 --> 00:03:37,839
And the group account, which has been added with the read and execute permission.

46
00:03:37,839 --> 00:03:44,800
And as a result of this default ACL, what is going to happen if in data sales I create

47
00:03:44,800 --> 00:03:45,800
a file?

48
00:03:45,800 --> 00:03:50,919
Well, let's use getfacl on file one.

49
00:03:50,919 --> 00:03:56,399
And there we can see that the group account also has a read permission on the file.

50
00:03:56,399 --> 00:03:58,539
That's the purpose of the default ACL.

51
00:03:58,539 --> 00:04:02,919
You want these permissions to be granted to all files and directories that are created

52
00:04:03,600 --> 00:04:04,600
at this level.

53
00:04:04,600 --> 00:04:09,320
Now you can also use setfacl -x g:account.

54
00:04:09,320 --> 00:04:10,839
And what is that going to do?

55
00:04:10,839 --> 00:04:16,600
Well, unfortunately, for members of the group account, that is going to remove the ACL setting.

56
00:04:16,600 --> 00:04:23,480
So getfacl on data sales is showing that the ACL has been removed, but not the default

57
00:04:23,480 --> 00:04:24,480
ACL.

58
00:04:24,480 --> 00:04:28,160
And can you imagine what to do to remove the default ACL as well?

59
00:04:28,160 --> 00:04:31,720
Well, that should be d:g:account.

60
00:04:31,720 --> 00:04:34,519
And that is how you can work with access control lists.

