Richacls

Richacls is a Linux implementation of NFSv4 ACLs, extended with file masks so that they fit the standard POSIX file permission model more easily.[1] They currently offer the most complex permission model available for the ext4 file system on Linux. They are more expressive than POSIX ACLs, which means it is not possible to convert a Richacl back to a POSIX ACL without losing information. Among their most important advantages are that they distinguish between write and append permission and between delete and delete-child permission, and that they make ACL management discretionary (rather than restricted to root and the file owner). They are also designed to support Windows interoperability.[2]

Richacls use ext4 extended file attributes (xattrs) to store ACLs. The entries of an ACL are called ACEs (Access Control List Entries).

Support in the Linux kernel

Recent versions of the official (vanilla) Linux kernel still do not include Richacl support, so in order to get Richacls working it is necessary to do one of the following:

To verify whether your kernel was built with Richacl support, in most cases it is enough to run the following command on the system console; the expected output is shown below it:

$ grep RICHACL /boot/config-`uname -r`
CONFIG_EXT4_FS_RICHACL=y
CONFIG_FS_RICHACL=y

Enabling Richacls

Once your system has Richacl support, you can enable Richacls on a particular file system. The following example shows how to enable them on the root file system.

$ mount -o remount,richacl /

This can be verified as follows:

$ mount | grep " / "

and the output should show that Richacls are enabled:

/dev/sda1 on / type ext4 (rw,richacl)

Richacls can also be enabled permanently by adding the richacl mount option to the corresponding entry in /etc/fstab.

Manipulating ACLs

Richacl manipulation tools

Richacl entries are manipulated with a utility called richacl, which is available from the project homepage. It can perform several basic operations on a given file or directory, such as:

Format of Richacl ACEs

Each ACL entry (ACE) has the format <who>:<permission mask>:<flags>:<type>.

The value of <who> can be one of:

Values ending with the @ symbol are used to define permissions for the owner, the owning group and everyone else.

The <permission mask> is built from 16 permission bits (according to the NFSv4 and NFSv4.1 specifications), five of which are not implemented. The meaning of each bit is described in the following table.

Bit name              Short symbol  Description
READ_DATA             r             Read data from a file
WRITE_DATA            w             Write data to a file
APPEND_DATA           a             Write to a file in O_APPEND mode
LIST_DIRECTORY        r             Read the contents of a directory
ADD_FILE              a             Create a file object in a directory
ADD_SUBDIRECTORY      a             Create a directory in a directory
DELETE_CHILD          d             Delete a file or subdirectory from a directory
EXECUTE               x             Execute a file, traverse a directory
DELETE                D             Delete the file itself, without DELETE_CHILD on the parent
READ_ATTRIBUTES       T             Read the stat() information for an object (always allowed)
WRITE_ATTRIBUTES      t             Set the atime/mtime on an object
READ_ACL              M             Read the ACL of an object (always allowed)
WRITE_ACL             m             Set the ACL and POSIX mode of an object
WRITE_OWNER           o             Take ownership of an object; set the owning group of an object to one of the caller's GIDs
SYNCHRONIZE           (none)        Stored but not interpreted
READ_NAMED_ATTRS      (none)        Stored but not interpreted
WRITE_NAMED_ATTRS     (none)        Stored but not interpreted
WRITE_RETENTION       (none)        Stored but not interpreted
WRITE_RETENTION_HOLD  (none)        Stored but not interpreted

The <flags> field can consist of the following:

Flag name                 Flag symbol  Description
FILE_INHERIT_ACE          f            New files will inherit this ACE
DIRECTORY_INHERIT_ACE     d            New directories will inherit this ACE
NO_PROPAGATE_INHERIT_ACE  n            The ACE is inherited by immediate children only, not propagated further down
INHERIT_ONLY_ACE          i            The ACE is only inherited; it is not used for access checks on the object itself
IDENTIFIER_GROUP          g            The given <who> ID is a group
INHERITED_ACE             a            The ACE was inherited from the parent directory

The value of <type> is either ALLOW or DENY. The NFSv4 specification also defines the AUDIT and ALARM ACE types; Richacls accept and store these, but do not implement them.

A DENY ACE takes priority over an ALLOW ACE.

Sample usage

$ richacl --get /srv/files/exchange
/srv/files/exchange:
        owner@:rwa-dtD------:fd:allow
        owner@:---x---------:d:allow
    powerusers:rwa----------:fdg:allow
    powerusers:---x---------:dg:allow
 storageadmins:rwa-dtDmo----:fdg:allow
 storageadmins:---x---------:dg:allow

The example above defines a policy in which every user in the powerusers group can read, write and append to files in /srv/files/exchange/ and its subdirectories.

Moreover, users in the powerusers group can delete their own files and directories (including their contents).

In addition, users in the storageadmins group can manipulate the data arbitrarily, and can also modify the ACLs.

Other users have no access to the directory at all.

This permission model cannot be realised with POSIX ACLs, even with the sticky bit, because of the inheritance it requires.
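As an added illustration of the ACE format and the access semantics described above (this is example code, not part of the Richacls project or of the richacl tool), the following Python parses the richacl --get listing from the example and evaluates access requests against it, so a policy can be reviewed offline before it is applied. It models only the implemented permission bits of the table, ignores richacl file masks, and the user names alice, bob and eve and their group memberships are constructed for the demonstration.

```python
from dataclasses import dataclass, replace
from enum import IntFlag, auto

class Perm(IntFlag):
    """Implemented bits from the table above; r/w/a also mean LIST_DIRECTORY/ADD_FILE/ADD_SUBDIRECTORY."""
    READ_DATA = auto()         # r
    WRITE_DATA = auto()        # w
    APPEND_DATA = auto()       # a
    DELETE_CHILD = auto()      # d
    EXECUTE = auto()           # x
    DELETE = auto()            # D
    READ_ATTRIBUTES = auto()   # T
    WRITE_ATTRIBUTES = auto()  # t
    READ_ACL = auto()          # M
    WRITE_ACL = auto()         # m
    WRITE_OWNER = auto()       # o

SYMBOLS = dict(zip("rwadxDTtMmo", Perm))               # short symbols, in the table's order
ALWAYS_ALLOWED = Perm.READ_ATTRIBUTES | Perm.READ_ACL  # the "always allowed" rows

@dataclass(frozen=True)
class Ace:
    who: str     # owner@, group@, everyone@, or a user/group name
    mask: Perm
    flags: str   # letters from the flags table ('g': who is a group, 'i': inherit only)
    allow: bool  # True for allow, False for deny

def parse_ace(text: str) -> Ace:
    """Parse one '<who>:<permission mask>:<flags>:<type>' entry."""
    parts = text.strip().split(":")
    if len(parts) != 4:
        raise ValueError(f"expected four colon-separated fields: {text!r}")
    who, mask_text, flags, ace_type = parts
    if ace_type not in ("allow", "deny"):  # audit/alarm are stored but not implemented
        raise ValueError(f"unsupported ACE type {ace_type!r} in {text!r}")
    mask = Perm(0)
    for ch in mask_text.replace("-", ""):  # '-' is a placeholder for an unset bit
        if ch not in SYMBOLS:
            raise ValueError(f"unknown permission symbol {ch!r} in {text!r}")
        mask |= SYMBOLS[ch]
    return Ace(who, mask, flags, ace_type == "allow")

def parse_richacl_output(text: str) -> list[Ace]:
    """Parse 'richacl --get' output: a '<path>:' header line, then one ACE per line."""
    header, *entries = text.strip().splitlines()
    if not header.endswith(":"):
        raise ValueError("missing '<path>:' header line")
    return [parse_ace(e) for e in entries]

@dataclass(frozen=True)
class Principal:
    user: str
    groups: frozenset[str]
    is_owner: bool = False         # owner@ matches
    in_owning_group: bool = False  # group@ matches

def ace_applies(ace: Ace, p: Principal) -> bool:
    special = {"owner@": p.is_owner, "group@": p.in_owning_group, "everyone@": True}
    if ace.who in special:
        return special[ace.who]
    return ace.who in p.groups if "g" in ace.flags else ace.who == p.user

def check_access(acl: list[Ace], p: Principal, requested: Perm) -> bool:
    """NFSv4-style evaluation in ACE order (richacl file masks are not modelled):
    an ALLOW ACE grants the requested bits it carries, a DENY ACE covering any
    requested bit not yet granted rejects the request. 'i' entries are skipped."""
    allowed = ALWAYS_ALLOWED & requested
    for ace in acl:
        if "i" in ace.flags or not ace_applies(ace, p):
            continue
        if ace.allow:
            allowed |= ace.mask & requested
        elif int(ace.mask) & int(requested) & ~int(allowed):
            return False
    return allowed == requested

# Constructed input: the 'richacl --get' listing shown in the example above.
SAMPLE = """\
/srv/files/exchange:
        owner@:rwa-dtD------:fd:allow
        owner@:---x---------:d:allow
    powerusers:rwa----------:fdg:allow
    powerusers:---x---------:dg:allow
 storageadmins:rwa-dtDmo----:fdg:allow
 storageadmins:---x---------:dg:allow
"""

def demo() -> dict[str, bool]:
    acl = parse_richacl_output(SAMPLE)
    alice = Principal("alice", frozenset({"powerusers"}))
    bob = Principal("bob", frozenset({"storageadmins"}))
    eve = Principal("eve", frozenset({"users"}))  # matches no ACE at all
    rwa = Perm.READ_DATA | Perm.WRITE_DATA | Perm.APPEND_DATA
    return {"poweruser_rwa": check_access(acl, alice, rwa),
            "poweruser_delete_child": check_access(acl, alice, Perm.DELETE_CHILD),
            "owner_delete_own": check_access(acl, replace(alice, is_owner=True), Perm.DELETE | Perm.DELETE_CHILD),
            "admin_write_acl": check_access(acl, bob, Perm.WRITE_ACL),
            "other_read": check_access(acl, eve, Perm.READ_DATA),
            "other_stat": check_access(acl, eve, Perm.READ_ATTRIBUTES)}
```

Running demo() reproduces the policy described in the text: a poweruser can read, write and append but cannot delete other users' children, the owner of a file can delete it, a storageadmin can rewrite the ACL, and an unlisted user gets nothing except the always-allowed stat() and ACL reads. Because evaluation walks the entries in order and a DENY only affects bits not yet granted, a DENY entry is placed before the ALLOW entries it is meant to override, which is how the priority stated above is obtained in practice.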

References

  1. "Richacls - Native NFSv4 ACLs on Linux".
  2. "Implementing an Advanced Access Control Security Model on Linux" (PDF).
  3. Richacls removed in OpenSUSE 13.1 citing that they were not functioning.
This article is issued from Wikipedia - version of the 11/28/2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.