Saturday, April 13, 2013

ACL : How to enable read permission for /var/log/messages for ordinary user in Linux?


By default, the file /var/log/messages can be accessed only by the superuser (root). An ordinary user does not even have read permission on it.

# ls -l /var/log/messages
-rw------- 1 root root 658711 Apr 14 05:52 /var/log/messages

So how to enable read permission for an ordinary user, say xyz, for the file /var/log/messages?

Access Control Lists (ACLs) come to the aid here by allowing us to grant different levels of access to files and directories for specific users and groups, independently of the owner/group/other permission bits.

How to enable ACLs on a Linux filesystem?


1) Install the acl package first. It provides the Access Control List utilities (setfacl and getfacl).
   # yum install acl

2) Mount the partition with the acl option enabled. Edit /etc/fstab as follows:

UUID=fffff7aa-57b8-40aa-baa4-588c4eff7651   /  ext4    defaults,acl        1 1

3) Reboot the system for the new mount option to take effect.

Enable read access for user xyz to the file /var/log/messages


1) setfacl - sets the file access control list. Add a named-user entry that grants xyz read permission:

    # setfacl -m u:xyz:r /var/log/messages

2) Check the new file permissions for /var/log/messages:

    # ls -l /var/log/messages
    -rw-r-----+ 1 root root 658711 Apr 14 05:52 /var/log/messages

Observe that a + now appears at the end of the permission string; it indicates that the file carries an ACL beyond the standard mode bits.

3) Verify the access permissions for the file /var/log/messages using the getfacl command:

     getfacl - get file access control list

  # getfacl /var/log/messages
  getfacl: Removing leading '/' from absolute path names
  # file: var/log/messages
  # owner: root
  # group: root
  user::rw-
  user:xyz:r--
  group::---
  mask::r--
  other::---
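The getfacl listing above is easy to misread: the named entry user:xyz:r-- only takes effect when the mask::r-- entry also allows read, because on a file with an ACL the mask caps every named-user and group entry (a later chmod on the file rewrites that mask, not the named entries). The following Python script is an added example, not code from the original post: it parses getfacl-style output (the constructed sample mirrors the listing above) and computes the permissions a given user effectively gets, following the POSIX ACL check order of owner, named user, groups, other, with the mask applied where it counts. The second sample, with the mask reduced to ---, shows the case where the xyz entry is still present but grants nothing.

```python
#!/usr/bin/env python3
"""Added example: parse `getfacl` output and compute the effective permissions
a user gets, applying the ACL mask. Not part of the original post."""

# Constructed sample, matching what getfacl prints after
# `setfacl -m u:xyz:r /var/log/messages` (mask::r-- is set automatically).
GETFACL_OUTPUT = """\
getfacl: Removing leading '/' from absolute path names
# file: var/log/messages
# owner: root
# group: root
user::rw-
user:xyz:r--
group::---
mask::r--
other::---
"""

# Same file with a restrictive mask, as left behind by a later `chmod 600`:
# the named entry for xyz still exists but is no longer effective.
GETFACL_MASKED = GETFACL_OUTPUT.replace("mask::r--", "mask::---")


def parse_getfacl(text):
    """Return (owner, group, entries); entries are (tag, qualifier, perms)
    tuples such as ('user', 'xyz', 'r--'). Default (directory) entries are
    skipped because they do not affect access to an existing file."""
    owner = group = None
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip() if not raw.startswith("#") else raw.strip()
        if not line or line.startswith("getfacl:"):
            continue  # blank lines and getfacl warnings
        if line.startswith("#"):
            if line.startswith("# owner:"):
                owner = line.split(":", 1)[1].strip()
            elif line.startswith("# group:"):
                group = line.split(":", 1)[1].strip()
            continue  # '# file:' header carries no permission data
        parts = line.split(":")
        if parts[0] == "default":
            continue
        tag, qualifier, perms = parts
        entries.append((tag, qualifier, perms))
    return owner, group, entries


def bits(perms):
    """'r-x' -> {'r', 'x'}"""
    return {c for c in perms if c in "rwx"}


def effective_perms(text, user, user_groups=()):
    """Permissions `user` (a member of `user_groups`) actually gets on the file.

    POSIX ACL check order: owner entry (never masked); else a matching named
    user entry AND mask; else the union of matching owning/named group entries
    AND mask; else the other entry."""
    owner, group, entries = parse_getfacl(text)
    by_tag = {}
    for tag, qual, perms in entries:
        by_tag.setdefault(tag, {})[qual] = bits(perms)
    # A file without a mask entry has no named entries, so nothing to cap.
    mask = by_tag.get("mask", {}).get("", set("rwx"))

    if user == owner:
        return by_tag["user"][""]
    if user in by_tag.get("user", {}):
        return by_tag["user"][user] & mask
    group_entries = by_tag.get("group", {})
    granted, matched = set(), False
    for g in user_groups:
        key = "" if g == group else g  # owning group is the unnamed entry
        if key in group_entries:
            matched = True
            granted |= group_entries[key]
    if matched:
        return granted & mask
    return by_tag["other"][""]


if __name__ == "__main__":
    for label, acl in (("normal mask", GETFACL_OUTPUT), ("mask ---", GETFACL_MASKED)):
        for who in ("root", "xyz", "alice"):
            print(f"{label:12} {who:6} -> {sorted(effective_perms(acl, who)) or 'no access'}")
```

Running the script prints that xyz has read access under the normal mask and no access once the mask is ---, which is exactly the check worth scripting before trusting an ls -l output that still shows the + marker.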

1 comment:

  1. This works until a new file is generated. Blame it on logrotate.