Configuring CentOS ACL for group access


I have a group of developers whom I want to limit access to all folders except for their home directory and a few shared folders.

For example, I want them to:

1) have read, write permissions to their own home directories and sub-directories,
2) can't go to root directory which contains /etc, etc.
3) can go to other directories but can't write or execute except /drid/shared/doc, /drid/shared/software, and /drid/shared/apps.
4) they can run wget and mysql.

farzanj Commented:
If a folder's execute permission is not granted, no subfolder is accessible. It can be accessible when read and/or write permissions are not granted. So if you want to restrict the entire directory tree, all you need to do is restrict the parent's execute permission. However, if you want to do that, make sure there is no binary that you want any user to access. Suppose, for example, you restrict the /bin folder, so now no one will have access to /bin/bash. So, they will not even access their shells and they will see all kinds of strange error messages. One has to be extremely careful in doing so. This is one of the biggest reasons why people cannot configure it right and keep it very open and then hackers get access too.
Make a devel group
groupadd devel

Put them into devel group
usermod -g devel first

setfacl -m g:devel:-  /etc/

3)  Should be the default
chgrp devel /drid/shared/{doc,software,apps}
chmod 770 /drid/shared/{doc,software,apps}

Having wget is default.

1) Should be default

2)  Keeping them from going to / entirely would have serious side effects.  Or at least you should know which folders in / they should have at least read and execute permissions so that they can at least continue their development work
I took all privileges of going to /etc which again may have unwanted side effects
setfacl -m g:devel:-  /etc/

Ok you can also put this ACL which is easy to reverse

setfacl -m g:devel:x /

Some of the restrictions you said are kind of unrealistic.

I have given the command to keep them from going to the / (root) directory completely, but they can still go to its child directories. You have to make this decision yourself: which are the paths where you want to keep them out for the entire subdirectory tree?

You would need

setfacl -R -m g:devel:x <tree>

Be very careful as this may have unwanted side effects.
Please clarify a little bit more.  Also, I think you should make a list of directory trees where the users should not have access at all.
wsyy (Author) Commented:
hi farzanj,

I saw something like putting ACL constraints in a file, and then somehow execute the file. Do you know how to?

I think that is easier.

Yes, you can put these commands in a file and make it executable and run the file.

File would be similar to this one

setfacl -m g:devel:-  /etc/

save as
chmod +x

But regardless of all this, you need to decide what folders you want to restrict and how much. This is a critical decision, as if you don't do it right, you would over-restrict, breaking applications and hurting your operations. This is why I am emphasizing to plan and see what you need.
wsyy (Author) Commented:
You mentioned that some can still access to a sub-folder while its parent folder is restricted. Do we have a way to restrict a folder and its subsidiary folders?
Question has a verified solution.
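
An added example, not part of the original thread: a small Python model of the POSIX ACL check order, run over a constructed tree, showing why `g:devel:-` on /etc cuts off everything beneath it while `g:devel:x` on / still allows traversal. The `TREE` table, its ACL entries and the user names are constructed for illustration.

```python
import posixpath

# Constructed sample: path -> (owner, owning group, entries as getfacl prints them).
TREE = {
    "/":                ("root", "root",  "user::rwx group::r-x group:devel:--x mask::r-x other::r-x"),
    "/etc":             ("root", "root",  "user::rwx group::r-x group:devel:--- mask::r-x other::r-x"),
    "/etc/ssh":         ("root", "root",  "user::rwx group::r-x other::r-x"),
    "/drid":            ("root", "root",  "user::rwx group::r-x other::r-x"),
    "/drid/shared":     ("root", "root",  "user::rwx group::r-x other::r-x"),
    "/drid/shared/doc": ("root", "devel", "user::rwx group::rwx other::---"),
}

def allowed(path, user, groups, want):
    """True if `user` (member of `groups`) gets the single permission `want` on `path`."""
    owner, owning_group, text = TREE[path]
    entries = [e.split(":") for e in text.split()]        # [tag, qualifier, perms]
    mask = next((p for t, n, p in entries if t == "mask"), "rwx")
    perm = lambda t, n: next((p for tt, nn, p in entries if (tt, nn) == (t, n)), None)
    if user == owner:                                     # owner entry is never masked
        return want in perm("user", "")
    if perm("user", user) is not None:                    # named user entry, masked
        return want in perm("user", user) and want in mask
    group_hits = [p for t, n, p in entries
                  if t == "group" and (n or owning_group) in groups]
    if group_hits:        # a matching group entry decides; "other" is never consulted
        return want in mask and any(want in p for p in group_hits)
    return want in perm("other", "")

def blocked_at(path, user, groups):
    """First directory on the way to `path` (inclusive) lacking search (x), or None."""
    current, chain = "/", ["/"]
    for part in filter(None, path.split("/")):
        current = posixpath.join(current, part)
        chain.append(current)
    return next((d for d in chain if not allowed(d, user, groups, "x")), None)

if __name__ == "__main__":
    for target in ("/etc/ssh", "/drid/shared/doc"):
        print(target, "-> blocked at", blocked_at(target, "alice", {"devel"}))
    print("alice can list /:", allowed("/", "alice", {"devel"}, "r"))
```

Because a matching group entry ends the check, the empty `group:devel:---` entry on /etc denies devel members even though "other" has r-x, and /etc/ssh becomes unreachable without any ACL of its own.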
