Question

1. Leonard, Sheldon, Howard, Rajesh, Penny, Bernadette, and Amy belong to the same group of users Friends. Leonard is the owner of the file Secrets.

(a) Explain what would be the access to the file Secrets as a result of the following ACL:

Friends Allow Read

Penny Deny Read

Sheldon Deny Read

Bernadette Deny Read

Amy Deny Read

Write another access control list that will have the same effect.

(b) Leonard wants to allow

- Read access to Howard, Rajesh, Bernadette, and Amy

- Read and Write access to Penny

- No access to Sheldon.

Write the simplest ACL for Windows OS.

3. Write the ACL for the scenario under (b) for Linux using the setfacl command. Can that ACL be achieved using chmod? Explain why?

Answer 1

• ACLs are a common form of a list of permissions that define user access privileges on a computer. ACLs i.e., Access Control Lists determine which users or software objects are granted or denied access to a particular file or service on a computer or a computer network.
• These access control lists are defined by simple read or write commands, pertaining to the user, to whom the access or deniability of services is provided.
• A completely new set of ACLs maybe defined for a system, or an existing set of ACLs can be modified to suit the new accessibility criteria.

1(a). The following operations happen when an ACL is defined as provided in the question.

• Friends Allow Read - Leonard, Sheldon, Howard, Rajesh, Penny, Bernadette, and Amy are granted access to

read the file, 'Secrets'.

• Penny Deny Read - Penny has been denied the permission to read the file, 'Secrets'.

• Sheldon Deny Read - Sheldon has been denied the permission to read the file, 'Secrets'.

• Bernadette Deny Read - Bernadette has been denied the permission to read the file, 'Secrets'.
• Amy Deny Read - Amy has been denied the permission to read the file, 'Secrets'.

1(b). Consider that <filepath> is the path in which the file is stored on the Computer for which the permissions are being modified. In the question, provided, the file considered is 'Secret'. The following commands show ACL permissions that the file owner, Leonard, wants to grant to various users :

• Read access to Howard, Rajesh, Bernadette, and Amy :

acl { ' <filepath> ':

permissions => [

{ identity => 'Leonard', rights => ['full'], type=> 'allow' },

{ identity => 'Howard', rights => ['read'], type=> 'allow' },

{ identity => 'Rajesh', rights => ['read'], type=> 'allow' },

{ identity => 'Bernadette', rights => ['read'], type=> 'allow' },

{ identity => 'Amy', rights => ['read'], type=> 'allow' }

],

owner => 'Leonard',

}

• Read and Write access to Penny :

acl { ' <filepath> ':

permissions => [

{ identity => 'Leonard', rights => ['full'], type=> 'allow' },

{ identity => 'Penny', rights => ['read', 'write'], type=> 'allow' }

],

owner => 'Leonard',

}

• No access to Sheldon :

acl { ' <filepath> ':

permissions => [

{ identity => 'Leonard', rights => ['full'], type=> 'allow' },

{ identity => 'Sheldon', rights => ['full'], type=> 'deny' }

],

owner => 'Leonard',

}

1(c). For example, consider that we need to provide read and write permissions to a user, Sheldon for the file, 'Secrets'.

'setfacl' command is used when we need to grant or restrict a file by setting a few access control command lines. For the considered example, the syntax for ACL using setfacl command looks like :

• setfacl -s user : Leonard : rw-, user : Sheldon : rw- Secrets

In the above syntax, '-s' is used to replace any existing ACL on the file with the new ACL we provide. '-m' can replace '-s' command if we just wish to modify an existing ACL, instead of defining a new one. The above syntax, on executing sets the user Sheldon to gain read and write access to the file, Secrets, for which Leonard is the owner who also has read and write permissions.

'getfacl' command is used when we need to verify the access / restrictions that are already existing on a file. For the considered example, the syntax for ACL using getfacl command looks like :

• getfacl Secrets

The above syntax, on executing fetches the ACL which is set on the file, Secrets.

'chmod' command is also used to modify the permissions in order to grant access or restrict a user from accessing a file. For the considered example, the syntax for ACL using chmod command looks like :

• chmod Sheldon = rw, Secrets

We can also denote the permissions using numbers, like, 0 (no permissions), 1 (execute permission only), 2 (write permission only) and 4 (read permission only). The various combinations of the numbers provide us with commands to modify the ACL. The chmod command defined above can also be written as :

• chmod Sheldon = 42, Secrets