There are two levels of access control lists: file system and network

What is an Access Control List?

Access Control Lists “ACLs” are network traffic filters that can control incoming or outgoing traffic.

ACLs work on a set of rules that define how to forward or block a packet at the router’s interface.

An ACL works like a stateless firewall: it only restricts, blocks, or allows the packets flowing from source to destination, without tracking connection state.

When you define an ACL on a routing device for a specific interface, all the traffic flowing through that interface is compared against the ACL statements, which either block it or allow it.

The criteria for defining the ACL rules can be the source, the destination, a specific protocol, or other header information.

ACLs are common in routers and firewalls, but you can also configure them on any device that runs in the network: hosts, network devices, servers, etc.

Access Control List

Access Control List (ACL) refers to a specific set of rules used for filtering network traffic, especially in computer security settings. ACLs also grant authorized users access to specific system objects, such as directories or files, and deny access to unauthorized users.

ACLs are mainly found in network devices with packet filtering capabilities including routers and switches.
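As an added illustration of the matching just described (constructed example, not from any vendor's documentation), the first-match, implicit-deny evaluation an interface ACL performs, with rule and packet values invented for the example:

```python
# Added illustration (constructed, not from any vendor): an ordered rule set
# on a router interface, checked top-down; the first matching entry decides,
# and a packet that matches nothing is dropped by the implicit deny at the end.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", "icmp" or "any"
    src: str                     # source prefix in CIDR form
    dst: str                     # destination prefix in CIDR form
    dport: Optional[int] = None  # None matches any destination port

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None

def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every criterion of the rule covers the packet."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return (ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst))

def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """Action of the first matching rule; 'deny' when none matches, which is
    why the order of entries matters as much as their content."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return "deny"

# Constructed inbound ACL for a LAN-facing interface: a quarantined subnet is
# blocked before the broader permit, HTTPS to one server is allowed, and ICMP
# to the server network is allowed.  Because the filter is stateless, the ACL
# on the reverse path must separately permit the server's replies.
LAN_INBOUND = [
    Rule("deny", "any", "10.1.1.0/24", "0.0.0.0/0"),
    Rule("permit", "tcp", "10.1.0.0/16", "192.0.2.10/32", 443),
    Rule("permit", "icmp", "10.1.0.0/16", "192.0.2.0/24"),
]
```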


Chapter 5. Access Control Lists

Files and directories have permission sets for the owner of the file, the group associated with the file, and all other users for the system. However, these permission sets have limitations. For example, different permissions cannot be configured for different users. Thus, Access Control Lists (ACLs) were implemented.

The Red Hat Enterprise Linux kernel provides ACL support for the ext3 file system and NFS-exported file systems. ACLs are also recognized on ext3 file systems accessed via Samba.

Along with support in the kernel, the acl package is required to implement ACLs. It contains the utilities used to add, modify, remove, and retrieve ACL information.

The cp and mv commands copy or move any ACLs associated with files and directories.

5.1. Mounting File Systems

Before using ACLs for a file or directory, the partition for the file or directory must be mounted with ACL support. If it is a local ext3 file system, it can be mounted with the following command:

mount -t ext3 -o acl device-name partition

For example:

mount -t ext3 -o acl /dev/VolGroup00/LogVol02 /work

Alternatively, if the partition is listed in the /etc/fstab file, the entry for the partition can include the acl option:

LABEL=/work /work ext3 acl 1 2

If an ext3 file system is accessed via Samba and ACLs have been enabled for it, the ACLs are recognized because Samba has been compiled with the --with-acl-support option. No special flags are required when accessing or mounting a Samba share.

5.1.1. NFS

By default, if the file system being exported by an NFS server supports ACLs and the NFS client can read ACLs, ACLs are utilized by the client system.

To disable ACLs on NFS shares when configuring the server, include the no_acl option in the /etc/exports file. To disable ACLs on an NFS share when mounting it on a client, mount it with the no_acl option via the command line or the /etc/fstab file.

5.2. Setting Access ACLs

There are two types of ACLs: access ACLs and default ACLs. An access ACL is the access control list for a specific file or directory. A default ACL can only be associated with a directory; if a file within the directory does not have an access ACL, it uses the rules of the default ACL for the directory. Default ACLs are optional.

ACLs can be configured:

  1. Per user
  2. Per group
  3. Via the effective rights mask
  4. For users not in the user group for the file

The setfacl utility sets ACLs for files and directories. Use the -m option to add or modify the ACL of a file or directory:

# setfacl -m rules files

Rules (rules) must be specified in the following formats. Multiple rules can be specified in the same command if they are separated by commas.

  • u:uid:perms
    Sets the access ACL for a user. The user name or UID may be specified. The user may be any valid user on the system.
  • g:gid:perms
    Sets the access ACL for a group. The group name or GID may be specified. The group may be any valid group on the system.
  • m:perms
    Sets the effective rights mask. The mask is the union of all permissions of the owning group and all of the user and group entries.
  • o:perms
    Sets the access ACL for users other than the ones in the group for the file.

Permissions (perms) must be a combination of the characters r, w, and x for read, write, and execute.

If a file or directory already has an ACL, and the setfacl command is used, the additional rules are added to the existing ACL or the existing rule is modified.

Example 5.1. Give read and write permissions

For example, to give read and write permissions to user andrius:

# setfacl -m u:andrius:rw /project/somefile

To remove all the permissions for a user, group, or others, use the -x option and do not specify any permissions:

# setfacl -x rules files

Example 5.2. Remove all permissions

For example, to remove all permissions from the user with UID 500:

# setfacl -x u:500 /project/somefile

5.3. Setting Default ACLs

To set a default ACL, add d: before the rule and specify a directory instead of a file name.

Example 5.3. Setting default ACLs

For example, to set the default ACL for the /share/ directory to read and execute for users not in the user group (an access ACL for an individual file can override it):

# setfacl -m d:o:rx /share

5.4. Retrieving ACLs

To determine the existing ACLs for a file or directory, use the getfacl command. In the example below, getfacl is used to determine the existing ACLs for a file.

Example 5.4. Retrieving ACLs

# getfacl home/john/picture.png

The above command returns the following output:

# file: home/john/picture.png
# owner: john
# group: john
user::rw-
group::r--
other::r--

If a directory with a default ACL is specified, the default ACL is also displayed as illustrated below. For example, getfacl home/sales/ will display similar output:

# file: home/sales/
# owner: john
# group: john
user::rw-
user:barryg:r--
group::r--
mask::r--
other::r--
default:user::rwx
default:user:john:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
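As an added worked example (not part of the Red Hat guide), the following parses the text getfacl prints and applies the POSIX ACL access check, including the effective rights mask from Section 5.2; SAMPLE is the /home/sales/ listing above re-typed as a constructed string, and the users and groups in the check calls are invented.

```python
# Added example, not from the Red Hat guide: parse getfacl's output and apply
# the POSIX access-check order (owner, named user, owning or named groups,
# other), with the mask capping every named-user and group entry.
from typing import Dict, Set

SAMPLE = """\
# owner: john
# group: john
user::rw-
user:barryg:r--
group::r--
mask::r--
other::r--
default:user::rwx
default:user:john:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
"""

def parse_getfacl(text: str) -> Dict[str, object]:
    """Owner, group, and (tag, qualifier, perms) entries, access and default kept apart."""
    acl = {"owner": "", "group": "", "access": [], "default": []}
    for line in text.splitlines():
        if line.startswith("# owner: "):
            acl["owner"] = line[9:].strip()
        elif line.startswith("# group: "):
            acl["group"] = line[9:].strip()
        elif not line.startswith("#"):
            body = line.split("#", 1)[0].strip()   # drop "#effective:" notes
            if body:
                kind = "default" if body.startswith("default:") else "access"
                tag, qual, perms = body.split(":")[-3:]
                acl[kind].append((tag, qual, set(perms) & {"r", "w", "x"}))
    return acl

def effective_perms(acl, user: str, groups: Set[str]) -> Set[str]:
    entries = acl["access"]
    mask = next((p for t, q, p in entries if t == "mask"), {"r", "w", "x"})
    if user == acl["owner"]:                 # owner entry is never masked
        return next(p for t, q, p in entries if t == "user" and q == "")
    for t, q, p in entries:
        if t == "user" and q == user:        # named user: capped by the mask
            return p & mask
    hits = [p & mask for t, q, p in entries
            if t == "group" and (acl["group"] if q == "" else q) in groups]
    if hits:                                 # any matching group may grant;
        return set().union(*hits)            # a match granting nothing still blocks
    return next(p for t, q, p in entries if t == "other")
```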

5.5. Archiving File Systems With ACLs

By default, the dump command now preserves ACLs during a backup operation. When archiving a file or file system with tar, use the --acls option to preserve ACLs. Similarly, when using cp to copy files with ACLs, include the --preserve=mode option to ensure that ACLs are copied across too. In addition, the -a option (equivalent to -dR --preserve=all) of cp also preserves ACLs during a backup along with other information such as timestamps, SELinux contexts, and the like. For more information about dump, tar, or cp, refer to their respective man pages.

The star utility is similar to the tar utility in that it can be used to generate archives of files; however, some of its options are different. Refer to Table 5.1, “Command Line Options for star” for a listing of more commonly used options. For all available options, refer to man star. The star package is required to use this utility.

Table 5.1. Command Line Options for star

Option   Description
-c       Creates an archive file.
-n       Do not extract the files; use in conjunction with -x to show what extracting the files does.
-r       Replaces files in the archive. The files are written to the end of the archive file, replacing any files with the same path and file name.
-t       Displays the contents of the archive file.
-u       Updates the archive file. The files are written to the end of the archive if they do not exist in the archive, or if the files are newer than the files of the same name in the archive. This option only works if the archive is a file or an unblocked tape that may backspace.
-x       Extracts the files from the archive. If used with -U and a file in the archive is older than the corresponding file on the file system, the file is not extracted.
-help    Displays the most important options.
-xhelp   Displays the least important options.
-/       Do not strip leading slashes from file names when extracting the files from an archive. By default, they are stripped when files are extracted.
-acl     When creating or extracting, archives or restores any ACLs associated with the files and directories.

5.6. Compatibility with Older Systems

If an ACL has been set on any file on a given file system, that file system has the ext_attr attribute. This attribute can be seen using the following command:

# tune2fs -l filesystem-device

A file system that has acquired the ext_attr attribute can be mounted with older kernels, but those kernels do not enforce any ACLs which have been set.

Versions of the e2fsck utility included in version 1.22 and higher of the e2fsprogs package (including the versions in Red Hat Enterprise Linux 2.1 and 4) can check a file system with the ext_attr attribute. Older versions refuse to check it.

5.7. ACL References

Refer to the following man pages for more information.

  • man acl — Description of ACLs
  • man getfacl — Discusses how to get file access control lists
  • man setfacl — Explains how to set file access control lists
  • man star — Explains more about the star utility and its many options


Network Security Management

Eric Knipp, ... Edgar Danielyan (Technical Editor), in Managing Cisco Network Security (Second Edition), 2002

ACL Manager Overview

ACLM is a component within the network management software system known as CiscoWorks2000. CiscoWorks2000 is a highly extensible application suite ideally suited for managing Cisco enterprise networks and devices. For convenience and appropriate application, CiscoWorks2000 has numerous sub-components that integrate under the CiscoWorks2000 software framework. These components provide management solutions for local area networks (LAN) and wide area networks (WAN) of the enterprise.

ACLM is included in the CiscoWorks2000 Routed WAN Management Solution set. In addition to ACLM, this set of applications includes the following components:

  • Cisco nGenius Real-Time Monitor
  • CiscoView
  • Resource Manager Essentials
  • Internetwork Performance Monitor

With these tools, administrators greatly increase configuration, administration, monitoring, and troubleshooting capabilities in large-scale network deployments. Furthermore, long-term performance insight and network traffic optimization are possible with the CiscoWorks2000 Routed WAN Management Solution. For additional information regarding the CiscoWorks2000 suite of products and functionality, refer to the Cisco Web site.

As the name implies, ACLM is used to develop and maintain ACLs on Cisco devices. ACLM runs as an integrated component of Resource Manager Essentials and can manage most Cisco IOS routers, access servers, and hubs with an IOS of 10.3 through 12.1. ACLM can also manage Catalyst switches running Catalyst IOS version 5.3 through 5.5.

The Web-based Windows Explorer-like graphical interface provides powerful control of IP and IPX access lists and device access control from virtually anywhere on the network. VLAN and SNMP access control list management is also possible via ACLM. The interface removes the complexity, and the demand for syntactic precision, of implementing lengthy ACLs via the CLI. Furthermore, ACLM saves time and resources through batch configuration of new filters and the consistent and accurate management of existing access lists in a large-scale network.

ACLM includes several modules used to perform specific actions within the manager functionality suite. These modules are as follows:

Template Manager
The Template Manager module is used to construct and maintain ACL templates for the predictable and error-free security management of numerous Cisco devices. Using Template Manager, administrators can create appropriate templates for many devices instead of reinventing the wheel for each new network component.

Class Manager
This module enables the creation of service and network groups or classes. With this module, administrators can save time by designating typical groupings of rules to be quickly implemented via ACLM.

Template Use Wizard
Administrators use the Template Use Wizard to apply previously created packet and VLAN filtering ACLs, and line and SNMP ACLs, across the network. In conjunction with Template Manager, the wizard module allows administrators to be more efficient when deploying or modifying numerous ACL configurations on devices in the network.

Optimizer
For additional ACL efficiency on a Cisco device, the Optimizer module can be used to inspect ACL statement ordering and syntax. Optimizer removes redundant statements and consolidates entries. Moreover, the Optimizer module can automatically reorder ACL statements according to hit-rate utilization statistics to provide the utmost in efficiency.

DiffViewer
DiffViewer assists the administrator in discerning changes between different versions of ACLs. Using this module, alterations are easily identifiable, making version control and version rollback simple.

ACL Downloader
This module enables the scheduled or manual download of ACLs from Cisco devices in the network.

ACL Manager Device and Software Support

ACLM version 1.3 supports most Cisco IOS routers, access servers, and hubs with an IOS of 10.3 through 12.1. ACLM can also manage Catalyst switches running Catalyst OS version 5.3 through 5.5. Using ACLM, administrators can view all ACLs, regardless of type. ACLM includes full support for the following access lists:

  • IP, IP_EXTENDED
  • IPX, IPX_EXTENDED
  • IPX_SAP, IPX_SUMMARY
  • RATE_LIMIT_MAC
  • RATE_LIMIT_PRECEDENCE
  • VACL_Catalyst 6000


Chapter URL: https://www.sciencedirect.com/science/article/pii/B9781931836562500180
