[olug] secure lamp configuration research

Phil Brutsche phil at brutsche.us
Tue Jul 22 15:37:08 UTC 2008


Jordan Fox wrote:
> I'm not sure how this will play with Apache, but a lesser known fact is that
> you can actually implement full access controls lists on files and
> directories in Linux.  This would give the most granular control to a
> file/directory because you can give any group number of groups and users any
> type of access they require to a given file or directory.

Take note that you need more than just setfacl and getfacl for ACLs to work.

You need to make sure the kernel supports it - not all distributions
include ACL support in their kernel by default - you might find yourself
switching to custom kernel builds. If you're not using the distro's
kernel you need to make sure you're including ACL support.

You may (or may not) need to configure the file system for it - ext2 and
ext3 have it as a run-time option, while with others (JFS and XFS) it is
always on once compiled in.

"tune2fs -o user_xattr,acl <device>" is one way to activate it on ext2 &
ext3, putting "user_xattr,acl" in the mount options is another.

Also take note that setfacl and getfacl only give you additional sets of
POSIX permissions on a file or directory - if you need something more
fine-grained than basic read, write, execute you're running the wrong OS.

-- 

Phil Brutsche
phil at brutsche.us
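The three prerequisites Phil lists (kernel support, the acl mount option on ext2/ext3, and the setfacl/getfacl tools) can be checked from a script before anyone relies on ACLs, and the same script can then grant a web server's group read access the way Jordan suggests. The following is an added example and not code from the original thread; the kernel config path, the mountpoint, the device and the group name "www-data" are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): verify ACL prerequisites on an
# ext2/ext3 volume, then grant a group read access with an ACL. Paths, the
# device and the group "www-data" are illustrative assumptions.
set -e

# Succeed if a kernel config file has POSIX ACL support for ext2/ext3/ext4
# built in (the option a distro kernel may or may not have enabled).
kernel_acl_config() {
    grep -Eq '^CONFIG_EXT[234]_FS_POSIX_ACL=y' "$1"
}

# Print the option field for one mountpoint, reading a /proc/mounts-style
# table on stdin (device mountpoint fstype options dump pass). Prints
# nothing if the mountpoint is not in the table.
mount_opts_for() {
    awk -v mp="$1" '$2 == mp { print $4; exit }'
}

# Succeed if "acl" appears in an option list and is not cancelled by a later
# "noacl". Accepts comma-separated lists (/proc/mounts, fstab) and the
# space-separated "Default mount options" field of "tune2fs -l". Runs in a
# subshell so the IFS change does not leak into the caller.
has_acl_option() (
    state=1
    IFS=', '
    for opt in $1; do
        case $opt in
            acl)   state=0 ;;
            noacl) state=1 ;;
        esac
    done
    exit "$state"
)

# Read the default mount options stored in an ext2/ext3 superblock, i.e. the
# field that "tune2fs -o user_xattr,acl <device>" sets. Needs read access to
# the raw device; prints nothing if tune2fs is missing or the device unreadable.
fs_default_opts() {
    tune2fs -l "$1" 2>/dev/null | sed -n 's/^Default mount options:[[:space:]]*//p'
}

# Run every prerequisite check for one mountpoint:
#   $1 mountpoint, $2 kernel config file, $3 mount table (default /proc/mounts).
# Prints one verdict per check and succeeds only when all of them pass.
acl_ready() {
    mp=$1
    cfg=$2
    table=${3:-/proc/mounts}
    ok=0
    if kernel_acl_config "$cfg"; then echo "kernel: ext POSIX ACL support in $cfg"
    else echo "kernel: no CONFIG_EXT*_FS_POSIX_ACL=y in $cfg"; ok=1; fi
    opts=$(mount_opts_for "$mp" < "$table")
    if has_acl_option "$opts"; then echo "mount $mp: acl enabled ($opts)"
    else echo "mount $mp: acl not in options '$opts'"; ok=1; fi
    if command -v setfacl >/dev/null 2>&1 && command -v getfacl >/dev/null 2>&1
    then echo "tools: setfacl/getfacl present"
    else echo "tools: setfacl/getfacl missing (install the acl package)"; ok=1; fi
    return "$ok"
}

# Give a group read-only access via an ACL, leaving owner and owning group
# untouched. For a directory also set a default ACL so new entries inherit it,
# then show the result with getfacl. Caveat: setfacl recalculates the mask
# entry, and a later "chmod g-r" rewrites that mask, silently capping every
# named-group entry on the file as well.
grant_group_read() {
    grp=$1
    path=$2
    if [ -d "$path" ]; then
        setfacl -m "g:$grp:r-x" -m "d:g:$grp:r-x" "$path"
    else
        setfacl -m "g:$grp:r--" "$path"
    fi
    getfacl --omit-header "$path"
}

# Usage: ./acl-check.sh /var/www /boot/config-$(uname -r) [/var/www/secrets]
# To make the option persistent without touching /etc/fstab (assumed device):
#   tune2fs -o user_xattr,acl /dev/sda1   # then confirm with fs_default_opts
if [ $# -ge 2 ]; then
    acl_ready "$1" "$2"
    if [ $# -ge 3 ]; then
        grant_group_read www-data "$3"
    fi
fi
```

The checks deliberately read the live mount table rather than /etc/fstab, because the superblock default set by tune2fs and an fstab entry can disagree with what is actually mounted.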
