How Can I Configure ACLs (Access Control Lists) On A Linux System To Enforce A Mandatory Access Control Policy That Denies Write Access To A Specific Directory For Users In The Developers Group, While Still Allowing The Qa Group To Append Files To The Directory, But Only Through A Specific Samba Share, And Also Ensure That The Ownership Of The Files Is Preserved When They Are Copied Or Moved Within The Directory Hierarchy?

by ADMIN

One correction of terms first: POSIX ACLs (setfacl/getfacl) are discretionary access control, an extension of the owner/group/other mode bits that the file owner can change at will. A mandatory policy that users cannot override requires SELinux or AppArmor on top of what follows. The steps below implement the requested rules with ACLs, the special mode bits and Samba share settings, and say explicitly where a requirement can only be approximated:

Step-by-Step Configuration

  1. Create the Directory and Set Group Ownership: Give the directory to the qa group, the only group that is meant to write to it. The original used a group named shared; the directory group must match the group that the Samba share forces below, otherwise files end up with a group that no ACL entry mentions.

    mkdir -p /shared_directory
    chgrp qa /shared_directory
    
  2. Set the setgid Bit: New files and subdirectories created inside the directory then inherit its group (qa) instead of the creating user's primary group.

    chmod g+s /shared_directory
    
  3. Configure ACLs: POSIX ACLs have no deny entries. A named-group entry only lists what that group gets, and a user who matches several entries receives the union of them. "Deny write to developers" therefore means: give developers an explicit r-x entry, give qa rwx, and make sure neither the owning-group entry nor other grants w. The explicit developers entry is redundant with other::r-x, but it makes the policy visible in getfacl output, which is what you will audit. Add a default ACL with -d so files and subdirectories created later inherit the same entries; without it, new subdirectories get plain mode bits (group r-x under a 022 umask) and qa cannot write into subdirectories it did not create.

    setfacl -m u::rwx,g::rwx,o::r-x /shared_directory
    setfacl -m g:developers:r-x /shared_directory
    setfacl -m g:qa:rwx /shared_directory
    setfacl -d -m u::rwx,g::rwx,g:developers:r-x,g:qa:rwx,o::r-x /shared_directory
    
    The mask entry (mask::) caps every named-user and named-group entry. setfacl recalculates it on each -m call, but a later chmod on the directory rewrites it from the group bits: if getfacl ever shows mask::r-x, the qa entry is effectively read-only even though it reads rwx. A user who is a member of both developers and qa gets write access, since there is no way to express "deny" in POSIX ACLs; keep the two group memberships disjoint.

  4. Approximate Append-Only Access for the qa Group: POSIX ACLs cannot express "may add files but not modify or delete existing ones". The rwx entry from step 3 is already full write access, and repeating it changes nothing. The closest filesystem-level control is the sticky bit, which lets qa members create files but only delete or rename files they own themselves:

    chmod +t /shared_directory
    
    If existing files must never be removed, even by their owner, root can mark the directory append-only with chattr +a (ext4, XFS). Note that this also blocks renames inside the directory, which breaks SMB clients that save by writing a temporary file and renaming it over the original.
    
  5. Configure Samba Share: smbd performs file operations as the connecting Unix user, so the kernel applies the ACLs from step 3 to Samba writes without any extra option. The share definition must restrict who can connect and what group their files get. The original `force group = qa` on its own is dangerous: it assigns the qa group to every connecting user, including developers, who would then satisfy the g:qa:rwx entry and gain write access through the share. Restrict the share to qa members and use the `+qa` form, which only changes the primary group of users who are already in qa:

    [shared_directory]
    path = /shared_directory
    writable = yes
    valid users = @qa
    force group = +qa
    inherit acls = yes
    

    Check the syntax and restart the services (nmbd is only needed for NetBIOS name browsing):

    testparm -s
    systemctl restart smbd nmbd
    
    "Only through this Samba share" is not enforced by the above: a qa member with a shell on the server can write to /shared_directory directly, because the ACL is evaluated the same way for local processes. If local writes must be excluded, the usual design is to give the write ACL to a dedicated service account instead of the qa group and set `force user` to that account in the share; the cost is that every file written through the share is then owned by that account, which conflicts with the requirement to preserve per-user ownership.
    
  6. Preserve Ownership During File Operations: mv has no -p option and does not need one. A move within the same filesystem is a rename, which leaves owner, group and ACL untouched; across filesystems mv copies the file and then restores its attributes. cp creates a new file owned by the caller, so use -p (or -a for whole trees) to request that mode, ownership and timestamps are kept:

    cp -p file /shared_directory/
    cp -a subtree /shared_directory/
    mv file /shared_directory/
    
    Only root (CAP_CHOWN) can give a file to another user, so a non-root cp -p yields a copy owned by the copying user, while the setgid bit still sets the group to qa. Run ownership-preserving copies as root, or accept that the copying user becomes the owner.
    
  7. Verify ACLs and Access: Inspect the effective entries (getfacl prints `#effective:` next to any entry the mask clips), then exercise the policy with a real account from each group, because reading the ACL is not the same as testing it. As a developers member, creating a file must fail; as a qa member it must succeed, and removing a file owned by someone else must fail because of the sticky bit. Finally connect through the share with `smbclient //localhost/shared_directory -U <user-in-qa>` and repeat the write test from the client side.

    getfacl /shared_directory
    sudo -u <user-in-developers> touch /shared_directory/probe
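The following script is an added example, not part of the original answer: it audits a directory's ACL against the policy from steps 1 to 4 (developers read-only, qa writable, mask not clipping, default entries present, setgid and sticky bits set). The path /shared_directory and the group names developers and qa come from the answer; the sample getfacl output embedded in the script is constructed so that it also runs on a machine where the directory does not exist.

```shell
#!/bin/sh
# Added example, not from the original answer: audit a directory's ACL
# against the policy described above. The path /shared_directory and the
# group names developers and qa come from the answer; the sample getfacl
# output below is constructed so the script also runs where no such
# directory exists.

SAMPLE_GETFACL='# file: /shared_directory
# owner: root
# group: qa
# flags: -st
user::rwx
group::rwx
group:developers:r-x
group:qa:rwx
mask::rwx
other::r-x
default:user::rwx
default:group::rwx
default:group:developers:r-x
default:group:qa:rwx
default:mask::rwx
default:other::r-x'

# acl_perms ENTRY ACLTEXT: print the rwx triple of one ACL entry.
# ENTRY is the text before the permission field, e.g. "group:qa",
# "default:group:qa", or "mask:" / "other:" for the unnamed entries
# (their lines read mask::rwx and other::r-x).
acl_perms() {
    printf '%s\n' "$2" | sed -n "s/^$1:\([rwx-]\{3\}\)\$/\1/p" | head -n 1
}

violation() {
    printf 'FAIL: %s\n' "$1"
    rc=1
}

# check_acl_policy ACLTEXT: return 0 if the ACL satisfies the policy,
# 1 otherwise, printing one FAIL line per problem found.
check_acl_policy() {
    acl=$1
    rc=0

    case "$(acl_perms group:developers "$acl")" in
        '')  violation 'no explicit entry for the developers group' ;;
        *w*) violation 'developers group has write access' ;;
    esac
    case "$(acl_perms group:qa "$acl")" in
        *w*) : ;;
        *)   violation 'qa group lacks write access' ;;
    esac
    # The mask caps every named entry: with mask::r-x the qa entry is inert.
    case "$(acl_perms mask: "$acl")" in
        *w*) : ;;
        *)   violation 'mask lacks write, so the qa entry is clipped' ;;
    esac
    case "$(acl_perms other: "$acl")" in
        *w*) violation 'other has write access' ;;
    esac
    # Default entries are what new files and subdirectories inherit.
    case "$(acl_perms default:group:qa "$acl")" in
        *w*) : ;;
        *)   violation 'no inherited (default) write entry for qa' ;;
    esac
    case "$(acl_perms default:group:developers "$acl")" in
        *w*) violation 'inherited entry gives developers write access' ;;
    esac
    # getfacl prints "# flags: " as setuid/setgid/sticky, e.g. "-st",
    # and omits the line entirely when none of the three bits is set.
    case "$(printf '%s\n' "$acl" | sed -n 's/^# flags: //p')" in
        ?st) : ;;
        *)   violation 'setgid and sticky bits are not both set' ;;
    esac

    return "$rc"
}

# audit_directory PATH: audit the live ACL when getfacl and the directory
# exist, otherwise the constructed sample.
audit_directory() {
    if command -v getfacl >/dev/null 2>&1 && [ -d "$1" ]; then
        check_acl_policy "$(getfacl -p "$1")"
    else
        printf 'note: %s not found, auditing the constructed sample\n' "$1"
        check_acl_policy "$SAMPLE_GETFACL"
    fi
}

audit_directory /shared_directory
```

Run it as root on the server after the steps above; its exit status is 0 only when every check passes, so it can sit in a cron job or a configuration-management handler. The mask check is the one that catches the most common regression: a `chmod g-w` on the directory, done by someone who did not know an ACL was present, leaves `group:qa:rwx` in place but clips it to r-x through the mask.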
    

Conclusion

By following these steps, you get a discretionary policy in which the developers group cannot write to the directory, the qa group can add files (with deletion limited by the sticky bit rather than true append-only semantics), Samba only admits qa members to the share, and ownership survives moves and root-run copies. If the policy must be mandatory, in the sense that owners cannot loosen it, add SELinux or AppArmor confinement; ACLs alone do not provide that. Re-run the ACL audit after any chmod or restore, and periodically confirm that no user is a member of both groups.