12.12. Configuring POSIX System ACLs

POSIX access control lists (ACLs) grant permissions to named users and groups in addition to the owner, group, and other mode bits. Certificate System uses them to give the pkiadmin group read access to an instance's files and, for the CA, DRM, OCSP, TKS, and TPS, to reserve the signed audit log for the pkiaudit group. Set these ACLs for each instance after it is fully configured; the recursive commands below cover files that already exist, and the default (d:) entries cover files the instance creates afterwards.

12.12.1. Setting POSIX System ACLs for the CA, DRM, OCSP, TKS, and TPS

Steps 2 and 3 only need to be performed once per machine, but the rest of the procedure must be performed for every subsystem instance separately.
  1. Log into the system as root.
  2. Make sure that the acl package, which provides the setfacl and getfacl commands, is installed on the system; install it with yum if it is not.
    # rpm -q acl
    acl-2.2.39-6.el5
  3. The filesystems holding the following four paths must be mounted with the acl option. The setfacl and find commands later in this procedure follow symbolic links (-L), so the targets of links under the instance directory must also be on ACL-capable filesystems:
    • /
    • /etc (including /etc/init.d and /etc/sysconfig)
    • /usr (including /usr/bin and /usr/share)
    • /var (including /var/lock and /var/run)
    First, check to see where the filesystems are mounted and whether the acl option is used:
    # mount
    /dev/sda1 on / type ext3 (rw)
    proc on /proc type proc (rw)
    sysfs on /sys type sysfs (rw)
    devpts on /dev/pts type devpts (rw,gid=5,mode=620)
    /dev/sdb1 on /usr type ext2 (rw)
    tmpfs on /dev/shm type tmpfs (rw)
    none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
    sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
    In this example, /etc and /var are part of the root filesystem on /dev/sda1, while /usr is a separate filesystem on /dev/sdb1; neither filesystem is mounted with the acl option yet.
    There are two ways to apply the acl option to the filesystems. tune2fs records it as a default mount option in the ext2/ext3 superblock, so it is used whenever the filesystem is mounted without changing /etc/fstab; editing /etc/fstab passes it explicitly at mount time. Either method is sufficient.
    • Using tune2fs:
      # /sbin/tune2fs -o +acl /dev/sda1
      # /sbin/tune2fs -o +acl /dev/sdb1
    • Editing the /etc/fstab file:
      # vim /etc/fstab
      LABEL=/           /             ext3    defaults,acl    1 1
      LABEL=/usr        /usr          ext2    defaults,acl    1 2
      tmpfs             /dev/shm      tmpfs   defaults        0 0
      devpts            /dev/pts      devpts  gid=5,mode=620  0 0
      sysfs             /sys          sysfs   defaults        0 0
      proc              /proc         proc    defaults        0 0
      LABEL=SWAP-sdb2   swap          swap    defaults        0 0
      LABEL=SWAP-sda2   swap          swap    defaults        0 0
    Then, remount the filesystems so that the option takes effect without a reboot. A remount that names only the mount point merges the options from /etc/fstab; if acl was set only with tune2fs, add acl explicitly to the remount's -o options so that it is active before the next full mount.
    # mount -o remount /
    # mount -o remount /usr
    Confirm that the acl option is active. dumpe2fs shows the superblock default recorded by tune2fs, while mount shows the options that were passed when the filesystem was mounted (for example from /etc/fstab), so check whichever applies to the method used:
    # /sbin/dumpe2fs /dev/sda1 | grep acl
    dumpe2fs 1.39 (29-May-2006)
    Default mount options:    user_xattr acl
    
    # /sbin/dumpe2fs /dev/sdb1 | grep acl
    dumpe2fs 1.39 (29-May-2006)
    Default mount options:    acl
    
    # mount | grep acl
    /dev/sda1 on / type ext3 (rw,acl)
    /dev/sdb1 on /usr type ext2 (rw,acl)
  4. Stop the instance.
    # service instance_name stop
  5. Give the pkiadmin group read access (r) to the instance's directories and files. The d: entry is a default ACL on directories, so files and directories created later inherit the same group entry:
    # setfacl -R -L -m g:pkiadmin:r,d:g:pkiadmin:r /var/lib/instance_name
  6. Add execute (x) ACL permissions on all directories so that pkiadmin can traverse them; -n leaves the ACL mask as it is instead of recalculating it:
    # find -L /var/lib/instance_name -type d -exec setfacl -L -n -m g:pkiadmin:rx,d:g:pkiadmin:rx {} \;
  7. Remove the pkiadmin group's access and default entries from the instance's signedAudit/ directory and everything under it, so that administrators cannot read the signed audit log:
    # setfacl -R -L -x g:pkiadmin,d:g:pkiadmin /var/lib/instance_name/logs/signedAudit
  8. Give the pkiaudit group read access (r) to the signedAudit/ directory and its files, again with a default entry for files created later:
    # setfacl -R -L -m g:pkiaudit:r,d:g:pkiaudit:r /var/lib/instance_name/logs/signedAudit
  9. Re-apply execute (x) ACL permissions on the signedAudit/ directory and all of its subdirectories:
    # find -L /var/lib/instance_name/logs/signedAudit -type d -exec setfacl -L -n -m g:pkiaudit:rx,d:g:pkiaudit:rx {} \;
  10. Start the instance.
    # service instance_name start
  11. Confirm that the file access controls were properly applied by using the getfacl command to show the current ACL settings. The "Removing leading '/'" message is informational. The listing below covers the two directories; check a log file under signedAudit/ as well, and treat a #effective: annotation on any entry as a problem, since it means the ACL mask is narrowing that entry:
    # getfacl /var/lib/instance_name /var/lib/instance_name/logs/signedAudit/
    getfacl: Removing leading '/' from absolute path names
    # file: var/lib/instance_name
    # owner: pkiuser
    # group: pkiuser
    user::rwx
    group::rwx
    group:pkiadmin:r-x
    mask::rwx
    other::r-x
    default:user::rwx
    default:group::rwx
    default:group:pkiadmin:r-x
    default:mask::rwx
    default:other::r-x
    
    # file: var/lib/instance_name/logs/signedAudit
    # owner: pkiuser
    # group: pkiaudit
    user::rwx
    group::rwx
    group:pkiaudit:r-x
    mask::rwx
    other::---
    default:user::rwx
    default:group::rwx
    default:group:pkiaudit:r-x
    default:mask::rwx
    default:other::---

12.12.2. Setting POSIX System ACLs for the RA

Steps 2 and 3 only need to be performed once per machine, but the rest of the procedure must be performed for every subsystem instance separately.
  1. Log into the system as root.
  2. Make sure that the acl package is installed on the system, as described in step 2 of Section 12.12.1.
  3. Make sure that the filesystems holding /, /etc, /usr, and /var are mounted with the acl option, as described in step 3 of Section 12.12.1. If the RA is installed on a machine where that step has already been done for another subsystem, nothing more is needed here.
  4. Stop the RA instance.
    # service pki-ra stop
  5. Give the pkiadmin group read access (r) to the instance's directories and files, with a default (d:) entry so that files and directories created later inherit it:
    # setfacl -R -L -m g:pkiadmin:r,d:g:pkiadmin:r /var/lib/pki-ra
  6. Add execute (x) ACL permissions on all directories so that pkiadmin can traverse them; -n leaves the ACL mask unchanged:
    # find -L /var/lib/pki-ra -type d -exec setfacl -L -n -m g:pkiadmin:rx,d:g:pkiadmin:rx {} \;
  7. Start the RA instance.
    # service pki-ra start
  8. Confirm that the file access controls were properly applied by using the getfacl command to show the current ACL settings (the "Removing leading '/'" message is informational):
    # getfacl /var/lib/pki-ra
    getfacl: Removing leading '/' from absolute path names
    # file: var/lib/pki-ra
    # owner: pkiuser
    # group: pkiuser
    user::rwx
    group::rwx
    group:pkiadmin:r-x
    mask::rwx
    other::r-x
    default:user::rwx
    default:group::rwx
    default:group:pkiadmin:r-x
    default:mask::rwx
    default:other::r-x
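The two procedures above (steps 4 to 11 for the CA, DRM, OCSP, TKS, and TPS, and steps 4 to 8 for the RA) differ only in the signedAudit/ handling. The script below, added here as an example and not part of the Red Hat documentation, runs the same setfacl and find commands for one instance and then verifies the result entry by entry rather than only for the two directories listed above: pkiadmin must be able to read (and traverse) everything outside signedAudit/, pkiaudit must be able to read everything inside it, no pkiadmin entry may remain there, and an entry narrowed by the ACL mask (which getfacl marks with #effective:) counts as missing. Assumptions that are not in the original: the function names, the INSTANCE_DIR variable, that the service name equals the instance directory name (service pki-ra for /var/lib/pki-ra, as in the RA procedure), and that paths contain no whitespace.

```sh
#!/bin/sh
# Added example, not part of the Red Hat Certificate System documentation:
# apply the ACL layout from the procedure above to one instance and verify it
# file by file. Group names (pkiadmin, pkiaudit), the logs/signedAudit path
# and the setfacl/find invocations come from the procedure; the function
# names, INSTANCE_DIR and the "service name = directory name" convention
# (service pki-ra for /var/lib/pki-ra) are this example's own assumptions.
set -u

# Does the granted permission string (e.g. "r-x") contain every letter of $2?
has_perms() {
    want="$2"
    while [ -n "$want" ]; do
        c=$(printf '%.1s' "$want"); want="${want#?}"
        case "$1" in *"$c"*) ;; *) return 1 ;; esac
    done
    return 0
}

# Check one getfacl(1) record on stdin: group $1 must have an entry granting
# at least $2, and group $3 (optional) must have no entry at all. When the
# mask narrows an entry, getfacl appends "#effective:..." and that narrowed
# value is the one compared.
acl_record_ok() {
    want_group="$1"; want_perms="$2"; deny_group="${3:-}"; found=0
    while IFS= read -r line; do
        case "$line" in
            "group:$want_group:"*|"default:group:$want_group:"*)
                set -- $line                     # entry [#effective:perms]
                granted="${1##*:}"
                if [ $# -ge 2 ]; then granted="${2#*:}"; fi
                has_perms "$granted" "$want_perms" || return 1
                found=1 ;;
            *)
                [ -n "$deny_group" ] || continue
                case "$line" in
                    "group:$deny_group:"*|"default:group:$deny_group:"*) return 1 ;;
                esac ;;
        esac
    done
    [ "$found" -eq 1 ]
}

# Steps 5 to 9 of the procedure for one instance directory (needs root).
apply_instance_acls() {
    inst="$1"; audit="$inst/logs/signedAudit"
    # pkiadmin reads everything; the d: entry makes new files inherit that
    setfacl -R -L -m g:pkiadmin:r,d:g:pkiadmin:r "$inst" &&
    find -L "$inst" -type d -exec setfacl -L -n -m g:pkiadmin:rx,d:g:pkiadmin:rx {} \; || return 1
    # the signed audit log is for auditors only (the RA has none)
    [ -d "$audit" ] || return 0
    setfacl -R -L -x g:pkiadmin,d:g:pkiadmin "$audit" &&
    setfacl -R -L -m g:pkiaudit:r,d:g:pkiaudit:r "$audit" &&
    find -L "$audit" -type d -exec setfacl -L -n -m g:pkiaudit:rx,d:g:pkiaudit:rx {} \;
}

# Walk the instance the same way setfacl -L did and check every entry.
verify_instance() {
    inst="$1"; audit="$inst/logs/signedAudit"
    find -L "$inst" -path "$audit" -prune -o -print | while IFS= read -r p; do
        if [ -d "$p" ]; then want=rx; else want=r; fi
        getfacl -p "$p" | acl_record_ok pkiadmin "$want" || { echo "bad ACL: $p" >&2; exit 1; }
    done || return 1
    [ -d "$audit" ] || return 0
    find -L "$audit" -print | while IFS= read -r p; do
        if [ -d "$p" ]; then want=rx; else want=r; fi
        getfacl -p "$p" | acl_record_ok pkiaudit "$want" pkiadmin || { echo "bad ACL: $p" >&2; exit 1; }
    done
}

# Offline self-check against the getfacl listing the procedure shows for a
# correctly configured signedAudit/ directory (constructed from that listing).
self_check() {
    sample='# file: /var/lib/instance_name/logs/signedAudit
# owner: pkiuser
# group: pkiaudit
user::rwx
group::rwx
group:pkiaudit:r-x
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:pkiaudit:r-x
default:mask::rwx
default:other::---'
    printf '%s\n' "$sample" | acl_record_ok pkiaudit rx pkiadmin
}

if [ -n "${INSTANCE_DIR:-}" ]; then
    name=$(basename "$INSTANCE_DIR")             # e.g. pki-ca for /var/lib/pki-ca
    service "$name" stop
    apply_instance_acls "$INSTANCE_DIR"; rc=$?
    service "$name" start
    [ "$rc" -eq 0 ] && verify_instance "$INSTANCE_DIR" && echo "ACLs verified on $INSTANCE_DIR"
else
    self_check && echo "self-check passed; set INSTANCE_DIR=/var/lib/<instance> to apply"
fi
```

Run it as root with `INSTANCE_DIR=/var/lib/instance_name sh pki-acl.sh`; without INSTANCE_DIR it only runs the offline self-check against the signedAudit/ listing from step 11. Verification walks symbolic links with find -L, the same way the setfacl commands did, so link targets in /etc, /usr, and /var are checked as well.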