Adjusting Permissions for Backup Directories Using Groups and ACLs

In this article, we'll walk through how to set up and configure group access for backup directories on a Linux system using ACLs (Access Control Lists). We'll create a new group called "backups," grant appropriate permissions to backup directories, and restrict access to certain subdirectories to avoid confusion.

This approach is useful when managing access to different backup directories where some directories should be accessible to a group, while others remain restricted.

Step-by-Step Guide to the Commands

1. Create the "backups" Group

The first step is to create a group called backups, which will allow specific users to have access to backup directories. This group will be used to control access via ACLs.

groupadd backups

• groupadd backups: This command creates a new group named backups.

2. Grant Read and Execute Access to the Backup Directory

Next, we'll give the backups group read and execute access to the main /backup/ directory. This ensures users in the backups group can navigate through the directory and access the files inside it.

sudo setfacl -R -m g:backups:rx /backup/
sudo setfacl -R -d -m g:backups:rx /backup/

• setfacl -R -m g:backups:rx /backup/: This command recursively grants read (r) and execute (x) permissions to the backups group for the /backup/ directory and all its contents.
• setfacl -R -d -m g:backups:rx /backup/: This ensures that new files or directories created within /backup/ inherit the same permissions for the backups group.

3. Remove Execute Access for a Specific Backup Subdirectory

To prevent confusion, we'll remove the execute permission for the backups group on a specific subdirectory (in this case, /backup/restricted_backup/). This will ensure that the group cannot access this particular directory, even though it has access to the main /backup/ directory.

sudo setfacl -x g:backups /backup/restricted_backup/

• setfacl -x g:backups /backup/restricted_backup/: This command removes all ACL permissions for the backups group on the /backup/restricted_backup/ directory, ensuring that the group cannot read or execute files in this specific folder.

Verifying Permissions

After applying the changes, you can verify the ACL settings for the directories to ensure that the correct permissions are applied:

getfacl /backup/
getfacl /backup/restricted_backup/

• getfacl /backup/: Displays the current ACL settings for the /backup/ directory.
• getfacl /backup/restricted_backup/: Displays the ACL settings for the restricted subdirectory.

Summary of Commands

Here’s a full list of the commands used in this configuration:

1. Create the "backups" group:

   groupadd backups

2. Grant recursive read and execute access to the /backup/ directory:

   sudo setfacl -R -m g:backups:rx /backup/
   sudo setfacl -R -d -m g:backups:rx /backup/

3. Remove execute access for the restricted backup directory:

   sudo setfacl -x g:backups /backup/restricted_backup/

4. Verify the permissions:

   getfacl /backup/
   getfacl /backup/restricted_backup/

This configuration ensures that the backups group has the necessary access to the main /backup/ directory while restricting access to sensitive subdirectories, maintaining both usability and security.