Securing Linux Storage with ACLs: An Open-Source Web Management Interface for Enhanced Data Protection.
A robust web-based management interface for Linux Access Control Lists (ACLs), designed to enhance data protection and simplify ACL administration. This project provides a modern, user-friendly solution for managing file system permissions in Linux environments.
Institutional departments, such as the Biomedical Informatics (BMI) Department of Emory University School of Medicine, manage vast amounts of data, often reaching petabyte scales across multiple Linux-based storage servers. Researchers storing data in these systems need a streamlined way to modify ACLs to grant or revoke access for collaborators. Currently, the IT team at BMI is responsible for manually handling these ACL modifications, which is time-consuming, error-prone, and inefficient, especially as data volume and user demands grow. To address this challenge at BMI and similar institutions worldwide, a Web Management Interface is needed to allow users to modify ACLs securely. This solution would eliminate the burden on IT teams by enabling on-demand permission management while ensuring security and reliability. The proposed system will feature a robust and highly configurable backend, high-speed databases, orchestration daemons for file storage servers, and an intuitive frontend. The proposal includes an in-depth analysis of required components, high-level and low-level design considerations, technology selection, and the demonstration of a functional prototype as proof of concept. The goal is to deliver a production-ready, secure, scalable, and reliable system for managing ACLs across multiple servers hosting filesystems such as NFS, BeeGFS, and others. This solution will streamline access control management and prepare it for deployment at BMI and other institutions worldwide, significantly reducing the manual workload for IT teams.
- Intuitive web interface for ACL management
- High-performance backend written in Go
- Real-time ACL updates
- Comprehensive ACL reporting and visualization
- Integration with OpenLDAP for authentication
main: Production-ready codedevelopment-v<version>: Development branches for specific versions
The ACL API Daemom, a service called aclapi handles the gRPC connections with the backend component.
It performs 2 jobs:
- Communicate with
aclcoredaemon about demanded ACL operations - Handler gRPC connections from backed component
It is provided with the least user privileges since it's exposed to the network.
Hence, this is not an independent component and needs aclcore to be running on the same server with proper setup.
Refer to the documentation for more information.
For production build, it is recommended to use the Makefile. This allows you to build the complete binary on locally for security purposes. Since the project is in development mode, complete local build is not possible since dependencies are managed via GitHub and external vendors. Tarball based complete local builds will be developed in later stages.
Manual build provides more indepth look into how components are deployed and working. For automated deployment, use install.sh script.
-
Clone the repository:
git clone https://github.com/PythonHacker24/linux-acl-management-aclapi.git cd linux-acl-management-aclapi -
Use make:
make build
-
Move the binary to /usr/local/bin
sudo cp ./bin/aclapi /usr/local/bin/
-
Move configuration file to /etc/laclm
sudo cp aclapi.yaml /etc/laclm/aclapi.yaml
-
Ensure you have a group called
laclm. It should be followed in steps aclcore daemon installation. -
Create a user called
aclapiwith no home, least privileges, and added intolaclmgroup.sudo useradd --system --no-create-home --shell /usr/sbin/nologin --groups laclm aclapi
-
Create service for ACL API Daemon
a. Create the systemd service file
touch /etc/systemd/system/aclapi.service
b. Copy this into aclapi.service
[Unit] Description=ACL API Daemon After=network.target Requires=aclcore.service [Service] Type=simple ExecStart=/usr/local/bin/aclapi --config /etc/laclm/aclapi.yaml User=aclapi Group=laclm NoNewPrivileges=yes ProtectSystem=strict ProtectHome=yes PrivateTmp=yes Restart=on-failure [Install] WantedBy=multi-user.target
-
Reload SystemD daemons
sudo systemctl daemon-reload
-
Enable aclapi service (optional: daemon will auto start when system is restarted)
sudo systemctl enable aclapi.service -
Start aclapi service
sudo systemctl start aclapi.service
-
Check aclapi status
sudo systemctl status aclapi.service
.
├── cmd/ # Application entry points
├── internal/ # Private application code
├── pkg/ # Public library code
├── api/ # API definitions and handlers
├── docs/ # Documentation
└── deployments/ # Deployment configurations
- Fork the repository
- Create your feature branch (
git checkout -b feature/amazing-feature) - Commit your changes (
git commit -m 'Add some amazing feature') - Push to the branch (
git push origin feature/amazing-feature) - Open a Pull Request
Please read CONTRIBUTING.md for details on our code of conduct and development process.
This project is developed as part of Google Summer of Code 2025, in collaboration with the Department of Biomedical Informatics at Emory University.
- Contributor: Aditya Patil
- Mentors:
- Robert Tweedy
- Mahmoud Zeydabadinezhad, PhD
- Backend: Golang, net/http
- API: gRPC, REST
- Infrastructure:
- Packaging: Tarball
This project is licensed under the MIT License - see the LICENSE file for details.
- Department of Biomedical Informatics, Emory University
- Google Summer of Code Program
- Open Source Community