====== Create and Manage Access Control Lists (ACLs) ======
**General Information**
Access Control Lists are additional permission entries that allow finer-grained access control than the standard "user, group, others" mode bits: specific named users and groups can be granted their own permissions on a file or directory.
----
===== View ACLs =====
Show the ACL of a file
getfacl file1
# file: file1
# owner: root
# group: root
user::rw-
group::r--
other::r--
* The above is a new file created by root, with no extended ACL entries set; the user::, group:: and other:: entries simply mirror the standard mode bits
* getfacl = get file access control lists
----
===== Setting ACLs =====
Set an ACL entry for the user yoda, giving him read and write permissions
setfacl -m u:yoda:rw file1
getfacl file1
# file: file1
# owner: root
# group: root
user::rw-
user:yoda:rw-
group::r--
mask::rw-
other::r--
* Now, the same file with an extended ACL entry for the user yoda
* -m => modify (add or change entries)
* u:yoda:rw => user yoda, read and write permissions
* mask = the upper bound on permissions for ACL entries; it is created automatically when the first named entry is added
\\
Notice the "+" at the end of the permission string in a file listing, indicating an extended ACL exists
ll
total 4
-rw-rw-r--+ 1 root root 0 Jul 5 16:25 file1
\\
Update the mask (max ACL permissions) to read only
setfacl -m m::r file1
getfacl file1
# file: file1
# owner: root
# group: root
user::rw-
user:yoda:rw- #effective:r--
group::r--
mask::r--
other::r--
* m::r => set the mask to read. Even though yoda's entry still says rw, the mask caps the effective permission of every named entry at read; getfacl flags this with the "#effective:r--" comment.
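The "#effective:" comment above is the detail that matters when auditing who can really write to a file. The following script, an added example and not part of the original page, re-implements that mask calculation in POSIX sh so the rule can be checked offline: it takes getfacl-style text (a constructed sample is embedded; the function names effective_perms, acl_effective and acl_effective_writers are this example's own) and prints, for each entry, the permission string as written next to the permission actually granted after the mask is applied. It generalizes the single yoda case on the page to every named user, named group and the owning group entry, and shows that the owner (user::) and other:: entries are never masked.

```shell
#!/bin/sh
# Constructed sample of getfacl output, shaped like the listings on this page.
# Embedded inline so the script runs without setfacl/getfacl or ACL support.
SAMPLE_ACL='# file: file1
# owner: root
# group: root
user::rw-
user:yoda:rw-
group::r--
group:jedi:rwx
mask::r--
other::r--'

# effective_perms PERMS MASK -> the permissions actually granted.
# A bit survives only if it is set in both the entry and the mask.
effective_perms() {
    perms=$1 mask=$2 out=""
    i=1
    while [ "$i" -le 3 ]; do
        p=$(printf '%s' "$perms" | cut -c"$i")
        m=$(printf '%s' "$mask" | cut -c"$i")
        if [ "$p" != "-" ] && [ "$p" = "$m" ]; then
            out="$out$p"
        else
            out="$out-"
        fi
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# acl_effective ACL_TEXT -> one line per entry: "<entry> <effective perms>".
# Mirrors what getfacl reports in its "#effective:" comment.
acl_effective() {
    acl=$1
    mask=$(printf '%s\n' "$acl" | awk -F: '$1 == "mask" { print $3 }')
    # A minimal ACL (no named entries) has no mask, so nothing is capped.
    [ -n "$mask" ] || mask=rwx
    printf '%s\n' "$acl" | grep -v -e '^#' -e '^$' |
    while IFS=: read -r tag name perms; do
        case "$tag:$name" in
            # owner, other and the mask entry itself are never masked
            user:|other:|mask:) eff=$perms ;;
            # named users, named groups and the owning group (group::) are
            *) eff=$(effective_perms "$perms" "$mask") ;;
        esac
        printf '%s:%s:%s %s\n' "$tag" "$name" "$perms" "$eff"
    done
}

# acl_effective_writers ACL_TEXT -> the entries that can actually write,
# which is what a review of a sensitive file should look at, not the raw rw-.
acl_effective_writers() {
    acl_effective "$1" | awk '$2 ~ /w/ { print $1 }'
}

# Usage on the constructed sample; pipe real output in with:
#   acl_effective "$(getfacl -p /path/to/file)"
acl_effective "$SAMPLE_ACL"
echo "entries with effective write access:"
acl_effective_writers "$SAMPLE_ACL"
```

With the sample's mask of r--, both user:yoda:rw- and group:jedi:rwx collapse to r--, and only the owner entry keeps write access; raising the mask back to rw- (as the group example below does implicitly) is what re-enables those entries. The check reproduces getfacl's own logic only for reading the listing; it does not replace running getfacl on the real file.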
\\
Set an ACL entry for a group
setfacl -m g:jedi:rw file1
getfacl file1
# file: file1
# owner: root
# group: root
user::rw-
user:yoda:rw-
group::r--
group:jedi:rw-
mask::rw-
other::r--
* g:jedi:rw => group "jedi" with read and write permissions. Note that the mask was recalculated back to rw- when the entry was added.
\\
Set a default ACL on dir1 so that new files/directories created within it inherit the entry (here, for the owning user)
setfacl -m d:u::rw dir1
* d: => default entry; u::rw => owning user, read and write
* Note: default entries do NOT change the permissions of dir1 itself, only of what is created inside it afterwards
\\
Remove the default ACL entries from a directory
setfacl --remove-default dir
* Remove all extended ACL entries (including default ones): setfacl --remove-all dir
\\
Remove a single user's ACL entry
setfacl -x u:yoda file1
OR
setfacl --remove u:yoda file1
\\
Copy the ACL from file1 and apply it to file2
getfacl file1 | setfacl --set-file=- file2
* Notice the --set-file=-; the "-" means read the ACL from standard input, which here is the output of getfacl
----