Create and Manage Access Control Lists (ACLs)
General Information
Access Control Lists are additional permission entries that allow finer-grained access than the standard "user, group, others" mode bits: specific users and groups can be granted or denied rights on a file without changing its owner or owning group.
View ACLs
Show ACL permissions
getfacl file1
# file: file1
# owner: root
# group: root
user::rw-
group::r--
other::r--
- The above is a new file created by root with no extended ACL entries; getfacl shows only the three base entries, which mirror the standard mode bits
- getfacl = get file access control lists
Setting ACLs
Set an ACL for the user yoda to give him read and write permissions
setfacl -m u:yoda:rw file1
getfacl file1
# file: file1
# owner: root
# group: root
user::rw-
user:yoda:rw-
group::r--
mask::rw-
other::r--
- Now the same file carries an extended ACL entry for the user yoda
- -m ⇒ modify (add or change entries, keeping the rest of the ACL)
- u:yoda:rw ⇒ user yoda, read and write permissions
- mask = the upper bound on the effective permissions of named users, named groups and the owning group; it does not apply to the owner (user::) or to other::. setfacl recalculates the mask automatically whenever you modify an entry unless you pass -n (--no-mask)
Notice the "+" at the end of the permissions in a file listing, indicating an ACL exists
ll   (alias for ls -l)
total 4
-rw-rw-r--+ 1 root root 0 Jul  5 16:25 file1
- Caveat: once a file has an ACL, the group field of ls -l shows the mask (rw- here), not the owning group's entry (group::r--); read getfacl, not ls, to see who can actually do what
Update the mask (max ACL permissions) to read only
setfacl -m m::r file1
getfacl file1
# file: file1
# owner: root
# group: root
user::rw-
user:yoda:rw-                   #effective:r--
group::r--
mask::r--
other::r--
- m::r ⇒ set the mask to read. Even though yoda's entry still says rw, his effective permission is now r--, and getfacl flags this with the #effective comment. The mask caps named users, named groups and the owning group only; the owner (root, rw-) and other:: are unaffected by it
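Because the effective permission of a masked entry is the intersection of the entry and the mask, an auditor reading getfacl output by hand has to apply the mask to every named user, named group and owning-group entry. The following shell functions do that automatically. This is an added example, not part of the original notes; the ACL text it parses is constructed to match the file1 output above, and the function names (and_perms, acl_effective, acl_entry_effective) are this example's own.

```shell
#!/bin/sh
# Added example: compute effective ACL permissions from getfacl(1) text.
# Rule implemented: for user:NAME, group:NAME and the owning group (group::)
# effective = entry AND mask; user:: (owner) and other:: are never masked.
# default:... entries carry their own default mask and are printed as-is.

# Intersect two rwx triples character by character, e.g. "rw-" AND "r--" -> "r--".
and_perms() {
    out=""
    for i in 1 2 3; do
        ca=$(printf '%s' "$1" | cut -c"$i")
        cb=$(printf '%s' "$2" | cut -c"$i")
        if [ "$ca" = "$cb" ]; then out="$out$ca"; else out="$out-"; fi
    done
    printf '%s\n' "$out"
}

# Read getfacl text on stdin; print "<entry> <effective>" for every ACL entry.
acl_effective() {
    acl=$(cat)
    # The access mask, if one exists (no mask means nothing is capped).
    mask=$(printf '%s\n' "$acl" | sed -n 's/^mask::\([rwx-]*\).*/\1/p' | head -n 1)
    # "read entry annotation" splits off the "#effective:..." note getfacl appends.
    printf '%s\n' "$acl" | while read -r entry annotation; do
        case $entry in
            ''|'#'*) continue ;;           # blank lines and "# file:/owner:/group:" header
        esac
        tag=${entry%%:*}                   # user / group / mask / other / default
        rest=${entry#*:}
        name=${rest%%:*}                   # empty for owner, owning group, mask, other
        perms=${rest#*:}
        eff=$perms
        if [ -n "$mask" ]; then
            case "$tag:$name" in
                user:|other:|mask:) ;;                          # not subject to the mask
                user:*|group:*) eff=$(and_perms "$perms" "$mask") ;;  # named entries + owning group
            esac
        fi
        printf '%s %s\n' "$entry" "$eff"
    done
}

# Effective permissions of a single entry, e.g. "user:yoda", "group:" (owning group), "user:" (owner).
acl_entry_effective() {
    acl_effective | awk -v e="$1:" 'index($1, e) == 1 { print $2; exit }'
}

# Constructed sample: the file1 ACL after "setfacl -m m::r file1" (not captured from a live system).
SAMPLE_ACL='# file: file1
# owner: root
# group: root
user::rw-
user:yoda:rw-                   #effective:r--
group::r--
mask::r--
other::r--'

printf '%s\n' "$SAMPLE_ACL" | acl_effective
```

On a live system feed it real output with `getfacl -c file1 | acl_effective` (-c omits the header). To find everything on a tree that has an ACL at all, `getfacl -R -s -p /srv` (-s skips files that have only the three base entries) gives you the input for an audit.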
Set an ACL for a group
setfacl -m g:jedi:rw file1
getfacl file1
# file: file1
# owner: root
# group: root
user::rw-
user:yoda:rw-
group::r--
group:jedi:rw-
mask::rw-
other::r--
- g:jedi:rw ⇒ group "jedi" with read and write permissions
- Caveat: the read-only mask set above is gone. Without -n, setfacl -m recalculates the mask as the union of all named-user, named-group and owning-group entries, so adding jedi with rw widened it back to rw- and silently restored yoda's write access. Use setfacl -n -m g:jedi:rw file1 to add an entry without touching the mask
Set a default ACL on dir1 so that new files and directories created inside it start with a read/write entry for their owner
setfacl -m d:u::rw dir1
- d: ⇒ default entry; u:: with no name is the owning user, so d:u:yoda:rw would instead give yoda an entry on every new item
- Default ACLs can only be set on directories. They are inherited by files and subdirectories created afterwards (getfacl shows them as default:user::rw-); they do NOT change the permissions of dir1 itself or of anything already inside it
Remove default ACLs
setfacl --remove-default dir1   (or -k)
- Remove all extended ACL entries (including default ones), leaving only the base mode bits: setfacl --remove-all dir1 (or -b)
Remove a single user's ACL entry
setfacl -x u:yoda file1
setfacl --remove u:yoda file1   (same thing, long form)
Copy the ACL from file1 and apply it to file2
getfacl file1 | setfacl --set-file=- file2
- Notice the --set-file=-; the "-" means read the ACL from standard input
- --set-file replaces file2's entire ACL, base entries included, so file2's owner/group/other mode bits become those of file1. For a whole tree, save with getfacl -R dir > acl.bak and restore with setfacl --restore=acl.bak