
Create And Manage Access Control Lists Acls

General Information

Access Control Lists (ACLs) are additional permission entries that allow finer-grained access than the standard “user, group, others” categories, for example read/write for one named user or group without changing the file's owner or group.


Show ACL permissions

getfacl file1
 
# file: file1
# owner: root
# group: root
user::rw-
group::r--
other::r--
  • The above is a new file created by root, with no extended ACL permissions set
  • getfacl = get file access control lists

Set ACL for the user, yoda to give him write permissions

setfacl -m u:yoda:rw file1
 
getfacl file1
# file: file1
# owner: root
# group: root
user::rw-
user:yoda:rw-
group::r--
mask::rw-
other::r--
  • Now, the same file with extended ACL permissions for the user, yoda
  • -m ⇒ modify
  • u:yoda:rw ⇒ user yoda, read and write permissions
  • mask = maximum effective permissions for named users, named groups and the owning group (the owner's own user:: entry and other:: are not limited by it)


Notice the “+” at the end of permissions in a file listing, indicating an ACL exists

ll
total 4
-rw-rw-r--+ 1 root root 0 Jul  5 16:25 file1


Update the mask (max ACL permissions) to read

setfacl -m m::r file1
 
getfacl file1
# file: file1
# owner: root
# group: root
user::rw-
user:yoda:rw-			#effective:r--
group::r--
mask::r--
other::r--
  • m::r ⇒ set the mask to read. Even though yoda's entry still says rw, his effective permission (shown by getfacl as #effective:r--) is capped at read; the same cap applies to any named group entry and to the owning group, while the owner's user:: entry and other:: are unaffected by the mask.


Set ACL for a group

setfacl -m g:jedi:rw file1
 
getfacl file1 
# file: file1
# owner: root
# group: root
user::rw-
user:yoda:rw-
group::r--
group:jedi:rw-
mask::rw-
other::r--
  • g:jedi:rw ⇒ group “jedi” with read and write permissions
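To show how the mask from the previous section and the group entry just added actually combine, here is an added example (not part of the wiki page, and not the acl package's own code). It parses getfacl output and re-implements the mask and access-check rules from acl(5); the two getfacl listings inside it are constructed from the page's own examples, and the user names obiwan and jarjar are made up for the checks.

```python
"""Compute effective ACL permissions from getfacl output.

Added example, not part of the wiki page. The two samples below are
constructed from the page's own getfacl listings; nothing here calls
setfacl or getfacl, it only re-implements the mask and access rules of acl(5).
"""
import re

# Constructed: file1 after `setfacl -m m::r file1` (mask lowered to r--).
# getfacl prints the '#effective:' hint itself; we ignore it and recompute.
AFTER_MASK_R = """\
# file: file1
# owner: root
# group: root
user::rw-
user:yoda:rw-\t\t\t#effective:r--
group::r--
mask::r--
other::r--
"""

# Constructed: file1 after `setfacl -m g:jedi:rw file1` (mask back to rw-).
AFTER_GROUP_JEDI = """\
# file: file1
# owner: root
# group: root
user::rw-
user:yoda:rw-
group::r--
group:jedi:rw-
mask::rw-
other::r--
"""

PERM_RE = re.compile(r"[r-][w-][x-]")


def parse_getfacl(text):
    """Parse getfacl output into {'owner', 'group', 'entries'}; each entry is a
    dict with tag ('user', 'group', 'mask', 'other'), qualifier, perms, default."""
    acl = {"owner": None, "group": None, "entries": []}
    for raw in text.splitlines():
        if raw.startswith("# owner:"):
            acl["owner"] = raw.split(":", 1)[1].strip()
            continue
        if raw.startswith("# group:"):
            acl["group"] = raw.split(":", 1)[1].strip()
            continue
        line = raw.split("#", 1)[0].strip()  # drops '# file:' and '#effective:' text
        if not line:
            continue
        is_default = line.startswith("default:")  # entries set with d:... on a directory
        if is_default:
            line = line[len("default:"):]
        tag, qualifier, perms = line.split(":", 2)
        if not PERM_RE.fullmatch(perms):
            raise ValueError(f"bad permission triple in {raw!r}")
        acl["entries"].append({"tag": tag, "qualifier": qualifier,
                               "perms": perms, "default": is_default})
    return acl


def and_perms(a, b):
    """Intersection of two rwx triples: and_perms('rw-', 'r--') == 'r--'."""
    return "".join(x if x == y else "-" for x, y in zip(a, b))


def effective_entries(acl, default=False):
    """Map 'tag:qualifier' -> effective perms for the access ACL (or the
    default ACL when default=True). The mask caps named users, named groups
    and the owning group; user:: (owner) and other:: are never masked."""
    entries = [e for e in acl["entries"] if e["default"] == default]
    mask = next((e["perms"] for e in entries if e["tag"] == "mask"), None)
    out = {}
    for e in entries:
        masked = e["tag"] == "group" or (e["tag"] == "user" and e["qualifier"] != "")
        perms = and_perms(e["perms"], mask) if (masked and mask) else e["perms"]
        out[f"{e['tag']}:{e['qualifier']}"] = perms
    return out


def may(acl, user, groups, want):
    """Would the acl(5) check grant `want` (e.g. 'r', 'rw') to `user` with
    supplementary `groups`? Owner first, then a named user entry, then the
    owning/named group entries (one matching entry must cover the whole
    request); only users in none of those classes fall through to other."""
    eff = effective_entries(acl)

    def covers(perms):
        return all(bit in perms for bit in want)

    if user == acl["owner"]:
        return covers(eff["user:"])
    if f"user:{user}" in eff:
        return covers(eff[f"user:{user}"])
    group_perms = [eff["group:"]] if acl["group"] in groups else []
    group_perms += [p for key, p in eff.items()
                    if key.startswith("group:") and key != "group:"
                    and key[len("group:"):] in groups]
    if group_perms:
        return any(covers(p) for p in group_perms)
    return covers(eff["other:"])


if __name__ == "__main__":
    acl = parse_getfacl(AFTER_MASK_R)
    print(effective_entries(acl))          # user:yoda -> 'r--' because mask::r--
    print(may(acl, "yoda", [], "w"))       # False: the mask removed yoda's write bit
    print(may(parse_getfacl(AFTER_GROUP_JEDI), "obiwan", ["jedi"], "rw"))  # True
```

Run it as a script to see the effective table; the point to notice is that yoda's entry still reads rw- while `may(..., "yoda", [], "w")` is False, exactly the #effective:r-- that getfacl reported, whereas root as owner keeps write because user:: is outside the mask.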


Set a default ACL on dir1 (here the default user:: entry) that new files/directories created within dir1 will inherit

setfacl -m d:u::rw dir1
  • Note: default entries only apply to files and directories created later inside dir1; they do NOT change the permissions of dir1 itself


Remove default ACLs

setfacl --remove-default dir
  • Remove all ACLs (including default): setfacl --remove-all dir


Remove a single user's ACL

setfacl -x u:yoda file1
OR
setfacl --remove u:yoda file1


Copy ACL from file1 and apply it to file2

getfacl file1 | setfacl --set-file=- file2
  • Notice the --set-file=-, the “-” means read the ACL from standard input (here, the output of getfacl)

  • Last modified: 2019/05/25 23:50