====== Create And Manage Access Control Lists (ACLs) ======

**General Information**

Access Control Lists (ACLs) are additional permissions that allow finer-grained access than the standard "user, group, others" categories.

----

===== View ACLs =====

Show ACL permissions
<code bash>
getfacl file1

# file: file1
# owner: root
# group: root
user::rw-
group::r--
other::r--
</code>
  * The above is a new file created by root, with no extended ACL permissions set
  * getfacl = get file access control lists

----

===== Setting ACLs =====

Set an ACL for the user yoda to give him write permissions
<code bash>
setfacl -m u:yoda:rw file1
getfacl file1

# file: file1
# owner: root
# group: root
user::rw-
user:yoda:rw-
group::r--
mask::rw-
other::r--
</code>
  * Now, the same file with extended ACL permissions for the user yoda
  * -m => modify
  * u:yoda:rw => user yoda, read and write permissions
  * mask = maximum permissions that ACL entries (named users, named groups and the owning group) can be granted

\\
Notice the "+" at the end of the permissions in a file listing, indicating an ACL exists
<code bash>
ll

total 4
-rw-rw-r--+ 1 root root 0 Jul 5 16:25 file1
</code>

\\
Update the mask (max ACL permissions) to read
<code bash>
setfacl -m m::r file1
getfacl file1

# file: file1
# owner: root
# group: root
user::rw-
user:yoda:rw-   #effective:r--
group::r--
mask::r--
other::r--
</code>
  * m::r => set the mask to read permissions. This means that even though yoda's entry says rw, his effective permission is read only. The mask limits named users, named groups and the owning group; the file owner (user::) and other:: entries are not limited by it.
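The mask behaviour described above, as an added example that is not part of the original wiki page: a POSIX shell filter that reads `getfacl` output on stdin and prints each entry's effective rights. The function names and the jedi entry in the sample input are constructed for illustration.

```shell
# Added example: effective rights from `getfacl` output read on stdin.
# The mask caps named users, named groups and the owning group;
# the file owner (user::) and other:: are not limited by it.

# intersect PERMS MASK: keep only the bits present in both triples
intersect() {
    out=""
    for i in 1 2 3; do
        p=$(printf '%s' "$1" | cut -c"$i")
        m=$(printf '%s' "$2" | cut -c"$i")
        if [ "$p" = "$m" ]; then out="$out$p"; else out="$out-"; fi
    done
    printf '%s\n' "$out"
}

# acl_effective: print "entry effective=rwx" for each access ACL entry
acl_effective() {
    # drop the "# file:" header comments, blank lines and default: entries
    acl=$(sed -e '/^#/d' -e '/^$/d' -e '/^default:/d')
    mask=$(printf '%s\n' "$acl" | sed -n 's/^mask::\(...\).*/\1/p')
    printf '%s\n' "$acl" | while IFS=: read -r tag qual perms; do
        [ -n "$tag" ] || continue                  # empty input
        perms=$(printf '%s' "$perms" | cut -c1-3)  # strip "#effective:" note
        case "$tag:$qual" in
            mask:*)        continue ;;
            user:|other:)  eff=$perms ;;           # not subject to the mask
            # no mask entry (minimal ACL) behaves like a mask of rwx
            *)             eff=$(intersect "$perms" "${mask:-rwx}") ;;
        esac
        printf '%s:%s:%s effective=%s\n' "$tag" "$qual" "$perms" "$eff"
    done
}

# Constructed sample: the page's file1 with mask r--, plus a jedi group entry
sample_acl() {
    cat <<'EOF'
# file: file1
# owner: root
# group: root
user::rw-
user:yoda:rw-   #effective:r--
group::r--
group:jedi:rw-  #effective:r--
mask::r--
other::r--
EOF
}

sample_acl | acl_effective
```

On a live system, pipe real output through it with `getfacl file1 | acl_effective`.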
\\
Set an ACL for a group
<code bash>
setfacl -m g:jedi:rw file1
getfacl file1

# file: file1
# owner: root
# group: root
user::rw-
user:yoda:rw-
group::r--
group:jedi:rw-
mask::rw-
other::r--
</code>
  * g:jedi:rw => group "jedi" with read and write permissions
  * Note that the mask is rw again: setfacl -m recalculates the mask from the entries unless a mask entry is given explicitly or -n (--no-mask) is used, so a previously restricted mask is widened by this command

\\
Set a default ACL for new files/directories created within dir1
<code bash>
setfacl -m d:u::rw dir1
</code>
  * d: => default entry; u:: with an empty user name is the owning user's entry
  * Note: Default permissions do NOT give those permissions to dir1 itself

\\
Remove default ACLs
<code bash>
setfacl --remove-default dir
</code>
  * Remove all ACLs (including default): setfacl --remove-all dir

\\
Remove a single user's ACL
<code bash>
# short form
setfacl -x u:yoda file1
# or the equivalent long form
setfacl --remove u:yoda file1
</code>

\\
Copy the ACL from file1 and apply it to file2
<code bash>
getfacl file1 | setfacl --set-file=- file2
</code>
  * Notice the --set-file=-, the "-" means read from standard input

----

Last modified: 2019/05/25 23:50