Create and Manage Access Control Lists (ACLs)
General Information
Show ACL permissions
getfacl file1
# file: file1
# owner: root
# group: root
user::rw-
group::r--
other::r--
- The above is a new file created by root, with no extended ACL permissions set
- getfacl = get file access control lists
Set ACL for the user, yoda to give him write permissions
setfacl -m u:yoda:rw file1
getfacl file1
# file: file1
# owner: root
# group: root
user::rw-
user:yoda:rw-
group::r--
mask::rw-
other::r--
- Now, the same file with extended ACL permissions for the user, yoda
- -m ⇒ modify
- u:yoda:rw ⇒ user yoda, read and write permissions
- mask = the upper bound on the effective permissions of named users, named groups and the owning group (the owner's own user:: entry and other:: are not limited by it)
Notice the "+" at the end of the permissions in a file listing (ll is the common alias for ls -l), indicating an ACL exists
ll
total 4
-rw-rw-r--+ 1 root root 0 Jul  5 16:25 file1
Update the mask (max ACL permissions) to read
setfacl -m m::r file1
getfacl file1
# file: file1
# owner: root
# group: root
user::rw-
user:yoda:rw-                   #effective:r--
group::r--
mask::r--
other::r--
- m::r ⇒ set the mask to read. This means that even though yoda has rw, the most any named user or group (and the owning group) can actually use is read; getfacl flags the difference with "#effective:r--". The owner's user:: entry is not masked, which is why it still shows rw-.
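The mask rule above is easy to misread in a long getfacl dump (for example an ACL backup made with getfacl -R, which carries no "#effective:" annotations), so here is an added Python example, not part of the original page, that parses getfacl output and works out the effective permission of every entry: named users, named groups and the owning group are ANDed with the mask, while user:: and other:: are left alone. The sample output is constructed to match the page's file1 with both yoda and the jedi group present and the mask lowered to r--.

```python
"""Compute the effective permissions of each ACL entry from getfacl output."""

# Constructed sample: the page's file1 after `setfacl -m m::r file1`, with the
# named group jedi added and getfacl's own "#effective:" annotation omitted so
# the script has to derive it itself.
SAMPLE_GETFACL = """\
# file: file1
# owner: root
# group: root
user::rw-
user:yoda:rw-
group::r--
group:jedi:rw-
mask::r--
other::r--
"""


def parse_getfacl(text):
    """Return a list of (scope, tag, qualifier, perms) tuples.

    scope is "access" or "default" (default: entries of a directory);
    comment lines and any trailing "#effective:..." annotation are dropped.
    """
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        scope = "access"
        if line.startswith("default:"):
            scope = "default"
            line = line[len("default:"):]
        tag, qualifier, perms = line.split(":", 2)
        entries.append((scope, tag, qualifier, perms))
    return entries


def and_perms(a, b):
    """Bitwise AND of two rwx strings, e.g. 'rw-' & 'r--' -> 'r--'."""
    return "".join(x if x == y else "-" for x, y in zip(a, b))


def is_masked(tag, qualifier):
    """Named users, the owning group and named groups are capped by the mask;
    the owner (user::) and other:: are not."""
    return (tag == "user" and qualifier != "") or tag == "group"


def effective_permissions(text):
    """Map 'scope tag:qualifier' -> effective rwx string."""
    entries = parse_getfacl(text)
    # The access ACL and the default ACL each carry their own mask entry.
    masks = {scope: perms for scope, tag, _, perms in entries if tag == "mask"}
    result = {}
    for scope, tag, qualifier, perms in entries:
        key = f"{scope} {tag}:{qualifier}"
        mask = masks.get(scope)
        if mask is not None and is_masked(tag, qualifier):
            result[key] = and_perms(perms, mask)
        else:
            result[key] = perms
    return result


def entries_limited_by_mask(text):
    """Names of entries whose granted rights exceed what the mask allows."""
    entries = parse_getfacl(text)
    eff = effective_permissions(text)
    return [f"{s} {t}:{q}" for s, t, q, p in entries
            if eff[f"{s} {t}:{q}"] != p]


if __name__ == "__main__":
    for key, perms in effective_permissions(SAMPLE_GETFACL).items():
        print(f"{key:<22} {perms}")
    print("limited by mask:", entries_limited_by_mask(SAMPLE_GETFACL))
```

Feed it the real output of getfacl on a file and entries_limited_by_mask tells you which grants are silently reduced; a non-empty list after an audit usually means someone ran setfacl -m m:: (or chmod on the group bits, which rewrites the mask) without realising it affected the named entries.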
Set ACL for a group
setfacl -m g:jedi:rw file1
getfacl file1
# file: file1
# owner: root
# group: root
user::rw-
user:yoda:rw-
group::r--
group:jedi:rw-
mask::rw-
other::r--
- g:jedi:rw ⇒ group "jedi" with read and write permissions
Set a default ACL on dir1 for the owning user; default entries are inherited by new files/directories created within dir1
setfacl -m d:u::rw dir1
- Note: default entries (d:) do NOT grant those permissions on dir1 itself; they only seed the ACL of files and subdirectories created inside it afterwards
Remove default ACLs
setfacl --remove-default dir
- Remove all ACLs (including default): setfacl --remove-all dir
Remove a single user's ACL
setfacl -x u:yoda file1
OR
setfacl --remove u:yoda file1
Copy ACL from file1 and apply it to file2
getfacl file1 | setfacl --set-file=- file2
- Notice the --set-file=-: the "-" means read the ACL from standard input, here the getfacl output piped in from file1