Probably more familiar to you are standard POSIX permissions: permissions for the owner of a file, a group and all others. But what if you need to grant access to more than those three parties? That is where ACLs (access control lists) come in.
I’m working with CentOS, but it should be the same on any other distro.
The two commands to understand are ‘setfacl’ and ‘getfacl’. But first do an ‘ls -al’ on, for instance, the root home directory:
[root@centos7 ~]# ls -al
total 36
dr-xr-x---.  4 root root  175 Jun 27 02:44 .
dr-xr-xr-x. 17 root root  224 Jun 13 21:01 ..
-rw-------.  1 root root 1102 Jun 27 00:38 .bash_history
-rw-r--r--.  1 root root   18 Dec 28  2013 .bash_logout
-rw-r--r--.  1 root root  176 Dec 28  2013 .bash_profile
-rw-r--r--.  1 root root  176 Dec 28  2013 .bashrc
-rw-r--r--.  1 root root  100 Dec 28  2013 .cshrc
drwxr-xr-x+  2 root root    6 Jun 27 02:44 mytestdir
-rw-r--r--+  1 root root    5 Jun 27 02:44 mytestfile
As you probably know, since you are reading about advanced rather than basic permissions, the first column holds the file type followed by three permission triplets. Take the first entry, ‘dr-xr-x---.’: the type (d, a directory), the owner’s permissions (r-x), the group’s (r-x) and everyone else’s (---).
But mind the extra character at the end of that column. A dot means the file carries an SELinux security context (as every file on a RHEL-based system does) and nothing more. When that dot is a + instead, the file has an ACL set as well, as ‘mytestdir’ and ‘mytestfile’ do above.
Get a closer look at them with:
# getfacl mytestfile
You can see that besides the group ‘root’ a group called ‘extrastaff’ has read permissions to this file:
# file: mytestfile
# owner: root
# group: root
user::rw-
group::r--
group:extrastaff:r--
mask::r--
other::r--
These examples are very simple of course, but you get the idea. Now let’s edit some. Add user ‘tom’ with read permission:
# setfacl -m u:tom:r-- mytestfile
And ‘wendy’ can also write to the file:
# setfacl -m u:wendy:rw- mytestfile
User ‘jack’ and any others shouldn’t be able to even read the file:
# setfacl -m u:jack:--- mytestfile
# setfacl -m o::--- mytestfile
And we want to modify the ACLs in such a way that the ‘extrastaff’ group can also write to the file, in addition to the current read privileges:
# setfacl -m g:extrastaff:rw- mytestfile
This already shows what a couple of these letters mean:
- -m is for modify (add an entry, or change one that already exists)
- u is for user
- g is for group
- o is for others
- m is for the mask, which we get to next
Have a look at the current privileges:
# file: mytestfile
# owner: root
# group: root
user::rw-
user:tom:r--
user:wendy:rw-
user:jack:---
group::r--
group:extrastaff:rw-
mask::rw-
other::---
Introducing ACLs also introduces the ‘mask’ entry. It is the upper bound on the permissions of every named user, every named group and the owning group: what a process actually gets is its entry ANDed with the mask. The owner (user::) and other:: are not affected by it. So when wendy’s entry says rw- but the mask says r--, wendy can only read.
Always set the mask last, after the other entries (if you need one at all). A plain ‘setfacl -m’ recalculates the mask from the entries on the file unless you pass -n (--no-mask) or give the mask entry in the same call, so a mask set earlier is silently widened again by the next modification:
# setfacl -m m::r mytestfile
Test it as ‘wendy’ and you will see that she cannot write to the file although her own entry allows it: the mask doesn’t. ‘getfacl’ makes this visible by printing the effective rights next to each masked entry, e.g. ‘user:wendy:rw-    #effective:r--’.
Setting ACLs recursively on a directory and everything below it can be done with the -R flag:
# setfacl -R -m u:jack:--- mytestdir
Then there are default ACLs, which you set on a directory. They are inherited by every file and subdirectory created inside it from then on (existing children are not touched; combine with -R if they need the entry too). Let’s say you want the ‘extrastaff’ group to have all permissions on anything created in ‘mytestdir’. New files get the entry too, but a new file’s mask is limited to the mode the creating program asks for, which for an ordinary file has no execute bit, so on files the group’s effective permission ends up as rw-:
# setfacl -d -m g:extrastaff:rwx mytestdir
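To make the mask rule from the section above concrete, here is an added example (my own, not code from the original post). It computes the effective permission of every entry from getfacl-style output the way the kernel does: named users, named groups and the owning group are ANDed with the mask, the owner and other entries are not, and a default ACL like the one just set on ‘mytestdir’ has its own mask. The two ACL texts are constructed to match this post’s ‘mytestfile’ (after the mask was set to r--) and ‘mytestdir’. The live part of the script assumes numeric UIDs 1001-1003 in place of tom, wendy and jack so it does not depend on those accounts existing, and it skips itself when setfacl or ACL support is missing.

```shell
#!/bin/sh
# Added example, not from the original post: compute the EFFECTIVE permission
# of each ACL entry from getfacl output. The mask is ANDed with named users,
# named groups and the owning group; user:: (owner) and other:: are never
# masked. A default ACL carries its own mask and is handled separately.
# Both sample texts are constructed to match the post's examples.

SAMPLE_ACL='# file: mytestfile
# owner: root
# group: root
user::rw-
user:tom:r--
user:wendy:rw-
user:jack:---
group::r--
group:extrastaff:rw-
mask::r--
other::---'

SAMPLE_DIR_ACL='# file: mytestdir
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::r-x
default:group:extrastaff:rwx
default:mask::rwx
default:other::r-x'

# acl_effective: getfacl output on stdin -> "entry effective", one per line
acl_effective() {
    awk -F: '
    { sub(/[ \t]*#.*/, "") }                 # drop header lines and #effective notes
    NF == 0 { next }
    {
        pfx = ""
        if ($1 == "default") { pfx = "default:"; sub(/^default:/, "") }
        if ($1 == "mask") mask[pfx] = $3     # access and default ACLs have separate masks
        line[++n] = $0; scope[n] = pfx
    }
    END {
        for (i = 1; i <= n; i++) {
            split(line[i], f, ":"); tag = f[1]; qual = f[2]; perm = f[3]
            m = mask[scope[i]]
            if (m != "" && (tag == "group" || (tag == "user" && qual != ""))) {
                eff = ""                     # masked entry: AND each of r, w, x with the mask
                for (j = 1; j <= 3; j++) {
                    c = substr(perm, j, 1)
                    eff = eff ((c != "-" && substr(m, j, 1) == c) ? c : "-")
                }
            } else {
                eff = perm                   # owner, other and the mask itself: unchanged
            }
            printf "%s%s %s\n", scope[i], line[i], eff
        }
    }'
}

# acl_effective_for ACLTEXT ENTRY: effective permission of one entry, e.g.
#   acl_effective_for "$SAMPLE_ACL" user:wendy   -> r--
acl_effective_for() {
    printf '%s\n' "$1" | acl_effective |
        awk -v who="$2:" 'index($1, who) == 1 { print $2; found = 1 }
                          END { if (!found) print "absent" }'
}

# acl_demo: the post's procedure on a scratch file, live, showing that a later
# plain 'setfacl -m' recalculates the mask you set while '-n' preserves it.
# Assumes numeric UIDs 1001-1003 instead of tom/wendy/jack (hypothetical).
acl_demo() {
    command -v setfacl >/dev/null 2>&1 || { echo "setfacl not installed; live demo skipped"; return 0; }
    dir=$(mktemp -d) || return 1
    f="$dir/mytestfile"; : > "$f"
    if ! setfacl -m u:1001:r--,u:1002:rw-,u:1003:---,o::--- "$f" 2>/dev/null; then
        echo "no ACL support on $dir; live demo skipped"; rm -rf "$dir"; return 0
    fi
    setfacl -m m::r "$f"                      # the post's mask, applied last
    echo "--- after the mask (getfacl flags masked entries with #effective):"
    getfacl --omit-header "$f"
    setfacl -m u:1001:r-- "$f"                # plain -m: the mask is recalculated to rw-
    echo "--- mask after a plain -m:  $(getfacl --omit-header "$f" | grep '^mask')"
    setfacl -m m::r "$f"
    setfacl -n -m u:1001:r-- "$f"             # -n / --no-mask: the mask stays r--
    echo "--- mask after -n -m:       $(getfacl --omit-header "$f" | grep '^mask')"
    rm -rf "$dir"
}

printf '%s\n' "$SAMPLE_ACL" | acl_effective
printf '%s\n' "$SAMPLE_DIR_ACL" | acl_effective
acl_demo
```

Run it as root (or any user on a filesystem you can write to) and compare the second column of the first listing with the ‘#effective:’ annotations getfacl prints in the live part: the two should agree, and the final two lines show why the post says to set the mask last.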
And now you want the exact same permissions on a new directory. Simple: getfacl’s output can be fed straight back into setfacl, which copies both the access ACL and the default ACL (the same trick with ‘getfacl -R’ and ‘setfacl --restore’ backs up and restores a whole tree):
# mkdir mynewdir
# getfacl mytestdir | setfacl --set-file=- mynewdir
Finally let’s remove some ACLs. Remove defaults:
# setfacl -k mynewdir
Remove a specific user or group entry:
# setfacl -x u:wendy: mytestfile
Remove all extended entries at once, leaving only the owner, group and other base permissions:
# setfacl -b mytestfile
One final note that is good to know: moving files or folders keeps their ACLs, whereas a plain ‘cp’ creates a fresh file without them. Use ‘cp -p’ or ‘cp -a’ (GNU cp preserves ACLs together with the mode), ‘rsync -A’ or ‘tar --acls’ if the ACLs have to travel with the data.