Linux File ACL extended permissions

Standard POSIX permissions give each file or directory one owner, one group and an "other" class, each with read, write and execute bits; there is no way to grant a second user or a second group its own set of bits.
Access Control Lists (ACLs) extend this model.
An ACL adds named user and named group entries on top of the owner, group and other entries, each with its own read, write and execute permissions, so several users and groups can be given different access to the same file or directory.

The mask entry caps the effective permissions of every named user entry, the owning group entry and every named group entry: if an entry grants more than the mask allows, only the bits also present in the mask are actually used. The owner entry and the other entry are not limited by the mask.

There are two types of ACLs: access ACLs and default ACLs. An access ACL is the access control list of a specific file or directory and is what the kernel checks on every access. A default ACL can only be set on a directory; it plays no part in access checks on the directory itself, but is copied to files and subdirectories created inside it afterwards (a new subdirectory also inherits it as its own default ACL). Existing files are not changed when a default ACL is added. Default ACLs are optional.

The setfacl utility sets ACLs for files and directories. Use the -m option to add or modify the ACL of a file or directory:

setfacl -m <rules> <files>

Rules (<rules>) must be specified in one of the following formats. Multiple rules can be given in the same command if they are separated by commas.

u:<uid>:<perms>
Sets the access ACL entry for a named user. The user name or UID may be specified; it must be a valid user on the system. With an empty name (u::<perms>) the entry for the file's owner is set instead.
g:<gid>:<perms>
Sets the access ACL entry for a named group. The group name or GID may be specified; it must be a valid group on the system. With an empty name (g::<perms>) the entry for the owning group is set instead.
m:<perms>
Sets the effective rights mask. Unless you pass -n (--no-mask), or set the mask explicitly in the same command, setfacl recalculates the mask after every -m or -x as the union of the owning group entry and all named user and named group entries, so a hand-set mask only survives until the next modification.
o:<perms>
Sets the other entry, i.e. the permissions for users who match neither the owner nor any user or group entry. There is only one such entry and it takes no name.

Whitespace is ignored. Permissions (<perms>) are a combination of the characters r, w and x for read, write and execute; a single dash (-) grants nothing and creates an entry with no permissions.

Examples:

For more information on how to use the setfacl utility:

~ # man setfacl
~ # setfacl --help

Show the current file ACL using the getfacl utility:

~ # getfacl test/
# file: test/
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

01. Adding ACL rules:

To give read and write permissions to the user sales:

~ # setfacl -m u:sales:rw test/
~ # getfacl test/
# file: test/
# owner: root
# group: root
user::rwx
user:sales:rw-
group::r-x
mask::rwx
other::r-x

Notice that the line user:sales:rw- was added, and that a mask::rwx entry appeared as well: setfacl created it automatically as the union of the owning group entry (r-x) and the new entry (rw-).
ls -l does not show ACL entries, but it indicates that an ACL exists with a plus sign (+) after the permission bits. When an ACL with a mask is present, the group field printed by ls -l is the mask, not the owning group's own permissions, which is why the directory below shows as drwxrwxr-x+ although group::r-x is unchanged. When auditing a system, do not trust ls -l alone: run getfacl (or getfacl -R on a directory tree) to see who really has access.

~ # ls -ld test/
drwxrwxr-x+ 1 root root 0 Apr 27 09:47 test/

To give read and execute permissions to the group sales:

~ # setfacl -m g:sales:rx test/
~ # getfacl test/
# file: test/
# owner: root
# group: root
user::rwx
user:sales:rw-
group::r-x
group:sales:r-x
mask::rwx
other::r-x

You can add as many users or groups as you want, each with different permissions.
What if you want to remove a rule?
The -m option adds or modifies entries.
The -x option removes them (-x u:USER or -x g:GROUP); the mask is recalculated afterwards from the entries that remain.

02. Remove an ACL rule:

To remove the ACL entry for user sales:

~ # setfacl -x u:sales test/
~ # getfacl test/
# file: test/
# owner: root
# group: root
user::rwx
group::r-x
group:sales:r-x
mask::r-x
other::r-x

The mask dropped from rwx to r-x because setfacl recalculated it from the remaining entries (group::r-x and group:sales:r-x).

03. Set ACL mask:

To set a mask (the maximum effective permissions for named users, the owning group and named groups):

~ # setfacl -m m::r test/
~ # getfacl test/
# file: test/
# owner: root
# group: root
user::rwx
user:sales:rwx            #effective:r--
group::r-x            #effective:r--
group:sales:r-x            #effective:r--
mask::r--
other::r-x

In the output above user sales is present again with rwx (the entry was re-added between the steps; that command is not shown). The #effective: column shows what each entry is really worth under the r-- mask: the owner and other entries are unaffected, every named user, the owning group and every named group are cut down to read only.
A mask set by hand lasts only until the next setfacl -m or -x. Unless you pass -n, setfacl then recalculates the mask as the union of the owning group entry and all named user and named group entries, which is why adding a new entry below changes it.

Add an ACL entry for a new user and watch the mask change:

~ # setfacl -m u:account:rwx test/
~ # getfacl test/
# file: test/
# owner: root
# group: root
user::rwx
user:sales:rwx
user:account:rwx
group::r-x
group:sales:r-x
mask::rwx
other::r-x
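
The rules above (mask applied to named users and groups but not to the owner or other; owner entry first, then named user, then groups, then other) are exactly the access check described in acl(5). The following Python script is an added example, not code from the original post: it parses getfacl-style text, reproduces the #effective: column, computes the mask setfacl would recalculate, and answers "can this user do this?" for the test/ directory as it stands after setfacl -m m::r. The getfacl text is copied from the post's output; the user names bob and the group memberships passed to check_access() are assumptions, and the check is done by name rather than by uid/gid for readability.

```python
import re

# Constructed input: getfacl output for the post's test/ directory right after
# `setfacl -m m::r test/` (names and dashes as the post prints them).
GETFACL_OUTPUT = """\
# file: test/
# owner: root
# group: root
user::rwx
user:sales:rwx            #effective:r--
group::r-x            #effective:r--
group:sales:r-x            #effective:r--
mask::r--
other::r-x
"""


def parse_perms(text):
    """'rw-' or 'rw' -> {'r', 'w'}; dashes are placeholders and carry nothing."""
    return {c for c in text if c in "rwx"}


def parse_getfacl(text):
    """Parse getfacl text into (owner, owning_group, entries).

    entries holds (tag, qualifier, perms) with tag user/group/mask/other, an
    empty qualifier for the owner, owning-group, mask and other entries, and
    perms as a set of 'r', 'w', 'x'. default: entries are skipped because they
    play no part in access checks on the directory itself."""
    owner = owning_group = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            m = re.match(r"#\s*(owner|group):\s*(\S+)", line)
            if m and m.group(1) == "owner":
                owner = m.group(2)
            elif m:
                owning_group = m.group(2)
            continue
        line = line.split("#", 1)[0].strip()        # drop the #effective: annotation
        parts = line.split(":")
        if parts[0] == "default":
            continue
        tag, qualifier, perms = parts
        entries.append((tag, qualifier, parse_perms(perms)))
    return owner, owning_group, entries


def effective(entries):
    """Apply the mask the way getfacl's #effective: column does: named users,
    the owning group and named groups are limited; owner and other are not."""
    mask = next((p for t, _, p in entries if t == "mask"), None)
    result = []
    for tag, qualifier, perms in entries:
        limited = tag == "group" or (tag == "user" and qualifier != "")
        if mask is not None and limited:
            perms = perms & mask
        result.append((tag, qualifier, perms))
    return result


def recalculated_mask(entries):
    """The mask setfacl writes after -m/-x without -n: the union of the owning
    group entry and every named user and named group entry."""
    mask = set()
    for tag, qualifier, perms in entries:
        if tag == "group" or (tag == "user" and qualifier != ""):
            mask |= perms
    return mask


def check_access(text, user, groups, want):
    """True if `user`, whose primary and supplementary groups are `groups`,
    gets every permission in `want` ('r', 'w', 'x' characters).

    Order from acl(5): owner entry, then a matching named user entry, then all
    matching group entries (any one that grants the request suffices), then
    other. A user who matches a named user entry or any group entry never
    falls through to other, even when other would be more generous."""
    owner, owning_group, entries = parse_getfacl(text)
    want = parse_perms(want)
    eff = {(t, q): p for t, q, p in effective(entries)}
    if user == owner:
        return want <= eff[("user", "")]
    if ("user", user) in eff:
        return want <= eff[("user", user)]
    matching = [p for (t, q), p in eff.items()
                if t == "group" and (owning_group if q == "" else q) in groups]
    if matching:
        return any(want <= p for p in matching)
    return want <= eff[("other", "")]


if __name__ == "__main__":
    _, _, entries = parse_getfacl(GETFACL_OUTPUT)
    for tag, qualifier, perms in effective(entries):
        print(f"{tag}:{qualifier}:{''.join(sorted(perms))}")
    print("mask setfacl would recompute:", "".join(sorted(recalculated_mask(entries))))
    print("sales write?", check_access(GETFACL_OUTPUT, "sales", {"sales"}, "w"))         # False
    print("bob in sales, execute?", check_access(GETFACL_OUTPUT, "bob", {"sales"}, "x"))  # False
    print("bob not in sales, execute?", check_access(GETFACL_OUTPUT, "bob", {"bob"}, "x"))  # True
```

The last two calls are the point worth remembering: a user who is in the sales group is denied execute because group:sales:r-x is masked down to r--, while a user who matches no entry at all gets execute from other::r-x. Membership in a named group can therefore give a user less than a stranger gets, and a named user entry with no permissions (such as user:ahmed:--- further down the page) is an outright deny that no group membership can override.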

04. Setting other permissions using setfacl:

To set the other permissions: there is only one other entry and it takes no name, so you would normally set it with chmod, but setfacl can do the same thing.

~ # chmod o+rwx test/
~ # ls -ld test/
drwxrwxrwx+ 1 root root 0 Apr 27 09:47 test/
~ # setfacl -m o:rx test/
~ # ls -ld test/
drwxrwxr-x+ 1 root root 0 Apr 27 09:47 test/

05. Set default ACL rules:

To set default entries, which are inherited by files and subdirectories created inside the directory afterwards (existing files are not changed), use d:<u/g/o>:<perms>

# To set the default entry for the owner user (d::rw is shorthand for d:u::rw):

setfacl -m d::rw test/

# When setfacl creates a default ACL it fills in the default owner, group, other and mask entries from the access ACL, unless you set them explicitly.
# To set a default entry for a specific user or group, use u or g and the name:

setfacl -m d:u:john:rwx test/

# If you don't give a user or group name after u or g, the default entry applies to the owner user or the owning group.

To set a default ACL entry for user sales:

~ # setfacl -m d:u:sales:rw test/
~ # getfacl test/
# file: test/
# owner: root
# group: root
user::rwx
user:sales:rwx
user:account:rwx
user:ahmed:---
group::r-x
group:sales:r-x
mask::rwx
other::r-x
default:user::rwx
default:user:sales:rw-
default:group::r-x
default:mask::rwx
default:other::r-x

Did you notice? We only set a default entry for user sales, but getfacl now also shows default entries for the owner, group, other and a default mask. A default ACL must be complete, so setfacl copied those from the access ACL and computed the default mask as the union of default:group::r-x and default:user:sales:rw-. These default entries do not change what sales can do in test/ itself; they only shape the ACL of new files and subdirectories created inside it.
(The entry user:ahmed:--- in the access ACL was also added between the steps; that command is not shown. An entry with no permissions is an explicit deny: ahmed is refused even if he belongs to a group that is allowed, because a matching named user entry is checked before any group entry and never falls through.)
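
What a new file inside test/ actually ends up with is worth working through, because the default ACL is not copied unchanged: the owner, mask and other entries are ANDed with the mode the creating program asked for, and the process umask is not applied at all once a default ACL exists. The following Python script is an added example, not code from the original post; it models the object-creation rule from acl(5) for the default ACL shown above. The parent default ACL is constructed from the post's getfacl output, and the 0o666 and 0o777 create modes are the usual values passed by open(2) and mkdir(2) (an assumption about the creating program).

```python
# Default ACL of the parent directory as (tag, qualifier, perms) triples.
# Constructed to match the post's test/ after `setfacl -m d:u:sales:rw test/`
# (the "default:" prefix getfacl prints is dropped here).
PARENT_DEFAULT_ACL = [
    ("user",  "",      "rwx"),
    ("user",  "sales", "rw-"),
    ("group", "",      "r-x"),
    ("mask",  "",      "rwx"),
    ("other", "",      "r-x"),
]


def bits_to_perms(bits):
    """3-bit rwx value -> 'rwx'-style string, e.g. 6 -> 'rw-'."""
    return "".join(c if bits & b else "-" for c, b in (("r", 4), ("w", 2), ("x", 1)))


def and_perms(a, b):
    """Keep only the permissions present in both 'rwx'-style strings."""
    return "".join(x if x == y and x != "-" else "-" for x, y in zip(a, b))


def inherit_acl(parent_default, mode, is_dir=False):
    """ACL a new object gets when created with `mode` inside a directory that
    carries `parent_default` (acl(5), "Object creation and default ACLs").

    The default ACL is copied as the access ACL; then the owner entry, the mask
    (or the owning-group entry when there is no mask) and the other entry are
    ANDed with the matching bits of `mode`. Named entries are copied unchanged
    and remain limited by the mask. The umask is not applied when the parent
    has a default ACL, so `mode` is what the program passed to open(2)/mkdir(2),
    normally 0o666 for files and 0o777 for directories.
    Returns (access_acl, default_acl); only directories inherit the default."""
    owner_bits = bits_to_perms((mode >> 6) & 7)
    group_bits = bits_to_perms((mode >> 3) & 7)
    other_bits = bits_to_perms(mode & 7)
    has_mask = any(tag == "mask" for tag, _, _ in parent_default)
    access = []
    for tag, qualifier, perms in parent_default:
        if tag == "user" and qualifier == "":
            perms = and_perms(perms, owner_bits)
        elif tag == "mask" or (tag == "group" and qualifier == "" and not has_mask):
            perms = and_perms(perms, group_bits)
        elif tag == "other":
            perms = and_perms(perms, other_bits)
        access.append((tag, qualifier, perms))
    return access, (list(parent_default) if is_dir else [])


def mode_string(access_acl):
    """The nine permission characters ls -l prints for this ACL: the group
    field shows the mask when one exists, not the owning group's own entry."""
    by_key = {(tag, q): perms for tag, q, perms in access_acl}
    group_field = by_key.get(("mask", ""), by_key[("group", "")])
    return by_key[("user", "")] + group_field + by_key[("other", "")]


if __name__ == "__main__":
    for name, mode, is_dir in (("file", 0o666, False), ("subdir", 0o777, True)):
        access, default = inherit_acl(PARENT_DEFAULT_ACL, mode, is_dir)
        print(f"{name} created with mode {mode:o}: ls -l shows {mode_string(access)}+")
        for tag, qualifier, perms in access:
            print(f"  {tag}:{qualifier}:{perms}")
        for tag, qualifier, perms in default:
            print(f"  default:{tag}:{qualifier}:{perms}")
```

For a regular file created with mode 0666 this yields user::rw-, user:sales:rw-, group::r-x (effective r-- under the new rw- mask), mask::rw- and other::r--, which ls -l shows as -rw-rw-r--+. Note the security consequence: a restrictive umask such as 077 in the creating process makes no difference here, the default ACL's other entry decides what strangers can read, so a default ACL on a shared directory has to be reviewed as carefully as the directory's own permissions.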

06. Remove all default rules at once:

What if we want to remove all default entries at once?
Use the -k option:

~ # setfacl -k test/
~ # getfacl test/
# file: test/
# owner: root
# group: root
user::rwx
user:sales:rwx
user:account:rwx
user:ahmed:---
group::r-x
group:sales:r-x
mask::rwx
other::r-x

07. Remove all ACL rules at once:

What if we want to remove all ACL entries from a file or directory?
Use the -b option; it removes every named entry, the mask and the default ACL, leaving only the owner, group and other entries:

~ # setfacl -b test/
~ # getfacl test/
# file: test/
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

~ # ls -ld test/
drwxr-xr-x 1 root root 10 Apr 27 10:40 test/

Notice that it is back to plain mode bits: the plus sign is gone and the group field shows the owning group's real permissions again.

That was Linux File ACL, I hope it was simple.
Thanks for joining me.

Enjoy!
