test

System Administration Guide: Security Services

ProcedureHow to Add ACL Entries to a File

  1. Set an ACL on a file by using the setfacl command.


    % setfacl -s user::perms,group::perms,other:perms,mask:perms,acl-entry-list filename ...
    -s

    Sets an ACL on the file. If a file already has an ACL, it is replaced. This option requires at least the user::, group::, and other:: entries.

    user::perms

    Specifies the file owner permissions.

    group::perms

    Specifies the group ownership permissions.

    other:perms

    Specifies the permissions for users other than the file owner or members of the group.

    mask:perms

    Specifies the permissions for the ACL mask. The mask indicates the maximum permissions that are allowed for users (other than the owner) and for groups.

    acl-entry-list

    Specifies the list of one or more ACL entries to set for specific users and groups on the file or directory. You can also set default ACL entries on a directory. Table 6–7 and Table 6–8 show the valid ACL entries.

    filename ...

    Specifies one or more files or directories on which to set the ACL. Multiple filenames are separated by spaces.

    Caution – Caution –

    If an ACL already exists on the file, the -s option replaces the entire ACL with the new ACL.

    For more information, see the setfacl(1) man page.

  2. Verify that the ACL entries were set on the file.


    % getfacl filename

    For more information, see How to Check if a File Has an ACL.

Example 6–7 Setting an ACL on a File

In the following example, the file owner permissions are set to read and write, file group permissions are set to read only, and other permissions are set to none on the ch1.sgm file. In addition, the user anusha is given read and write permissions on the file. The ACL mask permissions are set to read and write, which means that no user or group can have execute permissions.


% setfacl -s user::rw-,group::r--,other:---,mask:rw-,user:anusha:rw- ch1.sgm
% ls -l
total 124
-rw-r-----+  1 stacey  techpubs   34816 Nov 11 14:16 ch1.sgm
-rw-r--r--   1 stacey  techpubs   20167 Nov 11 14:16 ch2.sgm
-rw-r--r--   1 stacey  techpubs    8192 Nov 11 14:16 notes
% getfacl ch1.sgm
# file: ch1.sgm
# owner: stacey
# group: techpubs
user::rw-
user:anusha:rw-    #effective:rw-
group::r--         #effective:r--
mask:rw-
other:---

In the following example, the file owner permissions are set to read, write, and execute, file group permissions are set to read only, other permissions are set to none. In addition, the ACL mask permissions are set to read on the ch2.sgm file. Finally, the user anusha is given read and write permissions. However, due to the ACL mask, the permissions for anusha are read only.


% setfacl -s u::7,g::4,o:0,m:4,u:anusha:7 ch2.sgm
% getfacl ch2.sgm
# file: ch2.sgm
# owner: stacey
# group: techpubs
user::rwx
user:anusha:rwx         #effective:r--
group::r--              #effective:r--
mask:r--
other:---