17.8 About Access Control Lists

17.8.1 Configuring ACL Support
17.8.2 Setting and Displaying ACLs

POSIX Access Control Lists (ACLs) provide a richer access control model than traditional UNIX Discretionary Access Control (DAC), which sets only read, write, and execute permissions for the owner, the group, and all other system users. You can configure ACLs that define access rights for more than a single user or group, and specify rights for programs, processes, files, and directories. If you set a default ACL on a directory, its descendants inherit the same rights automatically. You can use ACLs with btrfs, ext3, ext4, OCFS2, and XFS file systems and with mounted NFS file systems.

An ACL consists of a set of rules that specify how a specific user or group can access the file or directory with which the ACL is associated. An access ACL entry specifies access information for a single file or directory. A default ACL entry can be set on directories only, and specifies the default access information for any file within the directory that does not have an access ACL of its own.

17.8.1 Configuring ACL Support

To enable ACL support:

  1. Install the acl package:

    # yum install acl
  2. Edit /etc/fstab and change the entries for the file systems with which you want to use ACLs so that they include the appropriate option that supports ACLs, for example:

    LABEL=/work      /work       ext4     acl     0 0

    For mounted Samba shares, use the cifsacl option instead of acl.

  3. Remount the file systems, for example:

    # mount -o remount /work

17.8.2 Setting and Displaying ACLs

To add or modify the ACL rules for a file, use the setfacl command:

# setfacl -m rules file ...

The rules take the following forms:

[d:]u:user[:permissions]

Sets the access ACL for the user specified by name or user ID. The permissions apply to the owner if a user is not specified.

[d:]g:group[:permissions]

Sets the access ACL for a group specified by name or group ID. The permissions apply to the owning group if a group is not specified.

[d:]m[:][:permissions]

Sets the effective rights mask, which is the union of all permissions of the owning group and all of the user and group entries.

[d:]o[:][:permissions]

Sets the access ACL for other (everyone else to whom no other rule applies).

The permissions are r, w, and x for read, write, and execute as used with chmod.

The d: prefix is used to apply the rule to the default ACL for a directory.

To display a file's ACL, use the getfacl command, for example:

# getfacl foofile
# file: foofile
# owner: bob
# group: bob
user::rw-
user:fiona:r--
user:jack:rw-                   #effective:r--
user:jill:rw-                   #effective:r--
group::r--
mask::r--
other::r--

If extended ACLs are active on a file, the -l option to ls displays a plus sign (+) after the permissions, for example:

# ls -l foofile
-rw-r--r--+ 1 bob bob  105322 Apr 11 11:02 foofile

The following are examples of how to set and display ACLs for directories and files.

Grant a user read access to a file or directory.

# setfacl -m u:user:r file

Display the name, owner, group, and ACL for a file or directory.

# getfacl file

Remove write access to a file for all named users, named groups, and the owning group by modifying the effective rights mask rather than the individual entries (the mask does not restrict the owner or other entries).

# setfacl -m m::rx file
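The effect of the mask is the point most often misread when checking who can reach a file: it caps the named user entries, the named group entries and the owning group, but never the owner or other entries. The following Python, added here as an illustration and not part of the Oracle documentation, parses getfacl output in the format shown on this page and applies the acl(5) access-check order to it; the file, user and group names in the sample are constructed.

```python
import re

# Constructed getfacl output in the format shown above (assumption: foofile is
# owned by bob:bob, has a named entry for jack, and its mask is r--).
SAMPLE = """\
# owner: bob
# group: bob
user::rw-
user:jack:rw-               #effective:r--
group::r--
mask::r--
other::r--
"""

def parse_getfacl(text):
    """Parse getfacl text output into a dict; default: entries are skipped."""
    acl = {"users": {}, "groups": {}, "mask": None}
    for raw in text.splitlines():
        line, _, comment = raw.partition("#")
        if not line.strip():  # header comment such as "# owner: bob"
            m = re.match(r"\s*(owner|group):\s*(\S+)", comment)
            if m:
                acl["file_" + m.group(1)] = m.group(2)
            continue
        parts = line.strip().split(":")
        if parts[0] == "default":  # default ACL entries are not access rules
            continue
        tag, qual, perms = parts
        perms = set(perms) - {"-"}
        if tag in ("user", "group") and qual:
            acl[tag + "s"][qual] = perms  # named user/group entry
        else:
            acl[tag] = perms  # user::, group::, mask::, other::
    return acl

def check_access(acl, user, groups, want):
    """acl(5) check: owner/other are never masked; named users, named groups and the owning group are."""
    want = set(want)
    mask = acl["mask"] if acl["mask"] is not None else set("rwx")
    if user == acl.get("file_owner"):
        return want <= acl["user"]
    if user in acl["users"]:
        return want <= (acl["users"][user] & mask)
    matched = False
    for g in groups:
        entry = acl["group"] if g == acl.get("file_group") else acl["groups"].get(g)
        if entry is not None:
            matched = True
            if want <= (entry & mask):  # a single entry must grant all bits
                return True
    return not matched and want <= acl["other"]
```

With the sample above, check_access(acl, "jack", ["staff"], "w") is False even though jack's entry says rw-, while the owner bob keeps write access regardless of the mask.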

The -x option removes rules for a user or group.

Remove the rules for a user from the ACL of a file.

# setfacl -x u:user file

Remove the rules for a group from the ACL of a file.

# setfacl -x g:group file

The -b option removes all extended ACL entries from a file or directory.

# setfacl -b file

Copy the ACL of file f1 to file f2.

# getfacl f1 | setfacl --set-file=- f2

Set a default ACL of read and execute access for other on a directory:

# setfacl -m d:o:rx directory

Promote the ACL settings of a directory to default ACL settings that can be inherited.

# getfacl --access directory | setfacl -d -M- directory

The -k option removes the default ACL from a directory.

# setfacl -k directory

For more information, see the acl(5), setfacl(1), and getfacl(1) manual pages.