Traditional UNIX file protection provides read, write, and execute permissions for the three user classes: file owner, file group, and other. An ACL provides better file security by enabling you to define file permissions for the file owner, file group, other, specific users and groups, and default permissions for each of those categories.
For example, if you want everyone in a group to be able to read a file, you simply give the group read permission on that file. Now assume you want only one person in that group to be able to write to the file. Standard UNIX permissions cannot express that; an ACL can, because it carries entries for individual users and groups in addition to the owner, group, and other classes.
ACL entries are the way to define an ACL on a file, and they are set through the setfacl(1) command. ACL entries consist of the following fields separated by colons:

```
entry_type:[uid|gid]:perms
```

| Field | Description |
|---|---|
| entry_type | Type of ACL entry on which to set file permissions. For example, entry_type can be user (the owner of a file) or mask (the ACL mask). |
| uid | User name or numeric user ID. |
| gid | Group name or numeric group ID. |
| perms | The permissions set for entry_type. perms can be given as the symbolic characters rwx or as a single octal digit (the same permission numbers used with the chmod command). |

The following example shows an ACL entry that sets read/write permissions for the user nathan.

```
user:nathan:rw-
```
ACLs are a UFS file system attribute and are preserved only on UFS file systems. If you restore or copy files with ACL entries into the /tmp directory, which is usually mounted as a TMPFS file system, the ACL entries are lost. Use the /var/tmp directory for temporary storage of UFS files.
The table below lists the valid ACL entries. The first three ACL entries provide the basic UNIX file protection.

Table 17-8 ACL Entries for Files

| ACL Entry | Description |
|---|---|
| u[ser]::perms | File owner permissions. |
| g[roup]::perms | File group permissions. |
| o[ther]:perms | Permissions for users other than the file owner or members of the file group. |
| m[ask]:perms | The ACL mask. The mask entry sets the maximum permissions allowed for named users, for the file group, and for named groups; it does not limit the file owner or other. The mask is a quick way to change the permissions of all those entries at once. For example, the entry mask:r-- means that those users and groups cannot have more than read permission, even if their own entries grant write or execute. |
| u[ser]:uid:perms | Permissions for a specific user. For uid, you can specify either a user name or a numeric UID. |
| g[roup]:gid:perms | Permissions for a specific group. For gid, you can specify either a group name or a numeric GID. |
In addition to the ACL entries described in Table 17-8, you can set default ACL entries on a directory. Files and directories created in a directory that has default ACL entries inherit those default entries as their own ACL entries. The table below lists the default ACL entries for directories.
When you set default ACL entries for specific users and groups on a directory for the first time, you must also set default ACL entries for the file owner, file group, others, and the ACL mask (these are required and are the first four default ACL entries in the table below).
Table 17-9 Default ACL Entries for Directories

| Default ACL Entry | Description |
|---|---|
| d[efault]:u[ser]::perms | Default file owner permissions. |
| d[efault]:g[roup]::perms | Default file group permissions. |
| d[efault]:o[ther]:perms | Default permissions for users other than the file owner or members of the file group. |
| d[efault]:m[ask]:perms | Default ACL mask. |
| d[efault]:u[ser]:uid:perms | Default permissions for a specific user. For uid, you can specify either a user name or a numeric UID. |
| d[efault]:g[roup]:gid:perms | Default permissions for a specific group. For gid, you can specify either a group name or a numeric GID. |
Set an ACL on a file by using the setfacl command.

```
$ setfacl -s user::perms,group::perms,other:perms,mask:perms,acl_entry_list filename ...
```

| Argument | Description |
|---|---|
| -s | Sets an ACL on the file. If the file already has an ACL, it is replaced. This option requires at least the file owner, file group, and other entries. |
| user::perms | Specifies the file owner permissions. |
| group::perms | Specifies the file group permissions. |
| other:perms | Specifies the permissions for users other than the file owner or members of the file group. |
| mask:perms | Specifies the permissions for the ACL mask. The mask indicates the maximum permissions allowed for users (other than the owner) and for groups. |
| acl_entry_list | Specifies the list of one or more ACL entries to set for specific users and groups on the file or directory. You can also set default ACL entries on a directory. Table 17-8 and Table 17-9 show the valid ACL entries. |
| filename | Specifies one or more files or directories on which to set the ACL. |
To verify that an ACL was set on the file, see "How to Check If a File Has an ACL". To verify which ACL entries were set on the file, use the getfacl command.
```
$ getfacl filename
```
If an ACL already exists on the file, the -s option will replace the entire ACL with the new ACL.
The following example sets the file owner permissions to read/write, file group permissions to read only, and other permissions to none on the ch1.doc file. In addition, the user george is given read/write permissions on the file, and the ACL mask permissions are set to read/write, which means no user or group can have execute permissions.
```
$ setfacl -s user::rw-,group::r--,other:---,mask:rw-,user:george:rw- ch1.doc
$ ls -l
total 124
-rw-r-----+  1 nathan   sysadmin   34816 Nov 11 14:16 ch1.doc
-rw-r--r--   1 nathan   sysadmin   20167 Nov 11 14:16 ch2.doc
-rw-r--r--   1 nathan   sysadmin    8192 Nov 11 14:16 notes
$ getfacl ch1.doc
# file: ch1.doc
# owner: nathan
# group: sysadmin
user::rw-
user:george:rw-         #effective:rw-
group::r--              #effective:r--
mask:rw-
other:---
```
The following example sets the file owner permissions to read/write/execute, file group permissions to read only, other permissions to none, and the ACL mask permissions to read on the ch2.doc file. In addition, the user george is given read/write permissions; however, due to the ACL mask, the effective permissions for george are read only.
```
$ setfacl -s u::7,g::4,o:0,m:4,u:george:7 ch2.doc
$ getfacl ch2.doc
# file: ch2.doc
# owner: nathan
# group: sysadmin
user::rwx
user:george:rwx         #effective:r--
group::r--              #effective:r--
mask:r--
other:---
```
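The entry syntax described earlier, the entries that setfacl -s insists on, and the #effective: column in the two listings above can all be checked offline. The following Python script is an added example, not code from the Solaris documentation: it parses a comma-separated acl_entry_list (symbolic or numeric perms, full or one-letter tags, an optional default: prefix), reports what setfacl -s would reject, applies the mask, and renders a getfacl-style listing. Assumptions: the rule that a mask entry must accompany any named user or group entry is taken from the -s synopsis and from the rule this page states for default entries; the function names are the example's own, and the ch1.doc and ch2.doc ACLs are constructed from the listings above rather than read from a file system.

```python
"""Parse Solaris-style setfacl entry lists, validate what setfacl -s requires,
apply the ACL mask and render getfacl-style output.  Added example; it models
the entry syntax only and never touches a file system."""
from dataclasses import dataclass

# Long form of each entry tag; setfacl(1) also accepts the first letter.
TAGS = {"u": "user", "g": "group", "o": "other", "m": "mask", "d": "default"}


@dataclass(frozen=True)
class Entry:
    default: bool   # True for "default:" entries on a directory
    tag: str        # user | group | other | mask
    who: str        # user/group name or ID; "" for owner, file group, other, mask
    perms: str      # always symbolic, e.g. "rw-"


def expand(tag: str) -> str:
    """Accept 'u' or 'user' (and so on) and return the long tag name."""
    long = TAGS.get(tag[:1])
    if long is None or tag not in (tag[:1], long):
        raise ValueError(f"unknown ACL entry tag {tag!r}")
    return long


def parse_perms(text: str) -> str:
    """Accept symbolic 'rw-' or one chmod-style digit such as '6'; return symbolic."""
    if len(text) == 1 and text.isdigit() and int(text) <= 7:
        n = int(text)
        return ("r" if n & 4 else "-") + ("w" if n & 2 else "-") + ("x" if n & 1 else "-")
    if len(text) == 3 and all(c in ok for c, ok in zip(text, ("r-", "w-", "x-"))):
        return text
    raise ValueError(f"bad permissions {text!r}")


def parse_entry(text: str) -> Entry:
    """Parse one entry such as 'user:george:rw-', 'm:4' or 'default:o:---'."""
    fields = text.split(":")
    default = expand(fields[0]) == "default"
    if default:
        fields = fields[1:]
    if not fields or (tag := expand(fields[0])) == "default":
        raise ValueError(f"malformed ACL entry {text!r}")
    if tag in ("user", "group") and len(fields) == 3:
        who, perms = fields[1], fields[2]          # who == "" means owner / file group
    elif tag in ("other", "mask") and len(fields) == 2:
        who, perms = "", fields[1]
    else:
        raise ValueError(f"malformed ACL entry {text!r}")
    return Entry(default, tag, who, parse_perms(perms))


def parse_list(text: str) -> list[Entry]:
    """Parse the comma-separated acl_entry_list given to setfacl -s or -m."""
    return [parse_entry(item) for item in text.split(",")]


def check_set(entries: list[Entry]) -> list[str]:
    """What setfacl -s requires: owner, file group and other entries, plus a mask
    whenever named user/group entries exist.  Default entries, if any, are held
    to the same rule.  Returns the list of problems (empty means acceptable)."""
    problems = []
    for default in (False, True):
        part = [e for e in entries if e.default == default]
        if default and not part:
            continue                      # default entries are optional
        label = "default " if default else ""
        have = {(e.tag, e.who) for e in part}
        for tag in ("user", "group", "other"):
            if (tag, "") not in have:
                problems.append(f"missing {label}{tag} entry")
        if any(e.who for e in part) and ("mask", "") not in have:
            problems.append(f"named {label}entries present but no {label}mask entry")
    return problems


def apply_mask(perms: str, mask: str) -> str:
    """Effective permissions: a bit survives only if it is also set in the mask."""
    return "".join(p if p == m else "-" for p, m in zip(perms, mask))


def render(entries: list[Entry], filename: str, owner: str, group: str) -> str:
    """getfacl-style listing.  '#effective:' is shown for named users and for
    group entries, the only entries the mask limits; owner and other are never masked."""
    lines = [f"# file: {filename}", f"# owner: {owner}", f"# group: {group}"]
    order = {"user": 0, "group": 1, "mask": 2, "other": 3}
    for default in (False, True):
        part = sorted((e for e in entries if e.default == default),
                      key=lambda e: (order[e.tag], e.who))
        mask = next((e.perms for e in part if e.tag == "mask"), None)
        for e in part:
            head = f"{e.tag}:{e.who}:" if e.tag in ("user", "group") else f"{e.tag}:"
            line = ("default:" if default else "") + head + e.perms
            limited = e.tag == "group" or (e.tag == "user" and e.who != "")
            if limited and mask is not None and not default:
                line += f"\t\t#effective:{apply_mask(e.perms, mask)}"
            lines.append(line)
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed input: the ch1.doc ACL from the listing above.
    acl = parse_list("user::rw-,group::r--,other:---,mask:rw-,user:george:rw-")
    print(check_set(acl) or "acceptable to setfacl -s")
    print(render(acl, "ch1.doc", "nathan", "sysadmin"))
    # An entry list that setfacl -s would reject: no other entry and no mask.
    print(check_set(parse_list("u::rw-,g::r--,u:george:rw-")))
```

Feeding the script the numeric form used for ch2.doc (u::7,g::4,o:0,m:4,u:george:7) reproduces the second listing, with george's rwx reduced to an effective r-- by the r-- mask; that reduction happens entirely in apply_mask, which is the whole of what the mask entry does.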
Copy a file's ACL to another file by redirecting the getfacl output.

```
$ getfacl filename1 | setfacl -f - filename2
```

| Argument | Description |
|---|---|
| filename1 | Specifies the file from which to copy the ACL. |
| filename2 | Specifies the file on which to set the copied ACL. |

The following example copies the ACL on ch2.doc to ch3.doc.

```
$ getfacl ch2.doc | setfacl -f - ch3.doc
```
Check if a file has an ACL by using the ls command.

```
$ ls -l filename
```

| Argument | Description |
|---|---|
| filename | Specifies the file or directory. |

A plus sign (+) to the right of the mode field indicates that the file has an ACL.

A file whose ACL contains only the owner, file group, and other entries, with no entries for additional users or groups, is said to have a "trivial" ACL, and the + is not displayed for it.

The following example shows that ch1.doc has an ACL, because the listing has a `+' to the right of the mode field.

```
$ ls -l ch1.doc
-rwxr-----+  1 nathan   sysadmin     167 Nov 11 11:13 ch1.doc
```
Modify ACL entries on a file by using the setfacl command.

```
$ setfacl -m acl_entry_list filename1 [filename2 ...]
```

| Argument | Description |
|---|---|
| -m | Modifies the existing ACL entries. An entry that already exists for the same user or group is replaced; otherwise the entry is added. |
| acl_entry_list | Specifies the list of one or more ACL entries to modify on the file or directory. You can also modify default ACL entries on a directory. Table 17-8 and Table 17-9 show the valid ACL entries. |
| filename ... | Specifies one or more files or directories. |

To verify that the ACL entries were modified on the file, use the getfacl command.

```
$ getfacl filename
```

The following example modifies the permissions for the user george to read/write. Because the mask entry is still r-- and -m does not recalculate the mask on its own (the -r option does that), george's effective permissions remain read only.

```
$ setfacl -m user:george:6 ch3.doc
$ getfacl ch3.doc
# file: ch3.doc
# owner: nathan
# group: staff
user::rw-
user:george:rw-         #effective:r--
group::r--              #effective:r--
mask:r--
other:r--
```
The following example modifies the default permissions for the group staff to read and the default ACL mask permissions to read/write on the book directory.
```
$ setfacl -m default:group:staff:4,default:mask:6 book
```
Delete ACL entries from a file by using the setfacl command.
```
$ setfacl -d acl_entry_list filename1 ...
```

| Argument | Description |
|---|---|
| -d | Deletes the specified ACL entries. |
| acl_entry_list | Specifies the list of ACL entries (without specifying the permissions) to delete from the file or directory. You can only delete ACL entries and default ACL entries for specific users and groups. Table 17-8 and Table 17-9 show the valid ACL entries. |
| filename ... | Specifies one or more files or directories. |
Alternately, you can use the setfacl -s command to delete all the ACL entries on a file and replace them with the new ACL entries specified.
To verify that the ACL entries were deleted from the file, use the getfacl command.
$ getfacl filename |
The following example deletes the user george from the ch4.doc file.
```
$ setfacl -d user:george ch4.doc
```
Display ACL entries for a file by using the getfacl command.
```
$ getfacl [-a | -d] filename1 ...
```

| Argument | Description |
|---|---|
| -a | Displays the file name, file owner, file group, and ACL entries for the specified file or directory. |
| -d | Displays the file name, file owner, file group, and default ACL entries for the specified directory. |
| filename ... | Specifies one or more files or directories. |
If you specify multiple file names on the command line, the ACL entries are separated by a blank line.
The following example shows all the ACL entries for the ch1.doc file. The #effective: note beside the user and group entries indicates what the permissions are after being modified by the ACL mask.
```
$ getfacl ch1.doc
# file: ch1.doc
# owner: nathan
# group: sysadmin
user::rw-
user:george:r--         #effective:r--
group::rw-              #effective:rw-
mask:rw-
other:---
```
The following example shows the default ACL entries for the book directory.
```
$ getfacl -d book
# file: book
# owner: nathan
# group: sysadmin
user::rwx
user:george:r-x         #effective:r-x
group::rwx              #effective:rwx
mask:rwx
other:---
default:user::rw-
default:user:george:r--
default:group::rw-
default:mask:rw-
default:other:---
```
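The #effective: column tells you what a named user or group entry is worth after the mask, but not which entry decides when several could apply to one requester. The following Python function is an added example, not from the Solaris documentation: it evaluates an access request against an ACL in the POSIX 1003.1e draft order that UFS ACLs implement (the owner entry, never masked; then a matching named-user entry; then the file group and any matching named groups, under the mask, where one granting entry is enough; then other). The ACL is the ch2.doc example from this page, built inline as tuples; the function names and the sample requesters are the example's own.

```python
"""Decide who may do what under a Solaris UFS (POSIX 1003.1e draft) ACL.
Added example: it applies the draft's evaluation order, which the page shows
only indirectly through the '#effective:' column of getfacl."""

# Constructed sample: the ch2.doc ACL from the page as (tag, who, perms) tuples.
# The file is owned by nathan, file group sysadmin.
CH2_ACL = [
    ("user", "", "rwx"),
    ("user", "george", "rwx"),
    ("group", "", "r--"),
    ("mask", "", "r--"),
    ("other", "", "---"),
]


def masked(perms: str, mask: str) -> str:
    """Permission bits that survive the mask (what getfacl prints as #effective)."""
    return "".join(p if p == m else "-" for p, m in zip(perms, mask))


def grants(perms: str, wanted: str) -> bool:
    """True when every requested bit (a subset of 'rwx') is present in perms."""
    return all(bit in perms for bit in wanted)


def access(acl, file_owner, file_group, uid, groups, wanted):
    """Decide whether uid, a member of `groups`, may perform `wanted` on the file.

    Evaluation order:
      1. uid is the owner: the user:: entry alone, the mask does not apply;
      2. a named user entry for uid: that entry under the mask, and it is
         decisive even if a group entry would have granted more;
      3. the file group and named groups that uid belongs to, each under the
         mask: access is granted if any one of them grants it;
      4. otherwise the other entry.
    Returns (granted, the entry that decided it).
    """
    find = lambda tag, who="": next(p for t, w, p in acl if (t, w) == (tag, who))
    mask = next((p for t, w, p in acl if t == "mask"), "rwx")   # no mask: no cap
    named_users = {w: p for t, w, p in acl if t == "user" and w}
    named_groups = {w: p for t, w, p in acl if t == "group" and w}

    if uid == file_owner:
        return grants(find("user"), wanted), f"user::{find('user')}"
    if uid in named_users:
        eff = masked(named_users[uid], mask)
        return grants(eff, wanted), f"user:{uid}:{named_users[uid]} #effective:{eff}"
    matches = []
    if file_group in groups:
        matches.append((f"group::{find('group')}", masked(find("group"), mask)))
    matches += [(f"group:{g}:{named_groups[g]}", masked(named_groups[g], mask))
                for g in groups if g in named_groups]
    for label, eff in matches:
        if grants(eff, wanted):
            return True, f"{label} #effective:{eff}"
    if matches:
        return False, f"matching group entries do not grant {wanted}"
    return grants(find("other"), wanted), f"other:{find('other')}"


if __name__ == "__main__":
    # Constructed requesters against the ch2.doc ACL.
    for who, groups, want in [("nathan", ["sysadmin"], "w"), ("george", ["sysadmin"], "w"),
                              ("george", ["sysadmin"], "r"), ("alice", ["sysadmin"], "r"),
                              ("bob", ["staff"], "r")]:
        ok, why = access(CH2_ACL, "nathan", "sysadmin", who, groups, want)
        print(f"{who:7} wants {want}: {'grant' if ok else 'deny'}  ({why})")
```

Two points the output makes concrete. The owner keeps rwx although the mask is r--, so a mask is a cap on everyone except the file owner and other. And a named user entry is decisive: if george's entry were user:george:r-- while the sysadmin group entry granted rw- under an rw- mask, george would still be denied write even though he is a member of sysadmin, because step 2 ends the evaluation before the group entries are consulted.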