test

System Administration Guide, Volume 2

How to Set an ACL on a File

  1. Set an ACL on a file by using the setfacl command. 


    $ setfacl -s user::perms,group::perms,other:perms,mask:perms,acl_entry_list filename ...

    -s

    Sets an ACL on the file. If a file already has an ACL, it is replaced. This option requires at least the file owner, file group, and other entries. 

    user::perms

    Specifies the file owner permissions. 

    group::perms

    Specifies the file group permissions. 

    other:perms

    Specifies the permissions for users other than the file owner or members of the file group. 

    mask:perms

    Specifies the permissions for the ACL mask. The mask indicates the maximum permissions allowed for users (other than the owner) and for groups. 

    acl_entry_list

    Specifies the list of one or more ACL entries to set for specific users and groups on the file or directory. You can also set default ACL entries on a directory. Table 17-8 and Table 17-9 show the valid ACL entries.

    filename

    Specifies one or more files or directories on which to set the ACL.  

  2. To verify that an ACL was set on the file, see "How to Check If a File Has an ACL". To verify which ACL entries were set on the file, use the getfacl command. 


    $ getfacl filename
Caution - Caution -

If an ACL already exists on the file, the -s option will replace the entire ACL with the new ACL.

Examples--Setting an ACL on a File

The following example sets the file owner permissions to read/write, file group permissions to read only, and other permissions to none on the ch1.doc file. In addition, the user george is given read/write permissions on the file, and the ACL mask permissions are set to read/write, which means no user or group can have execute permissions. 


$ setfacl -s user::rw-,group::r--,other:---,mask:rw-,user:george:rw- ch1.doc
$ ls -l
total 124
-rw-r-----+  1 nathan  sysadmin   34816 Nov 11 14:16 ch1.doc
-rw-r--r--   1 nathan  sysadmin   20167 Nov 11 14:16 ch2.doc
-rw-r--r--   1 nathan  sysadmin    8192 Nov 11 14:16 notes
$ getfacl ch1.doc
# file: ch1.doc
# owner: nathan
# group: sysadmin
user::rw-
user:george:rw-    #effective:rw-
group::r--         #effective:r--
mask:rw-
other:---

The following example sets the file owner permissions to read/write/execute, file group permissions to read only, other permissions to none, and the ACL mask permissions to read on the ch2.doc file. In addition, the user george is given read/write permissions; however, due to the ACL mask, the effective permissions for george are read only.


$ setfacl -s u::7,g::4,o:0,m:4,u:george:7 ch2.doc
$ getfacl ch2.doc
# file: ch2.doc
# owner: nathan
# group: sysadmin
user::rwx
user:george:rwx         #effective:r--
group::r--              #effective:r--
mask:r--
other:---