System Administration Guide

Using Access Control Lists (ACLs)

The traditional UNIX file protection provides read, write, and execute permissions for the three user classes: owner, group, and other. An ACL provides better file security by enabling you to define file permissions for the owner, owner's group, others, specific users and groups, and default permissions for each of those categories.

For example, assume you had a file that you wanted everyone in a group to be able to read. With that situation, you would give group read permissions on that file. Now, assume you wanted only one person in the group to be able to write to that file. Standard UNIX doesn't let you set that up. However, you could set up an ACL for that file to give only one person in the group write permissions on the file.

Table 51-8 lists the ACL commands that you can use on files or directories.

Table 51-8 ACL Commands

Command       Description
setfacl(1)    Sets, adds, modifies, and deletes ACL entries
getfacl(1)    Displays ACL entries

An ACL is defined by its ACL entries, which you set with the ACL commands. Each ACL entry consists of the following fields separated by colons:

entry_type:[uid|gid]:perms

In an ACL entry,

entry_type

Type of ACL entry on which to set file permissions. For example, entry_type can be user (the owner of a file) or mask (the ACL mask).

uid

User name or identification number. 

gid

Group name or identification number. 

perms

Represents the permissions that are set on entry_type. perms can be indicated by the symbolic characters rwx or a number (the same permissions numbers used with the chmod command).

The following example shows an ACL entry that sets read/write permissions for the user nathan.

user:nathan:rw-

Caution -

UFS file system attributes such as ACLs are supported in UFS file systems only. This means that if you restore or copy files with ACL entries into the /tmp directory, which is usually mounted as a TMPFS file system, the ACL entries will be lost. Use the /var/tmp directory for temporary storage of UFS files.


ACL Entries for Files

Table 51-9 lists the valid ACL entries. The first three ACL entries provide the basic UNIX file protection.

Table 51-9 ACL Entries for Files

ACL Entry           Meaning
u[ser]::perms       The owner's permissions.
g[roup]::perms      Permissions for the owner's group.
o[ther]:perms       Permissions for users other than the owner or members of the owner's group.
m[ask]:perms        The ACL mask. The mask entry indicates the maximum permissions allowed for users
                    (other than the owner) and for groups. The mask is a quick way to change
                    permissions on all the users and groups. For example, the mask:r-- entry
                    indicates that users and groups cannot have more than read permissions, even
                    though they may have write/execute permissions.
u[ser]:uid:perms    Permissions for a specific user.
g[roup]:gid:perms   Permissions for a specific group.

ACL Entries for Directories

In addition to the ACL entries described in Table 51-9, you can set default ACL entries on a directory that apply to files created within the directory. A file created in a directory that has default ACL entries receives the same ACL entries as those defaults. Table 51-10 lists the default ACL entries for directories.

When you set default ACL entries for specific users and groups on a directory for the first time, you must also set default ACL entries for the owner, owner's group, others, and the mask (these are required and are the first four default ACL entries in Table 51-10).

Table 51-10 Default ACL Entries for Directories

Default ACL Entry             Meaning
d[efault]:u[ser]::perms       Default owner's permissions.
d[efault]:g[roup]::perms      Default permissions for the owner's group.
d[efault]:o[ther]:perms       Default permissions for users other than the owner or members of the owner's group.
d[efault]:m[ask]:perms        Default ACL mask.
d[efault]:u[ser]:uid:perms    Default permissions for a specific user.
d[efault]:g[roup]:gid:perms   Default permissions for a specific group.

How to Set ACL Entries on a File

  1. Set ACL entries on a file by using the setfacl command.


    $ setfacl -s user::perms,group::perms,other:perms,mask:perms,acl_entry_list filename ...

    -s

    Replaces the entire ACL with the new ACL entries, if an ACL already exists on the file.

    user::perms

    Specifies the owner's permissions.

    group::perms

    Specifies the permissions for the owner's group.

    other:perms

    Specifies the permissions for users other than the owner or members of the owner's group.

    mask:perms

    Specifies the permissions for the ACL mask. The mask indicates the maximum permissions allowed for users (other than the owner) and for groups.

    acl_entry_list

    List of one or more ACL entries to set for specific users and groups on the file or directory. You can also set default ACL entries on a directory. Table 51-9 and Table 51-10 show the valid ACL entries.

    filename ...

    File or directory on which to set the ACL entries.

  2. To verify that an ACL was set on the file, see "How to Check If a File Has an ACL". To verify which ACL entries were set on the file, use the getfacl command.

    $ getfacl filename

Caution -

If an ACL already exists on the file, the -s option will replace the entire ACL with the new ACL entries.


Examples--Setting ACL Entries on a File

The following example sets the owner permissions to read/write, group permissions to read only, and other permissions to none on the ch1.doc file. In addition, the user george is given read/write permissions on the file, and the ACL mask permissions are set to read/write, which means no user or group can have execute permissions.

$ setfacl -s user::rw-,group::r--,other:---,mask:rw-,user:george:rw- ch1.doc
$ ls -l
total 124
-rw-r-----+  1 nathan  sysadmin   34816 Nov 11 14:16 ch1.doc
-rw-r--r--   1 nathan  sysadmin   20167 Nov 11 14:16 ch2.doc
-rw-r--r--   1 nathan  sysadmin    8192 Nov 11 14:16 notes
$ getfacl ch1.doc
# file: ch1.doc
# owner: nathan
# group: sysadmin
user::rw-
user:george:rw-    #effective:rw-
group::r--         #effective:r--
mask:rw-
other:---

The following example sets the owner permissions to read/write/execute, group permissions to read only, and other permissions to none on the ch2.doc file. In addition, users in the sysadmin group are given read/write permissions on the file, and the ACL mask permissions are set to read/write.

$ setfacl -s u::7,g::4,o:0,g:sysadmin:6,m:6 ch2.doc
$ getfacl ch2.doc

How to Check If a File Has an ACL

Check if a file has an ACL by using the ls command.


$ ls -l filename

filename

File or directory that you want to check. 

A plus sign (+) to the right of the mode field indicates that the file has an ACL.

Example--Checking If a File Has an ACL

The following example shows that ch1.doc has an ACL.


$ ls -l ch1.doc
-rwxr-----+  1 nathan   sysadmin      167 Nov 11 11:13 ch1.doc

How to Add or Modify ACL Entries on a File

  1. Add or modify ACL entries on a file by using the setfacl command.


    $ setfacl -m acl_entry_list filename1 [filename2...]

    -m

    Modifies the existing ACL entry. 

    acl_entry_list

    List of one or more ACL entries to add or modify on the file or directory. You can also add or modify default ACL entries on a directory. Table 51-9 and Table 51-10 show the valid ACL entries.

    filename ...

    File or directory on which to add or modify ACL entries. 

  2. To verify that the ACL entries were added or modified on the file, use the getfacl command.


    $ getfacl filename

Examples--Adding or Modifying ACL Entries on a File

The following example adds read/write permissions for the user george on the ch3.doc file.


$ setfacl -m user:george:6 ch3.doc
$ getfacl ch3.doc
# file: ch3.doc
# owner: george
# group: staff
user::rw-
user:george:rw-         #effective:rw-
group::r--              #effective:r--
mask:r--
other:r--

The following example adds default ACL entries for the book directory, which already has a default entry specified for the owner of the directory, for the group owner of the directory, and for others. The users in the staff group are given read permissions and the required default mask is set to read/write.


$ setfacl -m default:group:staff:4,default:mask:6 book
$ getfacl book

How to Delete ACL Entries From a File

  1. Delete ACL entries from a file by using the setfacl command.


    $ setfacl -d acl_entry_list filename1 ...

    -d

    Deletes the specified ACL entries. 

    acl_entry_list

    List of ACL entries (without specifying the permissions) to delete from the file or directory. You can only delete ACL entries and default ACL entries for specific users and groups. Table 51-9 and Table 51-10 show the valid ACL entries.

    filename ...

    File or directory from which to delete the ACL entries. 

    Alternatively, you can use the setfacl -s command to delete all the ACL entries on a file and replace them with the new ACL entries specified.

  2. To verify that the ACL entries were deleted from the file, use the getfacl command.


    $ getfacl filename

Example--Deleting ACL Entries on a File

The following example deletes read permission for the user nigel on the ch4.doc file.


$ setfacl -d user:nigel:4 ch4.doc
$ getfacl ch4.doc
# file: ch4.doc
# owner: nigel
# group: staff
user::r--
group::r--              #effective:r--
other:r--

How to Display ACL Entries for a File

Display ACL entries for a file by using the getfacl command.


$ getfacl [-a | -d] filename1 ...

-a

Displays the file name, owner, group, and ACL entries for the specified file or directory. 

-d

Displays the file name, owner, group, and default ACL entries for the specified directory. 

filename ...

File or directory for which to display the ACL entries. 

If you specify multiple file names on the command line, the ACL entries are separated by a blank line.

Examples--Displaying ACL Entries for a File

The following example shows all the ACL entries for the ch1.doc file. The #effective: note beside the user and group entries indicates what the permissions are after being modified by the ACL mask.


$ getfacl ch1.doc
# file: ch1.doc
# owner: nathan
# group: sysadmin
user::rw-
user:george:rw-         #effective:rw-
group::r--              #effective:r--
mask:rw-
other:---
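As an added example that is not part of the guide, the following Python code models the entry syntax entry_type:[uid|gid]:perms from the start of this section, the mask semantics from Table 51-9, the four required base entries of a setfacl -s list, and the #effective computation shown in the getfacl output above. It assumes only the syntax the guide describes; the sample entries are the ch1.doc entries from the example above.

```python
# Added example (not from the guide): a model of the ACL entry syntax
# entry_type:[uid|gid]:perms, the mask, and getfacl's #effective column.
TYPE_NAMES = {"u": "user", "g": "group", "o": "other", "m": "mask"}
BASE_REQUIRED = ("user", "group", "other", "mask")

def parse_perms(p):
    """'rw-' or '6' -> 'rw-'; a digit means the same as in chmod."""
    if p.isdigit() and int(p) <= 7:
        return "".join(c if int(p) & b else "-" for c, b in (("r", 4), ("w", 2), ("x", 1)))
    if len(p) == 3 and all(c in (want, "-") for c, want in zip(p, "rwx")):
        return p
    raise ValueError("bad perms %r" % p)

def parse_entry(text):
    """Return (is_default, type, qualifier, perms) for one colon-separated entry."""
    fields = text.split(":")
    is_default = fields[0] in ("d", "default")
    fields = fields[1:] if is_default else fields
    etype = TYPE_NAMES.get(fields[0][:1]) if fields else None
    if etype is None or fields[0] not in (etype[0], etype):
        raise ValueError("unknown entry type in %r" % text)
    # user/group entries carry a uid/gid field (empty for the owner or owner's group); other/mask do not
    expected = 3 if etype in ("user", "group") else 2
    if len(fields) != expected:
        raise ValueError("wrong field count in %r" % text)
    qualifier = fields[1] if expected == 3 else ""
    return is_default, etype, qualifier, parse_perms(fields[-1])

def effective(perms, mask):
    """#effective value: a permission survives only if the mask also grants it."""
    return "".join(p if p == m != "-" else "-" for p, m in zip(perms, mask))

def effective_report(entries):
    """Effective perms of the masked entries: named users, owner's group, named groups."""
    parsed = [parse_entry(e) for e in entries]
    mask = next((perms for d, t, _, perms in parsed if not d and t == "mask"), "rwx")
    return {"%s:%s" % (t, q): effective(perms, mask) for d, t, q, perms in parsed
            if not d and (t == "group" or (t == "user" and q))}

def missing_required(entries):
    """Base entries a setfacl -s list lacks; default ones too once any default entry is present."""
    parsed = [parse_entry(e) for e in entries]
    scopes = [False] + ([True] if any(d for d, *_ in parsed) else [])
    missing = []
    for scope in scopes:
        present = {t for d, t, q, _ in parsed if d == scope and q == ""}
        missing += [("default:" if scope else "") + t for t in BASE_REQUIRED if t not in present]
    return missing

CH1_DOC = ["user::rw-", "user:george:rw-", "group::r--", "mask:rw-", "other:---"]  # constructed: the guide's ch1.doc entries
```

Running effective_report(CH1_DOC) reproduces the #effective column above (user:george rw-, group r--), and missing_required shows why setfacl -s fails when a list omits the owner, group, other or mask entry.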

The following example shows the default ACL entries for the book directory.


$ getfacl -d book
# file: book
# owner: nathan
# group: sysadmin
default:user::rw-
default:user:george:r--
default:group::rw-
default:mask:rw-
default:other:r--