ACL Guide

From ITTC Help

The two commands necessary for implementing filesystem ACLs are getfacl and setfacl.

First, let's look at the getfacl command.

[wmason@devnull tmp]$ touch testfile
[wmason@devnull tmp]$ ls -l testfile
-rw-rw-r-- 1 wmason wmason 0 Oct 17 13:29 testfile
[wmason@devnull tmp]$ getfacl testfile
# file: testfile
# owner: wmason
# group: wmason
user::rw-
group::rw-
other::r--

This should all look pretty normal if you understand Unix file permissions. Next, let's grant user "hulet" read and write access to "testfile".

[wmason@devnull tmp]$ setfacl -m u:hulet:rw- testfile
[wmason@devnull tmp]$ getfacl testfile
# file: testfile
# owner: wmason
# group: wmason
user::rw-
user:hulet:rw-
group::rw-
mask::rw-
other::r--

[wmason@devnull tmp]$ ls -l testfile
-rw-rw-r--+ 1 wmason wmason 0 Oct 17 13:29 testfile

Notice that there is an extra user entry in the output from getfacl, and that a "+" is appended to the permission string in the ls output. The "+" indicates that an ACL has been applied to the file. In addition to the new user entry, there is now a new "mask" entry in the output from getfacl. This is the effective rights mask. This entry limits the effective rights granted to all ACL groups and users. The traditional Unix User, Group, and Other entries are not affected. If the mask is more restrictive than the ACL permissions that you grant, then the mask takes precedence.

Next, let's grant user "ahock" and group "admin" read and write access. But first, we will remove read access from Other.

[wmason@devnull tmp]$ chmod o-r testfile 
[wmason@devnull tmp]$ ls -l testfile 
-rw-rw----+ 1 wmason wmason 0 Oct 17 13:29 testfile
[wmason@devnull tmp]$ setfacl -m u:ahock:rw-,g:admin:rw- testfile 
[wmason@devnull tmp]$ getfacl testfile 
# file: testfile
# owner: wmason
# group: wmason
user::rw-
user:hulet:rw-
user:ahock:rw-
group::rw-
group:admin:rw-
mask::rw-
other::---

Next, let's modify the "mask" entry to only allow read access.

[wmason@devnull tmp]$ setfacl -m mask::r-- testfile
[wmason@devnull tmp]$ getfacl testfile
# file: testfile
# owner: wmason
# group: wmason
user::rw-
user:hulet:rw-                  #effective:r--
user:ahock:rwx                  #effective:r--
group::rw-                      #effective:r--
group:admin:rwx                 #effective:r--
mask::r--
other::---

The getfacl output now annotates each limited entry with its "effective" rights. This demonstrates the precedence that "mask" takes over ACL permissions. Next, we will use the setfacl command to change the normal User, Group, and Other permissions. This can be used instead of chmod.

[wmason@devnull tmp]$ setfacl -m u::rwx,g::rwx,o::rwx testfile 
[wmason@devnull tmp]$ getfacl testfile
# file: testfile
# owner: wmason
# group: wmason
user::rwx
user:hulet:rw-
user:ahock:rwx
group::rwx
group:admin:rwx
mask::rwx
other::rwx

Notice that the "mask" has changed. When you change the permissions of a user or a group with setfacl, the "mask" is also changed. If you want a restrictive "mask", it must be applied after the user and group permissions. Also notice that the chmod command will modify the "mask" entry too.

Below you will find several examples of setfacl common usage.

Remove specific ACL entry

You can remove specific ACL entries with the -x option. In this example, we will remove the entry for user "ahock".

[wmason@devnull tmp]$ setfacl -x u:ahock testfile
[wmason@devnull tmp]$ getfacl testfile
# file: testfile
# owner: wmason
# group: wmason
user::rwx
user:hulet:rw-
group::rwx
group:admin:rwx
mask::rwx
other::rwx

Remove entire ACL

To completely remove an ACL from a file or directory:

[wmason@devnull tmp]$ setfacl -b testfile
[wmason@devnull tmp]$ getfacl testfile
# file: testfile
# owner: wmason
# group: wmason
user::rwx
group::rwx
other::rwx

Explicitly set all ACL permissions

To explicitly set all of the file permissions on a file or a group of files, you must use the --set option. This is different from the -m option, which only modifies the existing ACL. The --set option replaces all permissions and ACLs with the new values.

[wmason@devnull tmp]$ setfacl --set u::rw,g::rw,o::-,u:hulet:rw- testfile
[wmason@devnull tmp]$ getfacl testfile
# file: testfile
# owner: wmason
# group: wmason
user::rw-
user:hulet:rw-
group::rw-
mask::rw-
other::---

Recursively set ACLs

If you want to apply ACLs to an entire directory and all of its subdirectories, use the -R option.

[wmason@devnull tmp]$ mkdir test
[wmason@devnull tmp]$ touch test/testfile1
[wmason@devnull tmp]$ rmdir test
[wmason@devnull tmp]$ mkdir testdir
[wmason@devnull tmp]$ touch testdir/testfile1
[wmason@devnull tmp]$ setfacl -R -m u:hulet:rwx testdir
[wmason@devnull tmp]$ getfacl testdir
# file: testdir
# owner: wmason
# group: wmason
user::rwx
user:hulet:rwx
user:wmason:rwx
group::rwx
mask::rwx
other::r-x

[wmason@devnull tmp]$ getfacl testdir/testfile1
# file: testdir/testfile1
# owner: wmason
# group: wmason
user::rw-
user:hulet:rwx
user:wmason:rwx
group::rw-
mask::rwx
other::r--

ACL file template

You can save a common ACL as a text file and use it to apply ACLs to other files. For example:

[wmason@devnull tmp]$ cat acltemplate 
user::rw-
user:hulet:rwx
user:wmason:rwx
group::rw-
mask::rwx
other::r--
[wmason@devnull tmp]$ touch testfile3
[wmason@devnull tmp]$ setfacl -M acltemplate testfile3
[wmason@devnull tmp]$ getfacl testfile3
# file: testfile3
# owner: wmason
# group: wmason
user::rw-
user:hulet:rwx
user:wmason:rwx
group::rw-
mask::rwx
other::r--

Default ACL

There are two types of ACLs, "access" and "default". So far, we have been using "access" ACLs. The default ACL is only applied to directories, and it defines the permissions that a newly created file or directory inherits from its parent directory.

[wmason@devnull tmp]$ mkdir testdir2
[wmason@devnull tmp]$ setfacl -d -m u:hulet:rwx testdir2
[wmason@devnull tmp]$ touch testdir2/testfile1
[wmason@devnull tmp]$ getfacl testdir2/testfile1
# file: testdir2/testfile1
# owner: wmason
# group: wmason
user::rw-
user:hulet:rwx                  #effective:rw-
group::rwx                      #effective:rw-
mask::rw-
other::r--
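The two mechanisms shown above, the mask limiting the "#effective" rights of named users, named groups and the owning group, and the default ACL being copied to a new file and then ANDed with the creation mode, can be checked offline. The following Python model is an added example (not part of this wiki page); it parses getfacl's text output rather than calling setfacl, and the sample ACLs are copied from the transcripts above.

```python
# Added example, not from the ITTC page: a model of the POSIX ACL mask and of
# default-ACL inheritance that runs offline on getfacl output (no setfacl needed).
PERM = {"r": 4, "w": 2, "x": 1}

def parse_getfacl(text):
    """getfacl output -> (tag, qualifier, perms) triples; drops '# file:' header
    lines, '#effective:' annotations and the 'default:' prefix of getfacl -d."""
    acl = []
    for line in text.splitlines():
        line = line.split("#")[0].strip()
        if line.startswith("default:"):
            line = line[len("default:"):]
        if line:
            tag, qual, perms = line.split(":")
            acl.append((tag, qual, perms))
    return acl

def bits(perms):
    return sum(PERM[c] for c in perms if c in PERM)

def to_perms(b):
    return "".join(c if b & v else "-" for c, v in PERM.items())

def effective(acl):
    """Apply the mask: named users, named groups and the owning group (group::)
    are limited by it; the owner (user::) and other:: are not (7 = no limit)."""
    mask = next((bits(p) for t, _, p in acl if t == "mask"), 7)
    limited = lambda t, q: t == "group" or (t == "user" and q != "")
    return [(t, q, to_perms(bits(p) & (mask if limited(t, q) else 7))) for t, q, p in acl]

def inherit(default_acl, mode):
    """Access ACL of a new file under this default ACL: user::, other:: and
    mask:: (group:: when there is no mask) are ANDed with the creation mode's
    owner/group/other bits (touch asks for 0666; umask 002 leaves 0o664)."""
    limit = {("user", ""): (mode >> 6) & 7, ("other", ""): mode & 7,
             ("mask", ""): (mode >> 3) & 7}
    if not any(t == "mask" for t, _, _ in default_acl):
        limit[("group", "")] = (mode >> 3) & 7
    return [(t, q, to_perms(bits(p) & limit.get((t, q), 7))) for t, q, p in default_acl]

# Inputs copied from the page: the ACL after 'setfacl -m mask::r--', and
# testdir2's default ACL as 'getfacl -d testdir2' prints it.
MASKED = "user::rw-\nuser:hulet:rw-\nuser:ahock:rwx\ngroup::rw-\ngroup:admin:rwx\nmask::r--\nother::---"
DEFAULT = "default:user::rwx\ndefault:user:hulet:rwx\ndefault:group::rwx\ndefault:mask::rwx\ndefault:other::r-x"

if __name__ == "__main__":
    for tag, qual, perms in effective(parse_getfacl(MASKED)) + inherit(parse_getfacl(DEFAULT), 0o664):
        print(f"{tag}:{qual}:{perms}")
```

Running it reproduces the "#effective:r--" values from the mask transcript and the user::rw-, mask::rw-, other::r-- entries that testdir2/testfile1 received from the directory's default ACL.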

Preserving ACLs

Three major file utilities, ls, cp, and mv, have been updated to handle ACLs. The mv command will always preserve ACLs if it is possible. If it is not possible, it will issue a warning. The cp command will only preserve ACLs if used with the -p or -a options. In both cases, if you are trying to copy/move from a filesystem that supports ACLs to a filesystem that does not, only the standard Unix permissions will be retained. A warning message will be displayed when you lose ACLs.

[wmason@devnull tmp]$ cp testfile /home
cp: preserving permissions for `/home/testfile': Operation not supported

Copying ACLs

If you have a complex ACL, you can easily copy it to other files by piping the output of the getfacl command into the setfacl command.

[wmason@devnull tmp]$ getfacl testfile | setfacl --set-file=- testdir/testfile*
[wmason@devnull tmp]$ getfacl testdir/testfile1
# file: testdir/testfile1
# owner: wmason
# group: wmason
user::rw-
user:hulet:rw-
group::rw-
mask::rw-
other::---