How to use setfacl -m acl_spec to add or
modify.
How to use setfacl -x acl_spec to delete.
Default ACLs can be set on a directory; preface the acl_spec
with d:. Include execute permission to ensure access to new
subdirectories.
How to use -R for recursive, -b to delete all ACLs, -k to
delete all default ACLs.
The acl_spec has the pattern
type:name:perms
type can be u, g,
o, or m.
name can be a username, uid,
group-name, or gid. An empty name implies file
owner or group owner.
perms are r, w,
x, or X. "-" means unset.
After completing this section, students should be able to:
Change regular ACL file permissions using setfacl.
Control default ACL file permissions for new files and directories.
Use setfacl to add, modify, or remove standard ACLs on files and directories.
ACLs use the normal file system representation of permissions, "r" for read
permission, "w" for write permission, and "x" for execute permission.
A "-" (dash) indicates that the relevant permission is absent. When (recursively)
setting ACLs, an uppercase "X" can be used to indicate that execute permission
should be set on directories, and on regular files only if the file already has
execute permission for some user. This is the same behavior as chmod.
Adding or modifying an ACL
ACLs can be set via the command line using -m, or passed in via a file using
-M (use "-" (dash) instead of a file name for
stdin). These two options are the "modify" options; they add new ACL
entries or replace specific existing ACL entries on a file or directory. Any other existing
ACL entries on the file or directory remain untouched.
Use the --set or --set-file options to completely replace the
ACL settings on a file.
When first defining an ACL on a file, if the add operation does not include settings for the file owner, group-owner, or other permissions, then they will be set based on the current standard file permissions (these are also known as the base ACLs and cannot be deleted), and a new mask value will be calculated and added as well.
To add or modify a user or named user ACL:
[student@serverX ~]$ setfacl -m u:name:rX file
If name is left blank, then it applies to the file
owner, otherwise name can be a username or UID value. In
this example, the permission granted is read, plus execute only if the file is a
directory or already has execute permission for some user (so a directory becomes
searchable, while a regular file that was not executable stays that way).
ACL file owner and standard file owner permissions are equivalent; consequently, using chmod on the file owner permissions is equivalent to using setfacl on the file owner permissions. chmod has no effect on named users.
To add or modify a group or named group ACL:
[student@serverX ~]$ setfacl -m g:name:rw file
This follows the same pattern for adding or modifying a user ACL. If
name is left blank, then it applies to the
group-owner. Otherwise, specify a group name or GID value for a
named group. The permissions would be read and write in this
example.
chmod has no effect on any group permissions for files with ACL settings, but it updates the ACL mask.
To add or modify the other ACL:
[student@serverX ~]$ setfacl -m o::- file
other only accepts permission settings. It is common for the permission
to be set to "-" (dash), which specifies that other users have
NO permissions, but any of the standard permissions can be specified.
ACL other and standard other permissions are equivalent, so using chmod on the other permissions is equivalent to using setfacl on the other permissions.
Add multiple entries via the same command, and comma-separate each of the entries:
[student@serverX ~]$ setfacl -m u::rwx,g:sodor:rX,o::- file
This will set the file owner to read, write, and execute, set the named
group sodor to read-only and conditional execute, and restrict all
other users to NO permissions. The group-owner will
maintain their existing file or ACL permissions and other "named" entries will remain
unchanged.
Using getfacl as input
The output from getfacl can be used as input to setfacl:
[student@serverX ~]$ getfacl file-A | setfacl --set-file=- file-B
--set-file accepts input from a file or stdin, and the
"-" (dash) specifies the use of stdin. In this case,
file-B will have the same ACL settings as
file-A.
Setting an explicit ACL mask
An ACL mask can be explicitly set on a file or directory to limit the maximum effective permissions for named users, the group-owner, and named groups. This restricts any existing permissions that exceed the mask, but does nothing to permissions that are less permissive than the mask.
[student@serverX ~]$ setfacl -m m::r file
This would add a mask value that restricted any named users, the group-owner, and any named groups to read-only permission, regardless of their existing settings. The file owner and other users are not impacted by the mask setting.
getfacl will show an "effective" comment beside entries that are being restricted by a mask setting.
By default, the ACL mask is recalculated each time one of the impacted ACL settings (named users, group-owner, or named groups) is modified or deleted, potentially resetting a previous explicit mask setting.
To avoid the mask recalculation, use -n or include a mask setting (-m
m::perms) with any setfacl operation
that modifies mask-affected ACL settings.
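The entry syntax, the mask recalculation, and the "effective" restriction described in the "Adding or modifying an ACL" and "Setting an explicit ACL mask" sections can be checked without touching a file system. The following is an added example, not part of the course or of the acl package: a small Python model of setfacl's -m, -x and -n handling of one file's access ACL, written to follow the rules in setfacl(1) and getfacl(1). It accepts only the short entry types u, g, o and m, does not resolve names to UIDs or GIDs, and the ACLs it builds (file mode 0644, users alice and name, group sodor) are constructed for the demonstration.

```python
# Added example (not from the course): model of setfacl -m / -x / -n on one
# file's access ACL, following setfacl(1). Short entry types only; names are
# not resolved; all sample ACLs are constructed, not captured from a system.

BASE = (("u", ""), ("g", ""), ("o", ""))   # base entries: never deletable
MASK = ("m", "")


def perms_to_str(p):
    """Render a permission set the way getfacl does: {'r','x'} -> 'r-x'."""
    return "".join(c if c in p else "-" for c in "rwx")


def acl_from_mode(mode):
    """Base ACL derived from a standard mode such as 0o644 (no mask yet)."""
    acl = {}
    for key, shift in zip(BASE, (6, 3, 0)):
        b = (mode >> shift) & 7
        acl[key] = {c for c, m in (("r", 4), ("w", 2), ("x", 1)) if b & m}
    return acl


def parse_acl_spec(spec, deleting=False):
    """'u:alice:rX,g:sodor:rw,o::-' -> [(type, name, perms), ...].
    With deleting=True (the -x syntax) ':perms' is absent or empty."""
    entries = []
    for item in spec.split(","):
        parts = item.split(":")
        if deleting:
            ok = len(parts) == 2 or (len(parts) == 3 and parts[2] == "")
        else:
            ok = len(parts) == 3
        if not ok:
            raise ValueError(f"malformed entry {item!r}")
        etype, name = parts[0], parts[1]
        if len(etype) != 1 or etype not in "ugom":
            raise ValueError(f"unknown entry type {etype!r}")
        if etype in "om" and name:
            raise ValueError("other and mask entries take no name")
        perms = None
        if not deleting:
            perms = set()
            for ch in parts[2]:
                if ch in "rwxX":
                    perms.add(ch)
                elif ch != "-":
                    raise ValueError(f"bad permission {ch!r}")
        entries.append((etype, name, perms))
    return entries


def has_named_entries(acl):
    return any(t in "ug" and name for (t, name) in acl)


def recalc_mask(acl):
    """setfacl default: mask = union of group-owner, named user and named group perms."""
    union = set()
    for (t, name), p in acl.items():
        if (t, name) == ("g", "") or (t in "ug" and name):
            union |= p
    acl[MASK] = union


def setfacl_modify(acl, spec, is_dir=False, no_mask=False):
    """Apply 'setfacl -m spec' (no_mask=True models -n) to acl in place."""
    # Uppercase X grants x only if the object is a directory or some entry has x.
    any_exec = is_dir or any("x" in p for p in acl.values())
    explicit_mask = False
    for etype, name, perms in parse_acl_spec(spec):
        p = {c for c in perms if c != "X"}
        if "X" in perms and any_exec:
            p.add("x")
        acl[(etype, name)] = p
        explicit_mask = explicit_mask or etype == "m"
    # A mask exists once there are named entries; it is recalculated unless
    # -n was given or the spec itself carried a mask entry.
    if MASK in acl or has_named_entries(acl):
        if MASK not in acl or not (no_mask or explicit_mask):
            recalc_mask(acl)
    return acl


def setfacl_delete(acl, spec, no_mask=False):
    """Apply 'setfacl -x spec'. Base entries cannot go; the mask only last."""
    for etype, name, _ in parse_acl_spec(spec, deleting=True):
        key = (etype, name)
        if key in BASE:
            raise ValueError("base entries cannot be deleted")
        if key == MASK and has_named_entries(acl):
            raise ValueError("delete the named entries before the mask")
        acl.pop(key, None)
    if MASK in acl and not no_mask:
        recalc_mask(acl)
    return acl


def _order(key):
    return ({"u": 0, "g": 1, "m": 2, "o": 3}[key[0]], key[1] != "", key[1])


def getfacl(acl):
    """getfacl-style lines, with '#effective:' where the mask restricts an entry."""
    long_name = {"u": "user", "g": "group", "o": "other", "m": "mask"}
    lines = []
    for key in sorted(acl, key=_order):
        p = acl[key]
        line = f"{long_name[key[0]]}:{key[1]}:{perms_to_str(p)}"
        in_group_class = key == ("g", "") or (key != MASK and key[1] != "")
        if MASK in acl and in_group_class and (p - acl[MASK]):
            line += f"\t#effective:{perms_to_str(p & acl[MASK])}"
        lines.append(line)
    return lines


if __name__ == "__main__":
    acl = acl_from_mode(0o644)                      # constructed: a plain rw-r--r-- file
    setfacl_modify(acl, "u::rwx,g:sodor:rX,o::-")  # the multi-entry example above
    setfacl_modify(acl, "u:alice:rw")              # mask grows to rw-
    setfacl_modify(acl, "m::r")                    # explicit mask: alice effective r--
    print("\n".join(getfacl(acl)))
    setfacl_modify(acl, "g:sodor:rw")              # plain -m recalculates, undoing the mask
    print("mask after plain -m:", perms_to_str(acl[MASK]))
```

Running the demonstration shows the trap the mask section warns about: the explicit mask set with m::r survives only until the next plain -m on a mask-affected entry; passing no_mask=True (the -n option) keeps it, and the getfacl lines then carry the #effective comment for every entry the mask cuts down.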
Recursive ACL modifications
When setting an ACL on a directory, it is common to want to apply the ACL recursively to
the directory structure and files. Use the -R option to do this. The
"X" (capital X) permission is often used with recursion, so that files with the
execute permission set retain the setting and directories get the execute permission set to
allow directory search. It is considered good practice to also use the uppercase X when non-recursively setting ACLs, as it prevents an administrator from accidentally adding execute permissions to a regular file.
[student@serverX ~]$ setfacl -R -m u:name:rX directory
This would add the user name to the
directory and all existing files and subdirectories, granting
read-only and conditional execute.
Deleting an ACL
Deleting specific ACL entries follows the same basic format as the modify operation, except the ":perms" should not be specified.
[student@serverX ~]$ setfacl -x u:name,g:name file
This would only remove the named user and the named group from the list of file or directory ACLs. Any other existing ACLs remain active.
It is possible to use the delete (-x) and modify (-m) operations
in the same setfacl operation.
The mask can only be deleted if there are no other ACLs set (excluding the
base ACLs which cannot be deleted), so it must be deleted last. The file will no
longer have ACLs and ls -l will not show the "+" symbol next to
the permissions string. Alternatively, to delete ALL ACLs on a file or directory (including
default ACLs on directories), use:
[student@serverX ~]$ setfacl -b file
A directory can have default ACLs set on it that are automatically inherited by all new files and new subdirectories. There can be default ACL permissions set for each of the standard ACL settings, including a default mask.
A directory still requires standard ACLs for access control because default ACLs do not implement access control for the directory; they only provide ACL permission inheritance support.
An example:
[student@serverX ~]$ setfacl -m d:u:name:rx directory
This adds a default named user entry (d:u:name) with read and execute
permission. New subdirectories inherit it as r-x; new regular files inherit the
same entry, but the file's mask (at most rw-, see below) limits its effective
permission to read.
The setfacl command for adding a default ACL for
each of the ACL types is exactly the same as for standard ACLs, but prefaced with d:.
Alternatively, use the -d option on the command line.
When setting default ACLs on a directory, ensure that users will be able to access the contents of new subdirectories created in it by including the execute permission on the default ACL.
Users will not automatically get the execute permission set on newly created regular files
because, unlike a new directory (requested with mode 0777), a new regular file is
requested with mode 0666, so its ACL mask is at most rw- and cannot pass execute
through.
New files and new subdirectories continue to get their owner UID and primary group GID
values set from the creating user, except when the parent directory setgid flag
is enabled, in which case the primary group GID will be the same as the parent directory
GID.
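How a default ACL becomes the access ACL of a new object, and why a new file loses execute while a new subdirectory keeps it, can be worked through with the object-creation rule from acl(5): the default entries are copied, then the owner entry, the mask entry (or the group-owner entry when there is no mask) and the other entry are ANDed with the owner, group and other bits of the mode the creating program requests, and the umask is ignored. The following Python model is an added example, not part of the course or of the acl package; the directory and its default ACL (mode 0755 after setfacl -m d:u:alice:rx directory) are constructed for the demonstration, and the 0666/0777 creation modes are the usual ones, not something the page states.

```python
# Added example (not from the course): how a directory's default ACL turns
# into the access ACL of a new object, following the object-creation rule in
# acl(5): copy the default entries, then AND the owner, mask (or group-owner
# when there is no mask) and other entries with the owner, group and other
# bits of the mode the creating program requests (normally 0666 for a file,
# 0777 for a directory). The umask is ignored when a default ACL exists.
# The directory and default ACL below are constructed, not captured.

MASK = ("m", "")


def bits(n):
    """Octal digit -> permission set, e.g. 5 -> {'r','x'}."""
    return {c for c, m in (("r", 4), ("w", 2), ("x", 1)) if n & m}


def perms_to_str(p):
    return "".join(c if c in p else "-" for c in "rwx")


def inherit(default_acl, mode, is_dir):
    """Return (access_acl, default_acl) for a new object created under a
    directory whose default ACL is default_acl. Files get no default ACL;
    a new subdirectory copies the parent's default ACL as its own."""
    for base in (("u", ""), ("g", ""), ("o", "")):
        if base not in default_acl:
            raise ValueError(f"default ACL lacks base entry {base}")
    acl = {k: set(v) for k, v in default_acl.items()}
    if MASK not in acl and any(n for (_, n) in acl):
        # setfacl keeps a mask in any default ACL that has named entries
        acl[MASK] = set().union(
            *(p for (t, n), p in acl.items() if (t, n) == ("g", "") or n))
    owner, group, other = (bits((mode >> s) & 7) for s in (6, 3, 0))
    acl[("u", "")] &= owner
    acl[("o", "")] &= other
    if MASK in acl:
        acl[MASK] &= group      # named entries keep their bits; the mask caps them
    else:
        acl[("g", "")] &= group
    child_default = {k: set(v) for k, v in default_acl.items()} if is_dir else {}
    return acl, child_default


def effective(acl):
    """Effective permission per entry, as getfacl's #effective comment reports."""
    out = {}
    for (t, n), p in acl.items():
        in_group_class = (t, n) == ("g", "") or ((t, n) != MASK and n != "")
        capped = p & acl[MASK] if MASK in acl and in_group_class else p
        out[(t, n)] = perms_to_str(capped)
    return out


# Constructed: default ACL of a 0755 directory after
# 'setfacl -m d:u:alice:rx directory' (mask computed by inherit())
DEFAULT_ACL = {
    ("u", ""): {"r", "w", "x"},
    ("g", ""): {"r", "x"},
    ("u", "alice"): {"r", "x"},
    ("o", ""): {"r", "x"},
}

if __name__ == "__main__":
    for label, mode, is_dir in (("new file", 0o666, False),
                                ("new subdirectory", 0o777, True)):
        acl, _ = inherit(DEFAULT_ACL, mode, is_dir)
        print(label, {f"{t}:{n}": v for (t, n), v in effective(acl).items()})
```

For the new file the mask becomes r-x AND rw- = r--, so alice's inherited r-x entry is reported as effective r--; for the new subdirectory the mask stays r-x and alice can search it. This is the same arithmetic the course summarises as "the ACL mask of a new regular file is rw-" at most.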
Deleting default ACLs
Deleting a default ACL is also the same as deleting a standard ACL;
again, preface with d:, or use the -d option.
[student@serverX ~]$ setfacl -x d:u:name directory
This removes the default ACL that was added in the previous example.
To delete all default ACLs on a directory, use setfacl -k
/directory. To delete ALL ACLs on a directory, use
setfacl -b /directory.
acl(5), setfacl(1) man pages