Red Hat Enterprise Linux 7 Implementation

File System Permissions

Module Topics

File/Directory Permissions
Ownership
Special Permissions
Default File Permissions
POSIX ACL Concepts
File System Mount Option
ACL Permissions
File ACLs
Directory ACLs
ACL Mask
ACL Permission Precedence
ACL File Permissions
getfacl as Input
Explicit ACL Mask
Recursive ACL Modifications
ACL Deletion
Default ACL Permissions

File/Directory Permissions

To change permissions from command line, use chmod
- Short for change mode
- Permissions are also called mode of a file
chmod takes permission instruction followed by list of files or directories to change
Permission instruction: Symbolic or numeric

File/Directory Permissions

Symbolic Method

chmod WhoWhatWhich file|directory

Letters represent permission groups:
- Who: u (user), g (group), o (other), a (all)
Change existing permission set or add new set:
- What: + (add), - (remove), = (set exactly)
Letters represent actual permissions:
- Which: r (read), w (write), x (execute)

File/Directory Permissions

Numeric Method

chmod ### file|directory

Permissions represented by three-digit octal number
- Four digits for advanced permissions
Each digit represents an access level: user, group, other
Each digit equals sum of permissions: read (r)=4, write (w)=2, execute (x)=1

Transcript:

chmod ### file|directory

Each digit represents an access level:user, group, other.
# is sum of r=4, w=2, and x=1.

Using the numeric method, permissions are represented by a three-digit (or four, when setting advanced permissions) octal number. A single octal digit can represent the numbers 0-7, exactly the number of possibilities for a three-bit number.

To convert between symbolic and numeric representation of permissions, we need to know how the mapping is done. In the three-digit octal (numeric) representation, each digit stands for one group of permissions, from left to right:user, group, and other. In each of these groups, start with 0. If the read permission is present, add 4. Add 2 if write is present, and 1 for execute.

Numeric permissions are often used by advanced administrators since they are shorter to type and pronounce, while still giving full control over all permissions.

File/Directory Permissions

Table 1. Permissions Example: `-rwxr-x---`
Term	Value	Equals
User	`rwx`	`4+2+1=7`
Group	`r-x`	`4+0+1=5`
Other	`---`	`0`

Table 2. Permissions Example: `640`
Term	Value	Equals	Displays As
User	`6`	read (4), write (2)	`rw-`
Group	`4`	read (4)	`r--`
Other	`0`	no permissions	`---`

File/Directory Permissions

Permissions Command Examples

To remove read and write permission for group and other on file1:
```
[student@desktop1$ chmod go-rw file1
```
To add execute permission for everyone on file2:
```
[student@desktop1$ chmod a+x file2
```
To set read, write, and execute permission for user; read and execute for group; and no permission for other, on sampledir:
```
[student@desktop1$ chmod 750 sampledir
```

File/Directory Permissions

-R Option

Use to recursively set permissions on entire directory tree
Use X permissions (not x)
- Indicates setting permissions on directories, not files
- Example: Set read and write access on demodir and children for group owner
  [student@desktop1# chmod -R g+rwX demodir

Ownership

User who creates file is owner of file
Owner’s primary group has group ownership of file
- Often owner is only member of group
May need to change owner or group to grant access to file

Ownership

Change File Ownership

To change owner, use chown
- Example: Change owner of file foofile to student
  [root@desktop1 ~]# chown student foofile
To recursively change ownership of entire directory tree, use chown with -R option
- Example: Grant ownership of foodir and all files and subdirectories to student
  [root@desktop1 ~]# chown -R student foodir

Ownership

Change Group Ownership

To change group ownership of file, use chown
Precede group name with :
- Example: Change group foodir to admins
  [root@desktop1 ~]# chown :admins foodir

Ownership

Change Both File and Group Ownership

To change owner and group at same time, use chown
Use syntax owner:group
- Example: Change owner of foodir to visitor and group to guests
  [root@desktop1 ~]# chown visitor:guests foodir
Only root can change file ownership
root or file owner can set group ownership
- root can grant ownership to any group
- Non-root can grant ownership to groups to which they belong

Ownership

Use chgrp

To change group ownership, can use chgrp
Works same as chown, including use of -R

References

Man pages: ls(1), chmod(1), chown(1), and chgrp(1)

Special Permissions

setuid Permissions

Runs command as user or group of file, not user that ran command

Example: passwd command

[student@desktop1$ ls -l /usr/bin/passwd
-rwsr-xr-x. 1 root root 35504 Jul 16  2010 /usr/bin/passwd

setuid permissions use s in place of x
- If no owner execute permissions, S replaces x

Special Permissions

sticky Permissions

Sets restriction on deletion of files
- Only file owner and root can delete files in directory
- Example: /tmp
  [student@desktop1$ ls -ld /tmp drwxrwxrwt. 39 root root 4096 Feb 8 20:2 /tmp
sticky permissions use t in place of x
- If no owner execute permissions, T replaces x

Special Permissions

setgid Permissions

Indicates files in directory inherit group affiliation from directory, not from creating user
Used on group collaborative directories to change file from default private group to shared group
Can spot setgid permissions by s in place of x
- If no group execute permissions, S replaces x

Special Permissions

Special Permission

Effect on Files

Effect on Directories

u+s (setuid)

File executes as user that owns file, not user that ran file

No effect

g+s (setgid)

File executes as group that owns file

Group owner of newly created files in directory is same group owner as directory

o+t (sticky)

No effect

Users with write permissions on directory can remove files they own; they cannot remove or force saves to files owned by other users

Special Permissions

Setting Special Permissions

Symbolically
- setuid = u+s
- setgid = g+s
- sticky = o+t
  - Example: Add setgid on directory
    [root@desktop1 ~]# chmod g+s directory
Numerically (fourth preceding digit)
- setuid = 4
- setgid = 2
- sticky = 1
  - Example: Set setgid, read/write/execute for user and group on directory
    [root@desktop1 ~]# chmod 2770 directory

Default File Permissions

Default file permissions set by processes that create them
- Example: Text editors create files that are readable and writeable, but not executable
mkdir creates directories with all permissions set: read, write, execute
- Permissions typically not set when creating files and directories
- Some permissions cleared by umask of shell process
umask without arguments displays current value of shell’s umask:
```
[student@desktop1$ umask
0002
```

Default File Permissions

umask

umask - Octal bitmask used to clear permissions of files and directories that process creates
If bit is set in umask, corresponding permission is cleared in files
- Example: umask 0002 clears write bit for other users
  - Leading zeros indicate special, user, and group permissions not cleared
- umask 077 clears all group and other permissions of newly created files
umask with single numeric argument changes umask of current shell
- Numeric argument indicates new umask value
- If fewer than three digits, leading zeros assumed
Default umask values for Bash shell users defined in /etc/profile and /etc/bashrc
Can override system defaults in .bash_profile and .bashrc

Transcript:

Every process on the system has a umask, which is an octal bitmask that is used to clear the permissions of new files and directories that are created by the process. If a bit is set in the umask, then the corresponding permission is cleared in new files. For example, the previous umask, 0002, clears the write bit for other users. The leading zeros indicate the special, user, and group permissions are not cleared. A umask of 077 clears all the group and other permissions of newly created files.

Use the umask command with a single numeric argument to change the umask of the current shell. The numeric argument should be an octal value corresponding to the new umask value. If it is less than 3 digits, leading zeros are assumed.

The system default umask values for Bash shell users are defined in the /etc/profile and /etc/bashrc files. Users can override the system defaults in their .bash_profile and .bashrc files.

The following steps demonstrate the effects of umask on new files and directories.

Default File Permissions

Step 1: Create new file and directory

Observe how default umask affects permissions

[student@desktop1$ touch newfile1
[student@desktop1$ ls -l newfile1
-rw-rw-r--. 1 STU STU 0 May  9 01:4 newfile1
[student@desktop1$ mkdir newdir1
[student@desktop1$ ls -ld newdir1
drwxrwxr-x. 2 STU STU 0 May  9 01:4 newdir1

Default File Permissions

Step 2: Set umask value to 0 and create new file and directory

umask 0 does not mask any permissions of new files

Observe how new umask affects permissions

[student@desktop1$ umask 0
[student@desktop1$ touch newfile2
[student@desktop1$ ls -l newfile2
-rw-rw-rw-. 1 STU STU 0 May  9 01:4 newfile2
[student@desktop1$ mkdir newdir2
[student@desktop1$ ls -ld newdir2
drwxrwxrwx. 2 STU STU 0 May  9 01:4 newdir2

Default File Permissions

Step 3: Set umask value to 007

Masks all other permissions of new files

[student@desktop1$ umask 007
[student@desktop1$ touch newfile3
[student@desktop1$ ls -l newfile3
-rw-rw----. 1 STU STU 0 May  9 01:5 newfile3
[student@desktop1$ mkdir newdir3
[student@desktop1$ ls -ld newdir3
drwxrwx---. 2 STU STU 0 May  9 01:4 newdir3

Default File Permissions

Step 4: Set umask value to 027

Masks write access for group members and all other permissions of new files

[student@desktop1$ umask 027
[student@desktop1$ touch newfile4
[student@desktop1$ ls -l newfile4
-rw-r-----. 1 STU STU 0 May  9 01:5 newfile4
[student@desktop1$ mkdir newdir4
[student@desktop1$ ls -ld newdir4
drwxr-x---. 2 STU STU 0 May  9 01:4 newdir4

Default File Permissions

Step 5: Log in as root to change default umask for unprivileged users

Prohibit all access for users not in their group
Modify /etc/bashrc and /etc/profile to change default umask for Bash shell users
Default umask for unprivileged users is 0002

Locate 0002 values and set umask to 007 for unprivileged users

[root@desktop1 ~]# less /etc/bashrc
    # You could check uidgid reservation validity in
    # /usr/share/doc/setup-*/uidgid file
    if [ $UID -gt 199 ] && [ "`id -gn`" = "`id -un`" ]; then
       umask 002
    else
       umask 022
    fi

    # Only display echos from profile.d scripts if we are no login shell
[root@desktop1 ~]# vim /etc/bashrc
[root@desktop1 ~]# less /etc/bashrc
    # You could check uidgid reservation validity in
    # /usr/share/doc/setup-*/uidgid file
    if [ $UID -gt 199 ] && [ "`id -gn`" = "`id -un`" ]; then
       umask 007
    else
       umask 022
    fi

    # Only display echos from profile.d scripts if we are no login shell
[root@desktop1 ~]# less /etc/profile
    # You could check uidgid reservation validity in
    # /usr/share/doc/setup-*/uidgid file
    if [ $UID -gt 199 ] && [ "`id -gn`" = "`id -un`" ]; then
        umask 002
    else
        umask 022
    fi

    for i in /etc/profile.d/*.sh ; do
[root@desktop1 ~]# vim /etc/profile
[root@desktop1 ~]# less /etc/profile
    # You could check uidgid reservation validity in
    # /usr/share/doc/setup-*/uidgid file
    if [ $UID -gt 199 ] && [ "`id -gn`" = "`id -un`" ]; then
        umask 007
    else
        umask 022
    fi

    for i in /etc/profile.d/*.sh ; do

Default File Permissions

Step 6: Log back in as student

Confirm that umask changes are persistent
```
[student@desktop1$ umask
0007
```
Other shells may have different system default initialization files

References

Man pages: bash(1), ls(1), chmod(1), and umask(1)

POSIX ACL Concepts

Access Control Lists (ACLs): Provide fine-grained access control to files and directories
Can grant permissions to:
- Named users or named groups
- Users and groups identified by a UID or GUID
- File owner, group owner, other
Same r, w, x permission flags
File owner can set ACLs on files or directories
New files and subdirectories can inherit ACL settings from parent default ACLs
Parent hierarchy needs other execute permission to give access to named users and named groups

Transcript:

Standard Linux file permissions are satisfactory for most situations, but they have limitations. Permissions restricting access to a file are limited to the file owner, membership of a single group, or everyone else. It may not be appropriate for the process (a running program) to be a member of the file’s owning group, and even less desirable to grant permission to everyone.

ACLs allow fine-grained permissions to be allocated to a file. Named users or named groups, as well as users and groups identified by a UID or GUID, can be granted permissions, in addition to the standard file owner, group-owner, and other file permissions. The same permission flags apply: r - read, w - write, and x - execute (on files, search for directories).

The file owner can set ACLs on individual files or directories. New files and subdirectories can automatically inherit ACL settings from the parent directory default ACLs, if they are set. Similar to normal file access rules, the parent directory hierarchy will need at least the other execute permission set to enable named users and named groups to have access.

File System Mount Option

Need to mount file system with ACL support enabled
XFS® file systems have built-in ACL support
Ext4 file systems in Red Hat Enterprise Linux 7 have acl enabled

Ext4 file systems created after installation in earlier versions of Red Hat Enterprise Linux may need the acl option included with the mount request, or set in the superblock.

ACL Permissions

ls -l outputs minimal ACL setting details:

[student@server1 steamies]$ ls -l roster.txt
-rwxrw----+ 1 student controller 130 Mar 19 23:6 roster.txt

+ indicates ACL settings associated with this file
user: Shows user ACL settings
- Same as standard user file settings: rwx
group: Shows ACL mask settings
- Not group owner settings: rw
other: Shows other ACL settings
- Same as standard other file settings: no access
Using chmod to change group permissions on file with ACL does not change group owner permissions, but does change ACL mask
- To change file’s group owner permissions:
  setfacl -m g::perms file

File ACLs

To display ACL settings on a file, use getfacl file :

[student@server1 steamies]$ getfacl roster.txt
# file:roster.txt
# owner:student
# group:controller
user:rwx
user:ames:---
user:005:rwx       #effective:rw-
group:rwx          #effective:rw-
group:odor:r--
group:210:rwx      #effective:rw-
mask:rw-
other:---

The next few slides discuss each section of this example in detail.

File ACLs

Opening Comment Entries

# file:roster.txt
# owner:student
# group:controller

User Entries

user:rwx (1)
user:ames:--- (2)
user:005:rwx       #effective:rw- (3)

File ACLs

Group Entries

group:rwx          #effective:rw- (1)
group:odor:r-- (2)
group:210:rwx      #effective:rw-  (3)

Mask Entry

mask:rw-

Other Entry

other:---

Directory ACLs

To display ACL settings on a directory, use getfacl /directory:

[student@server1 steamies]$ getfacl .
# file:.
# owner:student
# group:controller
# flags:-s-
user:rwx
user:ames:---
user:005:rwx
group:rwx
group:odor:r-x
group:210:rwx
mask:rwx
other:---
default:ser::rwx
default:ser:james:---
default:roup::rwx
default:roup:sodor:r-x
default:ask::rwx
default:ther::---

The next few slides discuss each section of this example in detail.

Directory ACLs

Opening Comment Entries

# file:.
# owner:student
# group:controller
# flags:-s-

Standard ACL Entries

user:rwx
user:ames:---
user:005:rwx
group:rwx
group:odor:r-x
group:210:rwx
mask:rwx
other:---

Directory ACLs

Default User Entries

default:ser::rwx   (1)
default:ser:james:---  (2)

Default Group Entries

default:roup::rwx     (1)
default:roup:sodor:r-x   (2)

Directory ACLs

Default ACL Mask Entry

default:ask::rwx

Default Other Entry

default:ther::---

Default entries do not include named user or named group
- Initial ACL entries not added automatically to new files or subdirectories
- Limits entries to files and subdirectories on which they already have ACLs, or if owner adds ACL using setfacl
- Can still create files and subdirectories
Can use output from getfacl as input to setfacl

Transcript:

Default ACL mask entry:

Default mask settings show the initial maximum permissions possible for all new files or directories created that have named user ACLs, the group-owner ACL, or named group ACLs:read and write for new files and execute permission on new subdirectories, new files never get execute permission.

Default other entry:

Default other or "world" permissions. All other UIDs and GIDs have NO permissions to new files or new subdirectories.

The default entries in the previous example do not include the named user (UID 1005) and named group (GID 2210); consequently, they will not automatically get initial ACL entries added for them to any new files or new subdirectories. This effectively limits them to files and subdirectories that they already have ACLs on, or if the relevant file owner adds the ACL later using setfacl. They can still create their own files and subdirectories.

The output from getfacl can be used as input to setfacl. Use getfacl -R /directory to generate output for the directory and its content. This output can be saved and used for recovery by passing the output to setfacl --set-file=file to do a mass update.

ACL Mask

ACL mask: Defines maximum permissions granted to named users, group owner, named groups
Does not restrict permissions of file owner or other users
All files and directories that implement ACLs have ACL mask
To view mask, use getfacl
To set mask, use setfacl
Mask automatically calculated and added if not set
- Can inherit from parent default mask setting
When you add, modify, or delete affected ACL, mask recalculates by default

ACL Permission Precedence

Process running as user that owns file: File’s user ACL permissions apply
Process running as user listed in named user ACL entry: Named user ACL permissions apply (if mask permits)
Process running as group that matches group owner of file, or as group with explicit named group ACL entry: Matching ACL permissions apply (if mask permits)
Otherwise: File’s other ACL permissions apply

References

Man pages: acl(5), getfacl(1), ls(1)

ACL File Permissions

To add, modify, or remove standard ACLs, use setfacl
ACLs use normal r, w, x, - representation for permissions
X indicates:
- Set execute permission on directories, not files
- Unless file already has relevant execute permission
- Same behavior as chmod

ACL File Permissions

Use setfacl to add, modify, remove standard ACLs
ACLs use normal r, w, x, - representation for permissions
X indicates:
- Set execute permission on directories, not files
- Unless file already has relevant execute permission
- Same behavior as chmod

ACL File Permissions

Add or Modify an ACL

Options for adding or replacing ACLs:
- Set via command line using -m
- Pass in via file using -M
  - Use - instead of file name for stdin
Other ACL entries on file or directory remain untouched
Use --set or --set-file to completely replace ACL settings on file
If ACL add does not include file owner, group owner, or other permissions:
- System uses base ACLs (current standard file permissions)
  - Base ACLS cannot be deleted
- System calculates and adds new mask value

ACL File Permissions

Add or Modify a User or Named User ACL

[student@server1 ~]$ setfacl -m u:name:rX file

If name left blank, applies to file owner
Otherwise name can be username or UID value
ACL and standard file owner permissions are equivalent
- Using chmod or setfacl on file owner permissions is equivalent
- chmod does not effect named users

ACL File Permissions

Add or Modify a Group or Named Group ACL

[student@server1 ~]$ setfacl -m g:ame:rw file

If name left blank, applies to group owner
Otherwise name can be group name or GID value for named group
chmod does not effect group permissions for files with ACL settings
- Updates ACL mask

ACL File Permissions

Add or Modify the Other ACL

[student@server1 ~]$ setfacl -m o::- file

Other accepts permission settings only
- Commonly set to -
- Can specify any standard permission
ACL and standard other permissions are equivalent
- Using chmod or setfacl on other permissions is equivalent

ACL File Permissions

Add Multiple Entries

Can add multiple entries in same command

Comma-separate each entry:

[student@server1 ~]$ setfacl -m u:rwx,g:sodor:rX,o::- file

In this example:
- File owner: Read, write, execute
- Named group sodor: Read-only and conditional execute
- All other users: No permissions
- Group owner: Maintains existing file or ACL permissions
- Other named entries: Unchanged

`getfacl` as Input

Can use output from getfacl as input to setfacl:
```
[student@server1 ~]$ getfacl file-A | setfacl --set-file=- file-B
```
- --set-file accepts input from file or stdin
- - specifies use of stdin
- file-B has same ACL settings as file-A

Explicit ACL Mask

Can explicitly set ACL mask on file or directory
Limits maximum permissions for named users, group owner, and named groups
Restricts permissions that exceed mask
No impact on permissions less permissive than mask
```
[student@server1 ~]$ setfacl -m m:r file
```
- Adds mask value that restricts named users, group owner, and named groups to read-only permission
- No impact to file owner and other users
getfacl displays effective comment beside entries restricted by mask setting
By default, ACL mask recalculates each time ACL is modified or deleted
- Potentially resets previous explicit mask setting
- To avoid recalculation, use -n or include mask setting (-m m::perms) with setfacl that modifies mask-affected ACL

Transcript:

An ACL mask can be explicitly set on a file or directory to limit the maximum effective permissions for named users, the group-owner, and named groups. This restricts any existing permissions that exceed the mask, but does nothing to permissions that are less permissive than the mask.

This would add a mask value that restricted any named users, the group-owner, and any named groups to read-only permission, regardless of their existing settings. The file owner and other users are not impacted by the mask setting.

getfacl will show an "effective" comment beside entries that are being restricted by a mask setting.

By default, the ACL mask is recalculated each time one of the impacted ACL settings (named users, group-owner, or named groups) is modified or deleted, potentially resetting a previous explicit mask setting.

To avoid the mask recalculation, use -n or include a mask setting (-m m::perms) with any setfacl operation that modifies mask-affected ACL settings.

Recursive ACL Modifications

To apply ACL recursively to directory structure and files, use -R
Can use X with recursion
- Files with execute permission retain setting
- Sets execute permissions for directories to allow directory search
Recommended: Use X when non-recursively setting ACLs
- Prevents administrator from accidentally adding execute permissions to regular file
  [student@server1 ~]$ setfacl -R -m u:ame:rX directory
- Adds username to directory, existing files, and subdirectories
- Grants read-only and conditional execute

ACL Deletion

Deletion is same as modify, but do not specify :perms
```
[student@server1 ~]$ setfacl -x u:name,g:name file
```
- Removes named user and named group from list of file or directory ACLs
- Other ACLs remain active
Can use delete (-x) and modify (-m) in same setfacl
Can delete mask only if no other ACLs set
- Base ACLs cannot be deleted
- Must delete mask last
File no longer has ACLs
ls -l does not show + next to permissions string
To delete all ACLs on file or directory (including default ACLs on directories):
```
[student@server1 ~]$ setfacl -b file
```

Default ACL Permissions

Can set default ACLs on directory
- New files and subdirectories automatically inherit
Can set default ACL permissions for each standard ACL settings, including default mask
Directory still requires standard ACLs for access control
- Default ACLs do not implement access control for directory
- Only provide ACL permission inheritance support
  [student@server1 ~]$ setfacl -m d:u:name:rx directory
  - Adds default named user (d:u:name) with read-only permission and execute permission on subdirectories

Default ACL Permissions

Using setfacl

Same as for standard ACLs
- Preface with d: or use -d option
When setting default ACLs on directory, include execute permission
- Ensures users can access contents of new subdirectories created in directory
- Users do not automatically get execute permission set on newly created regular files
  - ACL mask of a new regular file is rw-
New files and subdirectories get owner UID and primary group GID values set from creating user
- Exception: When parent directory setgid is enabled, primary group GID is same as parent directory GID

Transcript:

The setfacl command for adding a default ACL for each of the ACL types is exactly the same as for standard ACLs, but prefaced with d:. Alternatively, use the -d option on the command line.

When setting default ACLs on a directory, ensure that users will be able to access the contents of new subdirectories created in it by including the execute permission on the default ACL.

Users will not automatically get the execute permission set on newly created regular files because unlike new directories, the ACL mask of a new regular file is rw-.

New files and new subdirectories continue to get their owner UID and primary group GID values set from the creating user, except when the parent directory setgid flag is enabled, in which case the primary group GID will be the same as the parent directory GID.

Default ACL Permissions

Deleting Default ACLs

Same as deleting standard ACL
- Preface with d: or use -d option
  [student@server1 ~]$ setfacl -x d:u:name directory
- Removes default ACL added previously
To delete all default ACLs on directory, use setfacl -k /directory
To delete all ACLs on directory, use setfacl -b /directory

References

Man pages: acl(5), setfacl(1)

Summary

File/Directory Permissions
Ownership
Special Permissions
Default File Permissions
POSIX ACL Concepts
File System Mount Option
ACL Permissions
File ACLs
Directory ACLs
ACL Mask
ACL Permission Precedence
ACL File Permissions
getfacl as Input
Explicit ACL Mask
Recursive ACL Modifications
ACL Deletion
Default ACL Permissions

Module Completion

Nice job!

Click the button below to complete this module of the course:

Red Hat Enterprise Linux 7 Implementation

File System Permissions

Module Topics

File/Directory Permissions

File/Directory Permissions

File/Directory Permissions

File/Directory Permissions

File/Directory Permissions

File/Directory Permissions

Ownership

Ownership

Ownership

Ownership

Ownership

Special Permissions

Special Permissions

Special Permissions

Special Permissions

Special Permissions

Default File Permissions

Default File Permissions

Default File Permissions

Default File Permissions

Default File Permissions

Default File Permissions

Default File Permissions

Default File Permissions

POSIX ACL Concepts

File System Mount Option

ACL Permissions

File ACLs

File ACLs

File ACLs

Directory ACLs

Directory ACLs

Directory ACLs

Directory ACLs

ACL Mask

ACL Permission Precedence

ACL File Permissions

ACL File Permissions

ACL File Permissions

ACL File Permissions

ACL File Permissions

ACL File Permissions

ACL File Permissions

getfacl as Input

Explicit ACL Mask

Recursive ACL Modifications

ACL Deletion

Default ACL Permissions

Default ACL Permissions

Default ACL Permissions

Summary

Module Completion

`getfacl` as Input