Traditional Linux access permissions for files and directories consist of setting a combination of read, write, and execute permissions for the owner of the file or directory, a member of the group the file or directory is associated with, and everyone else (other). Access control lists (ACLs) provide a finer-grained access control mechanism than these traditional Linux access permissions.
Installing ACL
Before using ACLs for a file or directory, install the acl package:
# yum install acl
Configuring ACL on a file system
The file system containing the file or directory must also be mounted with ACL support. The following is the syntax to mount a local ext3 file system with ACL support:
# mount -t ext3 -o acl [device-name] [mount-point]
For example:
# mount -t ext3 -o acl /dev/mapper/VolGroup00-LogVol00 /data
If the partition is listed in the /etc/fstab file, include the acl option:
# vi /etc/fstab LABEL=/data /data ext3 acl 0 0
ACL Rules
An ACL consists of a set of rules that specify how a user or group can access the file or directory the ACL is associated with. There are two types of ACL rules:
- access ACLs: Specify access information for a single file or directory
- default ACLs: Pertain to a directory only. It specifies default access information for any file within the directory that does not have an access ACL.
Display ACLs on files
Use the getfacl utility to display a file’s ACL. When a file does not have an ACL, it displays the same information as ‘ls –l’, although in a different format. For example, the file test does not have an ACL:
# ls –l test -rw-rw-r-- 1 oracle oracle 25 Mar 5 10:10 test
Sample getfacl output of the test file:
# getfacl test # file: test # owner: oracle # group: oracle user::rw- group::rw- other::r--
Configuring ACLs on Files
Use the setfacl utility to add or modify one or more rules in a file’s ACL. The syntax is:
# setfacl -m [rules] [files]
The rules are in the following form:
- u:name:permissions: Sets the access ACL for a user (username or UID)
- g:name:permissions: Sets the access ACL for the group (group name or GID)
- m:permissions: Sets the effective rights mask. This is the union of all permissions of the owning group and all of the user and group entries.
- o:permissions: Sets the access ACL for everyone else (others)
The permissions are the traditional r, w, and x for read, write, and execute, respectively. The following example adds a rule to the ACL for the test file that gives the oracle user read and write permission to that file:
# setfacl -m u:oracle:rwx test
The output of getfacl includes the ACL rule:
# getfacl test # file: test # owner: oracle # group: oracle user::rw- user:oracle:rwx group::rw- mask::rwx other::r--
When a file has an ACL, ‘ls –l’ displays a plus sign (+) following the permissions:
# ls –l test -rw-rwxr--+ 1 oracle oracle 25 Mar 5 10:10 test
Removing ACLs of Files
Use the –x option without specifying any permissions to remove rules for a user or group.
# setfacl –x u:oracle test
To remove the ACL itself, use the -b option:
# setfacl –b test
Setting the Default ACLs
To set a default ACL, add d: before the rule and specify a directory instead of a file name:
# setfacl -m d:o:rx /share