• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to footer navigation

The Geek Diary

  • OS
    • Linux
    • CentOS/RHEL
    • Solaris
    • Oracle Linux
    • VCS
  • Interview Questions
  • Database
    • oracle
    • oracle 12c
    • ASM
    • mysql
    • MariaDB
  • DevOps
    • Docker
    • Shell Scripting
  • Big Data
    • Hadoop
    • Cloudera
    • Hortonworks HDP

RHEL 7 – RHCSA Notes – Create and manage Access Control Lists (ACLs)

by admin

RHEL 7 – RHCSA Notes (Cheat Sheets)

The file access control lists (FACLs) or simply ACLs are the list of additional user/groups and their permission to the file. Although the default file permissions does their jobs perfectly, it does not allow you to give permissions to more than one user or one group on the same file.

How to know when a file has ACL attached to it

ls -l command would produce a output as show below. Note the + sign at the end of the permissions. This confirms that the file has an ACL attached to it.

# ls -l
-rw-r--r-+ 1   root   root  0  Sep  19  14:41  file

Viewing ACLs

To display details ACL information of a file use the getfacl command. If you see carefully, the users sam and john have some extra permissions (shown highlighted). The default user/group permissions are specified using “user::permission” and “group::

# getfacl /tmp/test
# file: test
# owner: root
# group: root
user::rw-
user:john:rw-
user:sam:rwx
group::r--
mask::rwx
other:---

In contrast, if you check the ACLs on a a file with “no ACLs” the additional “user:” lines and “mask” line will not be shown and standard file permissions will be shown. :

# getfacl test
# file: test
# owner: root
# group: root
user::rw-
group::r--
other::r--

Creating and Managing FACLs

The setfacl command is used to set ACL on the given file. To give a rw access to user john on the file /tmp/test :

# setfacl -m u:john:rw /tmp/test

The -m option tells setfacl to modify ACLs on the file(s) mentioned in command line. Instead of user john we can have a group to have a specific permission on the file :

# setfacl -m g:accounts:rw /tmp/test

FACLs for multiple user and groups can also be set with single command :

# setfacl -m u:john:rw,g:accounts:rwx /tmp/test

Default ACLs

By setting a default ACL, you’ll determine the permissions that will be set for all new items that are created in the directory. But the permissions of existing files and subdirectories remains same.

To create a default FACL on a directory :

# setfacl -m default:u:john:rw /accounts

Notice the default permissions in the getfacl command :

# getfacl accounts/
# file: accounts/
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:john:rw-
default:group::r-x
default:mask::rwx
default:other::r-x

Removing FACLs

To remove ACLs, use the setfacl command with -x option :

# setfacl -x u:john /tmp/test

The above command removes the ACL for the user john on the file /tmp/test. The ACLs for other user/groups if any remains unaffected. To remove all ACLs associated to a file use the -b option with setfacl :

# setfacl -b /tmp/test
You can also create a backup of ACLs using getfacl, and restore ACLs using setfacl command. To create the backup, use getfacl -R /dir > file.acls. To restore the settings from the backup file, use setfacl –restore=file.acl

Filed Under: CentOS/RHEL 7, RHCSA notes

Some more articles you might also be interested in …

  1. How to add words to the dictionary cracklib uses for validating passwords against known dictionary words
  2. Understanding /etc/xinetd.conf file in Linux
  3. /var/cache/yum Constantly Filling Files System in CentOS/RHEL
  4. Why Does “/var/log/messages” Report Martian Packets
  5. ip Command Examples to Manage Networking in Linux
  6. “passwd: Module is unknown” – error while changing the password in CentOS/RHEL 6
  7. How to troubleshoot iSCSI issues in CentOS / RHEL 6,7
  8. CentOS / RHEL 7 : How to recover from deleted root entry in /etc/shadow and/or /etc/passwd files
  9. How to backup Linux OS using “dd” Command
  10. Choosing SSSD or Winbind & Samba for Active Directory Integration in CentOS/RHEL

You May Also Like

Primary Sidebar

Recent Posts

  • What are /dev/zero and /dev/null files in Linux
  • grpck command – Remove corrupt or duplicate entries in the /etc/group and /etc/gshadow files.
  • xxd command – Expressed in hexadecimal form
  • sesearch: command not found

© 2022 · The Geek Diary

  • Archives
  • Contact Us
  • Copyright