Traditional Linux access permissions for files and directories consist of setting a combination of read, write, and execute permissions for the owner of the file or directory, a member of the group the file or directory is associated with, and everyone else (other). Access control lists (ACLs) provide a finer-grained access control mechanism than these traditional Linux access permissions.


Installing ACL


Before using ACLs for a file or directory, install the acl package:

# yum install acl


Configuring ACL on a file system


The file system containing the file or directory must also be mounted with ACL support. The following is the syntax to mount a local ext3 file system with ACL support:

# mount -t ext3 -o acl [device-name] [mount-point]


For example:

# mount -t ext3 -o acl /dev/mapper/VolGroup00-LogVol00 /data


If the partition is listed in the /etc/fstab file, include the acl option:

# vi /etc/fstab
LABEL=/data    /data    ext3    acl     0    0
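
Before relying on setfacl on a file system it is worth confirming that the fstab entry really carries the acl option as a whole option: a plain grep for "acl" also matches "noacl". The following POSIX shell function is an added example, not from this article. It runs against a constructed /etc/fstab excerpt (FSTAB_SAMPLE, with invented labels and mount points) so it can be tried offline; called with only a mount point it reads the real /etc/fstab.

```shell
#!/bin/sh
# Added example, not part of the original article: verify that an fstab entry
# for a given mount point carries the "acl" mount option.
# FSTAB_SAMPLE is a constructed /etc/fstab excerpt used so the check can be
# exercised offline; drop the second argument to read the real file instead.
FSTAB_SAMPLE='# <device>     <mount point>  <type>  <options>         <dump> <pass>
LABEL=/        /              ext3    defaults          1      1
LABEL=/data    /data          ext3    acl               0      0
LABEL=/backup  /backup        ext3    defaults,noatime  0      0
LABEL=/scratch /scratch       ext3    rw,noacl          0      0
'

# fstab_has_acl MOUNT_POINT [FSTAB_TEXT]
# Prints "yes" when the entry's option list contains "acl" as a whole option,
# "no" when an entry exists without it, and "missing" when no entry matches.
# Matching whole comma-separated options avoids false positives such as
# "noacl" that a plain grep for "acl" would report.
fstab_has_acl() {
    mp=$1
    if [ $# -ge 2 ]; then text=$2; else text=$(cat /etc/fstab); fi
    printf '%s\n' "$text" | awk -v mp="$mp" '
        /^[[:space:]]*#/ || NF < 4 { next }   # skip comments and blank/short lines
        $2 == mp {
            found = 1
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++)
                if (opts[i] == "acl") { print "yes"; exit }
            print "no"
            exit
        }
        END { if (!found) print "missing" }'
}

# Usage on a live system (reads /etc/fstab):  fstab_has_acl /data
```

The check only covers /etc/fstab; whether the file system is currently mounted with the option is a separate question, answered by the live mount table (the mount command with no arguments lists the active options).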


ACL Rules


An ACL consists of a set of rules that specify how a user or group can access the file or directory the ACL is associated with. There are two types of ACL rules:

  • access ACLs: Specify access information for a single file or directory
  • default ACLs: Pertain to a directory only and specify the default access information for any file within the directory that does not have an access ACL.

Display ACLs on files


Use the getfacl utility to display a file's ACL. When a file does not have an ACL, getfacl shows the same information as ls -l, although in a different format. For example, the file test does not have an ACL:

# ls -l test
-rw-rw-r-- 1 oracle oracle 25 Mar 5 10:10 test

Sample getfacl output of the test file:

# getfacl test
# file: test
# owner: oracle
# group: oracle
user::rw-
group::rw-
other::r--

Configuring ACLs on Files

Use the setfacl utility to add or modify one or more rules in a file's ACL. The syntax is:

# setfacl -m [rules] [files]

The rules are in the following form:

  • u:name:permissions: Sets the access ACL for a user (user name or UID)
  • g:name:permissions: Sets the access ACL for a group (group name or GID)
  • m:permissions: Sets the effective rights mask. This is the union of all permissions of the owning group and all of the named user and group entries, and it caps what those entries can grant: a named user given rw- under a mask of r-- is effectively limited to read.
  • o:permissions: Sets the access ACL for everyone else (others)

The permissions are the traditional r, w, and x for read, write, and execute, respectively. The following example adds a rule to the ACL for the test file that gives the oracle user read and write permission to that file:

# setfacl -m u:oracle:rw test

The output of getfacl includes the ACL rule:

# getfacl test
# file: test
# owner: oracle
# group: oracle
user::rw-
user:oracle:rw-
group::rw-
mask::rw-
other::r--

When a file has an ACL, ls -l displays a plus sign (+) following the permissions:

# ls -l test
-rw-rw-r--+ 1 oracle oracle 25 Mar 5 10:10 test
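
The mask entry decides what a named user or group actually gets, so reading a getfacl listing without applying the mask can overstate or understate access; and the plus sign in ls -l is the quickest way to spot which files carry an ACL at all. The following shell script is an added example, not code from this article: it parses a constructed getfacl listing (GETFACL_SAMPLE, with invented entries for the accounts backup and dba and a deliberately restrictive mask) and reports the enforced permissions for one entry the way the kernel computes them, and it picks the ACL-bearing names out of a constructed ls -l listing (LS_SAMPLE). The function names effective_perms and acl_flagged are my own.

```shell
#!/bin/sh
# Added example, not part of the original article: read a getfacl listing and
# report (a) the permissions actually enforced for one entry once the mask is
# applied and (b) which entries in an ls -l listing carry an ACL (the "+" flag).
# GETFACL_SAMPLE and LS_SAMPLE are constructed listings so the functions can be
# exercised offline; on a live system pipe real getfacl / ls -l output into them.
GETFACL_SAMPLE='# file: test
# owner: oracle
# group: oracle
user::rw-
user:oracle:rw-
user:backup:r-x
group::rw-
group:dba:rwx
mask::r--
other::r--
'
LS_SAMPLE='-rw-rw-r--+ 1 oracle oracle   25 Mar  5 10:10 test
-rw-r--r--  1 root   root   1024 Mar  5 10:12 notes.txt
drwxr-x---+ 2 oracle dba    4096 Mar  5 10:15 share
'

# effective_perms TYPE NAME [GETFACL_TEXT]
# TYPE is user, group or other; NAME is the account or group name, or "" for
# the owning user / owning group entry. Prints the rwx string that is enforced:
# the file owner and "other" are never limited by the mask, while the owning
# group and every named user or group entry are ANDed with mask::. Prints
# "none" if no such entry exists. Reads the listing from stdin if not passed.
effective_perms() {
    if [ $# -ge 3 ]; then text=$3; else text=$(cat); fi
    printf '%s\n' "$text" | awk -F: -v t="$1" -v n="$2" '
        { sub(/[[:space:]]*#.*/, "") }       # drop header lines and #effective notes
        $0 == "" { next }
        $1 == "mask" { mask = $3 }
        $1 == t && $2 == n { perm = $3 }
        END {
            if (perm == "") { print "none"; exit }
            if ((t == "user" && n == "") || t == "other" || mask == "") { print perm; exit }
            out = ""
            for (i = 1; i <= 3; i++) {
                p = substr(perm, i, 1)
                out = out ((p != "-" && p == substr(mask, i, 1)) ? p : "-")
            }
            print out
        }'
}

# acl_flagged [LS_TEXT]
# Prints the names of entries whose mode string ends in "+", i.e. files and
# directories that carry an ACL. Names containing spaces are not handled.
acl_flagged() {
    if [ $# -ge 1 ]; then text=$1; else text=$(cat); fi
    printf '%s\n' "$text" | awk '$1 ~ /[+]$/ { print $NF }'
}

# Live usage:  getfacl test | effective_perms user oracle
#              ls -l /data | acl_flagged
```

With the sample mask of r--, user:oracle:rw- collapses to r-- while the owning user keeps rw-, which is exactly the difference an audit should report rather than the raw entry.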

Removing ACLs of Files

Use the -x option without specifying any permissions to remove the rules for a user or group:

# setfacl -x u:oracle test

To remove the ACL itself, use the -b option:

# setfacl -b test

Setting the Default ACLs


To set a default ACL, add d: before the rule and specify a directory instead of a file name:

# setfacl -m d:o:rx /share
