Here I will try to explain how FACL (file access control lists) work in a Linux environment and put them into practice.
I will skip the theory of the subject and just say that FACLs provide more flexible file access management than the traditional filesystem permission model.
To make it work you need to mount the filesystem with the acl option. Assuming you want /home to support ACLs, edit your /etc/fstab and add acl to the options field of the /home line, like this:

```
/dev/hda4 /home ext3 defaults,acl 0 0
```
Remount /home so the change takes effect:

```
mount -o remount /home
```
Now you can work with ACLs. Let’s make a test directory with full access for the owner, read and execute access for the group and no access for others:

```
$ mkdir test
$ chmod 750 test
$ ls -ld test
drwxr-x--- .... .
```
The getfacl command displays all extended permissions:

```
$ getfacl test
# file: test
# owner: user1
# group: user1
user::rwx
group::r-x
other::---
```
Here is a small table describing the FACL entry structure. I think it will be helpful for you:
| Entry type | Text form |
|---|---|
| Owner | user::rwx |
| Named user | user:name:rwx |
| Owning group | group::rwx |
| Named group | group:name:rwx |
| Mask | mask::rwx |
| Others | other::rwx |
Now grant full access to user2 using the setfacl command with the -m (modify) option:

```
$ setfacl -m user:user2:rwx test
$ getfacl --omit-header test
user::rwx
user:user2:rwx
group::r-x
mask::rwx
other::---
```
You can also use the following syntax to set more than one entry at once:

```
$ setfacl -m user:user2:rwx,group::r-x,user::rwx test
```

or, with the short tag names:

```
$ setfacl -m u:user2:rwx,g::r-x,u::rwx test
```
Run ls -ld again and you will see a “+” at the end of the first field:

```
$ ls -ld test
drwxr-x---+ ...
```

This symbol marks a file or directory that has extended file permissions.
Now try to change the group permission with chmod:

```
$ chmod g+w test
$ getfacl --omit-header test
user::rwx
user:user2:rwx
group::r-x
mask::rwx
other::---
```

As you can see, nothing changed in the extended permissions. That means chmod has no influence on the FACL. Also, the FACL takes priority over the basic permission model. We can easily see that in the next example:

```
# usermod -g user1 user3
user1$ chmod g+w test
user3$ echo > ~user1/test/file1
-bash: /home/user1/test/file1: Permission denied
user1$ setfacl -m group::rwx test
user3$ echo > ~user1/test/file1
user1$ ls -l test/file1
-rw-r--r-- 1 user3 user1 0 .......
```
If you want to restrict access for someone, for example remove write access for the group, there are at least two ways to do it:

```
$ setfacl -m group::rx test
```

or

```
$ setfacl -m group::r-x test
```
We can also set default permissions on a directory. This means that all objects created in this directory will inherit the permissions of the top-level object.

```
$ touch test/file
$ getfacl --omit-header test/file
user::rw-
group::rw-
other::r--
$ setfacl -d -m user:user2:r-x test
$ getfacl --omit-header test
user::rwx
user:user2:rwx
group::-w-
mask::rwx
other::---
default:user::rwx
default:user:user2:r-x
default:group::r-x
default:mask::rwx
default:other::---
$ rm test/file ; touch test/file
$ getfacl --omit-header test/file
user::rw-
user:user2:r-x
group::-w-
mask::rw-
other::---
```
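The chmod and default-ACL sessions above both come down to rules from acl(5): the mask entry caps named users and every group entry (which is why user3 stays locked out after chmod g+w but gets in after setfacl -m group::rwx), chmod rewrites the mask rather than the group:: entry when a mask exists, and a new file takes the directory's default entries intersected with its creation mode. The following is an added example, not code from the original post or from the acl package: a small Python model of those rules that parses getfacl --omit-header output like the listings above. The user names (user1, user2, user3) and the ACL text are constructed from the post.

```python
# Added example, not from the original post: a Python model of how the kernel
# evaluates a POSIX ACL per acl(5). It parses `getfacl --omit-header` output,
# checks access, applies chmod the way it really touches an ACL (mask::, not
# group::) and derives the ACL a new file inherits from default entries.

PERM_BITS = {"r": 4, "w": 2, "x": 1}

def perms_to_bits(text):
    """'r-x' -> 5; the short 'rx' form setfacl accepts works too."""
    return sum(b for ch, b in PERM_BITS.items() if ch in text)

def bits_to_perms(bits):
    return "".join(ch if bits & b else "-" for ch, b in PERM_BITS.items())

def parse_acl(text):
    """Return a list of (tag, qualifier, bits, is_default) entries."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop '#effective:' notes, blanks
        if not line:
            continue
        is_default = line.startswith("default:")
        tag, qualifier, perms = line.removeprefix("default:").split(":")
        entries.append((tag, qualifier, perms_to_bits(perms), is_default))
    return entries

def format_acl(entries):
    return "\n".join(("default:" if d else "") + f"{t}:{q}:{bits_to_perms(b)}"
                     for t, q, b, d in entries)

def _find(entries, tag, qualifier=""):
    for t, q, bits, is_default in entries:
        if t == tag and q == qualifier and not is_default:
            return bits
    return None

def check_access(acl, owner, owning_group, user, groups, requested):
    """acl(5) check: the first matching class decides. mask:: limits named
    users, the owning group and named groups, never the owner or other::."""
    want = perms_to_bits(requested)
    mask = _find(acl, "mask")
    if mask is None:
        mask = 7  # no mask entry: nothing is filtered
    if user == owner:
        return (_find(acl, "user") & want) == want
    named = _find(acl, "user", user)
    if named is not None:
        return (named & mask & want) == want
    candidates = [b for t, q, b, d in acl if t == "group" and not d
                  and (owning_group if q == "" else q) in groups]
    if candidates:  # group class: denied unless one group entry grants it all
        return any((b & mask & want) == want for b in candidates)
    return (_find(acl, "other") & want) == want

def _mode_target(tag, qualifier, has_mask):
    """Index of the mode bit triple (0 owner, 1 group, 2 other) an access entry
    stands for; None for named entries and for group:: when a mask exists."""
    if qualifier or (tag == "group" and has_mask):
        return None
    return {"user": 0, "group": 1, "mask": 1, "other": 2}.get(tag)

def apply_chmod(acl, mode):
    """chmod rewrites user::, other:: and, when a mask entry exists, mask::
    rather than group::, so `chmod g+w` cannot widen a masked group entry."""
    bits = ((mode >> 6) & 7, (mode >> 3) & 7, mode & 7)
    has_mask = _find(acl, "mask") is not None
    out = []
    for t, q, b, d in acl:
        idx = None if d else _mode_target(t, q, has_mask)
        out.append((t, q, b if idx is None else bits[idx], d))
    return out

def inherit_default(dir_acl, mode):
    """Access ACL of a new object: the directory's default entries, with the
    entries standing for the mode bits intersected with the creation mode.
    umask is ignored when a default ACL exists."""
    defaults = [(t, q, b, False) for t, q, b, d in dir_acl if d]
    if not defaults:
        return None
    bits = ((mode >> 6) & 7, (mode >> 3) & 7, mode & 7)
    has_mask = _find(defaults, "mask") is not None
    out = []
    for t, q, b, d in defaults:
        idx = _mode_target(t, q, has_mask)
        out.append((t, q, b if idx is None else b & bits[idx], d))
    return out

# Constructed from the post: 'test' after `setfacl -d -m user:user2:r-x test`
TEST_DIR = parse_acl("\n".join([
    "user::rwx", "user:user2:rwx", "group::r-x", "mask::rwx", "other::---",
    "default:user::rwx", "default:user:user2:r-x", "default:group::r-x",
    "default:mask::rwx", "default:other::---"]))
TEST_ACL = [e for e in TEST_DIR if not e[3]]  # same directory without defaults

def demo():
    """user3 is in the owning group user1 (usermod -g user1 user3 in the post)."""
    after_chmod = apply_chmod(TEST_ACL, 0o770)  # chmod g+w test
    after_setfacl = parse_acl("user::rwx\nuser:user2:rwx\ngroup::rwx\nmask::rwx\nother::---")
    return {
        "user2_rw": check_access(TEST_ACL, "user1", "user1", "user2", ["user2"], "rw"),
        "user3_w_after_chmod": check_access(after_chmod, "user1", "user1", "user3", ["user1"], "w"),
        "user3_w_after_setfacl": check_access(after_setfacl, "user1", "user1", "user3", ["user1"], "w"),
        "new_file_acl": format_acl(inherit_default(TEST_DIR, 0o666)),
    }
```

Calling demo() shows user3 denied write after chmod g+w (the group:: entry is still r-x and only the mask was touched) and allowed after the group:: entry itself is widened; new_file_acl is what a file created with mode 0666 inherits from the default entries, which is the quickest way to check a default ACL before relying on it.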
To delete the default permissions, use the -k option, like this:

```
$ setfacl -k test
$ getfacl --omit-header test
user::rwx
user:user2:rwx
group::-w-
mask::rwx
other::---
```
You can get more information from this document or from the manual pages.