Technical Diary » facl http://andriigrytsenko.net With Andrii Grytsenko Tue, 17 Aug 2010 08:25:33 +0000 en hourly 1 File ACL Mini-HOWTO http://andriigrytsenko.net/2009/07/file-acl-mini-howto/ http://andriigrytsenko.net/2009/07/file-acl-mini-howto/#comments Sun, 12 Jul 2009 10:14:22 +0000 admin http://andriigrytsenko.net/?p=253 Here I will try to explain you how FACL works in Linux environment and put it into the practice.

I will skip all theory about subject just say that FACL provide more flexibility file access manager in comparison with traditional filesystem permission model.

To make it work you need to mount system with acl option. Assuming you want to make filesystem /home work with ACL, then edit your /etc/fstab. Put acl in your option section in front of /home. Like this:

/dev/hda4  /home  ext3 defautls,acl 0 0

Remount your /home to make changes affected:

mount -o remount /home

Now you can work with ACL. Let’s make test directory with fully access for owner, read and execute access for group and no access for other: 

$mkdir test
$chmod 750 test
$ls -ld test
drwxr-x--- .... .

Command 

getfacl

display all extended permission : 

$ getfacl dir
# file: test
# owner: user1
# group: user1
user::rwx
group::r-x
other::---

There is small table which describe FACL structure. I think it will be helpful for you:

Entry type Text form
Owner user::rwx
Named user user:name:rwx
Owning group group::rwx
Named group group:name:rwx
Mask mask::rwx
Others other::rwx

Now grant fully access for user2 using command 

setfacl

with option 

-m

(modify):

$ setfacl -m user:user2:rwx test
$ getfacl --omit-header test
user::rwx
user:user2:rwx
group::r-x
mask::rwx
other::---

Also you can use next syntax to set more then one entry:

$ setfacl -m user:user2:rwx,group::r-x,user::rwx test

or 

$ setfacl -m u:user2:rwx,g::r-x,u::rwx test

make ls -ld again and you will see symbol “+” in the ending of the first field : 

$ls -ld test
rwxr-x---+ ...

This symbol is pointing out file or directory with has extended file permission.

Now, try to change group permission over the chmod: 

$chmod g+w test
$getfacl --omit-header test
user::rwx
user:user2:rwx
group::r-x
mask::rwx
other::---

As shown, in extended permission is nothing changed. That means the chmod has no influence on facl. Also facl has more priority then basic permission model. We can easily see that in next example: 

# usermod -g user1 user3
user1$ chmod g+w test
user3$ echo > ~user1/test/file1
-bash: /home/user1/test/file1: Permission denied
user1$ setfacl -m group::rwx test
user3$ echo > ~user1/test/file1
user1$ ls -l test/file1
-rw-r--r-- 1 user3 user1 0 .......

If you want to restrict some access for someone. For example try to delete write access for group: There is at least two ways for this: 

$ setfacl -m group::rx test

OR 

$ setfacl -m group::r-x test

Also we can set default permissions for the directory. This means that all created objects in this directory will inherit permissions of top level object. 

$ touch test/file
$ getfacl --omit-header test/file
user::rw-
group::rw-
other::r--
$ setfacl -d -m user:user2:r-x test
$ getfacl --omit-header test
user::rwx
user:user2:rwx
group::-w-
mask::rwx
other::---
default:user::rwx
default:user:user2:r-x
default:group::r-x
default:mask::rwx
default:other::---
$ rm test/file ; touch test/file
$ getfacl --omit-header test/file
user::rw-
user:user2:r-x
group::-w-
mask::rw-
other::---

To delete default permission involve “-k” option. Like this:

$ setfacl -k test
$ $ getfacl --omit-header test
user::rwx
user:user2:rwx
group::-w-
mask::rwx
other::---

More information you can get from this document or from manual documents.

]]> http://andriigrytsenko.net/2009/07/file-acl-mini-howto/feed/ 0