50. File Permissions - Filesystem Access Control List
Contents
Although the chmod command is powerful enough, it cannot assign permissions more finely, so Linux provides some flexible commands to specify permissions for a particular user or group. Starting from Linux kernel 2.6, we can allocate more granular permissions to users or groups.
Before We Start
Before we begin, we make sure that the system we are using is based on a 2.6 or later kernel:
|
|
Get File ACL
We can use the getfacl command to get an access control list for a file.
Here are some options for getfacl command:
Option | Meaning |
---|---|
-a or ‑‑access | Output all ACLs. |
-d or ‑‑default | Output default ACLs. |
-c or ‑‑omit-header | Output ACLs without the comment header. |
-e or ‑‑all-effective | Output all effective right comments. |
-E or ‑‑no-effective | Output non effective right comments. |
-s or ‑‑skip-base | Skip all files or directories’ ACLs that only contain basic ACL entries. |
-R or ‑‑recursive | Output all the files and directories’ ACLs recursively. |
-L or ‑‑logical | Output all the files, directories and symbolic links’ ACLs recursively, so must be using with -R. |
-P or ‑‑physical | Output all the files and directories’ ACLs recursively except the symbolic links’, so must be using with -R. |
-t or ‑‑tabular | Output the file or directory’s ACL in tabular format. |
-p or ‑‑absolute-names | Keep the leading slash(/) of a path. |
-n or ‑‑numeric | Output the owner and group IDs instead of the names. |
By default, the getfacl command outputs the access control list and the default access control list:
|
|
File Access Control List
With the -a or ‑‑access parameter, we can view the file’s access control list:
|
|
File Default Access Control List
With the -d or ‑‑default parameter, we can view the file’s default access control list:
|
|
Ignore the Comment Header
With the -c or ‑‑omit-header parameter, we can view the file’s access control list without the comment header:
|
|
All Effective Rights Comments
With the -e or ‑‑all-effective parameter, we can view the file’s all effective rights comments:
|
|
No Effective Rights Comments
With the -E or ‑‑no-effective parameter, we can view the file’s non effective rights comments:
|
|
Skip Base ACL Entries
With the -s or ‑‑skip-base parameter, we can skip the file that only has base ACL entries (owner, group, others):
|
|
All Files and Directories ACLs
We prepare a directory and two files before we begin:
|
|
With the -R or ‑‑recursive parameter, we can view all the files and directories’ access control lists:
|
|
Symbolic Links in Recursion
We prepare a symbolic link:
|
|
With the -L or ‑‑logical parameter plus the -R or ‑‑recursive parameter, we can view all the files, directories and symbolic links’ access control lists:
|
|
No Symbolic Links in Recursion
With the -P or ‑‑physical parameter plus the -R or ‑‑recursive parameter, we can view all the files and directories’ access control lists but not symbolic links’:
|
|
Tabular Format
With the -t or ‑‑tabular parameter, we can view the file or directory’s access control lists side by side:
|
|
Plus the -R or ‑‑recursive parameter, we can view all the files and directories’ access control lists side by side:
|
|
Keep the Leading slash (/)
With the -p or ‑‑absolute-names parameter, we can view the file or directory’s access control lists and keep the leading slash:
|
|
User and Group IDs
With the -n or ‑‑numeric parameter, we can view the file or directory’s access control lists and its owner and group’s IDs instead of the names:
|
|
Set and Remove File ACL
We can use the getfacl command to configure the access control list for a file.
Here are some options for getfacl command:
Option | Meaning |
---|---|
‑‑set or ‑‑set-file | Replace an existing ACL of a file or directory with the specified ACL. |
-m or ‑‑modify or -M ‑‑modify-file | Change the ACL of a file or directory. Can’t be use with -x. |
-x or ‑‑remove or -X or ‑‑remove-file | Delete the ACL of a file or directory. Can’t be use with -m |
-b or ‑‑remove-all | |
-k or ‑‑remove-default | |
-n or ‑‑no-mask | |
‑‑mask | |
-d or ‑‑default | |
‑‑restore=file | Must be using individually or with ‑‑test |
‑‑test | |
-R or ‑‑recursive | |
-L or ‑‑logical | |
-P or ‑‑physical |
Set Permissions
With the -m option followed by the {(u|user)|(g|group)|(m|mask)|(o|other)}:{user|group}:{(r|4)|(w|2)|(x|1)} format, we can change a user’s permissions on the file.
Set Permission for a User
With the -m option followed by the (u|user):username:{(r|4)|(w|2)|(x|1)} format, we can change a user’s permissions on the file:
|
|
Set Permission for a Group
|
|
Set Other Permission
|
|
Set Mask Permission
|
|
Clone ACL Between Files and Directories
|
|
Set Default Permissions
|
|
Remove Extended ACLs
Remove a Specific User or Group ACL
We can remove the acl of a user or group by replacing the -m parameter with the -x parameter:
|
|
Remove All ACLs
|
|
References POSIX ACLs in Linux GETFACL(1), SETFACL(1)
Author Dong Chen
LastMod Fri Mar 22 2019