Red Hat ACL or Extended Permissions
The filesystems ext2/3/4 also support more complex file permissions called ACLs. I will not cover that deeply, just enough to get you going.
Enabling ACLs
If you want to use ACLs you should mount the filesystem with an extra option, called acl. The installer sets this option on all ext4 filesystems that are created during the installation, but filesystems you create afterwards do not get it.
You can use the tune2fs command to set the default mount options:
tune2fs -o acl,user_xattr /dev/vgsrv/home
Or remove it from the default options:
tune2fs -o ^acl /dev/vgsrv/home
See ACL
You can recognize that there are ACLs on a file with ls: the last character of the permissions column is shown as a +.
You can use getfacl to see the ACL:
[root@localhost ~]# ls -l /permissions/
total 4
-rw-rw-r--+ 1 root root 0 Apr 12 12:28 file1
[root@localhost ~]# getfacl /permissions/file1
getfacl: Removing leading '/' from absolute path names
# file: permissions/file1
# owner: root
# group: root
user::rw-
group::r--
group:sjoerdhooft:rw-
mask::rw-
other::r--
Note that user::, group:: and other:: refer to the original user, group and other permissions of the file.
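In the listing above, ls -l prints rw- in the group column while getfacl reports group::r--: once a file has an ACL, that column shows the mask entry, and the mask caps what named users and groups really get. The following added example (not part of the original page) parses getfacl text output and prints each entry's effective permission; the names SAMPLE, acl_effective and ls_group_bits are made up for this example.

```shell
#!/bin/sh
# Added example: work out effective ACL permissions from getfacl text output.
# SAMPLE is the getfacl output for file1 as shown on this page.
SAMPLE='# file: permissions/file1
# owner: root
# group: root
user::rw-
group::r--
group:sjoerdhooft:rw-
mask::rw-
other::r--'

# Hypothetical helper: reads getfacl output on stdin and prints every access
# entry followed by the permission that remains after the mask is applied.
acl_effective() {
    awk -F: '
    /^#/ || /^default:/ || NF < 3 { next }  # headers, default ACL, blank lines
    {
        tag[++n] = $1; who[n] = $2
        perm[n] = substr($3, 1, 3)          # ignore any "#effective:" suffix
        if ($1 == "mask") mask = perm[n]
    }
    END {
        for (i = 1; i <= n; i++) {
            if (tag[i] == "mask") continue
            eff = perm[i]
            # The mask caps named users, the owning group and named groups.
            # The file owner (user::) and other:: are never masked.
            capped = (tag[i] == "group" || (tag[i] == "user" && who[i] != ""))
            if (capped && mask != "") {
                eff = ""
                for (c = 1; c <= 3; c++) {
                    p = substr(perm[i], c, 1)
                    if (p != substr(mask, c, 1)) p = "-"
                    eff = eff p
                }
            }
            printf "%s:%s:%s effective=%s\n", tag[i], who[i], perm[i], eff
        }
    }'
}

# Hypothetical helper: the group column that ls -l shows for this ACL.
# With a mask entry present, ls shows the mask, not the group:: entry.
ls_group_bits() {
    awk -F: '/^mask::/  { m = substr($3, 1, 3) }
             /^group::/ { g = substr($3, 1, 3) }
             END { print (m != "" ? m : g) }'
}

printf '%s\n' "$SAMPLE" | acl_effective
```

Pipe real output into it with getfacl /permissions/file1 | acl_effective to audit what an entry actually grants after a chmod has narrowed the mask.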
Set ACL
You can set an ACL using setfacl.
This is how I've added the private group of user sjoerdhooft to file1 as displayed above:
setfacl -m g:sjoerdhooft:rw /permissions/file1
This is an example to add an ACL for a user:
setfacl -m u:sjoerdhooft:rw /permissions/file1
This is an example to remove the ACL permissions:
setfacl -x u:sjoerdhooft /permissions/file1
This is an example to change (remove) the normal other permissions:
setfacl -m o::- /permissions/file1
Set Default ACLs
You can also set a default ACL so all newly created files in a directory receive the permission you set (add d: for default to the command):
setfacl -m d:u:sjoerdhooft:rw /permissions
And if you also want all existing files in the directory to receive the permissions, including files in subdirectories, set the recursive option as well:
setfacl -m d:g:sjoerdhooft:rw -R /permissions
Resources
If you want more information see:
[root@localhost ~]# man -k acl
acl (5) - Access Control Lists
chacl (1) - change the access control list of a file or directory
getfacl (1) - get file access control lists
.k5login [k5login] (5) - Kerberos V5 acl file for host access
setfacl (1) - set file access control lists