SHIFT-WIKI

--- Sjoerd Hooft's InFormation Technology ---


Red Hat ACL or Extended Permissions

The ext2/3/4 filesystems also support more fine-grained file permissions called ACLs (Access Control Lists). I will not cover them in depth, just enough to get you going.

Enabling ACLs

If you want to use ACLs, the filesystem must be mounted with an extra option called acl. The installer enables this option on all ext4 filesystems created during the installation, but filesystems you create afterwards lack it.

You can use the tune2fs command to set the default mount options:

tune2fs -o acl,user_xattr /dev/vgsrv/home

Or remove it from the default options:

tune2fs -o ^acl /dev/vgsrv/home

See ACL

You can recognize that a file carries an ACL with ls: the last character of the permissions field is shown as a +.

You can use getfacl to see the ACL:

[root@localhost ~]# ls -l /permissions/
total 4
-rw-rw-r--+ 1 root root 0 Apr 12 12:28 file1
[root@localhost ~]# getfacl /permissions/file1
getfacl: Removing leading '/' from absolute path names
# file: permissions/file1
# owner: root
# group: root
user::rw-
group::r--
group:sjoerdhooft:rw-
mask::rw-
other::r--
Note that user::, group:: and other:: refer to the file's original user, group and other permissions. The mask:: entry is the upper limit on what named user entries, named group entries and the owning group can effectively get.

Set ACL

You can set an ACL using setfacl. This is how I added the private group of user sjoerdhooft to file1 as displayed above:

setfacl -m g:sjoerdhooft:rw /permissions/file1

This is an example to add an ACL entry for a user:

setfacl -m u:sjoerdhooft:rw /permissions/file1

This is an example to remove that user's ACL entry again:

setfacl -x u:sjoerdhooft /permissions/file1

This is an example to change (here: remove) the normal other permissions:

setfacl -m o::- /permissions/file1

Set Default ACLs

You can also set a default ACL so all newly created files in a directory receive the permissions you set (prefix the entry with d: for default):

setfacl -m d:u:sjoerdhooft:rw /permissions

And if you also want all existing files in the directory to receive the permissions, including files in subdirectories, set the recursive option as well:

setfacl -m d:g:sjoerdhooft:rw -R /permissions
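As an added example (not from the wiki page, and not a tool shipped with the acl package), the following Python script parses getfacl output like the listing in the See ACL section, computes the effective permissions after the mask:: entry is applied, lists the default: entries that the d: commands above create separately from the access entries, and flags entries that are world-writable or silently cut down by the mask. The first file in the sample is the page's own listing for file1; the second, permissions/shared, and all of its entries are constructed for this example.

```python
"""Parse getfacl(1) output and work out the effective permissions per entry.

Added example; not part of the wiki page. The sample below combines the
page's listing for file1 with a constructed directory "permissions/shared".
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: file1 is copied from the page, "shared" is made up
# to show a limiting mask, a world-writable "other" and default (d:) entries.
SAMPLE_GETFACL = """\
getfacl: Removing leading '/' from absolute path names
# file: permissions/file1
# owner: root
# group: root
user::rw-
group::r--
group:sjoerdhooft:rw-
mask::rw-
other::r--

# file: permissions/shared
# owner: root
# group: root
user::rwx
group::r-x
user:sjoerdhooft:rwx\t#effective:r-x
mask::r-x
other::rwx
default:user::rwx
default:group::r-x
default:user:sjoerdhooft:rw-
default:mask::rwx
default:other::---
"""


@dataclass
class AclEntry:
    tag: str         # user, group, mask or other
    qualifier: str   # empty for the owner, owning group, mask and other
    perms: str       # e.g. "rw-"
    default: bool    # True for "default:" entries (directories only)


@dataclass
class FileAcl:
    path: str
    owner: str = ""
    group: str = ""
    entries: List[AclEntry] = field(default_factory=list)


ENTRY_RE = re.compile(r"^(default:)?(user|group|mask|other):([^:]*):([rwx-]{3})$")


def parse_getfacl(text: str) -> List[FileAcl]:
    """Split getfacl output into one FileAcl per '# file:' block."""
    acls: List[FileAcl] = []
    current: Optional[FileAcl] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("getfacl:"):
            continue                      # blank separators and warnings
        if line.startswith("#"):          # header comments: file, owner, group
            key, _, value = line[1:].partition(":")
            key, value = key.strip(), value.strip()
            if key == "file":
                current = FileAcl(path=value)
                acls.append(current)
            elif key == "owner" and current:
                current.owner = value
            elif key == "group" and current:
                current.group = value
            continue
        line = line.split("#", 1)[0].strip()   # drop a "#effective:..." annotation
        m = ENTRY_RE.match(line)
        if m is None or current is None:
            raise ValueError(f"unrecognised getfacl line: {raw!r}")
        current.entries.append(AclEntry(m.group(2), m.group(3), m.group(4), bool(m.group(1))))
    return acls


def _and_perms(a: str, b: str) -> str:
    """AND of two rwx strings: a permission survives only if both grant it."""
    return "".join(x if x == y else "-" for x, y in zip(a, b))


def effective_perms(acl: FileAcl, default: bool = False) -> Dict[str, str]:
    """Map 'tag:qualifier' to effective permissions for the access or default ACL.

    The mask caps named users, named groups and the owning group; the owner
    (user::) and other:: are never masked.
    """
    entries = [e for e in acl.entries if e.default == default]
    mask = next((e.perms for e in entries if e.tag == "mask"), None)
    effective: Dict[str, str] = {}
    for e in entries:
        masked = mask is not None and (e.qualifier != "" or e.tag == "group")
        effective[f"{e.tag}:{e.qualifier}"] = _and_perms(e.perms, mask) if masked else e.perms
    return effective


def audit(acl: FileAcl) -> List[str]:
    """Flag world-writable entries and entries that the mask silently reduces."""
    findings: List[str] = []
    for default in (False, True):
        scope = "default ACL" if default else "access ACL"
        entries = [e for e in acl.entries if e.default == default]
        effective = effective_perms(acl, default)
        for e in entries:
            key = f"{e.tag}:{e.qualifier}"
            if effective[key] != e.perms:
                findings.append(f"{acl.path}: {scope} entry {key} is {e.perms} "
                                f"but the mask limits it to {effective[key]}")
            if e.tag == "other" and "w" in e.perms:
                findings.append(f"{acl.path}: {scope} grants write to everyone (other::{e.perms})")
    return findings


if __name__ == "__main__":
    for acl in parse_getfacl(SAMPLE_GETFACL):
        print(f"{acl.path} (owner {acl.owner}, group {acl.group})")
        for key, perms in effective_perms(acl).items():
            print(f"  {key:<20} {perms}")
        for finding in audit(acl):
            print("  !", finding)
```

To run it against a real system, pipe getfacl output in, e.g. `getfacl -R /permissions`, and call parse_getfacl on the captured text. Default entries exist only on directories and are copied to files created afterwards, which is why the script keeps them as a separate scope: an existing regular file under the directory shows no default: block, so a d: entry alone does not change what that file's current access ACL allows.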

Resources

If you want more information see:

[root@localhost ~]# man -k acl
acl                  (5)  - Access Control Lists
chacl                (1)  - change the access control list of a file or directory
getfacl              (1)  - get file access control lists
.k5login [k5login]   (5)  - Kerberos V5 acl file for host access
setfacl              (1)  - set file access control lists

redhatacl.txt · Last modified: 2021/09/24 00:25 by 127.0.0.1