You can manage permission / access of files and folders with 'chmod' command but what if you want to remove write permission for one user and provide all permissions for another user of the same group members !! ACLs are the solution for that concern. ACL is use to control permissions of any file and folder exceptionally. ACLs can be implemented on files as well as directories. ACLs are usefull where you want to grant the different access to different users.ACL can only be implemented if the kernel and file system support it. You have to check whether your system support/enable for ACLs if kernel supports ACL then you might have to install ACL packages in your system.
There are mainly two types of ACL used in linux:
1: Access ACL- An access ACL is the access control list for a specific file or directory.
2: Default ACL- The default ACL is only associated with direcoties.
ACL can be configured for:
(i) Per user
(ii) Per group
(iii) Rights mask
(iv) For a user who is not a member of a group for that file
There are two commands which are use to manage and set permissions using ACL
1: setfacl
2: getfacl
Now we use these commands to see how to set permissions using ACL.Below is the syntax of setfacl command to add/modify the ACL for given file or directory.
#setfacl -m 'rules' 'file/directory'
Where 'm' means modify and 'rules' means the permissions which you want to impelement on files/folder.
Rules can be specified in below formats
u:uid:permissions
Above format can be implemented for user with given permissions. optionally you can specify the UID.
g:gid:permissions
Above format can be implemented for group with given permissions. optionally you can specify the GID.
m:permissions
Above format can be implemented for mask with given permissions. The mask is the union of all permissions of the owning group and all of the users and groups entries.
o:permissions
Above format can be implemented for other users than ones in the group for a file with given permissions.
Note : Permissions must be in the combination of r(read), w(write), x(execute) format.
Below are some examples of 'setfacl' commands
1: In order to check if ACL are supported by your system , run below command.
grep -i ACL /boot/config-3***.x86_64
pic:1
2: In order to check ACL package is installed or not , run below command.
rpmquery -qa | grep acl
pic:2
3: Set ACL on file/folder to give read and write permission to an user 'akay'
setfacl -m u:akay:rw /folder1/file1
pic: 3
4: Set ACL on a file/folder to give all permissions to a group named 'myproject'
setfacl -m g:myproject:rwx /folder1/file1
pic: 4
5: Set ACL on a file/folder to remove all permissions for a user named 'akay'
setfacl -x u:akay /folder1/file1
pic: 5
6: To completely remove the ACL permissions from any directory/file .This will remove all users and groups permissions for that directory/file
setfacl -b /folder1/file1
pic: 6
7: To set default ACL, for a directory to give read and write permissions to users who are not in the users group
setfacl -m d:o:rw /folder1/
pic: 7
8: To set ACL, recursively for all directories/files for any user
#setfacl -Rm u:user_name:permissions /directory_path
pic: 8
9: Set ACL on directory/file to remove all permissions for user 'akay' even he is a member of allowd group.
#setfacl -Rm u:user_name:--- /directory_path
pic: 9
`10: If an ACL has been set in any file in any given filesystem then that file system should have an 'ext_attr' attribute. This attribute can be seen with below command.
#tune2fs -l /file-system/
pic: 10
Below are some examples of 'getfacl' commands
1: To determine the existing ACLs for a file/directory. If default ACL is also specified, the command will also display that.
getfacl /folder1/file1
Pic: 1
2: Display the default access control list.
getfacl -d /folder1/
Pic: 2
3: Display the file access control list.
getfacl -a /folder1/file1
Pic: 3
Preserving 'ACL' attributes during copying/moving or backup a file or directory.
1: Preserve ACL while copying file/directory to another location.
cp --preserve=mode /Source/ /Destination/
or
cp -a /Source/ /Destination/
Pic: 1
2: Preserve ACL while archiving the file/directory.
tar --acl -cvf archive.tar /directory/file/
Pic: 2
0 Comments