About Access Control Lists
POSIX Access Control Lists (ACLs) provide a richer access control model than traditional UNIX Discretionary Access Control (DAC), which sets read, write, and execute permissions only for the owner, the group, and all other system users. You can configure ACLs that define access rights for more than a single user or group, and specify rights for programs, processes, files, and directories. If you set a default ACL on a directory, its descendants inherit the same rights automatically. You can use ACLs with the btrfs, OCFS2, ext3, ext4, and XFS file systems, including mounted NFS file systems.
An ACL consists of a set of rules that specify how a specific user or group can access the file or directory with which the ACL is associated. A regular ACL entry specifies access information for a single file or directory. A default ACL entry is set on directories only, and specifies default access information for any file within the directory that doesn't have an access ACL.
Enabling ACL Support
- Ensure that the acl package is installed. If not, use the following command:
  sudo dnf install acl
- Edit the /etc/fstab file and change the entries for any file systems that you want to use ACLs so that they include the appropriate option that supports ACLs, for example:
  LABEL=/work /work ext4 acl 0 0
  For mounted Samba shares, use the cifsacl option instead of acl.
- Remount the file systems:
  sudo mount -o remount /work
Setting and Displaying ACLs
To add or modify the ACL rules for a file, use the setfacl command with the following syntax:
sudo setfacl -m rules file ...
ACL rules accept the following forms:
- [d:]u:user[:permissions]
  Sets the access ACL for the user specified by name or user ID. The permissions apply to the owner if no user is specified.
- [d:]g:group[:permissions]
  Sets the access ACL for a group specified by name or group ID. The permissions apply to the owning group if no group is specified.
- [d:]m[:][:permissions]
  Sets the effective rights mask, which is the union of all permissions of the owning group and all user and group entries.
- [d:]o[:][:permissions]
  Sets the access ACL for other (everyone else to whom no other rule applies).
The permissions use the same letters as the chmod command:
- r: read
- w: write
- x: execute
The d: prefix applies the rule to the default ACL of a directory rather than to its access ACL.
To display a file's ACL, use the getfacl command, for example:
sudo getfacl foofile
The output of this command would be as follows:
# file: foofile
# owner: bob
# group: bob
user::rw-
user:fiona:r--
user:jack:rw-
user:jill:rw-
group::r--
mask::r--
other::r--
If extended ACLs are active on a file, the ls -l command displays a plus sign (+) after the permissions:
-rw-r--r--+ 1 bob bob 105322 Apr 11 11:02 foofile
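The rule forms, the mask entry, and the getfacl listing above can be modelled offline. The following Python script is an added example, not code from this documentation page or from the acl package: it parses getfacl output, applies the effective rights mask the way the kernel does (the mask limits named users, named groups, and the owning group, but not the file owner or other), recomputes the mask as the union described above, and parses setfacl rule strings so that the effect of a command such as setfacl -m m::rx can be checked before it is run. The sample listing is constructed from the foofile output above; the function names are this example's own.

```python
"""Model of POSIX ACL rules, the effective rights mask and getfacl(1) output.

Added example, not code from the documentation page.  The SAMPLE listing is
constructed from the page's foofile output.
"""
from dataclasses import dataclass

PERM_BITS = {"r": 4, "w": 2, "x": 1}
TAGS = {"u": "user", "g": "group", "m": "mask", "o": "other"}


def perm_to_bits(perms):
    """'rw-' or 'rw' -> 6; '-' placeholders are ignored."""
    return sum(PERM_BITS[c] for c in perms if c in PERM_BITS)


def bits_to_perm(bits):
    """6 -> 'rw-'."""
    return "".join(c if bits & b else "-" for c, b in PERM_BITS.items())


@dataclass
class AclEntry:
    tag: str        # 'user', 'group', 'mask' or 'other'
    qualifier: str  # named user/group; '' for owner, owning group, mask, other
    perms: int      # rwx as a 0-7 bitmask

    def is_masked(self):
        # The mask limits named users, named groups and the owning group only;
        # the owner (user::) and other:: entries are never reduced by it.
        return self.tag == "group" or (self.tag == "user" and self.qualifier != "")


def parse_getfacl(text):
    """Parse getfacl output into (header dict, list of AclEntry)."""
    header, entries = {}, []
    for raw in text.splitlines():
        line = raw.split("#effective:")[0].strip()  # drop getfacl's trailing comment
        if not line:
            continue
        if line.startswith("#"):                     # '# file: foofile' style header
            key, _, value = line[1:].partition(":")
            header[key.strip()] = value.strip()
            continue
        tag, qualifier, perms = line.split(":", 2)
        entries.append(AclEntry(tag, qualifier, perm_to_bits(perms)))
    return header, entries


def current_mask(entries):
    """Mask bits, or rwx when the ACL has no mask entry (minimal ACL)."""
    return next((e.perms for e in entries if e.tag == "mask"), 7)


def effective_rights(entries):
    """Map (tag, qualifier) -> the permission string actually granted."""
    mask = current_mask(entries)
    return {(e.tag, e.qualifier): bits_to_perm(e.perms & mask if e.is_masked() else e.perms)
            for e in entries if e.tag != "mask"}


def masked_entries(entries):
    """Entries granted more than the mask allows (getfacl marks these '#effective:')."""
    mask = current_mask(entries)
    return [(e.tag, e.qualifier) for e in entries if e.is_masked() and e.perms & ~mask]


def recalculated_mask(entries):
    """Union of the owning group and all named user/group entries."""
    bits = 0
    for e in entries:
        if e.is_masked():
            bits |= e.perms
    return bits_to_perm(bits)


def parse_rule(rule):
    """Parse '[d:]u:user[:perms]', '[d:]g:group[:perms]', '[d:]m[:][:perms]', '[d:]o[:][:perms]'."""
    parts = rule.split(":")
    default = parts[0] == "d"
    if default:
        parts = parts[1:]
    tag = TAGS.get(parts[0], parts[0])
    if tag in ("mask", "other"):          # no qualifier: 'm::rx' and 'm:rx' are both valid
        qualifier, perms = "", (parts[-1] if len(parts) > 1 else "")
    else:
        qualifier = parts[1] if len(parts) > 1 else ""
        perms = parts[2] if len(parts) > 2 else ""
    return default, AclEntry(tag, qualifier, perm_to_bits(perms))


def apply_rule(entries, rule):
    """Return the access ACL as 'setfacl -m rule' would leave it."""
    default, new = parse_rule(rule)
    if default:
        raise ValueError("d: rules modify a directory's default ACL, not its access ACL")
    result = [e for e in entries if (e.tag, e.qualifier) != (new.tag, new.qualifier)] + [new]
    if new.tag != "mask":
        # setfacl recomputes the mask after -m unless -n/--no-mask is given
        result = [e for e in result if e.tag != "mask"]
        result.append(AclEntry("mask", "", perm_to_bits(recalculated_mask(result))))
    return result


# Constructed sample matching the page's foofile listing
SAMPLE = """\
# file: foofile
# owner: bob
# group: bob
user::rw-
user:fiona:r--
user:jack:rw-
user:jill:rw-
group::r--
mask::r--
other::r--
"""

if __name__ == "__main__":
    header, acl = parse_getfacl(SAMPLE)
    print(header["file"], effective_rights(acl))
    print("limited by mask:", masked_entries(acl), "recalculated mask:", recalculated_mask(acl))
    print("after setfacl -m m::rx:", effective_rights(apply_rule(acl, "m::rx")))
```

Running the script against the sample shows why the mask matters when reviewing permissions: jack and jill hold rw- entries but are limited to r-- by the mask::r-- entry, the owner keeps rw- regardless, and a later setfacl -m u:alice:rwx would silently widen the recalculated mask to rwx and so restore write access for jack and jill. Pipe real getfacl -R output through parse_getfacl to audit a tree the same way.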
The following examples show how to set and display ACLs for directories and files:
- To grant read access to a file or directory by a user:
  sudo setfacl -m u:user:r file
- To display the name, owner, group, and ACL for a file or directory:
  sudo getfacl file
- To remove write access to a file for all groups and users by changing the effective rights mask rather than the ACL:
  sudo setfacl -m m::rx file
  Note that the -x option removes rules for a user or group.
- To remove the rules for a user from the ACL of a file:
  sudo setfacl -x u:user file
- To remove the rules for a group from the ACL of a file:
  sudo setfacl -x g:group file
- To remove all the extended ACL entries from a file or directory, specify the -b option:
  sudo setfacl -b file
- To copy the ACL of file f1 to file f2:
  sudo getfacl f1 | setfacl --set-file=- f2
- To set a default ACL of read and execute access for other on a directory:
  sudo setfacl -m d:o:rx directory
- To promote the ACL settings of a directory to default ACL settings that can be inherited:
  sudo getfacl --access directory | setfacl -d -M- directory
- To remove the default ACL from a directory, specify the -k option:
  sudo setfacl -k directory
For more information, see the acl(5), setfacl(1), and getfacl(1) manual pages.