Access Control Lists (ACLs) provide an additional, more flexible permission mechanism for file systems. They supplement the traditional UNIX owner/group/other permission bits and let you grant permissions to any user or group on any file or directory.
What is this good for? Instead of having to create special groups or shoehorn permissions into the User, Group, World categories, you can specify permissions for any user on any file. Say Apache runs as user nobody. Without ACLs you have to give world read permission to all your web pages, which is probably more than you want. With ACLs you can grant read access to nobody and remove all world permissions.
If Apache needs to be able to write to a work file, you can give user nobody write access to that file only. This is a really nice fine-grained approach to file permissions.
Regular users can set ACLs on files they own. No need to pester the administrator to create special groups.
Confusion surrounds the use of the word file. Sometimes it means a regular file and sometimes a regular file or a directory. Remember that in Linux everything is a file, even a directory; the setfacl and getfacl commands below accept either, so in this page "file" means either unless stated otherwise (the ~/project.d examples show the directory case).
Enabling ACLs on a filesystem adds a small overhead, because the entries are stored as extended attributes and consulted on every access check. There is little point in enabling ACLs on partitions such as the root partition ( / ), /boot, /usr or /var that do not need them; enable them on the filesystem that holds the data you actually want to share, /www in the example below.
Start by installing the acl package
$ sudo apt-get install acl
To enable ACLs, edit /etc/fstab and add acl to the mount options of the partition on which you want to use them:
UUID=b463f4a4-ef7b-44f9-9f48-bf5d93ba06a5 /www ext4 defaults,acl 0 0
Then remount that filesystem (or reboot) so the new option takes effect. That's it. To modify an ACL use the setfacl command: setfacl -m (or setfacl --modify) adds or changes entries, and getfacl filename shows the current entries. A file that carries an ACL shows a trailing + in the permission column of ls -l.
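The enabling procedure above, as an added example that is not part of the original page: a POSIX sh script that adds acl to the right fstab entry without disturbing anything else, remounts, and then verifies that ACLs really work by setting one. The /www mount point, the fstab line and the probe user nobody are assumptions for illustration; the fstab editing function can be tried on its own by piping in /etc/fstab.

```shell
#!/bin/sh
# Enable POSIX ACLs on one mount point: add "acl" to its /etc/fstab entry,
# remount, and verify by actually setting an ACL. Added example for this page;
# the /www mount point and the fstab lines used are constructed for illustration.
set -e

# Add the acl option to the fstab entry for the given mount point.
# Reads fstab text on stdin, writes it on stdout; idempotent, and leaves
# every other line (comments and other mount points) untouched.
add_acl_option() {
    awk -v mnt="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }   # comments and blank lines pass through
        $2 == mnt {
            n = split($4, opt, ",")
            have = 0
            for (i = 1; i <= n; i++) if (opt[i] == "acl") have = 1
            if (!have) $4 = $4 ",acl"        # assigning $4 rebuilds $0 with single spaces
        }
        { print }
    '
}

# Verify that ACLs work on a filesystem by setting one and reading it back.
# This tests the real thing instead of grepping /proc/mounts, which on ext4
# omits options that are already superblock defaults (see tune2fs -l).
acl_works() {
    probe="$1/.acl-probe.$$"
    : > "$probe"
    if setfacl -m u:nobody:r-- "$probe" 2>/dev/null &&
       getfacl "$probe" 2>/dev/null | grep -q '^user:nobody:r--'; then
        rm -f "$probe"; return 0
    fi
    rm -f "$probe"; return 1
}

# The full procedure, to be run as root: enable_acl /www
# (not executed when this file is merely sourced).
enable_acl() {
    mnt="$1"
    apt-get install -y acl
    cp /etc/fstab /etc/fstab.bak
    add_acl_option "$mnt" < /etc/fstab.bak > /etc/fstab
    mount -o remount "$mnt"
    acl_works "$mnt" && echo "ACLs enabled on $mnt"
}
```

Keeping the probe in acl_works is deliberate: a mount that shows acl in fstab can still lack it until remounted, and a mount that does not show it can already have it as a superblock default, so the only check worth trusting is setfacl itself.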
View the acl for a file
getfacl file.txt
Give a user read and write permissions to a file
setfacl -m u:somebody:rw- file.txt
Give a group read permission only (on a directory, x is needed as well to enter it)
setfacl -m g:somegroup:r-- file.txt
setfacl -m g:somegroup:r-x ~/project.d
Remove Specific Entries from an ACL
setfacl -x u:somebody,u:somebodyelse file.txt
To completely remove an ACL from a file or directory
setfacl -b file.txt
setfacl -b ~/project.d
To set a mask
setfacl -m mask::r-- file.txt
The mask is the effective rights mask. It caps the permissions of every named user entry, every named group entry and the owning group entry (group::); only the owner (user::) and other entries are unaffected by it. If the mask is more restrictive than an entry, the mask wins, and getfacl flags such entries with #effective:. It works like umask in spirit but is written like a chmod mode, not like umask: you list the rights that remain, not the ones to remove.
NOTE: Whenever you add or change a named user or group entry with setfacl -m, setfacl recalculates the mask as the union of the owning group entry and all named user and group entries (unless you pass -n / --no-mask), so a restrictive mask is silently widened. If you want a restrictive mask, set it after the user and group entries have been modified, or pass -n to keep the existing mask.
Apply an ACL to an entire directory tree. Note that -R only touches the files and directories that exist now; files created later inherit nothing unless the directory also carries a default ACL (setfacl -d).
setfacl -R -m g:somegroup:r-x /home/me/Level1
setfacl can be used instead of chmod: the entries without a name (u::, g::, o:) are the classic owner, group and other bits
setfacl -m u::rwx,g::rwx,o:rwx file.txt
NOTE: chmod does not remove a file's ACL; the named user and group entries stay in place. What chmod does touch is the mask: once a file has a mask entry, the group bits shown by ls -l and set by chmod g=... are the mask, not the owning group entry, so chmod g-r silently revokes read from every named user and group as well (they appear with #effective: in getfacl). Conversely, once a mask exists the group:: entry itself can only be changed with setfacl.
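The mask rules and the chmod note above, as an added example that is not part of the original page: a small POSIX sh script that models the mask arithmetic from acl(5) on getfacl-style text. It computes the #effective: annotation getfacl prints, the mask that setfacl -m would recalculate, and what chmod g=... does to an ACL that already has a mask. The ACL listing, the user somebody and the group somegroup are constructed sample data, and the functions only manipulate text, so this runs without an ACL-enabled filesystem.

```shell
#!/bin/sh
# Model of POSIX ACL mask semantics (acl(5)) on getfacl-style text.
# Added example; the listing in ACL below is constructed, not read from a file.

# Reads an ACL on stdin and prints it with getfacl's "#effective:" annotation
# on every entry the mask narrows: named users, named groups and group::.
# user:: and other:: are never masked.
effective_acl() {
    awk '
        function and_perms(p, m,    i, c, r) {      # bitwise AND of two rwx strings
            r = ""
            for (i = 1; i <= 3; i++) {
                c = substr(p, i, 1)
                r = r ((c != "-" && substr(m, i, 1) == c) ? c : "-")
            }
            return r
        }
        { line[++n] = $0 }
        /^mask::/ { mask = substr($0, 7) }          # "mask::" is 6 characters
        END {
            for (i = 1; i <= n; i++) {
                out = line[i]
                if (mask != "" && (line[i] ~ /^user:[^:]+:/ || line[i] ~ /^group:/)) {
                    split(line[i], f, ":")
                    eff = and_perms(f[3], mask)
                    if (eff != f[3]) out = out "\t#effective:" eff
                }
                print out
            }
        }
    '
}

# Prints the mask that "setfacl -m" (without -n) recalculates: the union of
# the owning group entry and all named user and group entries.
recalc_mask() {
    awk '
        function or_perms(a, b,    i, c, r) {       # bitwise OR of two rwx strings
            r = ""
            for (i = 1; i <= 3; i++) {
                c = substr(a, i, 1)
                r = r ((c != "-") ? c : substr(b, i, 1))
            }
            return r
        }
        BEGIN { m = "---" }
        /^user:[^:]+:/ || /^group:/ { split($0, f, ":"); m = or_perms(m, f[3]) }
        END { print m }
    '
}

# Models "chmod g=<perms>": with a mask entry present it is the mask that
# changes, not group::; without one, group:: changes as usual.
apply_chmod_group() {
    awk -v p="$1" '
        { line[++n] = $0; if ($0 ~ /^mask::/) has_mask = 1 }
        END {
            for (i = 1; i <= n; i++) {
                if (has_mask && line[i] ~ /^mask::/)        line[i] = "mask::" p
                else if (!has_mask && line[i] ~ /^group::/) line[i] = "group::" p
                print line[i]
            }
        }
    '
}

# Constructed sample: a restrictive mask was set after the named entries.
ACL='# file: file.txt
# owner: me
# group: me
user::rw-
user:somebody:rw-
group::r--
group:somegroup:r-x
mask::r--
other::---'

printf '%s\n' "$ACL" | effective_acl            # somebody and somegroup drop to r--
printf '%s\n' "$ACL" | recalc_mask              # what setfacl -m would widen the mask to: rwx
printf '%s\n' "$ACL" | apply_chmod_group --- | effective_acl   # chmod g= strips every named entry
```

Running it shows the two traps in one screen: the rw- granted to somebody is really r-- because of the mask, the next setfacl -m on that file would quietly reset the mask to rwx, and chmod g= on the file changes the mask line rather than group::, leaving every named entry with an effective --- while the listing still shows the rights you granted.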
Warning: This is a Debian centric site and MAY contain peanuts.
Many thanks to Debra Lynn and Ian Murdock for making Debian possible
First created Feb 24, 2011 ~ Last revised March 29, 2011