ACL : Access Control List
2023/02/22

Set ACLs (Access Control Lists) on files or directories.
ACLs make it possible to grant access more finely than the standard POSIX owner/group/other permission bits.
[1] The ACL package is included in the minimum OS installation; if it is not on your system, install it as follows.

[root@dlp ~]# dnf -y install acl
[2] No pre-settings are needed to use the ACL feature if you are using [xfs], the default filesystem on AlmaLinux 9.
However, if you are using [ext4], the default filesystem on distributions such as Ubuntu, pre-settings are required before ACLs can be used; refer to sections [2] and [3] here.
[3] Set an ACL. For example, create a file [/home/test.txt] owned by [root:root] with mode (700) and set an ACL on it.

[root@dlp ~]# ll /home/test.txt
-rw-------. 1 root root 10 Jan 13 10:50 /home/test.txt

# set r(read) for [alma] to [/home/test.txt]
[root@dlp ~]# setfacl -m u:alma:r /home/test.txt

# after setting ACL, [+] is added on attribute
[root@dlp ~]# ll /home/test.txt
-rw-r-----+ 1 root root 10 Jan 13 10:50 /home/test.txt

# confirm settings
[root@dlp ~]# getfacl /home/test.txt
getfacl: Removing leading '/' from absolute path names
# file: home/test.txt
# owner: root
# group: root
user::rw-
user:alma:r--
group::---
mask::r--
other::---

# verify accesses with another user
[redhat@dlp ~]$ cat /home/test.txt
cat: /home/test.txt: Permission denied
# denied normally
[4] Set an ACL on a directory recursively.

[root@dlp ~]# ll -d /home/testdir
drwx------. 2 root root 6 Jan 13 10:53 /home/testdir

# set r(read) for [alma] to [/home/testdir] recursively
[root@dlp ~]# setfacl -R -m u:alma:r /home/testdir
[root@dlp ~]# ll /home/testdir
total 4
-rw-r-----+ 1 root root 14 Jan 13 10:54 testfile.txt
[root@dlp ~]# getfacl -R /home/testdir
getfacl: Removing leading '/' from absolute path names
# file: home/testdir
# owner: root
# group: root
user::rwx
user:alma:r--
group::---
mask::r--
other::---

# file: home/testdir/testfile.txt
# owner: root
# group: root
user::rw-
user:alma:r--
group::r--
mask::r--
other::---
[5] Set an ACL by group.

# set rw(read/write) for [security] group to [/home/testfile.txt]
[root@dlp ~]# setfacl -m g:security:rw /home/testfile.txt
[root@dlp ~]# getfacl /home/testfile.txt
getfacl: Removing leading '/' from absolute path names
# file: home/testfile.txt
# owner: root
# group: root
user::rw-
group::r--
group:security:rw-
mask::rw-
other::---

# verify accesses with [alma] user who is in [security] group
[alma@dlp ~]$ echo "test write" >> /home/testfile.txt
[alma@dlp ~]$ cat /home/testfile.txt
ACL test file
test write
# wrote normally

# verify accesses with another user who is not in [security] group
[redhat@dlp ~]$ echo "test write" >> /home/testfile.txt
-bash: /home/test.txt: Permission denied
# denied normally
[6] Remove an ACL.

# remove ACL only for [alma] user on [/home/testfile.txt]
[root@dlp ~]# setfacl -x u:alma /home/testfile.txt
[7] Set a default ACL on a directory. When files or directories are created under a directory that has a default ACL, they inherit the default access entries. Be careful, though: if you later change the POSIX mode bits with [chmod], the ACL mask is rewritten from the new group bits, so the ACL entries may no longer take effect.

# set [r-x(read/execute)] for [alma] on the [/home/testdir] directory itself
[root@dlp ~]# setfacl -m u:alma:r-x /home/testdir
# set default ACL [r-x(read/execute)] for [alma] to [/home/testdir] directory
[root@dlp ~]# setfacl -d -m u:alma:r-x /home/testdir
[root@dlp ~]# getfacl /home/testdir
getfacl: Removing leading '/' from absolute path names
# file: home/testdir
# owner: root
# group: root
user::rwx
user:alma:r-x
group::---
mask::r-x
other::---
default:user::rwx
default:user:alma:r-x
default:group::---
default:mask::r-x
default:other::---

[root@dlp ~]# echo "ACL default setting" > /home/testdir/test.txt
[root@dlp ~]# ll /home/testdir/test.txt
-rw-r-----+ 1 root root 20 Jan 13 11:01 /home/testdir/test.txt

# verify accesses with [alma] user
[alma@dlp ~]$ cat /home/testdir/test.txt
ACL default setting
# read normally
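As an added example (not part of the original page), the following Python parses getfacl output of the kind shown above, applies the mask the way the kernel does, and simulates the [chmod] caveat from step [7]. The sample ACL text is constructed to mirror the [/home/testdir] output; the function names are this example's own.

```python
"""Added example, not from the page: parse getfacl(1) output, apply the mask as the kernel
does, and simulate the step [7] chmod caveat (chmod rewrites the mask from the group bits)."""

PERM_BITS = (("r", 4), ("w", 2), ("x", 1))

# Constructed sample mirroring the getfacl output of step [7] (access ACL plus default ACL).
SAMPLE_GETFACL = """user::rwx
user:alma:r-x
group::---
mask::r-x
other::---
default:user::rwx
default:user:alma:r-x
default:group::---
default:mask::r-x
default:other::---
"""

def perm_to_int(perm):  # 'r-x' -> 5
    return sum(bit for ch, bit in PERM_BITS if ch in perm)

def int_to_perm(n):  # 5 -> 'r-x'
    return "".join(ch if n & bit else "-" for ch, bit in PERM_BITS)

def parse_getfacl(text):
    """Return [(scope, tag, qualifier, perm)], scope being 'access' or 'default'."""
    entries = []
    lines = (raw.split("#", 1)[0].strip() for raw in text.splitlines())  # drop '# file:' etc.
    for line in filter(None, lines):
        scope, body = ("default", line[8:]) if line.startswith("default:") else ("access", line)
        tag, qualifier, perm = body.split(":")
        entries.append((scope, tag, qualifier, perm))
    return entries

def effective_permissions(entries):
    """Map keys like 'user:alma', 'group:', 'default:user:alma' to effective perms."""
    masks = {s: perm_to_int(p) for s, tag, _, p in entries if tag == "mask"}
    result = {}
    for scope, tag, qualifier, perm in entries:
        bits = perm_to_int(perm)
        if (tag == "user" and qualifier) or tag == "group":  # mask governs named entries and group::
            bits &= masks.get(scope, 7)                      # user:: (owner) and other:: are never masked
        result[("default:" if scope == "default" else "") + f"{tag}:{qualifier}"] = int_to_perm(bits)
    return result

def apply_chmod(entries, mode):
    """Simulate chmod <mode> on an object with an ACL: the group bits become the access mask."""
    new = {"user": (mode >> 6) & 7, "mask": (mode >> 3) & 7, "other": mode & 7}
    return [(s, t, q, int_to_perm(new[t]) if s == "access" and t in new and not q else p)
            for s, t, q, p in entries]
```

Running `effective_permissions(apply_chmod(parse_getfacl(SAMPLE_GETFACL), 0o700))` shows [alma] dropping from r-x to --- while the default entries stay untouched, which is exactly the [chmod] pitfall the step warns about.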
[8] Remove the default ACL.

[root@dlp ~]# setfacl -k /home/testdir
[root@dlp ~]# getfacl /home/testdir
getfacl: Removing leading '/' from absolute path names
# file: home/testdir
# owner: root
# group: root
user::rwx
user:alma:r-x
group::---
mask::r-x
other::---
[9] Set ACLs from a configuration file.

# create a configuration file for ACL
# if there are ACLs you'd like to set on another system, you can export them with the [getfacl] command
[root@dlp ~]# vi acl.txt
# file: /home/testdir
# owner: root
# group: root
user::rwx
user:alma:r-x
group::---
mask::r-x
other::---

# file: /home/test.txt
# owner: root
# group: root
user::rwx
user:alma:r--
group::---
mask::r--
other::---

[root@dlp ~]# setfacl --restore=acl.txt
[root@dlp ~]# ll /home
total 8
drwx------. 2 alma alma 83 Jan 13 10:52 alma
drwxr-xr-x. 3 root root 57 Jan 13 09:52 nfsshare
drwx------. 2 redhat redhat 83 Jan 13 10:52 redhat
drwxr-x---+ 2 root root 42 Jan 13 11:01 testdir
-rw-rw----+ 1 root root 21 Jan 13 10:59 testfile.txt
-rwxr-----+ 1 root root 10 Jan 13 10:50 test.txt