ACL Access Control List2019/10/04 |
Set ACL (Access Control Lists) to files or directories.
It's possible to set access permission more strictly than Posix Linux ACL. |
|
[1] | ACL package is included in minimum OS installation, but if not in your System, Install like follows. |
[root@dlp ~]# dnf -y install acl
|
[2] |
It's not necessary to set pre-settings to use ACL feature if you are using [xfs] that is the default filesystem on CentOS 8.
But if you are using [ext4] that is the default filesystem on CentOS 6 or earlier, it's necessary to set pre-settings to use ACL feature,
refer to the section [2], [3] on here.
|
[3] | Set ACL. For example, Create a file [/home/test.txt] with [root:root(700)] and set to ACL. |
[root@dlp ~]# ll /home/test.txt -rwx------. 1 root root 10 Oct 3 20:06 /home/test.txt # after setting ACL, [+] is added on attribute [root@dlp ~]# ll /home/test.txt -rwxr-----+ 1 root root 10 Oct 3 20:06 /home/test.txt # confirm settings [root@dlp ~]# getfacl /home/test.txt getfacl: Removing leading '/' from absolute path names # file: home/test.txt # owner: root # group: root user::rwx user:cent:r-- group::--- mask::r-- other::--- # verify accesses with [cent] user [cent@dlp ~]$ cat /home/test.txt ACL test file # just read normally
# verify accesses with another user [redhat@dlp ~]$ cat /home/test.txt cat: /home/test.txt: Permission denied # just denied normally
|
[4] | Set ACL to a directory recursively. |
# set r(read) for [cent] to [/home/testdir] recursively [root@dlp ~]# setfacl -R -m u:cent:r /home/testdir
ll /home/testdir total 0 -rwxr-----+ 1 root root 0 Oct 3 21:31 testfile[root@dlp ~]# getfacl -R /home/testdir getfacl: Removing leading '/' from absolute path names # file: home/testdir # owner: root # group: root user::rwx user:cent:r-- group::--- mask::r-- other::--- # file: home/testdir/testfile # owner: root # group: root user::rwx user:cent:r-- group::--- mask::r-- other::--- |
[5] | Set ACL by group. |
# set rw(read/write) for [security] group to [/home/test.txt] [root@dlp ~]# setfacl -m g:security:rw /home/test.txt [root@dlp ~]# getfacl /home/test.txt getfacl: Removing leading '/' from absolute path names # file: home/test.txt # owner: root # group: root user::rwx group::--- group:security:rw- mask::rw- other::--- # verify accesses with [cent] user who is in [security] group [cent@dlp ~]$ echo "test write" >> /home/test.txt [cent@dlp ~]$ cat /home/test.txt ACL test file test write # just written normally
# verify accesses with another user who is not in [security] group [redhat@dlp ~]$ echo "test write" >> /home/test.txt -bash: /home/test.txt: Permission denied # just denied normally
|
[6] | Remove ACL. |
# remove ACL only for [cent] user on [/home/test.txt] [root@dlp ~]# setfacl -x u:cent /home/test.txt
|
[7] | Set default ACL to a directory. If files/directories are created under the directory with setting default ACL, default access attribute is inherited. But be careful, if you change posix attribute with [chmod], then ACL would be invalid. |
[root@dlp ~]#
setfacl -m u:cent:r-x /home/testdir
# set default ACL [r-x(read/execute)] for [cent] to [/home/testdir] directory [root@dlp ~]# setfacl -d -m u:cent:r-x /home/testdir [root@dlp ~]# getfacl /home/testdir getfacl: Removing leading '/' from absolute path names # file: home/testdir # owner: root # group: root user::rwx user:cent:r-x group::--- mask::r-x other::--- default:user::rwx default:user:cent:r-x default:group::--- default:mask::r-x default:other::---[root@dlp ~]# echo "ACL default setting" > /home/testdir/test.txt [root@dlp ~]# ll /home/testdir/test.txt -rw-r-----+ 1 root root 20 Oct 4 19:21 /home/testdir/test.txt # verify accesses with [cent] user [cent@dlp ~]$ cat /home/testdir/test.txt ACL default setting # just read normally
|
[8] | Remove default ACL. |
[root@dlp ~]# setfacl -k /home/testdir [root@dlp ~]# getfacl /home/testdir getfacl: Removing leading '/' from absolute path names # file: home/testdir # owner: root # group: root user::rwx user:cent:r-x group::--- mask::r-x other::--- |
[9] | Set ACL from a configration file. |
# create a configuration file for ACL # if there are ACLs you'd like to set on other system, there is a way to export with [getfacl] command
[root@dlp ~]#
vi acl.txt # file: /home/testdir # owner: root # group: root user::rwx user:cent:r-x group::--- mask::r-x other::--- # file: /home/test.txt # owner: root # group: root user::rwx user:cent:r-- group::--- mask::r-- other::--- setfacl --restore=acl.txt [root@dlp ~]# ll /home total 4 drwx------. 2 cent cent 83 Oct 3 21:20 cent drwxr-xr-x. 3 root root 57 Oct 3 19:58 nfsshare drwx------. 2 redhat redhat 83 Oct 3 21:21 redhat drwxr-x---+ 2 root root 38 Oct 3 22:21 testdir -rwxr-----+ 1 root root 21 Oct 3 22:17 test.txt |
Sponsored Link |
|