CentOS Stream 8

ACL : Access Control List
2021/03/08
 
Set ACLs (Access Control Lists) on files or directories.
ACLs allow access permissions to be set in finer detail than the standard POSIX owner/group/other permission bits allow.
[1] The ACL package is included in a minimal OS installation; if it is not on your system, install it as follows.
[root@dlp ~]#
dnf -y install acl
[2]
No extra configuration is needed to use the ACL feature if you are using [xfs], which is the default filesystem on CentOS Stream 8. If you are using [ext4], which was the default filesystem on RHEL 6/CentOS 6 and earlier, the filesystem must first be prepared for ACLs; refer to sections [2] and [3] here.
[3] Set ACL.
For example, create a file [/home/test.txt] owned by [root:root(700)] and set an ACL on it.
[root@dlp ~]#
ll /home/test.txt

-rw-------. 1 root root 10 Mar  7 09:34 /home/test.txt

# set r(read) for [cent] user to /home/test.txt

[root@dlp ~]#
setfacl -m u:cent:r /home/test.txt
# after setting ACL, [+] is added on attribute

[root@dlp ~]#
ll /home/test.txt

-rwxr-----+ 1 root root 10 Mar  7 09:34 /home/test.txt

# confirm settings

[root@dlp ~]#
getfacl /home/test.txt

getfacl: Removing leading '/' from absolute path names
# file: home/test.txt
# owner: root
# group: root
user::rwx
user:cent:r--
group::r--
mask::r--
other::---

# verify accesses with [cent] user

[cent@dlp ~]$
cat /home/test.txt

ACL test file  
# just read normally
# verify accesses with another user

[redhat@dlp ~]$
cat /home/test.txt

cat: /home/test.txt: Permission denied  
# just denied normally
[4] Set ACL to a directory recursively.
# set r(read) for [cent] to [/home/testdir] recursively

[root@dlp ~]#
setfacl -R -m u:cent:r /home/testdir
[root@dlp ~]#
ll /home/testdir

total 4
-rwxr-----+ 1 root root 9 Mar  7 09:39 testfile.txt

[root@dlp ~]#
getfacl -R /home/testdir

getfacl: Removing leading '/' from absolute path names
# file: home/testdir
# owner: root
# group: root
user::rwx
user:cent:r--
group::---
mask::r--
other::---

# file: home/testdir/testfile.txt
# owner: root
# group: root
user::rwx
user:cent:r--
group::---
mask::r--
other::---
[5] Set ACL by group.
# set rw(read/write) for [security] group to [/home/testfile.txt]

[root@dlp ~]#
setfacl -m g:security:rw /home/testfile.txt

[root@dlp ~]#
getfacl /home/testfile.txt

getfacl: Removing leading '/' from absolute path names
# file: home/testfile.txt
# owner: root
# group: root
user::rwx
group::---
group:security:rw-
mask::rw-
other::---

# verify accesses with [cent] user who is in [security] group

[cent@dlp ~]$
echo "test write" >> /home/testfile.txt

[cent@dlp ~]$
cat /home/testfile.txt

ACL test file
test write  
# just written normally
# verify accesses with another user who is not in [security] group

[redhat@dlp ~]$
echo "test write" >> /home/testfile.txt

-bash: /home/test.txt: Permission denied  
# just denied normally
[6] Remove ACL.
# remove ACL from [/home/test.txt]

[root@dlp ~]#
setfacl -b /home/test.txt
# remove ACL only for [cent] user on [/home/testfile.txt]

[root@dlp ~]#
setfacl -x u:cent /home/testfile.txt
[7] Set default ACL to a directory.
If files or directories are created under a directory that has a default ACL, they inherit that default ACL as their access permissions. But be careful: if you later change the POSIX permission bits with [chmod], the ACL may no longer take effect as intended.
[root@dlp ~]#
setfacl -m u:cent:r-x /home/testdir
# set default ACL [r-x(read/execute)] for [cent] to [/home/testdir] directory

[root@dlp ~]#
setfacl -d -m u:cent:r-x /home/testdir

[root@dlp ~]#
getfacl /home/testdir

getfacl: Removing leading '/' from absolute path names
# file: home/testdir
# owner: root
# group: root
user::rwx
user:cent:r-x
group::---
mask::r-x
other::---
default:user::rwx
default:user:cent:r-x
default:group::---
default:mask::r-x
default:other::---

[root@dlp ~]#
echo "ACL default setting" > /home/testdir/test.txt

[root@dlp ~]#
ll /home/testdir/test.txt

-rw-r-----+ 1 root root 20 Mar  7 09:48 /home/testdir/test.txt

# verify accesses with [cent] user

[cent@dlp ~]$
cat /home/testdir/test.txt

ACL default setting  
# just read normally
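The [chmod] caveat above comes from the [mask::] entry: the effective right of every named user or group entry is the entry AND the mask, and chmod on the group bits rewrites the mask. The script below is an added example, not part of the original page; it reads getfacl output (here a constructed sample, but `getfacl -R /home/testdir | effective_acl` works the same way) and reports where the mask silently reduces a granted entry.

```shell
# Added example (not from the original page): compute the EFFECTIVE rights of
# each named ACL entry by AND-ing it with the mask, and flag entries the mask
# cuts down. chmod rewrites the group bits, which are the mask, so a
# user:cent:rw- entry can silently become r--.
# Constructed sample in getfacl format (not captured from a real host):
# test.txt got "setfacl -m u:cent:rw" then "chmod 640"; testfile.txt is intact.
SAMPLE_ACL='# file: home/test.txt
# owner: root
# group: root
user::rw-
user:cent:rw-
group::r--
mask::r--
other::---

# file: home/testfile.txt
# owner: root
# group: root
user::rwx
group::---
group:security:rw-
mask::rw-
other::---'
# effective_acl: read getfacl output on stdin and print, per named user/group
# entry, "<file> <entry> granted=<p> effective=<p> [MASKED]" (defaults skipped).
effective_acl() {
    awk '
    function andp(a, b,   i, c, r) {       # AND two rwx strings: rw- & r-- = r--
        for (i = 1; i <= 3; i++) {
            c = substr(a, i, 1)
            r = r ((c != "-" && c == substr(b, i, 1)) ? c : "-")
        }
        return r
    }
    function flush(   i, eff, flag) {      # report the buffered entries of one file
        for (i = 1; i <= n; i++) {
            eff = (mask == "") ? perm[i] : andp(perm[i], mask)
            flag = (eff == perm[i]) ? "" : " MASKED"
            printf "%s %s granted=%s effective=%s%s\n", file, name[i], perm[i], eff, flag
        }
        n = 0; mask = ""
    }
    { sub(/[ \t]+#effective:.*$/, "") }    # drop the hint getfacl itself appends
    /^# file:/             { flush(); file = substr($0, 9) }
    /^(user|group):[^:]+:/ { n++; split($0, f, ":"); name[n] = f[1] ":" f[2]; perm[n] = f[3] }
    /^mask::/              { split($0, f, ":"); mask = f[3] }
    END                    { flush() }'
}
printf '%s\n' "$SAMPLE_ACL" | effective_acl
```

Any line tagged MASKED is an entry whose holder has less access than [getfacl] appears to grant; re-run [setfacl -m] (or fix the mask) rather than trusting the listing.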
[8] Remove default ACL.
[root@dlp ~]#
setfacl -k /home/testdir

[root@dlp ~]#
getfacl /home/testdir

getfacl: Removing leading '/' from absolute path names
# file: home/testdir
# owner: root
# group: root
user::rwx
user:cent:r-x
group::---
mask::r-x
other::---
[9] Set ACLs from a configuration file.
# create a configuration file for ACLs

# to apply ACLs that exist on another system, export them there with the [getfacl] command and restore them here

[root@dlp ~]#
vi acl.txt
# file: /home/testdir
# owner: root
# group: root
user::rwx
user:cent:r-x
group::---
mask::r-x
other::---

# file: /home/test.txt
# owner: root
# group: root
user::rwx
user:cent:r--
group::---
mask::r--
other::---

[root@dlp ~]#
setfacl --restore=acl.txt

[root@dlp ~]#
ll /home

total 8
drwx------. 2 cent   cent   83 Mar  7 09:38 cent
drwx------. 2 redhat redhat 83 Mar  7 09:38 redhat
drwxr-x---+ 2 root   root   42 Mar  7 09:48 testdir
-rwxrw----+ 1 root   root   24 Mar  7 09:45 testfile.txt
-rwxr-----+ 1 root   root   10 Mar  7 09:34 test.txt