CentOS Stream 9
Sponsored Link

ACL : Access Control List2022/01/13

 
Set ACL (Access Control Lists) to files or directories.
It's possible to set access permission more strictly than Posix Linux ACL.
[1] ACL package is included in minimum OS installation, but if not in your System, Install like follows.
[root@dlp ~]#
dnf -y install acl
[2]
It does not need to set pre-settings to use ACL feature if you are using [xfs] that is the default filesystem on CentOS Stream 9.
However, if you are using [ext4] that is the default filesystem on RHEL 6/CentOS 6 or earlier, it needs to set pre-settings to use ACL feature, refer to the section [2], [3] on here.
[3] Set ACL.
For example, Create a file [/home/test.txt] with [root:root(700)] and set to ACL.
[root@dlp ~]#
ll /home/test.txt

-rw-------. 1 root root 10 Jan 13 10:50 /home/test.txt

# set r(read) for [cent] user to /home/test.txt

[root@dlp ~]#
setfacl -m u:cent:r /home/test.txt
# after setting ACL, [+] is added on attribute

[root@dlp ~]#
ll /home/test.txt

-rw-r-----+ 1 root root 10 Jan 13 10:50 /home/test.txt

# confirm settings

[root@dlp ~]#
getfacl /home/test.txt

getfacl: Removing leading '/' from absolute path names
# file: home/test.txt
# owner: root
# group: root
user::rw-
user:cent:r--
group::---
mask::r--
other::---

# verify accesses with [cent] user

[cent@dlp ~]$
cat /home/test.txt

ACL test file  
# 正常に表示できた
# verify accesses with another user

[redhat@dlp ~]$
cat /home/test.txt

cat: /home/test.txt: Permission denied  
# denied normally
[4] Set ACL to a directory recursively.
[root@dlp ~]#
ll -d /home/testdir

drwx------. 2 root root 6 Jan 13 10:53 /home/testdir

# set r(read) for [cent] to [/home/testdir] recursively

[root@dlp ~]#
setfacl -R -m u:cent:r /home/testdir
[root@dlp ~]#
ll /home/testdir

total 4
-rw-r-----+ 1 root root 14 Jan 13 10:54 testfile.txt

[root@dlp ~]#
getfacl -R /home/testdir

getfacl: Removing leading '/' from absolute path names
# file: home/testdir
# owner: root
# group: root
user::rwx
user:cent:r--
group::---
mask::r--
other::---

# file: home/testdir/testfile.txt
# owner: root
# group: root
user::rw-
user:cent:r--
group::r--
mask::r--
other::---
[5] Set ACL by group.
# set rw(read/write) for [security] group to [/home/testfile.txt]

[root@dlp ~]#
setfacl -m g:security:rw /home/testfile.txt

[root@dlp ~]#
getfacl /home/testfile.txt

getfacl: Removing leading '/' from absolute path names
# file: home/testfile.txt
# owner: root
# group: root
user::rw-
group::r--
group:security:rw-
mask::rw-
other::---

# verify accesses with [cent] user who is in [security] group

[cent@dlp ~]$
echo "test write" >> /home/testfile.txt

[cent@dlp ~]$
cat /home/testfile.txt

ACL test file
test write  
# wrote normally
# verify accesses with another user who is not in [security] group

[redhat@dlp ~]$
echo "test write" >> /home/testfile.txt

-bash: /home/test.txt: Permission denied  
# 正常に書き込めない
[6] Remove ACL.
# remove ACL from [/home/test.txt]

[root@dlp ~]#
setfacl -b /home/test.txt
# remove ACL only for [cent] user on [/home/testfile.txt]

[root@dlp ~]#
setfacl -x u:cent /home/testfile.txt
[7] Set default ACL to a directory.
If files/directories are created under the directory with setting default ACL, default access attribute is inherited. But be careful, if you change posix attribute with [chmod], then ACL would be invalid.
[root@dlp ~]#
setfacl -m u:cent:r-x /home/testdir
# set default ACL [r-x(read/execute)] for [cent] to [/home/testdir] directory

[root@dlp ~]#
setfacl -d -m u:cent:r-x /home/testdir

[root@dlp ~]#
getfacl /home/testdir

getfacl: Removing leading '/' from absolute path names
# file: home/testdir
# owner: root
# group: root
user::rwx
user:cent:r-x
group::---
mask::r-x
other::---
default:user::rwx
default:user:cent:r-x
default:group::---
default:mask::r-x
default:other::---

[root@dlp ~]#
echo "ACL default setting" > /home/testdir/test.txt

[root@dlp ~]#
ll /home/testdir/test.txt

-rw-r-----+ 1 root root 20 Jan 13 11:01 /home/testdir/test.txt

# verify accesses with [cent] user

[cent@dlp ~]$
cat /home/testdir/test.txt

ACL default setting  
# read normally
[8] Remove default ACL.
[root@dlp ~]#
setfacl -k /home/testdir

[root@dlp ~]#
getfacl /home/testdir

getfacl: Removing leading '/' from absolute path names
# file: home/testdir
# owner: root
# group: root
user::rwx
user:cent:r-x
group::---
mask::r-x
other::---
[9] Set ACL from a configuration file.
# create a configuration file for ACL
# if there are ACLs you'd like to set on other system, there is a way to export with [getfacl] command

[root@dlp ~]#
vi acl.txt
# file: /home/testdir
# owner: root
# group: root
user::rwx
user:cent:r-x
group::---
mask::r-x
other::---

# file: /home/test.txt
# owner: root
# group: root
user::rwx
user:cent:r--
group::---
mask::r--
other::---

[root@dlp ~]#
setfacl --restore=acl.txt

[root@dlp ~]#
ll /home

total 8
drwx------. 2 cent   cent   83 Jan 13 10:52 cent
drwxr-xr-x. 3 root   root   57 Jan 13 09:52 nfsshare
drwx------. 2 redhat redhat 83 Jan 13 10:52 redhat
drwxr-x---+ 2 root   root   42 Jan 13 11:01 testdir
-rw-rw----+ 1 root   root   21 Jan 13 10:59 testfile.txt
-rwxr-----+ 1 root   root   10 Jan 13 10:50 test.txt
Matched Content