ACL : Access Control List
2025/12/09

Set ACLs (Access Control Lists) on files or directories.
[1] The ACL package is included in the minimum OS installation, but if it is not on your system, install it as follows.

dlp:~ # zypper -n install acl
[2] If you are using btrfs, the default file system on SUSE, no prior configuration is required to use ACLs.
[3] Set an ACL. For example, create a file [/home/test.txt] owned by [root:root(700)] and set an ACL on it.

dlp:~ # ll /home/test.txt
-rw-------. 1 root root 25 Dec 9 10:04 /home/test.txt
# set r(read) for [suse] to [/home/test.txt]
dlp:~ # setfacl -m u:suse:r /home/test.txt
# after setting ACL, [+] is added on attribute
dlp:~ # ll /home/test.txt
-rw-r-----+ 1 root root 25 Dec 9 10:04 /home/test.txt
# confirm settings
dlp:~ # getfacl /home/test.txt
getfacl: Removing leading '/' from absolute path names
# file: home/test.txt
# owner: root
# group: root
user::rw-
user:suse:r--
group::---
mask::r--
other::---
# verify accesses with another user
leap@dlp:~> cat /home/test.txt
cat: /home/test.txt: Permission denied
# denied normally
[4] Set an ACL on a directory recursively.

dlp:~ # ll -d /home/testdir
drwx------. 1 root root 0 Dec 9 10:07 /home/testdir
# set r(read) for [suse] to [/home/testdir] recursively
dlp:~ # setfacl -R -m u:suse:r /home/testdir
dlp:~ # ll /home/testdir
total 4
-rw-r-----+ 1 root root 10 Dec 9 10:09 testfile.txt
dlp:~ # getfacl -R /home/testdir
getfacl: Removing leading '/' from absolute path names
# file: home/testdir
# owner: root
# group: root
user::rwx
user:suse:r--
group::---
mask::r--
other::---

# file: home/testdir/testfile.txt
# owner: root
# group: root
user::rw-
user:suse:r--
group::---
mask::r--
other::---
[5] Set an ACL by group.

# set rw(read/write) for [security] group to [/home/testfile.txt]
dlp:~ # groupadd security
dlp:~ # setfacl -m g:security:rw /home/testfile.txt
dlp:~ # getfacl /home/testfile.txt
getfacl: Removing leading '/' from absolute path names
# file: home/testfile.txt
# owner: root
# group: root
user::rw-
group::---
group:security:rw-
mask::rw-
other::---
# verify accesses with [leap] user who is in [security] group
leap@dlp:~> echo "test write" >> /home/testfile.txt
leap@dlp:~> cat /home/testfile.txt
ACL test file
test write
# wrote normally
# verify accesses with another user who is not in [security] group
suse@dlp:~> echo "test write" >> /home/testfile.txt
-bash: /home/test.txt: Permission denied
# denied normally
[6] Remove an ACL entry.

# remove the ACL entry only for [suse] user on [/home/testfile.txt]
dlp:~ # setfacl -x u:suse /home/testfile.txt
[7] Set a default ACL on a directory. When files or directories are created under a directory that has a default ACL, the default entries are inherited as their access ACL. Be careful: if you change the POSIX permission bits with [chmod] afterwards, the ACL mask changes with them, so the ACL entries may no longer take effect.

dlp:~ # setfacl -m u:suse:r-x /home/testdir
# set default ACL [r-x(read/execute)] for [suse] to [/home/testdir] directory
dlp:~ # setfacl -d -m u:suse:r-x /home/testdir
dlp:~ # getfacl /home/testdir
getfacl: Removing leading '/' from absolute path names
# file: home/testdir
# owner: root
# group: root
user::rwx
user:suse:r-x
group::---
mask::r-x
other::---
default:user::rwx
default:user:suse:r-x
default:group::---
default:mask::r-x
default:other::---

dlp:~ # echo "ACL default setting" > /home/testdir/test.txt
dlp:~ # ll /home/testdir/test.txt
-rw-r-----+ 1 root root 20 Dec 9 10:15 /home/testdir/test.txt
# verify accesses with [suse] user
suse@dlp:~> cat /home/testdir/test.txt
ACL default setting
# read normally
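To make the [chmod] caveat in [7] concrete, here is an added shell example (my own code, not part of this page or of the acl package) that reads getfacl-style text, constructed inline rather than captured from a host, and reports the effective rights of every entry after the mask is applied, including the mask that a three-digit chmod mode would leave behind; the function names and_perms, mode_to_mask and effective_acl are assumptions of this example.

```shell
# Added example (not from the page): effective rights of each getfacl entry.
# The mask caps named users, named groups and the owning group, which is why
# chmod (which rewrites the mask) can revoke access the entries still show.
# Default entries are skipped; modes are assumed to be three octal digits.
# Constructed getfacl output for illustration, not captured from a real host.
SAMPLE_ACL='# file: home/testdir/test.txt
# owner: root
# group: root
user::rw-
user:suse:r-x
group::---
group:security:rw-
mask::r--
other::---'

# and_perms r-x r-- -> r-- : keep only the bits present in both rwx strings
and_perms() {
  a=$1; b=$2; out=''; i=1
  while [ "$i" -le 3 ]; do
    ca=$(printf '%s' "$a" | cut -c"$i"); cb=$(printf '%s' "$b" | cut -c"$i")
    if [ "$ca" = "$cb" ] && [ "$ca" != '-' ]; then out="$out$ca"; else out="$out-"; fi
    i=$((i + 1))
  done
  printf '%s' "$out"
}

# mode_to_mask 640 -> r-- : chmod replaces the mask with the middle (group) octal digit
mode_to_mask() {
  case $(printf '%s' "$1" | cut -c2) in
    0) printf '%s' '---' ;; 1) printf '%s' '--x' ;; 2) printf '%s' '-w-' ;; 3) printf '%s' '-wx' ;;
    4) printf '%s' 'r--' ;; 5) printf '%s' 'r-x' ;; 6) printf '%s' 'rw-' ;; 7) printf '%s' 'rwx' ;;
  esac
}

# effective_acl "<getfacl text>" [mask] : print every entry with its effective rights.
# A mask argument simulates the mask that a chmod would leave behind.
effective_acl() {
  mask=${2:-$(printf '%s\n' "$1" | sed -n 's/^mask::\(...\)$/\1/p')}
  [ -n "$mask" ] || mask=rwx            # minimal ACL without a mask: nothing is capped
  printf '%s\n' "$1" | while IFS= read -r line; do
    case $line in
      '#'*|''|default:*) continue ;;    # comments, blank lines, default entries
      user::*|other::*) printf '%s effective:%s\n' "$line" "${line##*:}" ;;   # never masked
      mask::*) printf 'mask::%s\n' "$mask" ;;
      *) printf '%s effective:%s\n' "$line" "$(and_perms "${line##*:}" "$mask")" ;;
    esac
  done
}

effective_acl "$SAMPLE_ACL"                        # user:suse:r-x effective:r--
effective_acl "$SAMPLE_ACL" "$(mode_to_mask 600)"  # after chmod 600: named entries effective:---
```

The second call shows the failure mode from [7]: the entry for [suse] still reads r-x, but once chmod 600 has rewritten the mask to ---, it grants nothing.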
[8] Remove the default ACL.

dlp:~ # setfacl -k /home/testdir
dlp:~ # getfacl /home/testdir
getfacl: Removing leading '/' from absolute path names
# file: home/testdir
# owner: root
# group: root
user::rwx
user:suse:r-x
group::---
mask::r-x
other::---
[9] Set ACLs from a configuration file.

# create a configuration file for ACL
# if there are ACLs you'd like to set on another system, you can export them with the [getfacl] command
dlp:~ # vi acl.txt
# file: /home/testdir
# owner: root
# group: root
user::rwx
user:suse:r-x
group::---
mask::r-x
other::---

# file: /home/test.txt
# owner: root
# group: root
user::rwx
user:suse:r--
group::---
mask::r--
other::---

dlp:~ # setfacl --restore=acl.txt
dlp:~ # ll /home
total 8
drwx------. 1 leap leap 122 Dec 9 10:06 leap
drwx------. 1 suse suse 122 Dec 9 09:53 suse
-rwxr-----+ 1 root root 25 Dec 9 10:04 test.txt
drwxr-x---+ 1 root root 40 Dec 9 10:15 testdir
-rw-rw----+ 1 root root 21 Dec 9 10:13 testfile.txt