ACL: Setting Access Control Lists for non-privileged users

There are two types of ACLs:

Access ACL

The user and group access permissions for all kinds of file system objects (files and directories) are determined by means of access ACLs.

Default ACL

Default ACLs can only be applied to directories. They determine the permissions a file system object inherits from its parent directory
when it is created.

Structure of ACL entries

ACLs can be divided into two classes: minimal ACLs and extended ACLs. A minimal ACL simply comprises the entries for the types owner, owning group and other, corresponding to the conventional permissions for files and directories. An extended ACL should contain a mask entry and may contain several entries of the named user and named group types.

setfacl and getfacl are the utilities used in Linux to manage ACLs.
The basic setfacl command structure is:

setfacl -m rule file

e.g.: setfacl -m u:testuser:rw /testfile

The -m option is used to add or modify ACL entries.
The -x option is used to remove the ACL entry for a user:

e.g.: setfacl -x u:testuser /testfile

This removes testuser's named-user entry, and with it all permissions that entry granted, from the ACL of /testfile.

Scenario: assign read, write and execute permissions to user john and to the additional group marketing on the directory /SALE:

setfacl -m user:john:rwx,group:marketing:rwx /SALE

Setting a Default ACL

To set a default ACL, pass -d before the rule (the -m option takes the rule as its argument, so -d must precede -m):

setfacl -d -m user:john:rw /SALE

Other options

-b, --remove-all
Remove all extended ACL entries. The base ACL entries of the owner, group and others are retained.

-k, --remove-default
Remove the Default ACL. If no Default ACL exists, no warnings are issued.

-n, --no-mask
Do not recalculate the effective rights mask. The default behavior of setfacl is to recalculate the ACL mask entry, unless a mask entry was explicitly given. The mask entry is set to the union of all permissions of the owning group, and all named user and group entries. (These are exactly the entries affected by the mask entry.)

--mask
Do recalculate the effective rights mask, even if an ACL mask entry was explicitly given. (See the -n option.)

-d, --default
All operations apply to the Default ACL. Regular ACL entries in the input set are promoted to Default ACL entries. Default ACL entries in the input set are discarded. (A warning is issued if that happens.)

--restore=file
Restore a permission backup created by 'getfacl -R' or similar. All permissions of a complete directory subtree are restored using this mechanism. If the input contains owner comments or group comments, and setfacl is run by root, the owner and owning group of all files are restored as well. This option cannot be mixed with other options except '--test'.

--test
Test mode. Instead of changing the ACLs of any files, the resulting ACLs are listed.

-R, --recursive
Apply operations to all files and directories recursively. This option cannot be mixed with '--restore'.

-L, --logical
Logical walk, follow symbolic links. The default behavior is to follow symbolic link arguments, and to skip symbolic links encountered in subdirectories. This option cannot be mixed with '--restore'.

-P, --physical
Physical walk, skip all symbolic links. This also skips symbolic link arguments. This option cannot be mixed with '--restore'.
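The mask interaction that the -n and --mask options describe is the part of ACLs most often misread: a plain chmod on the group bits rewrites the mask and silently caps every named user and named group entry, and the next setfacl -m without -n widens the mask again to the union of those entries. The following Python, added here as an example and not code from the original page or from the acl package, parses a constructed getfacl listing for the /SALE scenario above, applies the mask to each entry the way the kernel does (reproducing getfacl's "#effective:" view), and recomputes the mask as setfacl would; it handles access ACL entries only, not "default:" lines.

```python
# Constructed sample: what `getfacl /SALE` could print after
#   setfacl -m user:john:rwx,group:marketing:rwx /SALE
# followed by `chmod g-w /SALE`, which rewrote the mask entry to r-x.
SAMPLE = """\
# file: SALE
user::rwx
user:john:rwx
group::r-x
group:marketing:rwx
mask::r-x
other::r-x
"""

def parse_perms(s):              # 'r-x' -> frozenset({'r', 'x'})
    return frozenset(c for c in s if c in "rwx")

def fmt_perms(perms):            # frozenset({'r', 'x'}) -> 'r-x'
    return "".join(c if c in perms else "-" for c in "rwx")

def parse_acl(text):
    """Return [(tag, qualifier, perms)]; '# ...' headers and annotations are dropped."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            tag, qualifier, perms = line.split(":")
            entries.append((tag, qualifier, parse_perms(perms)))
    return entries

def is_masked(tag, qualifier):
    """Named users, owning group and named groups are bounded by the mask; owner, other and mask are not."""
    return (tag == "user" and qualifier != "") or tag == "group"

def effective_rights(entries):
    """Map 'tag:qualifier' -> (granted, effective) with the mask applied as the kernel does."""
    mask = next((p for t, q, p in entries if t == "mask"), None)
    out = {}
    for tag, qualifier, perms in entries:
        eff = perms & mask if mask is not None and is_masked(tag, qualifier) else perms
        out[f"{tag}:{qualifier}"] = (fmt_perms(perms), fmt_perms(eff))
    return out

def recalculated_mask(entries):
    """Union of owning group and all named entries: the mask setfacl writes on the
    next -m unless -n/--no-mask is given."""
    union = frozenset()
    for tag, qualifier, perms in entries:
        if is_masked(tag, qualifier):
            union |= perms
    return fmt_perms(union)
```

For the sample, john and marketing are granted rwx but are effectively limited to r-x by the mask, while the owner keeps rwx; recalculated_mask returns rwx, which is what a later `setfacl -m` without -n would restore.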
