====== Access Control Lists ======

This document explains how to use POSIX ACLs under Linux.

===== What can ACLs be used for? =====

ACLs provide finer-grained permissions than the standard Unix permission bits, which only let you grant read, write and execute to the owning user, the owning group and everyone else. With an ACL you can attach as many additional named-user and named-group entries to a file or directory as you need (the practical limit is the extended-attribute space of the filesystem), giving some users read-only access, some groups read/write access, or whatever combination you require. POSIX ACLs also support default ACLs: a default ACL set on a directory is inherited by every file and directory created inside that directory.

===== Getting ACL Enabled =====

Before you can use ACLs, a few system requirements must be satisfied:

  * You must use a filesystem which supports POSIX ACLs (ext2/3/4, XFS, Btrfs, JFS and tmpfs among others)
  * The filesystem must be mounted with ACL support. On current distributions ext4, XFS and Btrfs have POSIX ACLs enabled by default; older setups needed the acl mount option in /etc/fstab. When ACLs are unavailable, setfacl fails with "Operation not supported".
  * Coreutils must be compiled with ACL support, otherwise cp -p and mv cannot preserve ACLs
  * You need to have the acl package installed, which provides the getfacl and setfacl commands

===== Managing ACLs =====

To use ACLs we need the two commands from the acl package, 'getfacl' and especially 'setfacl'.
getfacl shows the ACLs present on a file or directory, and setfacl lets you add, change and remove ACL entries.

==== Editing ACLs ====

The setfacl command can be run with a large variety of options; here is a list of the ones worth mentioning, which this howto will explain. FILE stands for the file or directory being modified.

^ Option ^ Description ^ Example ^ Result ^
| -b | Removes all ACL entries (access and default) | setfacl -b FILE | All ACL entries removed from FILE; only the standard permission bits remain |
| -k | Removes the default ACL entries | setfacl -k FILE | All default ACL entries removed from FILE |
| -n | Don't recalculate the effective rights mask | setfacl -n -m u:root:rw- FILE | FILE gets an entry allowing root to read/write, but the mask is left as it was, so root's effective rights may be less than rw- |
| -d | Applies the operation to the default ACL | setfacl -d -m u:root:rwX FILE | FILE (a directory) gets a default entry user:root:rwx; new subdirectories inherit user:root:rwx, new files inherit the entry but get rw- effectively, because a new file's mask is taken from its creation mode |
| -R | Apply recursively | setfacl -R -m g:users:r-x FILE | FILE and everything below it get an entry giving group users read/execute |
| -x | Remove an entry | setfacl -x g:admin FILE | The entry for group admin is removed from FILE |

Note that -m takes the entry directly (u:root:rw-, not -u:root:rw-), and -x takes the entry without permissions and without -m.

==== Listing ACLs ====

The getfacl command can be run with just a file or directory as its argument, but the output is easier to read with --omit-header, which suppresses the "# file:", "# owner:" and "# group:" comment lines.

==== Backup/Restore ====

It is possible to use getfacl to back up the ACLs of a file or directory, or recursively through a directory tree, and then use setfacl to restore them.
  * Back up the ACL of a file: getfacl FILE > backup.acl
  * Back up the ACLs recursively for a directory: getfacl -R DIR > backup.acl
  * Restore the backup with the restore feature: setfacl --restore=backup.acl

getfacl records paths as they were given on its command line (relative paths stay relative), so run setfacl --restore from the same working directory the backup was taken in, as the example below does. The files must already exist; --restore sets ACLs, it does not recreate files. Because the backup also records the owner and group of each file, restoring files owned by other users requires root.

==== Example ====

This is an example of applying normal ACLs and default ACLs, using getfacl to observe them, and backing them up and restoring them:

<code bash>
redeeman@redeeman /mnt/ACLTest $ mkdir testdir
redeeman@redeeman /mnt/ACLTest $ setfacl -m u:guest:rw,g:vfat:r-x testdir
redeeman@redeeman /mnt/ACLTest $ setfacl -d -m g:vfat:rw- testdir
redeeman@redeeman /mnt/ACLTest $ echo "test" > testdir/testfile
redeeman@redeeman /mnt/ACLTest $ getfacl -R testdir > backup.acl
redeeman@redeeman /mnt/ACLTest $ rm -fr testdir ; mkdir testdir ; echo "test" > testdir/testfile
redeeman@redeeman /mnt/ACLTest $ setfacl --restore=backup.acl
redeeman@redeeman /mnt/ACLTest $ getfacl --omit-header testdir
user::rwx
user:guest:rw-
group::r-x
group:vfat:r-x
mask::rwx
other::r-x
default:user::rwx
default:group::r-x
default:group:vfat:rw-
default:mask::rwx
default:other::r-x
redeeman@redeeman /mnt/ACLTest $ getfacl --omit-header testdir/testfile
user::rw-
group::r-x                      #effective:r--
group:vfat:rw-
mask::rw-
other::r--
</code>

Note that the restore brought back both the access and the default ACL of testdir and the inherited ACL of testfile, and that the mask of testdir was recalculated to rwx (the union of user:guest:rw-, group::r-x and group:vfat:r-x) when the entries were added.

===== A few notes =====

  * When a file or directory is created inside a directory with a default ACL, the default ACL replaces the umask: the new object's ACL is a copy of the default ACL, and its user::, mask and other:: entries are ANDed with the mode requested by the creating process (0666 for a file, 0777 for a directory). The permission bits shown by ls are then the owner entry, the mask in place of the group bits, and the other entry. In the example above this is why testfile ends up with mask::rw- and its inherited group::r-x is shown with #effective:r--.
  * When copying something into a directory with a default ACL, a plain cp creates a new file, so the source's ACL entries are dropped and the default ACL applies. cp -p, cp -a and mv within the same filesystem preserve the source's ACL instead (given coreutils built with ACL support, see above).
  * The mask entry is an upper bound on the rights granted by named-user entries, named-group entries and the owning-group entry; the owner (user::) and other:: entries are not limited by it. Unless -n is given, setfacl recalculates the mask as the union of those entries after every change. Beware that chmod on a file that has a mask entry changes the mask, not the owning-group entry, so a chmod g-w silently reduces the effective rights of every named user and group.
  * When adding entries one has to specify permissions (rwx); when removing, one must not
  * More than one ACL entry can be manipulated with a single setfacl command; the entries are separated with ','

===== Other Resources =====

[[http://www.suse.de/~agruen/acl/linux-acls/online/|Andreas Grünbacher's paper on Access Control Lists]]
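The mask behaviour described in the notes above (the mask bounding named entries and the owning group, setfacl recalculating it as a union, chmod rewriting it), as an added example that is not part of the original page: a POSIX sh script that computes the #effective annotations from a getfacl listing the same way getfacl does, prints the mask setfacl would recalculate, and then, when the acl package and an ACL-capable filesystem are available, reproduces the chmod pitfall with the real tools in a temporary directory. The function names (effective_acl, recalc_mask, live_demo), the SAMPLE_ACL listing and the use of root as a named user and group are this example's own choices, not anything from the page.

```shell
#!/bin/sh
# Added example, not from the original page. Computes the effective rights
# of ACL entries under the mask (the #effective column getfacl prints) and
# the mask setfacl would recalculate; the live part needs setfacl/getfacl
# on an ACL-capable filesystem and skips itself otherwise.

# Constructed getfacl --omit-header listing, modelled on the testfile output
# in the example above with a named-user entry (guest) added.
SAMPLE_ACL='user::rw-
user:guest:rwx
group::r-x
group:vfat:rw-
mask::rw-
other::r--'

# effective_acl: read an access ACL listing in getfacl format on stdin and
# print every entry, annotated with #effective where the mask reduces it.
# Only access ACLs are handled; default: entries are not parsed here.
effective_acl() {
    awk -F: '
    # and3(a, b): bitwise AND of two rwx strings, e.g. and3("r-x", "rw-") = "r--"
    function and3(a, b,    i, c, out) {
        out = ""
        for (i = 1; i <= 3; i++) {
            c = substr(a, i, 1)
            out = out (c != "-" && c == substr(b, i, 1) ? c : "-")
        }
        return out
    }
    /^#/ || NF == 0 { next }                 # skip comment and blank lines
    {
        sub(/[ \t]+#.*/, "", $3)             # drop any #effective getfacl already printed
        n++; tag[n] = $1; name[n] = $2; perm[n] = $3
        if ($1 == "mask") mask = $3
    }
    END {
        for (i = 1; i <= n; i++) {
            line = tag[i] ":" name[i] ":" perm[i]
            # the mask applies to group:: and to named user/group entries,
            # never to user:: (the owner) or to other::
            if (mask != "" && (tag[i] == "group" || (tag[i] == "user" && name[i] != ""))) {
                e = and3(perm[i], mask)
                if (e != perm[i]) line = line "\t#effective:" e
            }
            print line
        }
    }'
}

# recalc_mask: print the mask setfacl computes when -n is not given, i.e.
# the union of all named-user, named-group and owning-group permissions.
recalc_mask() {
    awk -F: '
    /^#/ || NF == 0 { next }
    $1 == "group" || ($1 == "user" && $2 != "") {
        sub(/[ \t]+#.*/, "", $3)
        for (i = 1; i <= 3; i++) if (substr($3, i, 1) != "-") m[i] = substr($3, i, 1)
    }
    END { printf "%s%s%s\n", ((1 in m) ? m[1] : "-"), ((2 in m) ? m[2] : "-"), ((3 in m) ? m[3] : "-") }'
}

# live_demo: the same points with the real tools in a temporary directory.
# Assumes the acl package and an ACL-capable filesystem; otherwise it only
# prints why it skipped, so the rest of the script still runs.
live_demo() {
    command -v setfacl >/dev/null 2>&1 || { echo "live demo skipped: setfacl not installed"; return 0; }
    d=$(mktemp -d) || return 1
    if ! setfacl -m u:root:r-x "$d" 2>/dev/null; then
        echo "live demo skipped: $d is not on an ACL-capable filesystem"
        rm -rf "$d"; return 0
    fi
    setfacl -d -m g:root:rw- "$d"      # default ACL: new files inherit group:root:rw-
    : > "$d/new"                       # created with mode 0666, umask ignored, mask becomes rw-
    echo "--- $d/new after creation"
    getfacl --omit-header "$d/new"
    chmod g-w "$d/new"                 # chmod rewrites the mask, not group::, ...
    echo "--- $d/new after chmod g-w"
    getfacl --omit-header "$d/new" | effective_acl   # ... so group:root:rw- is now #effective:r--
    rm -rf "$d"
}

printf '%s\n' "$SAMPLE_ACL" | effective_acl
printf 'mask setfacl would recalculate: %s\n' "$(printf '%s\n' "$SAMPLE_ACL" | recalc_mask)"
live_demo
```

On the sample listing the script annotates user:guest:rwx with #effective:rw- and group::r-x with #effective:r--, leaves group:vfat:rw- alone, and reports rwx as the mask setfacl would recalculate; that is exactly why a "-n" in the editing table can leave a freshly added entry with fewer rights than it was given.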