Tuesday, September 04, 2007

Set File or Directory Access Control List with setfacl

The setfacl command is used to add, modify, or delete an ACL entry (or entries), or to replace the entire Access Control List (ACL) on a file or directory. Here are a few examples.

Replace the entire ACL (syntax as given in the man page)

setfacl -s user:esoft:rwx,user::rwx,group::rw-,mask:r--,other:--- testfile
or its octal equivalent
setfacl -s user:esoft:7,user::7,group::6,mask:4,other:0 testfile

Before changing ACL
# getfacl testfile
# file: testfile
# owner: root
# group: other
user::rw-
group::r-- #effective:r--
mask:r--
other:r--
# ls -l testfile
-rw-r--r-- 1 root other 0 Sep 4 23:26 testfile

After changing ACL
# setfacl -s user:esoft:rwx,user::rwx,group::rw-,mask:r--,other:--- testfile
# getfacl testfile

# file: testfile
# owner: root
# group: other
user::rwx
user:esoft:rwx #effective:r--
group::rw- #effective:r--
mask:r--
other:---
# ls -l testfile
-rwxr-----+ 1 root other 0 Sep 4 23:27 testfile

Same as above but in octal

# rm testfile
# touch testfile
# ls -l testfile
-rw-r--r-- 1 root other 0 Sep 4 23:30 testfile
# setfacl -s user:esoft:7,user::7,group::6,mask:4,other:0 testfile
# getfacl testfile

# file: testfile
# owner: root
# group: other
user::rwx
user:esoft:rwx #effective:r--
group::rw- #effective:r--
mask:r--
other:---
# ls -l testfile
-rwxr-----+ 1 root other 0 Sep 4 23:32 testfile
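
The #effective: comments in the getfacl output above are each named user or group entry combined with the mask. As an added example (not part of the original post), this POSIX shell function computes the same result from a setfacl -s entry list, symbolic or octal. The function names are hypothetical, it assumes (as the output above shows) that the mask does not limit user:: or other, and it requires a mask entry in the list.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# perm_bits PERM: print 0-7 for a symbolic ("rw-") or octal ("6") permission.
perm_bits() {
    case $1 in
        [0-7]) echo "$1" ;;
        [r-][w-][x-])
            n=0
            case $1 in r??) n=$((n | 4)) ;; esac
            case $1 in ?w?) n=$((n | 2)) ;; esac
            case $1 in ??x) n=$((n | 1)) ;; esac
            echo "$n" ;;
        *) echo "bad permission: $1" >&2; return 1 ;;
    esac
}

# perm_sym N: print the rwx string for a value 0-7.
perm_sym() {
    s=
    if [ $(($1 & 4)) -ne 0 ]; then s=${s}r; else s=${s}-; fi
    if [ $(($1 & 2)) -ne 0 ]; then s=${s}w; else s=${s}-; fi
    if [ $(($1 & 1)) -ne 0 ]; then s=${s}x; else s=${s}-; fi
    echo "$s"
}

# effective_acl ENTRIES: print each comma-separated entry with the mask applied.
effective_acl() {
    spec=$1 mask=
    old_ifs=$IFS; IFS=,
    set -- $spec
    IFS=$old_ifs
    for e in "$@"; do   # first pass: find the mask (mask:PERM or m:PERM)
        case $e in mask:*|m:*) mask=$(perm_bits "${e##*:}") || return 1 ;; esac
    done
    [ -n "$mask" ] || { echo "no mask entry in: $spec" >&2; return 1; }
    for e in "$@"; do   # second pass: owner, other and mask are printed as given
        bits=$(perm_bits "${e##*:}") || return 1
        head=${e%:*}
        case $e in
            user::*|u::*|other:*|o:*|mask:*|m:*)
                echo "$head:$(perm_sym "$bits")" ;;
            *)  echo "$head:$(perm_sym "$bits") effective:$(perm_sym $((bits & mask)))" ;;
        esac
    done
}

# Entry list taken from the setfacl -s command above.
effective_acl 'user:esoft:rwx,user::rwx,group::rw-,mask:r--,other:---'
```

Running it before setfacl shows when a mask such as r-- will cut a named user's rwx down to read-only, or when a wide mask leaves the entry at full strength.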

#######################################

Change user and mask
# setfacl -m u:esoft:6,m:6 testfile
# getfacl testfile

# file: testfile
# owner: root
# group: other
user::rwx
user:esoft:rw- #effective:rw-
group::rw- #effective:rw-
mask:rw-
other:---

Change group and mask
# setfacl -m g:other:4,m:6 testfile
# getfacl testfile

# file: testfile
# owner: root
# group: other
user::rwx
user:esoft:rw- #effective:rw-
group::rw- #effective:rw-
group:other:r-- #effective:r--
mask:rw-
other:---

Delete an ACL entry
# setfacl -d u:esoft:6 testfile
# getfacl testfile

# file: testfile
# owner: root
# group: other
user::rwx
group::rw- #effective:rw-
group:other:r-- #effective:r--
mask:rw-
other:---

Get the ACL of testfile, then apply it to testfile1
# getfacl testfile | setfacl -f - testfile1
