|
Softpanorama |
May the source be with you, but remember the KISS principle ;-)
|
| Operations | Recommended Papers | |||
getfacl |
setfacl |
Humor | Etc |
There just two main commands to work with ACLs:
Each ACL entry consists of the following fields, which are separated by colons:
<entry-type>:[<UID>] | [<GID>]:<perms>
Where
You can also set regular permissions:
You can determine if a file has an ACL in one of two ways:
When you use the ls -l command, any file that has an ACL displays a plus (+) sign to the right of the mode field.
NOTE: If you define an ACL for a file and do not specify any additional users or groups, the plus sign is not displayed to the right of the mode field even though the file has a basic ACL. The plus sign is displayed only if additional users or groups are included in the ACL.
When you use the getfacl <filename> command with no options,
the ACL information for the file is displayed.
NOTE: You can use the getfacl command to display permissions on any UFS file or directory in the same format. The file does not need to have an ACL.
For comparison, the following example shows the output of the ls -l and getfacl commands for the file bar, which does not have an ACL.
castle% ls -l bar -rwxrw— 1 winsor staff 0 Oct 3 14:22 bar castle% getfacl bar # file: bar # owner: winsor # group: staff user::rwx group::rw- #effective:rw- mask:rw- other:— castle%
Use the setfacl command to set ACL permissions on a file. You can set the permissions for a file or a group of files from a command line or by listing the permissions in a file and using the file as an argument to the setfacl command. You can specify the permissions with the following syntax:
u[ser]::<perm> u[ser]:uid:<perm> g[roup]::<perm> g[roup]:gid:<perm> m[ask]:<perm> o[ther]:<perm> d[efault]:u[ser]::<perm> d[efault]:u[ser]:uid:<perm> d[efault]:g[roup]::<perm> d[efault]:g[roup]:gid:<perm> d[efault]:m[ask]:<perm> d[efault]:o[ther]:<perm>
NOTE: You can use either octal or symbolic values to set permissions.
On a command line, use a comma to separate each permission statement. In an ACL file, put each statement on a separate line. The statements do not need to be in any particular order.
To set ACL permissions from a command line, you must specify at least the basic set of user, group, other, and mask permissions. Type the following command to set ACL permissions: setfacl -s u::<perm>,g::<perm>,o:<perm>, m:<perm>, [u:<UID>:<perm>], [g:<GID>:<perm>
You can set users by using either their username or their UID number. Note that before you can use the username argument, the user account must already exist in the Passwd database or in the local /etc/passwd file. You can assign permissions to any UID by number, regardless of whether a user account exists.
In the same way, you can set group names by using either the group name or the GID number.
The following example assigns all of the permissions to the user, restricts group permissions to read-only, and denies permissions to other. The default mask sets read-write permissions, and user ray is assigned read-write permissions to the file foo.
First, take a look at the current permissions for the file:
castle% ls -l foo -rw-rw-rw- 1 winsor staff 0 Oct 3 14:22 foo
Then set permissions for user, group, owner, and the mask and add one user to the ACL:
castle% setfacl -s u::rwx,g::r—,o:—,mask:rw-,u:ray:rw- foo
Using octal values, as shown in the following example, gives you the same result:
castle% setfacl -s u::7,g::4,o:0,mask:6,u:ray:6 foo
Next, verify that the permissions have been set and that the file has an ACL:
castle% ls -l foo -rwxrw— + 1 winsor staff 0 Oct 3 14:22 foo
As you can see, the permissions for the file are changed and the plus sign after the permission field shows that the file has an ACL. Last, use the getfacl command to verify that everything has been set correctly:
castle% getfacl foo # file: foo # owner: winsor # group: staff user::rwx user:ray:rw- #effective:rw- group::rw- #effective:rw- mask:rw- other:— castle%
The getfacl command always displays ACL permissions symbolically, regardless of how you specify the values from the command line.
You can create an ACL configuration file that contains a list of the permissions you want to set and then use that filename as an argument to the setfacl -s command.
NOTE: You can use a configuration file only with the -s option to the setfacl command.
Use the following steps to set up the ACL configuration file:
NOTE: If you make typographical errors in the configuration file, the command might return a prompt without displaying any error messages. If you make syntax errors, the setfacl command might display an error message. Be sure to use the getfacl command to check that the permissions are set properly.
In the following example, the owner has rwx permissions, group has rw-, other has —, and the mask is rw-. Three users with different permissions are also granted access to the file. The acl_file (named anything) contains the following access list:
u::rwx g::rw- o:— m:rw- u:ray:rwx u:des:rw- u:rob:r—
Once you have set up the ACL for the file named anything, you can use the setfacl -f option to assign those same permissions to one more file. In the following example, the file named anything is used as the argument to the -f option to change ACLs for the files foo and bar so that they match the file anything:
castle% setfacl -f anything foo bar castle% getfacl foo bar # file: foo # owner: winsor # group: staff user::rwx user:ray:rwx #effective:rwx user:des:rw- #effective:rw- user:rob:r— #effective:r— group::rw- #effective:rw- mask:rw- other:— # file: bar # owner: winsor # group: staff user::rwx user:ray:rwx #effective:rwx user:des:rw- #effective:rw- user:rob:r— #effective:r— group::rw- #effective:rw- mask:rw- other:— castle%
You can add and modify ACL permissions for a file that already has an ACL or for any existing UFS file or directory by using the setfacl -m command. Arguments to the setfacl -m command use the same syntax and structure as arguments to the setfacl -s command.
Because each file already has a default owner, group, other, and mask setting, you can use the setfacl -m command on any UFS file without first using the setfacl -s command to specify an owner, group, other, or mask setting. If the file already has the permissions you want to use, you can simply use the setfacl -m command to modify (and create) the ACL for any file or directory.
When you use the -m option, if an entry already exists for a specified UID or GID, the permissions you specify replace the current permissions. If an entry does not exist, it is created.
Type the following syntax to add and modify permissions for a file or files and press Return:
setfacl -m <acl_entry_list><filename1> [<filename2>] [<filename3>]
In the following example, permissions for user ray are modified from rwx to rw- for the file foo.
castle% setfacl -m u:ray:rw- foo castle% getfacl foo # file: foo # owner: winsor # group: staff user::rw- user:ray:rw- #effective:rw- group::rw- #effective:rw- mask:rw- other:rw- castle%
Use the setfacl -d command to delete an ACL entry. To delete the entry, you can specify the entry type and the UID or GID. You do not need to include the permissions as part of the argument to the -d option.
Type the following syntax to delete an ACL entry and then press Return:
setfacl -d<entry_type>:<UID> | <GID> <filename1> [<filename2>] [<filename3>]
In the following example, user ray is deleted from the ACL of the file foo.
castle% setfacl -d u:ray foo castle% getfacl usage: getfacl [-ad] file ... castle% getfacl foo # file: foo # owner: winsor # group: staff user::rw- group::rw- #effective:rw- mask:rw- other:rw- castle%
You can copy ACL file permissions from one file to another without specifying them on the command line by piping the output of getfacl <filename> to another file by typing the following syntax and pressing Return:
getfacl <filename1> | setfacl -f - <filename2>
In the following example, the ACL for file foo is used as the template for the ACL for file bar.
First, verify that the files have different ACL permissions:
castle% getfacl foo bar # file: foo # owner: winsor # group: staff user::rw- user:ray:rwx #effective:rw- group::rw- #effective:rw- mask:rw- other:rw- # file: bar # owner: winsor # group: staff user::rw- group::rw- #effective:rw- mask:rw- other:rw-
Then list the ACL using the getfacl command and pipe the output to the setfacl -f command. The dash (-) tells the setfacl command to use the output from the file specified for the getfacl command as input to the second file.
castle% getfacl foo | setfacl -f - bar
Finally, use the getfacl command to verify that both files now have the same ACL permissions:
castle% getfacl foo bar # file: foo # owner: winsor # group: staff user::rw- user:ray:rwx #effective:rw- group::rw- #effective:rw- mask:rw- other:rw- # file: bar # owner: winsor # group: staff user::rw- user:ray:rwx #effective:rw- group::rw- #effective:rw- mask:rw- other:rw- castle%
Copyright © 1996-2008 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time. Submit comments This document is an industrial compilation designed and created exclusively for educational use and is placed under the copyright of the Open Content License(OPL). Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.
Standard disclaimer: The statements, views and opinions presented on this web page are those of the author and are not endorsed by, nor do they necessarily reflect, the opinions of the author present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.
Last modified: February 28, 2008