Access control lists (ACLs) may be used in multi-user environments to grant granular shared access to files without opening them to every user on the account. ACLs can be set either by the owner of the file or by the account admin using Beacon.
ACLs come in two forms, active entries and default entries. Active entries apply to the file or directory itself, whereas default entries exist only on directories and are applied to files created within that directory in the future.
Using setfacl
ACLs may be set from the terminal using setfacl on all v5+ platforms. setfacl may only be applied to files owned by the current user. For files owned by another user, use file_set_acls in Beacon (below) or take ownership of the files first using file_chown in Beacon or chown via sudo.
Syntax to set an ACL entry is setfacl -m [d:]USERNAME:PERMISSIONS FILE where:
- d: is an optional specifier to apply the ACLs as default ACLs rather than active ACLs
- USERNAME is the user on the account to apply these ACLs to
- PERMISSIONS is an octal bitmask between 0 and 7 or a collection of r, w, x representing read/write/execute permissions respectively
- The -m … argument may be repeated any number of times to apply rules to other users
- -R may be specified to apply the rules recursively
Simple usage
$ setfacl -m user:tom:7 newdata.zip
$ getfacl newdata.zip
# file: newdata.zip
# owner: myadmin
# group: myadmin
user::rw-
user:tom:rwx
group::r--
mask::rwx
other::r--
More examples
- Granting an additional user read access
setfacl -m u:lisa:r file
- Revoking write access from all groups and all named users (using the effective rights mask)
setfacl -m m::rx file
- Removing a named group entry from a file’s ACL
setfacl -x g:staff file
- Copying the ACL of one file to another
getfacl file1 | setfacl --set-file=- file2
- Copying the access ACL into the Default ACL
getfacl --access dir | setfacl -d -M- dir
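The following script is an added example (not code from the original page or from Beacon) that turns the argument forms described in this section into setfacl command lines: octal 0-7 or r/w/x letters for permissions, the d: prefix for default entries, -R for recursion, and -x instead of -m when an entry should be cleared. The mapping is the one documented above; the function and user names are illustrative.

```python
"""Build setfacl invocations from the argument forms described above.

Added example, not part of the original page or of Beacon. The mapping
(d: prefix for default entries, -R for recursion, -x for removal)
follows the setfacl syntax shown in this section.
"""
import shlex

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def to_rwx(perms):
    """Normalise a permission spec to getfacl-style 'rwx' letters.

    Accepts an octal bitmask 0-7 (int or str) or any combination of the
    letters r, w, x ('-' is tolerated as a placeholder). Bits that are
    not granted are rendered as '-', e.g. 5 -> 'r-x'.
    """
    if isinstance(perms, int) or (isinstance(perms, str) and perms.isdigit()):
        n = int(perms)
        if not 0 <= n <= 7:
            raise ValueError(f"octal permission must be 0-7, got {perms!r}")
    else:
        letters = set(perms) - {"-"}
        if not letters <= set(PERM_BITS):
            raise ValueError(f"unknown permission letters in {perms!r}")
        n = sum(PERM_BITS[c] for c in letters)
    return "".join(c if n & b else "-" for c, b in PERM_BITS.items())


def build_setfacl(path, entries, *, default=False, recursive=False):
    """Return the argv list for one setfacl call.

    entries maps a username to a permission spec. A value of None means
    "clear this user's entry", which maps to -x rather than -m.
    """
    argv = ["setfacl"]
    if recursive:
        argv.append("-R")
    prefix = "d:" if default else ""
    for user, perms in entries.items():
        # ':' or ',' inside a name would be parsed as a field separator
        if not user or any(c in user for c in ":,"):
            raise ValueError(f"invalid user name {user!r}")
        if perms is None:
            argv += ["-x", f"{prefix}u:{user}"]
        else:
            argv += ["-m", f"{prefix}u:{user}:{to_rwx(perms)}"]
    argv.append(path)
    return argv


def shell_line(argv):
    """Render argv as a safely quoted shell command line."""
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    # The simple usage from this section: grant tom full access to newdata.zip
    print(shell_line(build_setfacl("newdata.zip", {"tom": 7})))
    # Default, recursive entries for two users (hypothetical names)
    print(shell_line(build_setfacl("/var/www/html/test",
                                   {"redline": 7, "apache": "rwx"},
                                   default=True, recursive=True)))
    # Clearing a named entry
    print(shell_line(build_setfacl("/var/www/html/test", {"redline": None})))
```

Because the script only builds the command line, it can be reviewed before anything is run; the -R variant in particular rewrites every entry under the path, so the generated line is worth reading once before execution.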
Further reading
Check out the man pages for both setfacl and getfacl.
Using Beacon
Beacon provides an alternative interface to ACLs through file_set_acls and file_get_acls. ACLs set via Beacon bypass the traditional discretionary access checks when applied as the primary account holder: as the primary user you can alter the ACL on any file, whereas setfacl from the terminal requires that you own the file being adjusted.
$ beacon eval file_set_acls /var/www/html redline 7
1
$ getfacl /var/www/html
getfacl: Removing leading '/' from absolute path names
# file: var/www/html
# owner: myadmin
# group: myadmin
user::rwx
user:redline:rwx
group::r-x
mask::rwx
other::r-x
To set default ACLs, supply a third parameter, default:1; to apply recursively, add recursive:1.
$ beacon eval file_set_acls /var/www/html/test redline 7 [default:1,recursive:1]
1
$ getfacl /var/www/html/test/foo
getfacl: Removing leading '/' from absolute path names
# file: var/www/html/test/foo
# owner: myadmin
# group: myadmin
# flags: -s-
user::rwx
user:redline:rwx #effective:r-x
group::rwx #effective:r-x
mask::r-x
other::--x
default:user::rwx
default:user:redline:rwx
default:group::rwx
default:mask::rwx
default:other::--x
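The listing above is worth reading carefully: redline's entry is user:redline:rwx, yet getfacl annotates it #effective:r-x because mask::r-x caps every named user and group entry (the owner's user:: and other:: entries are never masked). The following script is an added example, not code from the original page or from Beacon; it parses the getfacl listing reproduced above (embedded as constructed sample input) and recomputes the effective rights, so the mask effect can be checked for any file rather than read off by eye.

```python
"""Parse getfacl output and recompute effective permissions.

Added example, not code from the original page or from Beacon. SAMPLE is
the getfacl listing for /var/www/html/test/foo from the section above,
embedded here so the script runs offline.
"""

PERM_BITS = {"r": 4, "w": 2, "x": 1}

SAMPLE = """\
# file: var/www/html/test/foo
# owner: myadmin
# group: myadmin
# flags: -s-
user::rwx
user:redline:rwx #effective:r-x
group::rwx #effective:r-x
mask::r-x
other::--x
default:user::rwx
default:user:redline:rwx
default:group::rwx
default:mask::rwx
default:other::--x
"""


def rwx_to_bits(rwx):
    """'r-x' -> 5"""
    return sum(PERM_BITS[c] for c in rwx if c != "-")


def bits_to_rwx(bits):
    """5 -> 'r-x'"""
    return "".join(c if bits & b else "-" for c, b in PERM_BITS.items())


def parse_getfacl(text):
    """Return (header, access_entries, default_entries).

    Each entry is (tag, qualifier, bits). getfacl's own '#effective:'
    annotations are dropped because effective() recomputes them.
    """
    header, access, default = {}, [], []
    for raw in text.splitlines():
        # '# file:' lines are header; a '#' after an entry is a comment
        line = raw if raw.startswith("#") else raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            header[key.strip()] = value.strip()
            continue
        target = access
        if line.startswith("default:"):
            target = default
            line = line[len("default:"):]
        tag, qualifier, perms = line.split(":")
        target.append((tag, qualifier, rwx_to_bits(perms)))
    return header, access, default


def effective(entries):
    """Apply the mask entry of one ACL (access or default).

    Named users, the owning group and named groups are limited to
    entry & mask; the owner (user::) and other:: are not masked.
    Returns {(tag, qualifier): (granted_bits, effective_bits)}.
    """
    mask = next((b for t, q, b in entries if t == "mask"), 7)
    out = {}
    for tag, qual, bits in entries:
        masked = tag == "group" or (tag == "user" and qual != "")
        out[(tag, qual)] = (bits, bits & mask if masked else bits)
    return out


def report(text):
    """Render the access ACL with recomputed #effective annotations."""
    header, access, _default = parse_getfacl(text)
    lines = [f"# file: {header.get('file', '?')}"]
    for (tag, qual), (bits, eff) in effective(access).items():
        note = "" if bits == eff else f" #effective:{bits_to_rwx(eff)}"
        lines.append(f"{tag}:{qual}:{bits_to_rwx(bits)}{note}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE))
```

Run against a live file with `getfacl FILE | python3 this_script.py` after replacing SAMPLE with sys.stdin.read(); the recomputed annotations should match what getfacl prints, and any named entry whose effective bits are lower than what was granted means the mask (not the entry) is what needs changing, as with setfacl -m m::rwx FILE.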
To clear an ACL entry for a specific user, do not supply a permission parameter:
$ beacon eval file_set_acls /var/www/html/test redline
$ getfacl /var/www/html/test/foo
getfacl: Removing leading '/' from absolute path names
# file: var/www/html/test/foo
# owner: myadmin
# group: myadmin
# flags: -s-
user::rwx
group::rwx #effective:r-x
mask::r-x
other::--x
default:user::rwx
default:group::rwx
default:mask::rwx
default:other::--x
Lastly, to set entries for several users in one call, pass a map of users to permissions:
$ beacon eval file_set_acls /var/www/html/test [redline:7,apache:7]
1
$ getfacl /var/www/html/test
getfacl: Removing leading '/' from absolute path names
# file: var/www/html/test
# owner: myadmin
# group: myadmin
user::rwx
user:apache:rwx
user:redline:rwx
group::r-x
mask::rwx
other::r-x