UNIX-type systems use the octal file permission model, which is limited when it comes to granting access to specific users and groups. By default there are only three classes for which permissions can be set on files and directories: the owner, the owner's group and everyone else, and each of them can have read, write and execute permission allowed or denied. For example, Bob has a file with his favorite recipes, and the following permissions are set on the file:
-rw-r----- 1 Bob WholeOffice 20 Apr 26 09:07 FavoriteRecipes.txt
Let's check the permissions on the file. Bob is the owner, and he has read and write permissions on the file. The owner group is WholeOffice; everyone who is a member of that group can read the file but cannot write to it. Bob asked Alice to add her excellent goulash recipe to the file. Now, Alice is a member of the WholeOffice group, so we could give the WholeOffice group write permission on the file, but Bob wants only Alice to edit the file; he doesn't want anyone else to touch his recipes. What can we do? File access control lists to the rescue!
Before You Begin
First of all we need to make sure that the acl software package is installed on the system. In the latest versions of Linux distributions the acl package is installed by default, and ACL support is enabled when a file system is mounted, but check before you begin.
# Ubuntu and Debian
apt-get install acl
# RHEL, CentOS, Fedora
yum install acl
Also, ACL support was not always enabled on ext4 file systems when they were mounted with default settings. You can verify whether it is enabled on yours with the tune2fs command.
# Check if acl is added by default at mount
root@linux:/home# tune2fs -l /dev/sdb1 | grep "Default mount options"
Default mount options: user_xattr acl
Set granular access rights
We simply give Alice write permission on the file with the following command:
setfacl -m u:Alice:rw /home/Bob/FavoriteRecipes.txt
We use -m to modify the ACL on the file, giving the user (u) Alice read and write (rw) permissions.
-rw-rw----+ 1 Bob WholeOffice 20 Apr 26 09:07 FavoriteRecipes.txt
As a result, when listing the file we see a "+" sign after the permission bits, which means granular access permissions are set.
The getfacl command shows us all the permissions that are set. Note that if a granular entry exists for Alice, it overrides her default UGO permissions: although she is a member of the WholeOffice group, and so already has read access through it, if we specify only "w" instead of "rw" in the setfacl command she won't be able to read the file. Alice can now freely edit the recipes!
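To see why a bare "w" entry leaves Alice without read access, here is an added Python example (not from the original post) that parses getfacl output and applies the POSIX ACL evaluation order: owner first, then a matching named user entry, then group entries capped by the mask, then other. The getfacl output and the user and group names are constructed for the example.

```python
# Constructed getfacl output for Bob's file after
# `setfacl -m u:Alice:rw`; not captured from a real system.
ACL_RW = """\
# file: home/Bob/FavoriteRecipes.txt
# owner: Bob
# group: WholeOffice
user::rw-
user:Alice:rw-
group::r--
mask::rw-
other::---
"""
# The same file if `setfacl -m u:Alice:w` had been used instead.
ACL_W_ONLY = ACL_RW.replace("user:Alice:rw-", "user:Alice:-w-")


def parse_getfacl(text):
    """Return (owner, group, entries); entries are (tag, qualifier, perms).
    'default:' entries describe new children, so they are skipped here."""
    owner = group = None
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith(("#", "default:")):
            # drop getfacl's trailing "#effective:" annotation, if any
            tag, qualifier, perms = line.split("#")[0].strip().split(":")
            entries.append((tag, qualifier, set(perms) - {"-"}))
    return owner, group, entries


def effective_perms(text, user, groups):
    """First matching class decides, which is why a named user entry
    overrides the read access Alice would otherwise get via her group."""
    owner, owning_group, entries = parse_getfacl(text)
    acl = {}
    for tag, qual, perms in entries:
        acl.setdefault(tag, {})[qual] = perms
    mask = acl.get("mask", {}).get("", {"r", "w", "x"})
    if user == owner:
        return acl["user"][""]
    if user in acl["user"]:
        return acl["user"][user] & mask
    granted, matched = set(), False
    for qual, perms in acl["group"].items():
        if (owning_group if qual == "" else qual) in groups:
            matched, granted = True, granted | (perms & mask)
    return granted if matched else acl["other"][""]
```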
Default ACL permissions (inheritance)
Elaborating on the previous example, Bob wants Alice to have write permission on all the new files he will create in his home folder. In this case we can use the -d (default) switch with setfacl to set these default permissions on his home directory.
setfacl -d -m u:Alice:rw /home/Bob
Any new file created in that directory will inherit the default permissions.