How To Manage ACL In Linux

UNDERSTANDING THE SUBJECT MATTER

What Is ACL In Linux?

ACL (Access Control List) is an advanced permission mechanism in Linux.

The basic permission model only lets you grant permissions to one user (the owner of the file), one group (the group owner of the file) and everyone else, using the “chmod” command. If you have to give additional permissions to another user or another group on a file without making that user a member of the owning group, you will have to use ACL to do it.

With ACL, you can give permissions to any number of additional users and groups that do not own the file, each with its own set of permissions.

When an ACL is set on a file or directory, the “ls -l” command displays a “+” sign after the permission bits.

For example, in the “ls -l” output below (taken from the examples later in this article), the permission field of a file whose permission has been set using ACL ends with a “+”:

-rw-rw-r--+ 1 root HR 26 Feb  5 17:35 february_sales

The “+” sign indicates that an ACL is used on the file. It does not tell you what the ACL grants, so use getfacl (described below) to see the actual entries.

Using ACL requires that the kernel supports ACLs for the file-system type and that the file-system is mounted with ACL support. On current distributions the common file-systems (ext2, ext3, ext4, XFS, Btrfs) have ACL support on by default: new ext file-systems are created with acl in their default mount options (as the tune2fs output below shows), and XFS and Btrfs enable it without any mount option.

However, a file-system may still be mounted without ACL support, for example on an old kernel or when noacl has been given explicitly. In this case, you will have to remount the file-system with the acl mount option before ACLs can be used; until you do, setfacl fails with “Operation not supported”.


How To Verify If A File-System Has The ACL Mount Option Set By Default

To verify if an ext2/ext3/ext4 file-system has the ACL mount option recorded as a default in its super-block, use the command,

tune2fs -l <device> |grep "Default mount options:"

For example, to verify the file-system on /dev/sdb1, use the command,

[root@lab02 ~]# tune2fs -l /dev/sdb1 |grep "Default mount options:"

Default mount options:    user_xattr acl

tune2fs only reads ext2/ext3/ext4 super-blocks. To see the options a file-system is mounted with right now, whatever its type, use findmnt <mount-point> or look the mount point up in /proc/mounts. Note that a file-system whose ACL support is on by default (XFS, for example) may not list acl among its options at all.

Going forward, you should know that some old Linux kernels do not support ACL, or support it only for some file-system types.

When you verify the file-system and it is not mounted with the ACL option, it is also a good idea to verify that the kernel supports ACL for that file-system type before remounting it with the ACL option.


How To Verify If A Linux Kernel Supports ACL

To verify if a Linux kernel supports ACL, check the configuration it was built with,

[root@lab02 statistics]# grep -i acl /boot/config-$(uname -r)

(On distributions that do not ship /boot/config-*, the same information is available with zcat /proc/config.gz | grep -i acl.)

CONFIG_EXT4_FS_POSIX_ACL=y
CONFIG_XFS_POSIX_ACL=y
CONFIG_FS_POSIX_ACL=y
CONFIG_TMPFS_POSIX_ACL=y
CONFIG_NFS_V3_ACL=y
CONFIG_NFSD_V2_ACL=y
CONFIG_NFSD_V3_ACL=y
CONFIG_NFS_ACL_SUPPORT=m

“=y” means the feature is built into the kernel and “=m” means it is built as a loadable module (CONFIG_NFS_ACL_SUPPORT above), so both mean ACL is supported. A feature that is not supported appears as “# CONFIG_..._ACL is not set” or is missing entirely. CONFIG_FS_POSIX_ACL is the generic switch; the CONFIG_<FS>_POSIX_ACL line for the file-system type you use (for example CONFIG_EXT4_FS_POSIX_ACL or CONFIG_XFS_POSIX_ACL) must also be enabled.

Having confirmed that the kernel supports ACL, you can go ahead and mount the file-system with the ACL mount option if it is not already mounted with it.

However, the ACL user-space utilities (getfacl and setfacl) may not be installed on the system. They are not needed to mount the file-system with the ACL option, but you will need them to view and set ACLs.


How To Install ACL Utilities In Linux

For Red Hat or CentOS systems, use the command,

[root@lab02 ~]# yum install acl libacl nfs4-acl-tools

For Debian, Ubuntu and their derivatives, use the command,

[root@lab02 ~]# apt-get install acl nfs4-acl-tools

The acl package provides getfacl and setfacl (on Debian the library it depends on is called libacl1, not libacl, and is pulled in automatically). nfs4-acl-tools is only needed for NFSv4 ACLs (nfs4_getfacl and nfs4_setfacl), which are a different ACL model from the POSIX ACLs covered in this article.

How To Mount A File System With The ACL Mount Option

You can make acl a default mount option of an ext2/ext3/ext4 file-system (the option is stored in the super-block and survives reboots) by using the command,

tune2fs -o acl <device>

OR

 mount -t <file-system-type> -o acl <device> <mount-point>

For example, to set the default mount option for the partition, /dev/sdb1, use the command,

[root@lab02 ~]# tune2fs -o acl /dev/sdb1

tune2fs 1.44.6 (5-Mar-2019)

OR

[root@lab02 ~]# mount -t ext4 -o acl /dev/sdb1 /data

However, an option given on the mount command line will not be persistent after reboot. To make it persistent, you will need to add the option in the fstab (or use the tune2fs default above for ext file-systems).

To add it to the fstab, for example for /dev/sdb1 mounted on /data, include the line below in /etc/fstab,

/dev/sdb1   /data    ext4    acl,defaults    1 2

If the file-system is already mounted, you will need to remount it for the new option to take effect.

For example, to remount /dev/sdb1, use the command,

 # mount -o remount,acl /dev/sdb1

ACL In Linux

Moving forward, there are two commands used in managing ACLs: getfacl, which reads an ACL, and setfacl, which sets or changes one.

What is getfacl In Linux?

The getfacl tool is used to display the access control list of a file or directory.

Let’s look at an example of using getfacl command on the file, january

[root@lab02 statistics]# getfacl january

# file: january
# owner: root
# group: root
user::rw-
group::r--
other::r--

From the output above, you can see that it is also possible to view the permission on a file by using the “getfacl” command, just as when you use the “ls -l” command: the user::, group:: and other:: entries correspond to the owner, group and other permission bits.

The getfacl command displays the file permissions set with chmod together with any additional entries set with ACL, so it is the command to use whenever “ls -l” shows a “+”.


What Is setfacl In Linux?

The setfacl tool is used to set or change the access control list on a file. ACLs in Linux are of two types, the access ACL and the default ACL.

The access ACL is what is checked when a file or directory is accessed. A default ACL can only be set on a directory; it is not checked for access to the directory itself but is inherited by the files and sub-directories created inside it.

It is advisable that you set all the permissions you want on a file first using the chmod command, before setting additional permissions using ACL.

The reason is the mask:: entry that setfacl creates as soon as a file has named user or named group entries. The mask is the upper limit of what named users, named groups and the owning group can get, and once it exists the “group” bits given to chmod are written to the mask, not to the group:: entry. Running chmod after setfacl therefore silently changes what the ACL entries grant (getfacl then shows “#effective:” comments next to the capped entries). It can be corrected by re-running setfacl, but why waste precious time and effort if you can avoid it?

Furthermore, setting permission on a directory using ACL most times requires that you use both the recursive and the default option.

When the recursive option (-R) is used, the entry is applied to the directory and to all the items (files and directories) already inside it. When the default option (d:) is used, the entry is inherited by the new items that will later be created inside the directory. The two do different jobs, so you normally need both.

For example, if I am to set a read and write permission for the “finance” group using ACL on the “tekneed” directory, I will run the two commands below.

  • setfacl -R -m g:finance:rw tekneed
  • setfacl -m d:g:finance:rw tekneed

Note that a directory also needs the execute (x) permission before a group can enter it or list its contents, while -R with a plain x would make every regular file executable. setfacl accepts a capital X for exactly this case: rwX gives x to directories (and to files that already have execute permission for someone) but not to other files, so “setfacl -R -m g:finance:rwX tekneed” is usually what you want on a directory tree.

How To Set Permission For User, Group And Others On A File / Directory Using ACL

To set permission for a user using ACL, you will have to specify the username or the user id as well as the list of permissions.

Also, to set permission for a group, you will have to specify the group name or the group id as well as the list of permissions.

Permissions are a combination of r, w and x (for example rwx, rw, rx, wx, r, x, w), a lone - for no permission, or a single octal digit such as 6. A capital X means execute on directories and on files that already have execute permission for someone.

To set permission for a user using ACL, you use the command,

  setfacl -m u:<user-name>:<permission> <file/directory> 

Please see “ACTION TIME” for examples

To set Permission for a group using ACL, you use the command,

 setfacl -m g:<group-name>:<permission> <file/directory> 

Please see “ACTION TIME” for examples

To Set Permission For Others Using ACL, use the command,

setfacl -m other:<permission> <file/directory>

Please see “ACTION TIME” for examples

To set Permission on a directory recursively for a group or user using ACL

For a group, use the command,

 setfacl -R -m g:<group-name>:<permission> <directory> 

For a user, use the command,

setfacl -R -m u:<user-name>:<permission> <directory> 

Please see “ACTION TIME” for examples

To set permission for a group or user on a directory using ACL default option.

For a group, use the command,

 setfacl -m d:g:<group>:<permission> <directory> 

For a user, use the command,

setfacl -m d:u:<user>:<permission> <directory> 

Please see “ACTION TIME” for examples

To remove the ACL entry for a specific user or group (the mask is recalculated from the entries that remain),

For a user, use the command,

setfacl -x u:<user> <file/directory>

For a group, use the command,

setfacl -x g:<group> <file/directory>

Please see “ACTION TIME” for examples

To remove the default ACL entries from a directory, use the command,

setfacl -k <file/directory>

Please see “ACTION TIME” for examples

To remove all extended ACL entries (access and default) from a file or directory, leaving only the owner, group and other entries, you use the command,

setfacl -b <file/directory>

Please see “ACTION TIME” for examples

To copy the ACL of one file to another, use the command,

getfacl <file1> | setfacl --set-file=- <file2>

--set-file replaces the whole ACL of <file2>, including its owner, group and other entries. The same mechanism lets you back up and restore ACLs: “getfacl -R <directory> > acl.backup” saves them and “setfacl --restore=acl.backup” puts them back.

Please see “ACTION TIME” for examples


ACTION TIME

EXAMPLES

How To Set Permission For A user On A File / Directory Using ACL

To give the user tekneed, read and execute permission on the “february_sales” file, do the following steps.

1. Verify the current permission on the file,

[root@lab02 statistics]# ls -l february_sales

-rw-r--r--. 1 root HR 54 Feb  5 18:31 february_sales
[root@lab02 statistics]# getfacl february_sales

# file: february_sales
# owner: root
# group: HR
user::rw-
group::r--
other::r--

2. Set the permission,

[root@lab02 statistics]# setfacl -m u:tekneed:rx february_sales

3. Verify that the permission has been set. Note that setfacl has also added a mask:: entry; r-x is the most that the named user entry can grant.

[root@lab02 statistics]# getfacl february_sales

# file: february_sales
# owner: root
# group: HR
user::rw-
user:tekneed:r-x
group::r--
mask::r-x
other::r--


How To Set Permission For A Group On A File / Directory Using ACL

To give the finance group, read and write permission on the “february_sales” file, do the following steps.

1. Verify the current permission on the file,

[root@lab02 statistics]# ls -l february_sales

-rw-r--r--. 1 root HR 54 Feb  5 18:31 february_sales
[root@lab02 statistics]#
[root@lab02 statistics]# getfacl february_sales

# file: february_sales
# owner: root
# group: HR
user::rw-
group::r--
other::r--

2. Set the permission,

[root@lab02 statistics]# setfacl -m g:finance:rw february_sales

[root@lab02 statistics]#

3. Verify the permission has been set

[root@lab02 statistics]# getfacl february_sales

# file: february_sales
# owner: root
# group: HR
user::rw-
group::r--
group:finance:rw-
mask::rw-
other::r--

[root@lab02 statistics]#
[harry@lab02 statistics]$ ls -l february_sales

-rw-rw-r--+ 1 root HR 26 Feb  5 17:35 february_sales

Note that once the file has an ACL, the group column of “ls -l” shows the mask (rw-), not the permissions of the owning group HR (still r-- according to getfacl). Always read getfacl before concluding what a group can do with a file.


How To Set Permission For Others On A File / Directory Using ACL

To give others read and write permission on the “february_sales” file, use the command below. This is the same as chmod o=rw; the other:: entry is never limited by the mask.

[root@lab02 statistics]# setfacl -m other:rw february_sales

  • Verify the permission has been set.
[root@lab02 statistics]# getfacl february_sales

# file: february_sales
# owner: root
# group: HR
user::rw-
user:tekneed:---
group::r--
mask::r--
other::rw-


How To Completely Deny Access For A User Or Group On A File / Directory Using ACL

To completely remove the read, write and execute permission on the “february_sales” file for the user tekneed, use the command below. Because a named user entry is matched before the group and other entries, tekneed is denied even though other:: still grants read.

[root@lab02 statistics]# setfacl -m u:tekneed:- february_sales

  • verify
[root@lab02 statistics]# getfacl february_sales

# file: february_sales
# owner: root
# group: HR
user::rw-
user:tekneed:---
group::r--
mask::r--
other::r--

How To Remove ACL From A Specific Group or User

  • To remove the ACL entry for the user tekneed, use the command,
[root@lab02 statistics]# setfacl -x u:tekneed february_sales

  • To remove the ACL entry for the group tekneed, use the command,
[root@lab02 statistics]# setfacl -x g:tekneed february_sales


How To Remove ACL Default Entries From A File Or Directory

To remove the default ACL entries from the statistics directory (only directories can have default entries), use the command,

[root@lab02 /]# setfacl -k statistics


How To Remove All ACL Entries On A File / Directory

To remove all extended ACL entries from the “february_sales” file, use the command,

[root@lab02 statistics]#  setfacl -b february_sales
[root@lab02 statistics]# getfacl february_sales

# file: february_sales
# owner: root
# group: HR
user::rw-
group::r--
other::r--
[root@lab02 statistics]# ls -l february_sales

-rw-r--r--. 1 root HR 26 Feb  5 17:35 february_sales

How To Set Permission For A User On A Directory Recursively Using ACL

To give the user tekneed read and write permission on the “statistics” directory recursively, do the following steps.

1. Verify the current permission on the directory,

[root@lab02 /]# ls -ld statistics/

drwxrw-r-x. 2 root HR 4096 Feb 5 08:39 statistics/
[root@lab02 /]#

2. Set the permission

[root@lab02 /]# setfacl -R -m u:tekneed:rw statistics

[root@lab02 /]#

3. Verify that the permission has been set by using the “getfacl -R statistics” command or “ls -l” (look for the “+” sign).

Note that rw alone does not let tekneed enter or list the directory, because that needs x on the directory itself; use “setfacl -R -m u:tekneed:rwX statistics” to grant x on the directory without making the data files executable.


How To Set Permission For A Group On A Directory Recursively Using ACL

To give the finance group read and write permission on the “statistics” directory recursively, do the following steps.

1. verify the current permission on the directory

[root@lab02 /]# ls -ld statistics/

drwxrw-r-x. 2 root HR 4096 Feb  5 08:39 statistics/
[root@lab02 /]#
[root@lab02 /]# ls -l statistics/

total 4
-rwxrw----. 1 root HR      54 Feb  5 18:31 february_sales
-rw-r--r--. 1 root finance  0 Feb  4 21:00 january_sales

2. set the permission

[root@lab02 /]# setfacl -R -m g:finance:rw statistics

[root@lab02 /]#

3. Verify the permission has been set

[root@lab02 /]# ls -ld statistics/

drwxrw-r-x+ 2 root HR 4096 Feb  5 08:39 statistics/
[root@lab02 /]#
[root@lab02 /]# ls -l statistics

total 12
-rwxrw----+ 1 root HR      54 Feb  5 18:31 february_sales
-rw-rw-r--+ 1 root finance  0 Feb  4 21:00 january_sales

You can see from the output above that the entry was applied recursively: both files now carry the “+” sign.

[root@lab02 /]# getfacl statistics/

# file: statistics/
# owner: root
# group: HR
user::rwx
group::rw-
group:finance:rw-
mask::rw-
other::r-x


How To Set Permission For A Group On A Directory Using ACL Default Option

The default option on a directory makes the ACL entries apply to the new contents (files and directories) that will later be created inside it. In other words, the new contents that will be created inherit the permission. A default entry set without -R applies only to the directory named: existing sub-directories do not get it unless you combine d: with -R, while sub-directories created later inherit it automatically.

To give the finance group, read and write permission on the “statistics” directory using the default option, use the command,

[root@lab02 /]# setfacl -m d:g:finance:rw statistics

Verify that the permission has been set

[root@lab02 /]# getfacl statistics

# file: statistics/
# owner: root
# group: HR
user::rwx
group::rw-
other::r-x
default:user::rwx
default:group::rw-
default:group:finance:rw-
default:mask::rw-
default:other::r-x

NOTE: The default ACL is applied when a new file or directory is created inside the directory, which includes files written by cp. It is not applied to a file moved in with mv from the same file-system (mv renames the existing inode, which keeps its own ACL), and cp -p or cp -a carries the source file's own ACL over instead of the inherited one.
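The Python model below is an added example, not code from the original article. It ties together the three rules in this article that are easiest to get wrong: the mask that caps every named entry and the owning group (and that chmod rewrites once an ACL exists, as the setfacl section warns), the first-match access check that makes a user:tekneed:--- entry a hard deny, and default-ACL inheritance, where the process umask is not applied. The getfacl text it uses is constructed to match the february_sales and statistics outputs above; the owner and group names are passed in separately, and root's CAP_DAC_OVERRIDE is not modelled.

```python
# Added example, not code from the original article: a small model of the POSIX ACL
# rules in acl(5), used to reason about getfacl output. It parses getfacl text, applies
# the mask, decides whether a process may access a file, shows what chmod does to a
# file that already has an ACL, and computes the ACL a new file inherits from a
# directory's default ACL. DAC only: root's CAP_DAC_OVERRIDE is ignored.
R, W, X = 4, 2, 1

def bits(perms):
    """'r-x' -> 5; a trailing '#effective:...' comment from getfacl is ignored."""
    p = perms.split("#")[0]
    return (R if "r" in p else 0) | (W if "w" in p else 0) | (X if "x" in p else 0)

def text(b):
    return ("r" if b & R else "-") + ("w" if b & W else "-") + ("x" if b & X else "-")

def parse_getfacl(out):
    """Return (access, default) dicts keyed by (tag, qualifier), e.g. ('group', 'finance')."""
    access, default = {}, {}
    for line in out.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                              # '# owner:' style header lines
        target = access
        if line.startswith("default:"):
            target, line = default, line[len("default:"):]
        tag, qual, perms = line.split(":", 2)
        target[(tag, qual)] = bits(perms)
    return access, default

def effective(acl, key):
    """Named users, named groups and group:: are capped by mask::; user:: and other:: are not."""
    b = acl[key]
    if ("mask", "") in acl and key not in (("user", ""), ("other", ""), ("mask", "")):
        b &= acl[("mask", "")]
    return b

def may_access(acl, owner, owning_group, uid, groups, want):
    """acl(5) check: first matching class decides; a matching group class that lacks
    the permission denies even if other:: would allow it."""
    need = bits(want)
    if uid == owner:
        return effective(acl, ("user", "")) & need == need
    if ("user", uid) in acl:
        return effective(acl, ("user", uid)) & need == need
    matching = [k for k in acl if k[0] == "group" and
                ((k[1] == "" and owning_group in groups) or (k[1] != "" and k[1] in groups))]
    if matching:
        return any(effective(acl, k) & need == need for k in matching)
    return acl[("other", "")] & need == need

def group_class(acl):
    return ("mask", "") if ("mask", "") in acl else ("group", "")   # where chmod's group bits go

def chmod(acl, mode):
    """chmod on a file with extended entries rewrites user::, mask:: and other::, not group::."""
    acl[("user", "")] = (mode >> 6) & 7
    acl[group_class(acl)] = (mode >> 3) & 7
    acl[("other", "")] = mode & 7
    return acl

def ls_mode(acl):
    """What ls -l prints: the group column is the mask when one exists; '+' marks extended entries."""
    plus = "+" if len(acl) > 3 else ""
    return text(acl[("user", "")]) + text(acl[group_class(acl)]) + text(acl[("other", "")]) + plus

def inherit(default, create_mode=0o666):
    """ACL of a new file in a directory with a default ACL: the default ACL is copied, then user::,
    the group class and other:: are ANDed with the creation mode; the umask is NOT applied."""
    if not default:
        return None                               # no default ACL: plain mode & ~umask applies
    new = dict(default)
    new[("user", "")] &= (create_mode >> 6) & 7
    new[group_class(new)] &= (create_mode >> 3) & 7
    new[("other", "")] &= create_mode & 7
    return new

# Constructed getfacl output matching the article's february_sales and statistics examples.
FEBRUARY_SALES = """user::rw-
user:tekneed:r-x
group::r--
mask::r-x
other::r--"""
STATISTICS = """user::rwx
group::rw-
other::r-x
default:user::rwx
default:group::rw-
default:group:finance:rw-
default:mask::rw-
default:other::r-x"""

if __name__ == "__main__":
    acl, _ = parse_getfacl(FEBRUARY_SALES)
    print("tekneed may read+execute:", may_access(acl, "root", "HR", "tekneed", ["tekneed"], "rx"))
    after = chmod(dict(acl), 0o660)
    print("after chmod 660:", ls_mode(after), "tekneed effective:", text(effective(after, ("user", "tekneed"))))
    print("new file under statistics/:", ls_mode(inherit(parse_getfacl(STATISTICS)[1])))
```

Running it shows the two traps in one place: chmod 660 on february_sales leaves group:: at r-- but raises the mask to rw-, so tekneed's r-x entry now yields only r--; and a file created under statistics/ comes out rw-rw-r--+ whatever the creating process's umask is, because the default ACL replaces the umask and the finance group keeps write on every new file.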


How To Remove All ACL Entries On A Directory Recursively

To remove all ACL entries from the “statistics” directory recursively, use the command,

[root@lab02 /]# setfacl -b -R statistics

Verify

[root@lab02 /]# ls -l statistics/

total 4
-rwxrw----. 1 root HR      54 Feb  5 18:31 february_sales
-rw-r--r--. 1 root finance  0 Feb  4 21:00 january_sales
[root@lab02 /]# getfacl statistics

How To Copy ACL Of One File To Another

To copy the ACL of february_sales file to january_sales file, use the command,

[root@lab02 statistics]# getfacl february_sales | setfacl --set-file=- january_sales

Your feedback is welcome. If you love others, you will share with others.
