FreeKB - Linux Commands setfacl (create update access control entries)
Linux Commands - setfacl (create update access control entries)

The setfacl command can be used to set access control entries (ACE) for users or groups. Access control entries are typically used when two or more users or groups need access to a file or directory, where each user or group will require their own unique permissions. For example, perhaps members of group1 should have read, write, and execute permission to /var/www/html, and members of group2 should have read and execute, but not write permission, to /var/www/html.

 

Configure the disk to use access control lists

In /etc/fstab, add the acl option to the disks you want to have access control entries. In this example, acl is set on the / file system.

/dev/mapper/base-root  /   xfs   acl   0   0

 

Add access control entry

The -m (modify) and g (group) options can be used to set access control entries for a group. In this example, group1 is assigned read, write, and execute permission to /var/www/html, and group2 is assigned read and execute permission to /var/www/html.

~]# setfacl --modify g:group1:rwx /var/www/html
~]# setfacl --modify g:group2:r-x /var/www/html

 

The -R or --recursive option sets the access control entries for every file at and below the specified directory.

~]# setfacl --recursive --modify g:group1:rwx /var/www/html
~]# setfacl --recursive --modify g:group2:r-x /var/www/html

 

The -d option sets default access control entry.

~]# setfacl --default --modify g:group1:rwx /var/www/html
~]# setfacl --default --modify g:group2:r-x /var/www/html

 

Remove access control entry

The -x (remove) and g (group) options can be used to remove access control entries for a group. In this example, the read, write, and execute permission to /var/www/html are removed for group1, and the read and execute permission to /var/www/html are removed for group2.

~]# setfacl -x g:group1:rwx /var/www/html
~]# setfacl -x g:group2:r-x /var/www/html

 

The -b or --remove-all option can be used to remove all access control entries from a file or directory.

~]# setfacl -b /var/www/html

 

User

To add or remove access control entries for a user, instead of using the g (group) option, use the u (user) option.

~]# setfacl --modify u:JohnDoe:rwx /var/www/html
~]# setfacl --modify u:JaneDoe:r-x /var/www/html

 

Viewing access control entries

The getfacl command will display the access control entries for a directory. 

~]# getfacl /var/www/html
# file: /var/www/html
#owner: root
#group: root
user: rwx
user: JohnDoe: rwx
user: JaneDoe: r-x
group: r-x
group: group1: rwx
group: group2: r-x
other: r-x

 

Add a Comment




We will never share your name or email with anyone. Enter your email if you would like to be notified when we respond to your comment.




Please enter fa7b6 in the box below so that we can be sure you are a human.




Comments

Web design by yours truely - me, myself, and I   |   jeremy.canfield@freekb.net   |