The setfacl command sets access control entries (ACEs) for users, groups, and other. Access control entries are typically used when two or more users or groups need access to the same file or directory, each with their own distinct permissions. For example, members of group1 might need read, write, and execute permission on /var/www/html, while members of group2 need read and execute, but not write, permission on /var/www/html.
Configure the disk to use access control lists
In /etc/fstab, add the acl mount option to the file systems on which you want to use access control entries. In this example, acl is set on the / file system.
/dev/mapper/base-root / xfs acl 0 0
Set access control entry for user, group, other
The -m or --modify option together with the u or user entry type sets an access control entry for a user. In this example, john.doe is given rwx (read, write, execute) permission on the /var/www/html directory.
setfacl --modify user:john.doe:rwx /var/www/html
The g or group entry type sets an access control entry for a group. In this example, members of the admins group are given rwx (read, write, execute) permission on the /var/www/html directory.
setfacl --modify group:admins:rwx /var/www/html
The o or other entry type sets the access control entry for other, that is, everyone who is neither the owner nor covered by a group entry. The qualifier between the two colons is left empty. In this example, other is given r (read) permission on the /var/www/html directory.
setfacl --modify other::r /var/www/html
Recursive
The -R or --recursive option applies the access control entries to the specified directory and to every file and subdirectory below it.
setfacl --recursive --modify group:admins:rwx /var/www/html
Default
The -d or --default option sets a default access control entry on a directory; default entries are inherited by files and subdirectories created in that directory afterwards.
setfacl --default --modify group:admins:rwx /var/www/html
Remove access control entry
The -x or --remove option removes an access control entry. The entry is identified by type and name only; no permission field is needed.
setfacl -x group:admins /var/www/html
The -b or --remove-all option can be used to remove all access control entries from a file or directory.
setfacl -b /var/www/html
Viewing access control entries
The getfacl command displays the access control entries of a file or directory.
~]# getfacl /var/www/html
# file: /var/www/html
# owner: root
# group: root
user::rwx
user:JohnDoe:rwx
user:JaneDoe:r-x
group::r-x
group:group1:rwx
group:group2:r-x
other::r-x
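The listing above is the format to audit when checking who can actually write to a directory. As an added example (not the page's own code), the Python below parses getfacl output and applies the mask entry, which caps named user, named group and owning-group entries and which a chmod on the group bits silently lowers; the sample listing is constructed from the one above, with the mask entry and #effective annotations getfacl prints in that situation.

```python
# Constructed sample of getfacl long-form output, modelled on the listing above
# (not captured from a real host). A mask entry is included because getfacl
# prints one whenever named user/group entries exist; "#effective" annotations
# appear when the mask is lower than the entry's own permissions.
SAMPLE = """\
# file: var/www/html
# owner: root
# group: root
user::rwx
user:JohnDoe:rwx\t\t#effective:r-x
user:JaneDoe:r-x
group::r-x
group:group1:rwx\t\t#effective:r-x
group:group2:r-x
mask::r-x
other::r-x
"""

def parse_getfacl(text):
    """Split getfacl output into a header dict and (tag, qualifier, perms) tuples."""
    header, entries = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):                 # "# owner: root" style header lines
            key, _, value = line.lstrip("# ").partition(":")
            header[key.strip()] = value.strip()
            continue
        entry = line.split("#", 1)[0].strip()    # drop any "#effective:..." note
        tag, qualifier, perms = entry.split(":", 2)
        entries.append((tag, qualifier, perms))
    return header, entries

def effective_perms(entries):
    """Apply the mask as the kernel does: named users, named groups and the owning
    group are limited by it; the owner (user::) and other:: are not."""
    mask = next((p for t, _, p in entries if t == "mask"), None)
    result = {}
    for tag, qualifier, perms in entries:
        if tag == "mask":
            continue
        if mask is not None and (qualifier or tag == "group"):
            perms = "".join(a if a == b else "-" for a, b in zip(perms, mask))
        result[(tag, qualifier)] = perms
    return result

def writers(entries):
    """Principals whose effective permissions include write, for a quick audit."""
    return sorted(k for k, p in effective_perms(entries).items() if "w" in p)
```

With the sample mask of r-x, only the owner retains write: the rwx granted to JohnDoe and group1 is reduced to r-x, which is exactly what getfacl's #effective column warns about.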