Linux Commands - setfacl (create update access control entries)

The setfacl command can be used to set access control entries (ACE) for users, groups, and other. Access control entries are typically used when two or more users or groups need access to the same file or directory, but each needs its own distinct permissions. For example, perhaps members of group1 should have read, write, and execute permission to /var/www/html, and members of group2 should have read and execute, but not write permission, to /var/www/html.

Configure the file system to use access control lists

In /etc/fstab, add the acl mount option to the file systems that should support access control entries. In this example, acl is set on the / file system.

/dev/mapper/base-root  /   xfs   acl   0   0

Set access control entry for user, group, other

The -m or --modify option, combined with the u or user tag, can be used to set an access control entry for a user. In this example, john.doe is given rwx (read, write, execute) permission to the /var/www/html directory.

setfacl --modify user:john.doe:rwx /var/www/html

The g or group tag can be used to set an access control entry for a group. In this example, members of the admins group are given rwx (read, write, execute) permission to the /var/www/html directory.

setfacl --modify group:admins:rwx /var/www/html

The o or other tag can be used to set the access control entry for other, meaning users who are neither the owner of the directory nor members of its owning group. In this example, other is given r (read) permission to the /var/www/html directory; the qualifier between the two colons is left empty because other has no name.

setfacl --modify other::r /var/www/html


Recursive

The -R or --recursive option sets the access control entries on the specified directory and on every file and directory below it.

setfacl --recursive --modify group:admins:rwx /var/www/html


Default

The -d or --default option sets a default access control entry on a directory. Default entries are not consulted when the directory itself is accessed; instead, files and subdirectories created inside it inherit them as their own access entries (subdirectories also inherit them as default entries), so use this when new content under /var/www/html should automatically receive the same permissions.

setfacl --default --modify group:admins:rwx /var/www/html


Remove access control entry

The -x or --remove option can be used to remove an access control entry. The entry is identified by its tag and qualifier only; the permissions field is left out.

setfacl -x group:admins /var/www/html

The -b or --remove-all option can be used to remove all access control entries, including default entries, from a file or directory, leaving only the standard owner, group, and other permissions. The -k or --remove-default option removes only the default entries.

setfacl -b /var/www/html

Viewing access control entries

The getfacl command displays the access control entries for a file or directory. Entries with an empty qualifier (user::, group::, other::) are the owner, owning group, and other permissions that correspond to the standard mode bits; named entries carry the user or group name in the qualifier. Whenever named user or group entries exist, getfacl also prints a mask entry (for example mask::rwx) that caps the effective permissions of every named user, named group, and owning-group entry; chmod on the group bits changes this mask rather than the group:: entry, and getfacl marks any entry the mask reduces with an #effective: hint.

~]# getfacl /var/www/html
# file: /var/www/html
# owner: root
# group: root
user::rwx
user:JohnDoe:rwx
user:JaneDoe:r-x
group::r-x
group:group1:rwx
group:group2:r-x
other::r-x
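Added example, not from the original page: a small Python parser for getfacl output that resolves permissions the way the kernel does, applying the mask entry (which getfacl prints whenever named user or group entries exist) and the POSIX check order of owner, named user, matching groups, then other. The sample output is constructed from the page's example with a mask line added.

```python
# Added example (not from the page): parse getfacl(1) output and resolve access
# the way the kernel does, including the mask that caps named/group entries.
SAMPLE = """\
# file: /var/www/html
# owner: root
# group: root
user::rwx
user:JohnDoe:rwx
user:JaneDoe:r-x
group::r-x
group:group1:rwx
group:group2:r-x
mask::r-x
other::r-x
"""  # constructed: the page's example plus the mask line getfacl really prints

def parse_getfacl(text):
    """Return {'owner', 'owning_group', 'entries': {(tag, qualifier): perms}}."""
    acl = {"owner": None, "owning_group": None, "entries": {}}
    for raw in text.splitlines():
        line = raw.split("#effective:")[0].strip()  # drop getfacl's effective hint
        if line.startswith("# owner:"):
            acl["owner"] = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            acl["owning_group"] = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            tag, qualifier, perms = line.split(":")
            acl["entries"][(tag, qualifier)] = perms
    return acl

def effective(acl, key):
    """Permissions after the mask; user:: (owner) and other:: are never masked."""
    perms = acl["entries"][key]
    mask = acl["entries"].get(("mask", ""))
    if mask is None or key in (("user", ""), ("other", "")):
        return perms
    return "".join(c if c in mask else "-" for c in perms)

def check_access(acl, user, groups, want):
    """POSIX ACL check order: owner, named user, matching groups, other."""
    e = acl["entries"]
    grants = lambda perms: all(bit in perms for bit in want)
    if user == acl["owner"]:
        return grants(e[("user", "")])
    if ("user", user) in e:
        return grants(effective(acl, ("user", user)))
    keys = [("group", "") if g == acl["owning_group"] else ("group", g) for g in groups]
    hits = [k for k in keys if k in e]
    if hits:  # a group entry matched: any one granting every requested bit is enough
        return any(grants(effective(acl, k)) for k in hits)
    return grants(e[("other", "")])
```

With the mask at r-x, both JohnDoe and group1 lose the write bit their entries appear to grant, which is exactly the case a chmod g-w on the directory produces.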

Web design by yours truely - me, myself, and I   |   jeremy.canfield@freekb.net   |