Bootstrap FreeKB - Linux Commands - setfacl (create update access control entries)
Linux Commands - setfacl (create update access control entries)


Let's say you are getting Permission denied when attempting to create a file in a directory.

[john.doe@server1 ~]$ touch /tmp/foo/bar.txt
touch: cannot touch '/tmp/foo/bar.txt': Permission denied

Notice in this example that user john.doe is attempting to create the bar.txt file in the /tmp/foo directory. The /tmp/foo directory is owned by root, and only root has the "w" (write) permission.

[john.doe@server1 ~]$ ls -ld /tmp/foo
drwxr-xr-x. 2 root root 6 Jan  3 21:36 /tmp/foo

One option would be to grant the "w" (write) permission to "other". Keep in mind that this lets every user on the system write to the directory, not just john.doe.

[root@server1 ~]# chmod o+w /tmp/foo

Or to change the group owner of the /tmp/foo directory, grant the group the "w" (write) permission, and add john.doe to the group (the new group membership takes effect the next time john.doe logs in).

[root@server1 ~]# chgrp admins /tmp/foo
[root@server1 ~]# chmod g+w /tmp/foo
[root@server1 ~]# usermod -aG admins john.doe

If neither of these options is acceptable, you may be able to use the setfacl command to set access control entries (ACEs) in the access control list (ACL) of a file or directory for specific users, groups, and other. Access control entries are typically used when two or more users or groups need access to the same file or directory, each with their own permissions. For example, members of group1 may need read, write, and execute permission on /var/www/html, while members of group2 need read and execute, but not write, permission on /var/www/html.

If the file system does not already enable ACLs (many modern file systems do by default), the acl option will need to be set in /etc/fstab for the file systems on which you want to use access control entries (setfacl and getfacl).

/dev/mapper/base-root  /   xfs   acl   0   0

Before using the setfacl command to modify the ACL of /tmp/foo, let's use the getfacl command to display the current ACL of /tmp/foo. The following is what is typically returned, because usually no access control entries have been set, and getfacl then shows only the three base entries that mirror the standard permission bits.

[root@server1 ~]# getfacl /tmp/foo
getfacl: Removing leading '/' from absolute path names
# file: tmp/foo
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

The -m or --modify option together with u or user can be used to set an access control entry for a user. In this example, john.doe is given rwx (read, write, execute) permission to the /tmp/foo directory.

setfacl --modify user:john.doe:rwx /tmp/foo

If you do not specify a user name (user::), the entry refers to the owner of the file or directory, so this sets the owner's permissions rather than granting access to every user.

setfacl --modify user::rwx /tmp/foo

The g or group option can be used to set an access control entry for a group. In this example, members of the admins group are given rwx (read, write, execute) permission to the /tmp/foo directory.

setfacl --modify group:admins:rwx /tmp/foo

Likewise, if you do not specify a group name (group::), the entry refers to the owning group of the file or directory.

setfacl --modify group::rwx /tmp/foo

The o or other option can be used to set the access control entry for other. In this example, other (everyone who is neither the owner nor matched by a user or group entry) is given r (read) permission to the /tmp/foo directory.

setfacl --modify other::r /tmp/foo


One liner

Multiple access control entries can be set in a single command by separating them with commas. This example sets three default entries (see Default below) on /var/www/html at once: rwx for the owner, rwx for the owning group, and no permissions for other.

setfacl --default --modify user::rwx,group::rwx,other::--- /var/www/html

Recursive

The -R or --recursive option sets the access control entries for every file and directory at and below the specified directory. Use a capital X instead of x if execute permission should be added only to directories and to files that already have it, so that regular files do not become executable.

setfacl --recursive --modify group:admins:rwx /var/www/html

Default

The -d or --default option sets a default access control entry on a directory. Default entries do not change access to the directory itself; they are inherited as the initial ACL of files and subdirectories created inside it.

setfacl --default --modify group:admins:rwx /var/www/html

Remove access control entry

The -x or --remove option can be used to remove an access control entry. Only the tag and qualifier of the entry are given, no permissions.

setfacl --remove group:admins /var/www/html

The -b or --remove-all option removes all extended access control entries (named users, named groups, and the mask) from a file or directory, leaving only the base entries that correspond to the standard permission bits.

setfacl -b /var/www/html


Viewing access control entries

The getfacl command displays the access control entries for a file or directory. When the ACL contains named user or group entries, a mask entry is shown as well. The mask caps the effective permissions of every named user entry, named group entry, and the owning group entry, and a plain chmod on the group bits rewrites it, which is a common reason an entry that reads rwx grants less than it appears to.

~]# getfacl /var/www/html
# file: var/www/html
# owner: root
# group: root
user::rwx
user:JohnDoe:rwx
user:JaneDoe:r-x
group::r-x
group:group1:rwx
group:group2:r-x
mask::rwx
other::r-x
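Because the mask entry caps named user and group entries, getfacl output is easy to misread; getfacl itself flags a capped entry with a trailing #effective: comment. The following Python is an added example, not code from the original article: it parses a constructed getfacl listing and applies the acl(5) access check (owner, then named user, then matching group entries, then other, with the mask applied where it counts) so you can see what a given user actually gets. It assumes only the standard library.

```python
import re

# Constructed getfacl output (not captured from a real host). The trailing
# "#effective:" comments are what getfacl prints when the mask caps an entry.
SAMPLE_ACL = """\
# file: var/www/html
# owner: root
# group: root
user::rwx
user:john.doe:rwx               #effective:r-x
group::r-x
group:admins:rwx                #effective:r-x
mask::r-x
other::r-x
"""

def parse_getfacl(text):
    """Return (owner, owning_group, {(tag, qualifier): set_of_perms})."""
    owner = group = None
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        meta = re.match(r"#\s*(owner|group):\s*(\S+)", line)
        if meta:
            owner, group = (meta[2], group) if meta[1] == "owner" else (owner, meta[2])
        elif line and not line.startswith(("#", "default:")):
            # default: entries only shape new files; they never affect access checks
            tag, qualifier, perms = line.split("#", 1)[0].strip().split(":")
            entries[(tag, qualifier)] = set(perms) - {"-"}
    return owner, group, entries

def effective_perms(text, user, groups):
    """Access `user` (a member of `groups`) really gets, per acl(5), as rwx."""
    owner, owning_group, acl = parse_getfacl(text)
    mask = acl.get(("mask", ""), {"r", "w", "x"})  # no mask entry: nothing is capped
    if user == owner:
        perms = acl[("user", "")]               # owner entry is never masked
    elif ("user", user) in acl:
        perms = acl[("user", user)] & mask      # named user entry is masked
    else:
        matches = [acl[("group", "")]] if owning_group in groups else []
        matches += [acl[("group", g)] for g in groups if ("group", g) in acl]
        # matching group entries are unioned then masked; no match falls to other::
        perms = set().union(*matches) & mask if matches else acl[("other", "")]
    return "".join(c if c in perms else "-" for c in "rwx")

if __name__ == "__main__":
    for who, grp in (("root", []), ("john.doe", ["admins"]), ("bob", ["users"])):
        print(f"{who:9s} -> {effective_perms(SAMPLE_ACL, who, grp)}")
```

Running it shows john.doe getting r-x despite the user:john.doe:rwx entry; raising the mask (setfacl -m mask::rwx) is what would restore write access.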
