Setting ACLs Using setfacl
The setfacl(1) command is used to set and modify ACLs. It supports three command-line arguments:
➤ -d — Deletes the specified ACL entries
➤ -m — Adds/changes the specified ACL entries
➤ -s — Replaces the whole ACL with the specified entries
ACL entries for the standard user and group permissions are specified using the format entry::permissions (note the two colons), where entry is the keyword user or group (or the single-letter abbreviations u or g) and permissions is the appropriate combination of r, w, x, and - needed to define the permission.
ACL entries for the standard other permission and the mask used for maximum permissions use a slightly different syntax. The format is entry:permissions (note the single colon), where entry is the keyword other or mask (or the single-letter abbreviations o or m) and permissions is the appropriate combination of r, w, x, and - needed to define the permission.
The following listing shows the setfacl command used to set the user permission to read/write, and to set the group and other permissions to read-only:
# setfacl -s u::rw-,g::r--,o:r-- file1
ACL entries for other users and groups are specified using the format entry:id:permissions, where entry is the keyword user or group (or the single-letter abbreviations u or g); id is a user name, user ID (UID), group name, or group ID (GID); and permissions is the appropriate combination of r, w, x, and - needed to define the permission.
The following listing shows the setfacl command used to add read/write permission for user account guest and read-only permission for group account staff:
# setfacl -m u:guest:rw-,g:staff:r-- file1
In addition to all the previously described ACL entries, additional entries can be defined for directories. These entries specify the default ACL entries for files and subdirectories created under the directory. Defaults can be established using the same previously described formats by adding d: at the beginning of the entry field. All of the standard user, group, and other defaults, along with the default mask, must be defined initially at the same time.
For example, to define the default ACL entries for the directory shlog, the following setfacl command can be used:
# setfacl -m d:u::rw-,d:g::rw-,d:o:r--,d:m:r-- shlog
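As an added example (not from the book or from setfacl itself), the following Python checker parses ACL entries written in the syntax described above and reports which required entries a -s style specification is missing, so a mistaken spec can be caught before it is applied. The function names and the rule that a mask is only required alongside additional user/group entries are assumptions of this example.

```python
import re

# A permission field is exactly one r/-, one w/-, one x/- in that order.
PERM_RE = re.compile(r"^[r-][w-][x-]$")
KINDS = {"user": "user", "u": "user", "group": "group", "g": "group",
         "other": "other", "o": "other", "mask": "mask", "m": "mask"}

def parse_entry(text):
    """Parse one setfacl entry such as 'u::rw-', 'g:staff:r--' or 'd:m:r--'."""
    fields = text.split(":")
    default = fields[0] == "d"          # 'd:' prefix marks a directory default entry
    if default:
        fields = fields[1:]
    if not fields or fields[0] not in KINDS:
        raise ValueError(f"{text!r}: unknown entry type")
    kind = KINDS[fields[0]]
    if kind in ("user", "group"):
        # user/group entries carry an id field; it is empty for the owner (two colons)
        if len(fields) != 3:
            raise ValueError(f"{text!r}: expected entry:id:permissions")
        ident, perms = fields[1], fields[2]
    else:
        # other and mask entries have no id field (single colon)
        if len(fields) != 2:
            raise ValueError(f"{text!r}: expected entry:permissions")
        ident, perms = None, fields[1]
    if not PERM_RE.match(perms):
        raise ValueError(f"{text!r}: permissions must be an rwx/- triple")
    return {"default": default, "kind": kind, "id": ident, "perms": perms}

def check_acl(spec):
    """Return a list of missing required entries for a comma-separated -s spec
    (an empty list means the spec is complete)."""
    entries = [parse_entry(e) for e in spec.split(",")]
    problems = []
    for default in (False, True):
        group = [e for e in entries if e["default"] == default]
        if not group:
            continue
        label = "default " if default else ""
        have = {(e["kind"], e["id"]) for e in group}
        for kind, ident in (("user", ""), ("group", ""), ("other", None)):
            if (kind, ident) not in have:
                problems.append(f"missing {label}{kind} entry")
        named = any(e["id"] for e in group)
        # The mask caps named users/groups, so it is needed when they are present;
        # the default set must always be given complete, mask included.
        if (named or default) and ("mask", None) not in have:
            problems.append(f"missing {label}mask entry")
    return problems
```

Running check_acl on the two book examples combined, "u::rw-,g::r--,o:r--,u:guest:rw-,g:staff:r--", flags the missing mask entry that the -m example relies on the existing ACL to supply.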