Category Archives: ACLs

Part 2: Linux Default ACLs

Default ACLs can only be set on directories. A default ACL grants nothing by itself; it is a template that is copied to files and subdirectories created inside that directory AFTER it is applied. New files receive it as their access ACL, and new subdirectories receive it both as their access ACL and as their own default ACL, so inheritance continues down the tree. Existing files and subdirectories are not touched and do not inherit anything from it; if they need the same rights, set an access ACL on them explicitly (for example with setfacl -R).

The example below modifies directory permissions with a default ACL for members of a test group named colab_group:

We start by creating a test directory with the default permissions:

$ mkdir testdir
$ ls -ld testdir
drwxrwxr-x. 2 user1 user1 6 Mar 20 17:08 testdir

The test users are members of the group “colab_group”

$ getent group | grep colab
colab_group:x:9003:user3,user4,user1

Create a test file and view permissions before adding default ACL permissions:

[user1@server1 testdir]$ pwd
/tmp/testdir

[user1@server1 testdir]$ ls -l
total 0
-rw-rw-r--. 1 user1 user1 0 Mar 20 17:18 1_test_perms

# current file permissions
$ getfacl 1_test_perms 
# file: 1_test_perms
# owner: user1
# group: user1
user::rw-
group::rw-
other::r--

# current sub directory permissions
$ getfacl 1_subdir/
# file: 1_subdir/
# owner: user1
# group: user1
user::rwx
group::rwx
other::r-x

# current parent directory permissions
$ getfacl testdir
# file: testdir
# owner: user1
# group: user1
user::rwx
group::rwx
other::r-x

Apply the default ACL permissions with rwx (7) access to the parent testdir:

$ setfacl -m d:g:colab_group:rwx testdir
$ getfacl testdir
# file: testdir
# owner: user1
# group: user1
user::rwx
group::rwx
other::r-x
default:user::rwx
default:group::rwx
default:group:colab_group:rwx
default:mask::rwx
default:other::r-x

After the default ACL is applied to the parent directory, the plus sign ‘+’ appears after the mode bits in the directory listing, indicating that an extended ACL is present:

$ ls -ld testdir
drwxrwxr-x+ 3 user1 user1 42 Mar 20 17:23 testdir

Checking the existing file and subdirectory shows that their permissions have not changed:

$ ls -l
total 0
drwxrwxr-x. 2 user1 user1 6 Mar 20 17:23 1_subdir
-rw-rw-r--. 1 user1 user1 0 Mar 20 17:18 1_test_perms

Creating another file and directory now that the default ACL is in place shows the difference: both were created after the default ACL was applied to the parent, so both inherit it. The new file 2_test_perms and the new directory 2_subdir carry the ‘+’ marker, while 1_test_perms and 1_subdir still do not:

$ ls -l
total 0
drwxrwxr-x. 2 user1 user1 6 Mar 20 17:23 1_subdir
-rw-rw-r--. 1 user1 user1 0 Mar 20 17:18 1_test_perms
drwxrwxr-x+ 2 user1 user1 6 Mar 20 17:32 2_subdir
-rw-rw-r--+ 1 user1 user1 0 Mar 20 17:31 2_test_perms

Switching to user3, who is a member of colab_group, we can see that user3 can modify or create files under the entries that inherited the default ACL, but has no rights to modify the file and directory created before the default ACL was applied to the parent:

$ whoami
user3

$ pwd
/tmp/testdir

$ ls -l
total 0
drwxrwxr-x. 2 user1 user1 6 Mar 21 08:23 1_subdir
-rw-rw-r--. 1 user1 user1 0 Mar 21 08:18 1_test_perms
drwxrwxr-x+ 2 user1 user1 6 Mar 21 08:32 2_subdir
-rw-rw-r--+ 1 user1 user1 0 Mar 21 08:31 2_test_perms

# user3 is allowed to edit the test file; the text below was written by user3
$ cat 2_test_perms 
user3 can edit teh test file

# while user3 CAN edit 2_test_perms (it inherited the ACL), user3 CANNOT remove it: unlink requires write permission on the containing directory, and testdir only received a default ACL, so its own access ACL is unchanged and user3 (not in group user1) has just r-x on it
$ ls -l 2_test_perms
-rw-rw-r--+ 1 user1 user1 29 Mar 21 09:04 2_test_perms

$ rm 2_test_perms 
rm: cannot remove '2_test_perms': Permission denied

$ getfacl 2_test_perms 
# file: 2_test_perms
# owner: user1
# group: user1
user::rw-
group::rwx			#effective:rw-
group:colab_group:rwx		#effective:rw-
mask::rw-
other::r--

# user3 may enter and create files in the subdirectory that inherited the ACL; the new file also shows ‘+’ because 2_subdir received the default ACL as its own default ACL
$ pwd
/tmp/testdir/2_subdir

$ touch test_subdir_file1
[user3@server1 2_subdir]$ ls -l
total 0
-rw-rw-r--+ 1 user3 user3 0 Mar 21 09:05 test_subdir_file1

# user3 can enter the subdirectory created before the default ACL was applied (other has r-x) but CANNOT create files in it
$ cd 1_subdir/

$ pwd
/tmp/testdir/1_subdir

$ touch test_subdir_file2
touch: cannot touch 'test_subdir_file2': Permission denied


This post illustrates how a default ACL applied to a directory gives group members the ability to create and modify files within that directory and the subdirectories created beneath it, without changing the rights on anything that already existed.


Part 1: Linux Access ACLs

ACLs are extended permissions for additional named users or groups on top of the normal ugo/rwx file permissions. An access ACL sets the permissions of a file or directory itself; a default ACL can only be set on a directory and defines the ACL that new files and subdirectories created inside it will receive.

ACL changes are applied with the setfacl command and viewed with the getfacl command.

There are a number of options that can be used with setfacl; a few useful ones are listed below:

-m	add to or change (modify) entries in the current ACL
-x	remove a specific ACL entry, e.g. all permissions granted to one user
-b	remove all extended ACL entries, leaving only the base ugo permissions (careful with this one)

Example: modifying an access ACL:

# initial test file with no extended permissions

$ getfacl -c testfile 
user::rw-
group::rw-
other::r--

Add user1 to the ACL with read, write and execute (7) permissions

$ setfacl -m u:user1:7 testfile 
$ getfacl -c testfile 
user::rw-
user:user1:rwx
group::rw-
mask::rwx
other::r--

Add user3 to the ACL with read permission 4 (r--)

$ setfacl -m u:user3:r testfile 
$ getfacl -c testfile 
user::rw-
user:user1:rwx
user:user3:r--
group::rw-
mask::rwx
other::r--

Remove user1 from the ACL altogether

$ setfacl -x u:user1 testfile 
$ getfacl -c testfile 
user::rw-
user:user3:r--
group::rw-
mask::rw-
other::r--

Remove all ACL entries from file

$ setfacl -b testfile 
$ getfacl -c testfile 
user::rw-
group::rw-
other::r--
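As an added example that is not code from either post: a small Python model of the acl(5) rules that produce the getfacl output shown in both walkthroughs. It reproduces the mask recalculation seen after setfacl -m and -x above, the default-ACL inheritance from Part 2 (including the #effective: annotation on 2_test_perms), and goes beyond the text with the access check itself, which is what decides that user3 can write 2_test_perms but cannot unlink it from testdir. The user and group names are the page's; the getfacl dump inside walkthrough() is constructed to match the page's output, and the create modes 0666 (touch) and 0777 (mkdir) are the usual defaults assumed here. Nothing in it calls setfacl or needs root.

```python
"""Model of the Linux POSIX ACL rules (acl(5), setfacl(1)) behind the getfacl output in
both posts: mask recalculation on setfacl -m/-x, default-ACL inheritance at create time,
the '#effective:' annotation and the access check itself.  Added example, not the posts'
own code; the getfacl dump inside walkthrough() is constructed to match the page."""

R, W, X = 4, 2, 1
ORDER = {"user": 0, "group": 2, "mask": 4, "other": 5}  # getfacl print order
TAGS = {"u": "user", "g": "group", "m": "mask", "o": "other"}

def perm_bits(s):  # 'rw-' -> 6; a single octal digit ('7') is accepted, as setfacl does
    return int(s) if s.isdigit() else sum(b for c, b in zip("rwx", (R, W, X)) if c in s)

def perm_str(bits):
    return "".join(c if bits & b else "-" for c, b in zip("rwx", (R, W, X)))

def parse_getfacl(text):
    """One file's getfacl output -> {'access': [(tag, qualifier, bits)], 'default': [...]}.
    '# file:' headers and '#effective:' notes are dropped: they are derived data."""
    acl = {"access": [], "default": []}
    for line in text.splitlines():
        line = line.split("#")[0].strip()
        if line:
            scope = "default" if line.startswith("default:") else "access"
            tag, qual, perms = (line[8:] if scope == "default" else line).split(":")
            acl[scope].append((tag, qual, perm_bits(perms)))
    return acl

def with_mask(entries):
    """setfacl (without -n) recomputes mask:: as the union of group:: and all named entries
    and keeps it while one existed or a named entry remains: -x leaves it, only -b drops it."""
    rest = [e for e in entries if e[0] != "mask"]
    if len(rest) != len(entries) or any(q for _, q, _ in rest):
        mask = 0
        for tag, qual, bits in rest:
            if qual or tag == "group":
                mask |= bits
        rest.append(("mask", "", mask))
    # owner, named users, owning group, named groups, mask, other (getfacl sorts by id)
    return sorted(rest, key=lambda e: (ORDER[e[0]] + bool(e[1]), e[1]))

def modify(acl, spec, remove=False):
    """setfacl -m SPEC, or -x SPEC with remove=True, SPEC in setfacl syntax such as
    'u:user1:7', 'g:colab_group:rwx' or 'd:g:colab_group:rwx' (d: = default ACL)."""
    parts = spec.split(":")
    scope = "access"
    if parts[0] in ("d", "default"):
        scope, parts = "default", parts[1:]
    tag, qual = TAGS[parts[0][0]], (parts[1] if parts[0][0] in "ug" else "")
    entries = acl[scope]
    if scope == "default" and not entries:  # a fresh default ACL starts from the base entries
        entries = [e for e in acl["access"] if not e[1] and e[0] != "mask"]
    entries = [e for e in entries if (e[0], e[1]) != (tag, qual)]
    if not remove:
        entries.append((tag, qual, perm_bits(parts[-1])))
    return {**acl, scope: with_mask(entries)}

def inherit(default_entries, mode, is_dir):
    """Create-time inheritance (acl(5)): the parent's default ACL becomes the object's access
    ACL with user::, the group class (mask:: if present, else group::) and other:: ANDed with
    the create mode (0666 for files, 0777 for directories); the umask is NOT applied.
    A new directory also copies it as its own default ACL, so its future children inherit too."""
    has_mask = any(t == "mask" for t, _, _ in default_entries)
    access = []
    for tag, qual, bits in default_entries:
        if tag == "user" and not qual:
            bits &= (mode >> 6) & 7
        elif tag == "mask" or (tag == "group" and not qual and not has_mask):
            bits &= (mode >> 3) & 7
        elif tag == "other":
            bits &= mode & 7
        access.append((tag, qual, bits))
    return {"access": access, "default": list(default_entries) if is_dir else []}

def render(entries, prefix=""):  # getfacl -c style, annotating entries the mask cuts down
    mask = next((b for t, _, b in entries if t == "mask"), None)
    def fmt(tag, qual, bits):
        cut = mask is not None and (qual or tag == "group") and (bits & mask) != bits
        eff = f"\t#effective:{perm_str(bits & mask)}" if cut else ""
        return f"{prefix}{tag}:{qual}:{perm_str(bits)}{eff}"
    return "\n".join(fmt(*e) for e in entries)

def access_check(entries, owner, group, user, groups, want):
    """acl(5) check: owner -> user::; named user -> its masked entry; a member of the owning
    group or of a named group needs ONE matching masked entry holding every requested bit
    (no fall-through to other::); everyone else -> other::."""
    e = {(t, q): b for t, q, b in entries}
    mask = e.get(("mask", ""), 7)
    if user == owner:
        return (e[("user", "")] & want) == want
    if ("user", user) in e:
        return (e[("user", user)] & mask & want) == want
    matching = [e[("group", "")]] if group in groups else []
    matching += [b for (t, q), b in e.items() if t == "group" and q and q in groups]
    if matching:
        return any((b & mask & want) == want for b in matching)
    return (e[("other", "")] & want) == want

def walkthrough():  # replays Part 2: default ACL on testdir, then touch (0666) and mkdir (0777)
    testdir = parse_getfacl("# file: testdir\n# owner: user1\n# group: user1\n"
                            "user::rwx\ngroup::rwx\nother::r-x\n")  # constructed dump
    testdir = modify(testdir, "d:g:colab_group:rwx")
    return (testdir, inherit(testdir["default"], 0o666, is_dir=False),
            inherit(testdir["default"], 0o777, is_dir=True))
```

render() on the three results of walkthrough() gives the default ACL of testdir and the access ACLs of 2_test_perms and 2_subdir exactly as getfacl printed them above, #effective: lines included. The point worth keeping from the access check is which ACL it must be fed: for the rm failure it is the access ACL of testdir (write on the directory), not the ACL of the file, and passing user3's groups shows that testdir's own entries never granted user3 anything beyond r-x. To audit a real tree, feed parse_getfacl() one file's block of getfacl -R output at a time.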
