ACL Command in Linux with Examples
ACL command Introduction:
ACL (Access Control List) commands let you grant permissions on a file or directory to additional, named users and groups, and so give the file system finer-grained permissions than the standard mode bits. Files and directories carry permission sets for only three classes: the owner of the file, the group associated with the file, and all other users on the system. Those three sets cannot express different rights for two individual users, or for a second group; an ACL adds exactly that. The file system must be mounted with ACL support (the default on ext4 and XFS). Note that ls -l marks a file carrying an ACL only with a + after the mode, so a review that relies on ls alone misses these grants; getfacl shows the full list.
Syntax
To set file access control lists
setfacl [-bkndRLPvh] [{-m|-x} acl_spec] [{-M|-X} acl_file] file ...
An acl_spec is one or more comma-separated entries of the form [d[efault]:]u[ser]:uid[:perms], [d[efault]:]g[roup]:gid[:perms], [d[efault]:]m[ask][:][:perms] or [d[efault]:]o[ther][:][:perms], where perms is a combination of r, w and x (or - for none).
To view file access control lists
getfacl [-aceEsRLPtpndvh] file ...
There are two types of ACL:
Default ACL
A default ACL can only be set on a directory. It does not control access to that directory itself; it is a template that is copied to files and subdirectories created inside it (subdirectories also inherit it as their own default ACL). Existing contents are not affected.
Access ACL
The access ACL is the list actually consulted when access to a file or directory is checked. Every file has one; without extra entries it consists only of the owner, group and other permission bits.
Default ACL
Syntax
setfacl -m d:entry directory
where entry is any access ACL entry, for example d:o:r (read for everyone else) or d:g:mygroup:rwx (a named group).
Example
First create a new directory
[root@linuxhelp Desktop]# mkdir dir1
View the current ACL with the getfacl command. A freshly created directory has only the three base entries and no default ACL:
[root@linuxhelp Desktop]# getfacl dir1/
# file: dir1/
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
The setfacl command sets a new default ACL on the directory:
Example
[root@linuxhelp Desktop]# setfacl -Rm d:o:r dir1/
[root@linuxhelp Desktop]# getfacl dir1/
# file: dir1/
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::r-x
default:other::r--
-m adds or modifies entries, and d:o:r creates a default entry that gives everyone else read permission only. -R applies the change recursively to everything below dir1/ (it is empty here, so only dir1/ is touched); it does not mean "default". Because the directory had no default ACL before, setfacl copies the owner and owning-group entries of the access ACL into it (default:user::rwx and default:group::r-x) so the default list is complete. The directory's own permissions (user::, group::, other::) are unchanged; the default entries only take effect on files and subdirectories created inside dir1/ from now on.
Access ACL
Setting Access Control List to a group
This sets an ACL entry for one named group. First create the group and add users to it (user1 and user2 must already exist):
[root@linuxhelp Desktop]# groupadd mygroup
[root@linuxhelp Desktop]# gpasswd -a user1 mygroup
[root@linuxhelp Desktop]# gpasswd -a user2 mygroup
Now create a new directory and view its ACL; it starts with only the base entries.
[root@linuxhelp Desktop]# mkdir dir1
[root@linuxhelp Desktop]# getfacl dir1/
# file: dir1/
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
Example
[root@linuxhelp Desktop]# setfacl -m g:mygroup:rwx dir1/
[root@linuxhelp Desktop]# getfacl dir1/
# file: dir1/
# owner: root
# group: root
user::rwx
group::r-x
group:mygroup:rwx
mask::rwx
other::r-x
The rwx permission is granted to the named group mygroup. Note the mask::rwx entry that appeared at the same time: setfacl adds a mask as soon as a named user or group entry exists and recalculates it as the union of the owning-group entry and all named entries (use -n to stop the recalculation). The mask caps the effective permissions of those entries. A later chmod on the group bits, for example chmod g-w dir1/, changes the mask rather than group::, which silently reduces what mygroup can do; getfacl then shows the reduced rights in an #effective: comment next to the entry.
Setting Access Control List to a user
This sets an ACL entry for a single named user. First check the current ACL of the directory with the getfacl command:
[root@linuxhelp Desktop]# getfacl dir1/
# file: dir1/
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
Example
[root@linuxhelp Desktop]# setfacl -m u:user1:rwx dir1/
[root@linuxhelp Desktop]# getfacl dir1/
# file: dir1/
# owner: root
# group: root
user::rwx
user:user1:rwx
group::r-x
mask::rwx
other::r-x
Setting Access Control List to others
This sets the permissions for everyone else (the other class). There is no separate ACL entry for this class: o:perms changes the same bits chmod o= would, ls -l reflects it, and the mask never applies to it. First check the current ACL of the directory with the getfacl command.
[root@linuxhelp Desktop]# getfacl dir1/
# file: dir1/
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
Example
[root@linuxhelp Desktop]# setfacl -m o:r dir1/
[root@linuxhelp Desktop]# getfacl dir1/
# file: dir1/
# owner: root
# group: root
user::rwx
group::r-x
other::r--
Removal of an unwanted Access Control List entry from the directory
With -x we remove a single entry; only the entry type and qualifier are given, not permissions. First check the ACL of the directory dir1/:
[root@linuxhelp Desktop]# getfacl dir1/
# file: dir1/
# owner: root
# group: root
user::rwx
user:user2:rwx
user:user1:rwx
group::r-x
mask::rwx
other::r--
Here the directory dir1/ has entries for the two users user1 and user2. Now we remove the entry for user1 only (the mask stays rwx because user2 still holds rwx):
Example
[root@linuxhelp Desktop]# setfacl -x u:user1 dir1/
[root@linuxhelp Desktop]# getfacl dir1/
# file: dir1/
# owner: root
# group: root
user::rwx
user:user2:rwx
group::r-x
mask::rwx
other::r--
Removal of all Access Control List entries from the directory
Now we remove every extended entry with setfacl -b. View the ACL of the directory dir1/:
[root@linuxhelp Desktop]# getfacl dir1/
# file: dir1/
# owner: root
# group: root
user::rwx
user:user2:rwx
user:user1:rwx
group::r-x
mask::rwx
other::r--
In the above ACL the users user1 and user2 have rwx permissions; now we strip all extended entries from the directory.
Example
[root@linuxhelp Desktop]# setfacl -b dir1/
[root@linuxhelp Desktop]# getfacl dir1/
# file: dir1/
# owner: root
# group: root
user::rwx
group::r-x
other::r--
In the above output both named-user entries have been removed, and the mask line is gone with them because a mask only exists alongside named entries. -b also drops any default ACL; to remove only the default ACL and keep the access entries, use setfacl -k instead. The base entries user::, group:: and other:: always remain, as they are the ordinary permission bits.
Applying multiple Access Control List entries in a single command
Several entries can be given to one -m, separated by commas; they are applied together and the mask is recalculated once. The listing below was taken from a dir1/ owned by user1, which is why the owner and group lines differ from the earlier examples.
Example
[root@linuxhelp Desktop]# setfacl -m u:user1:rwx,g:mygroup:rwx,u:user3:r dir1/
[root@linuxhelp Desktop]# getfacl dir1/
# file: dir1/
# owner: user1
# group: user1
user::rwx
user:user1:rwx
user:user3:r--
group::rwx
group:mygroup:rwx
mask::rwx
other::r-x
Copying the ACL from one file to another
This is useful when the same access control list has to be applied to many files or directories. getfacl output is itself valid input for setfacl: -M reads entries from a file (the # comment lines are ignored) and adds them to the target, while --set-file replaces the target's list instead. Note that the base entries user::, group:: and other:: are copied too, so the target's ordinary permission bits are overwritten as well. For whole trees, getfacl -R dir1/ > acls.txt followed by setfacl --restore=acls.txt recreates every ACL in the dump, and getfacl dir1/ | setfacl -M - dir2/ copies without a temporary file. ACLs are stored as extended attributes, so copies made without preserving them (cp without -a or -p, rsync without -A, tar without --acls) silently drop them.
Example
[root@linuxhelp Desktop]# getfacl dir1/
# file: dir1/
# owner: user1
# group: user1
user::rwx
user:user1:rwx
group::rwx
group:mygroup:rwx
mask::rwx
other::r-x
[root@linuxhelp Desktop]# getfacl dir1/ > copy.txt
[root@linuxhelp Desktop]# setfacl -M copy.txt dir2/
[root@linuxhelp Desktop]# getfacl dir2/
# file: dir2/
# owner: user1
# group: user1
user::rwx
user:user1:rwx
group::rwx
group:mygroup:rwx
mask::rwx
other::r-x
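As an added example that is not part of the original page: the dumps produced by getfacl -R, which the copying method above relies on, are also the natural input for a review of who can write where, and they are where the mask:: entries seen in the Access ACL sections actually matter. The POSIX shell script below (awk does the parsing) reads such a dump, applies each file's mask to the named-user, named-group and owning-group entries the way the kernel does when deciding access, and lists every entry whose effective permission includes write and that belongs to anyone other than the owner. The sample dump is constructed, not captured from the page's host: dir1 carries the page's entries plus a default entry for mygroup, notes.txt is an assumed file created inside dir1 under that default ACL, and /srv/share and acl-dump.txt in the comments are placeholder names.

```shell
#!/bin/sh
# Added example, not from the original page: audit a getfacl -R dump for write
# access granted by ACL entries to anyone other than the file owner, clipping
# each entry by the file's mask the way the kernel does before deciding.
#
# Produce a real dump with:  getfacl -R -p /srv/share > acl-dump.txt
# (-p keeps absolute paths; the same dump restores with setfacl --restore=acl-dump.txt).
# The sample below is constructed. dir1 carries the entries set on the page plus
# a default entry for mygroup; notes.txt (assumed) was created inside dir1 under that
# default ACL with mode 0666, so its mask is rw- and it never received user1's entry.
SAMPLE_DUMP='# file: dir1
# owner: root
# group: root
user::rwx
user:user1:rwx
group::r-x
group:mygroup:rwx
mask::rwx
other::r--
default:user::rwx
default:group::r-x
default:group:mygroup:rwx
default:mask::rwx
default:other::r--

# file: dir1/notes.txt
# owner: root
# group: root
user::rw-
group::r-x
group:mygroup:rwx
mask::rw-
other::r--

# file: dir2
# owner: user1
# group: user1
user::rwx
group::r-x
other::r-x
'

# acl_write_grants: read getfacl output on stdin; print one tab-separated line
#   <file> <entry> <effective perms>
# for every entry whose effective permission includes w and which is not the
# owner entry (user::). "other" is included: a world-writable path is a grant too.
acl_write_grants() {
    awk '
    function band(a, b,    i, c, out) {   # bitwise AND of two rwx triplets
        out = ""
        for (i = 1; i <= 3; i++) {
            c = substr(a, i, 1)
            out = out ((c != "-" && c == substr(b, i, 1)) ? c : "-")
        }
        return out
    }
    function report_stanza(    i, k, scope, eff) {   # report the stanza just read
        for (i = 1; i <= n; i++) {
            scope = sc[i]; eff = perm[i]
            # The mask clips named users, named groups and the owning group.
            # It never applies to the owner entry or to other.
            if ((scope in mask) && (qual[i] != "" || tag[i] == "group"))
                eff = band(perm[i], mask[scope])
            if (eff ~ /w/ && !(tag[i] == "user" && qual[i] == ""))
                printf "%s\t%s%s:%s:%s\t%s\n", file, (scope == "default" ? "default:" : ""), tag[i], qual[i], perm[i], eff
        }
        n = 0
        for (k in mask) delete mask[k]
    }
    /^# file: / { if (file != "") report_stanza(); file = substr($0, 9); next }
    /^#/ || /^[ \t]*$/ { next }
    {
        line = $0
        sub(/[ \t]+#effective:.*$/, "", line)   # tolerate getfacl output produced without -E
        scope = "access"
        if (line ~ /^default:/) { scope = "default"; line = substr(line, 9) }
        split(line, f, ":")                     # f[1]=tag  f[2]=qualifier  f[3]=perms
        if (f[1] == "mask") { mask[scope] = f[3]; next }
        n++; sc[n] = scope; tag[n] = f[1]; qual[n] = f[2]; perm[n] = f[3]
    }
    END { if (file != "") report_stanza() }
    '
}

# Run against the constructed dump; with a real dump use: acl_write_grants < acl-dump.txt
printf '%s\n' "$SAMPLE_DUMP" | acl_write_grants
```

On the sample this reports four grants: user1 and mygroup on dir1 itself, the default mygroup entry that every new child of dir1 will receive, and mygroup on notes.txt clipped from rwx to rw- by the file's mask. The owning group of notes.txt (group::r-x under a rw- mask, effective r--) and dir2, which has no extended entries at all, are correctly absent.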