Setting Filesystem ACL: Add A New Resource
Setting Filesystem ACL: Add A New Resource
The first command shown above will create a directory with read, write and execute rights for root. The second
command sets the same permissions for all users that belong to the manager group.
Whenever the root user or any user of the manager group creates files and directories, they will will inherit the
access attributes.
View permissions
If you need to check access rights to a directory, you can either do it from the console or use the Dolphin file
manager, if you are running Calculate Linux Desktop (KDE edition).
To view permissions in console mode, execute:
getfacl Manager
# file: \320\234\320\265\320\275\320\265\320\264\320\266\320\265\321\200/
# owner: root
# group: root
user::rwx
group::---
group:manager:rwx
mask::rwx
other::---
default:user::rwx
default:group::---
default:group:manager:rwx
default:mask::rwx
default:other::---
In Dolphin, right-click on the file/directory, select the Permissions tab, then press the Advanced Permissions
button. Enlarge the window to see all the attributes.
Manage permissions
Use setfacl to manage permissions.
To modify an existing rule or add a new one, use the -m parameter, as shown below.
-m user:[user_name]:permissions[,user:user_name:permissions]
-m group:[group_name]:permissions[,group:group_name:permissions]
If the user option is omitted, permissions will be set for the file owner.
If the group option is omitted, permissions will be set for the group that owns the file.
Example
Granting the users john and peter with the read/write access rights to the file secretinfo:
Granting the group manager with the read/execute access rights to the file runit:
Default permissions
For directories, you can set ACL rights that will be assigned by defaults to files and directories created inside it. To do
so, use the default identificator or the -d parameter. However, the default permissions will not be applied to the
first directory.
Example
Setting the read/write permissions to all files and directories created in managerdata, for the user john:
or
Both commands have a limitation that manifests itself when you create new files or directories. While in the first
case, the peter user will be granted the execute right to all the newly created files in folder and its subdirectories,
in the second case the user will not be able to read the new directories.
Remove permissions
To remove an access rule for a user or a group, use the -x parameter.
Example
Removing access to the secretfile file for the user john:
Removing access to all files and directories in folder for the user peter:
Copy ACL
If you need to assign ACL to a file analagous to some other file, use the following command:
targetfile will thus have the same permissions as basefile. The M parameter does that; it allows you to set
permissions from a file (or a standard input stream, ).
Effective mask
Effective masking is used to restrict action(s) for all users and groups, that are defined in ACL. It means, for example,
that you can prevent all users from writing to a file by setting the effective mask r-x.
Example
Sometimes, the effective mask is calculated automatically (for instance, when you run chmod, as well as when you
create a file, because the umask permission is set). To initialize a mask, set it to rwx.
1. If the user is the file owner, the owner's permissions are applied.
2. User-specific rights to this file are applied.
3. Access is granted, if the user belongs to at least one group that has access to it.
4. If the user does not belong to any group defined in ACL, the other permissions are applied.