Setting Filesystem ACL http://www.calculate-linux.org/main/en/setting_fil...

Calculate Linux Documentation » Server Configuration »

Need Help? Ask in IRC Channel

5. Setting filesystem ACL

To create permissions to files on your Samba server, you should use ACL (Access Control List). ACL allows you to set
permissions for groups or final users.
The standard commands for working with ACL, setfacl and getfacl, are well detailed in the manual, so we would
rather stick to examples.
After configuring the Samba server, a path to the common mounting point will be created, /var/calculate
/server-data/samba/share.
Note: Make sure the filesystem on the disk that stores this directory supports ACL. Do not forget to specify _acl as a
mounting option (not needed for XFS)._

Add a new resource

Suppose we had two groups, manager and logist, as well as two users, john and peter.
Let us create the Manager directory, which all users, belonging to the group manager, will be allowed to read and
write:

mkdir -m 700 Manager

setfacl -m d:g:manager:rwx,g:manager:rwx Manager

The first command shown above will create a directory with read, write and execute rights for root. The second
command sets the same permissions for all users that belong to the manager group.
Whenever the root user or any user of the manager group creates files and directories, they will will inherit the
access attributes.

View permissions
If you need to check access rights to a directory, you can either do it from the console or use the Dolphin file
manager, if you are running Calculate Linux Desktop (KDE edition).
To view permissions in console mode, execute:

getfacl Manager

The program will return the following:

# file: \320\234\320\265\320\275\320\265\320\264\320\266\320\265\321\200/
# owner: root
# group: root
user::rwx
group::---
group:manager:rwx
mask::rwx
other::---
default:user::rwx
default:group::---
default:group:manager:rwx
default:mask::rwx
default:other::---

1 of 3 Friday 03 April 2015 08:20 PM

Setting Filesystem ACL http://www.calculate-linux.org/main/en/setting_fil...

In Dolphin, right-click on the file/directory, select the Permissions tab, then press the Advanced Permissions
button. Enlarge the window to see all the attributes.

Manage permissions
Use setfacl to manage permissions.
To modify an existing rule or add a new one, use the -m parameter, as shown below.

-m user:[user_name]:permissions[,user:user_name:permissions]
-m group:[group_name]:permissions[,group:group_name:permissions]

If the user option is omitted, permissions will be set for the file owner.
If the group option is omitted, permissions will be set for the group that owns the file.
Example
Granting the users john and peter with the read/write access rights to the file secretinfo:

setfacl -m user:john:rw,u:peter:rw secretinfo

Granting the group manager with the read/execute access rights to the file runit:

setfacl -m group:manager:rx runit

Multiple permissions can be combined in one line.

Example
Granting the user john with the read right to the qwerty file, the user peter with the read/write rights to the same
file, the group logist with the read/execute rights, while the workers group will have no access rights to the file
whatsoever:

setfacl --modify u:john:r,u:peter:rw,g:workers:-,g:logist:rx qwerty

Default permissions
For directories, you can set ACL rights that will be assigned by defaults to files and directories created inside it. To do
so, use the default identificator or the -d parameter. However, the default permissions will not be applied to the
first directory.
Example
Setting the read/write permissions to all files and directories created in managerdata, for the user john:

setfacl -m default:user:john:rw managerdata

Set permissions recursively

To assign permissions to all files and directories in a given directory, use the -R parameter. Since r, the read access
rights are needed to read a file, while you will need rx, the read and execute rights to read a directory, you should
probably specify X instead of x when setting permissions. The X flag assigns permissions only to those files and
directories that already have the execute access right. The X flag is calculated on the moment when setfacl is
launched, that is why it is interpreted as x in the default rules.
Example
Allowing the user peter to read all files and directories in folder:

setfacl -R -m d:u:peter:rwx,u:peter:rwX folder

or

2 of 3 Friday 03 April 2015 08:20 PM

Setting Filesystem ACL http://www.calculate-linux.org/main/en/setting_fil...

setfacl -R -m d:u:peter:rw,u:peter:rwX folder

Both commands have a limitation that manifests itself when you create new files or directories. While in the first
case, the peter user will be granted the execute right to all the newly created files in folder and its subdirectories,
in the second case the user will not be able to read the new directories.

Remove permissions
To remove an access rule for a user or a group, use the -x parameter.
Example
Removing access to the secretfile file for the user john:

setfacl -x u:john secretfile

Removing access to all files and directories in folder for the user peter:

setfacl -R -x u:peter folder

Clear the access rules

To clear ACL rules, use -b. This parameter can be combined with -m, if you want to substitute permissions.
Example
Clearing all ACL rules and allow the john user to read secretfile:

setfacl -b -m u:john:r secretfile

Copy ACL
If you need to assign ACL to a file analagous to some other file, use the following command:

getfacl basefile | setfacl -b -M - targetfile

targetfile will thus have the same permissions as basefile. The M parameter does that; it allows you to set
permissions from a file (or a standard input stream, ).

Effective mask
Effective masking is used to restrict action(s) for all users and groups, that are defined in ACL. It means, for example,
that you can prevent all users from writing to a file by setting the effective mask r-x.
Example

setfacl -m m::rx filename

Sometimes, the effective mask is calculated automatically (for instance, when you run chmod, as well as when you
create a file, because the umask permission is set). To initialize a mask, set it to rwx.

Permission precedence rules

Whether a user can work with a file or a directory is determined by the priority rules described below:

1. If the user is the file owner, the owner's permissions are applied.
2. User-specific rights to this file are applied.
3. Access is granted, if the user belongs to at least one group that has access to it.
4. If the user does not belong to any group defined in ACL, the other permissions are applied.

3 of 3 Friday 03 April 2015 08:20 PM