4-4 Create and Manage Access Control Lists (ACLs) Flashcards
ACL means
File access control lists (ACLs) are intended to give finer-grained control over specific file permissions. Named users and named groups that have a UID and GID can take advantage of or be assigned to ACLs. ACLs are added in addition to the regular permissions that already exist on a file. The file system has to be mounted with the ACL option enabled; not all systems support ACLs.
When ACLs are set on a file or directory using the chmod command, it only updates the masks and not the permissions.
what does that answer/question to this one mean?????
ls -l
-rw-rw-r--+ 1 root root 45 Mar 2 17:01 1.txt
ACLs are set on the directory or file if ls permissions end with a +
what are
Extended ACL Entries
Extended ACL entries are those that contain named groups, named users, or more than the minimum ACLs
what are
Base/Minimum ACL Entries
Base/minimum ACL entries are the original ACL entries on a file that contains ACL entries for the owner, group, and other
Is ACL always available on a system?
File systems must be enabled and mounted with ACL support in order for ACLs to work. By default the XFS and EXT4 file systems ON RED HAT 7 have ACL support enabled.
setfacl -m g:namedgroup:rw file
Set the named group permissions to rw for a file
setfacl -m g::rw file
Set the group owner permission to rw for a file
setfacl -m u::rw file
Set the user owner permissions to rw for a file
setfacl -m o::rw file
Set “other” permissions on a file
you can denote -
In order to remove ACL permissions on a file
setfacl -m o::rw,u::rw file
Multiple ACL entries can be specified by separating the entries with a comma
setfacl -x g:groupname file
setfacl --remove-all [file/dir]
use -R for recursion
Remove a named group entry from a file’s ACL
getfacl file1 | setfacl --set-file=- file2
Take the ACL from file1 as standard input for the setfacl command. The - at the end of --set-file=- represents the use of standard input (stdin).
Copying ACLs from One File to Another
Setting Default ACLs
Directories can have default ACLs that files will inherit when new files are created inside of the directory. Default ACLs on a directory ONLY provide support for inheritance; they are not the ACLs that are enforced on a directory. Thus, you will also have to set regular base/extended ACLs on the directory.
setfacl -m d:u:nameduser:rx dir1
Notice the d for “default”; all else is the same as when setting default permissions
Set a default named user on directory dir1
setfacl --remove-default directory
Delete all default ACLs on a directory
getfacl file1
display a file’s acl info including base/minimum ACL entries
the permissions shown by ls -l are also shown here as the base minimum acl
meaning of
setfacl -m u:user:rw file
setfacl -m u:theuser:rw file
-m means modify
u: means user, as in the next bit is the user to be added to acl (to be able to access) that file
:rw means user will have access to read and write regarding that file
‘theuser’ maps to a UID, so if the user is deleted and a new one of the same name is made, it will have to be re-added, as the entry maps to the user
‘mask:’ in getfacl file1
setfacl -m m::r file1
the m: will set file1’s ACL mask (maximum permission) to read
to set to none use -
setfacl -m m::- 1.txt
setfacl on file will reset mask
chmod on file will reset mask
‘mask’ shows the maximum permissions; if working with masks, set them after setting the ACL, because setting the ACL will reset the mask. The ACL can be set with a flag that says not to change the mask
chmod, if used on a file, will also change the file’s ACL mask
setfacl -d -m u::rw dir1
getfacl dir1
‘default:’
setfacl --remove-default dir1
getfacl dir1
Set default acl permissions that inherit to all files and directories made inside of it
use -R on directories to set defaults recursively
check default acl permissions
remove default permissions (not set to zero, but remove)
setfacl -x d:u:theuser dir1
remove the default permissions of user ‘theuser’ in the ACL
setfacl -m u::rw dir1
by not specifying a user (or group when g:) to add to acl list, it will set regular permissions, see ls -l
will change base level acl user permissions in getfacl