FACL

Facl sets extended permissions on files and directories

Default inheritance

Working with directories

Setting basic permissions with facl

$ mkdir testificate_dir

$ ls -al
total 0
drwxr-xr-x. 3 piper domain users  29 Aug 10 14:26 .
drwx------. 6 piper domain users 185 Aug 10 14:20 ..
drwxr-xr-x. 2 piper domain users   6 Aug 10 14:26 testificate_dir

$ setfacl -m u::7,g::7,o::0 testificate_dir

$ ls -al
total 0
drwxr-xr-x. 3 piper domain users  29 Aug 10 14:26 .
drwx------. 6 piper domain users 185 Aug 10 14:20 ..
drwxrwx---. 2 piper domain users   6 Aug 10 14:26 testificate_dir

Note that setfacl accepts permissions either as octal digits or as rwx letters. u::rwx and u::7 are the same thing and both are acceptable.

To remove permissions you can use 0 or - (for example o::0 or o::-).

Setting default inherited permissions

We will set 774 (rwx : rwx : r--) as an inherited (default) permission on testificate_dir and then create a new dir under it. Notice that the new dir was created as drwxrwxr--+.

$ setfacl -dm u::7,g::7,o::r testificate_dir

$ ls -al testificate_dir/
total 0
drwxrwx---+ 3 piper domain users 18 Aug 10 14:31 .
drwxr-xr-x. 3 piper domain users 29 Aug 10 14:26 ..
drwxrwxr--+ 2 piper domain users  6 Aug 10 14:31 test

Viewing extended permissions

When a directory is affected by extended permissions it will have a + at the end of its permissions in ls -l. Check the permissions with getfacl.

Running getfacl on testificate_dir shows both of the earlier commands in effect: the access entries from -m and the default entries from -dm.

$ getfacl testificate_dir/
# file: testificate_dir/
# owner: piper
# group: domain\040users
user::rwx
group::rwx
other::---
default:user::rwx
default:group::rwx
default:other::r--

Here we can see that the test dir inherited other::r-- and also carries the same default entries, so it will pass them on to anything created inside it.

$ getfacl testificate_dir/test/
# file: testificate_dir/test/
# owner: piper
# group: domain\040users
user::rwx
group::rwx
other::r--
default:user::rwx
default:group::rwx
default:other::r--

Removing extended permissions

Specific extended group

$ setfacl -x g:<group id> testificate_dir/

All

Extended permissions can be removed with -k (defaults only) or -b (all extended entries).

$ setfacl -k testificate_dir/

$ getfacl testificate_dir/
# file: testificate_dir/
# owner: piper
# group: domain\040users
user::rwx
group::rwx
other::---

$ getfacl testificate_dir/test/
# file: testificate_dir/test/
# owner: piper
# group: domain\040users
user::rwx
group::rwx
other::r--
default:user::rwx
default:group::rwx
default:other::r--

As you can see above, this did not remove the default entries from the sub dir. Use -R to recurse.

$ setfacl -kR testificate_dir/

$ getfacl testificate_dir/test/
# file: testificate_dir/test/
# owner: piper
# group: domain\040users
user::rwx
group::rwx
other::r--

Working with files

Files inherit the same default permissions but without execute, because a newly created file's mode (normally 666) masks out the execute bits. In the following example we set 777 on one directory and 700 on another. When we create a file in each directory we can see that it ends up 666 or 600 depending on the parent directory.

$ setfacl -m u::7,g::0,o::0 none/

$ setfacl -m u::7,g::7,o::7 open/

$ setfacl -dm u::7,g::0,o::0 none/

$ setfacl -dm u::7,g::7,o::7 open/

$ getfacl none/ open/
# file: none/
# owner: piper
# group: domain\040users
user::rwx
group::---
other::---
default:user::rwx
default:group::---
default:other::---

# file: open/
# owner: piper
# group: domain\040users
user::rwx
group::rwx
other::rwx
default:user::rwx
default:group::rwx
default:other::rwx

$ ls -al none/ open/
none/:
total 0
drwx------+ 2 piper domain users 18 Aug 10 16:18 .
drwxr-xr-x. 5 piper domain users 53 Aug 10 16:17 ..
-rw-------. 1 piper domain users  0 Aug 10 16:18 test

open/:
total 0
drwxrwxrwx+ 2 piper domain users 18 Aug 10 16:18 .
drwxr-xr-x. 5 piper domain users 53 Aug 10 16:17 ..
-rw-rw-rw-. 1 piper domain users  0 Aug 10 16:18 test

Multiple groups

With standard permissions you only get one owning user and one owning group; there is no way to grant a second group. FACL can add entries for additional groups.

Our base dir is only set up for one group; we want to add another that is read-only.

$ getfacl .
# file: .
# owner: piper
# group: domain\040users
user::rwx
group::rwx
other::---
default:user::rwx
default:group::rwx
default:other::r--

To modify both the existing permissions and the default permissions we must run two commands.

In the previous sections we used g::<perms>. The empty field between the two colons means the owning (base) group. Putting a group name or ID between the colons, g:<group>:<perms>, sets permissions for a secondary group instead.

$ setfacl -dm g:linuxadmins:rx .

$ setfacl -m g:linuxadmins:rx .

$ getfacl .
# file: .
# owner: piper
# group: domain\040users
user::rwx
group::rwx
group:linuxadmins:r-x
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:linuxadmins:r-x
default:mask::rwx
default:other::r--

We can make a directory in our current path to demonstrate that the correct permissions were inherited.

$ mkdir test

$ getfacl test/
# file: test/
# owner: piper
# group: domain\040users
user::rwx
group::rwx
group:linuxadmins:r-x
mask::rwx
other::r--
default:user::rwx
default:group::rwx
default:group:linuxadmins:r-x
default:mask::rwx
default:other::r--

ACL Entries

setfacl recognizes the following ACL entry formats (spaces in the following formats are optional, but are included for legibility):

Syntax                               Meaning
[d[efault]:] [u[ser]:]uid [:perms]   Permissions of the user with user ID uid, or of the file's owner if uid is empty.
[d[efault]:] g[roup]:gid [:perms]    Permissions of the group with group ID gid, or of the owning group if gid is empty.
[d[efault]:] m[ask][:] [:perms]      Effective rights mask.
[d[efault]:] o[ther][:] [:perms]     Permissions of others.

Masks

Relates to umask
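The mask:: entry that appeared in the Multiple groups output is what bounds the rights of named users, named groups and the owning group, and it is the mask (not group::) that ls -l shows in the group bits once an ACL exists. As an added example that is not part of these notes, this Python helper parses getfacl output like the listings above and reports the effective rights after applying the mask; the shared/ path, the linuxadmins group and the tightened mask in the sample are constructed.

```python
import re
PERM_BITS = {"r": 4, "w": 2, "x": 1}
# getfacl writes special characters in the header as octal escapes, e.g. domain\040users
unescape = lambda s: re.sub(r"\\([0-7]{3})", lambda e: chr(int(e.group(1), 8)), s)
def perm_to_bits(perm):  # 'r-x' or '5' -> 5 (setfacl accepts both spellings)
    return int(perm) if perm.isdigit() else sum(PERM_BITS[c] for c in perm if c in PERM_BITS)
def bits_to_perm(bits):
    return "".join(c if bits & b else "-" for c, b in PERM_BITS.items())

def parse_getfacl(text):
    """getfacl output -> list of {'file', 'owner', 'group', 'access': [...], 'default': [...]}."""
    files, cur = [], None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if line.startswith("#"):  # header lines; other comments (e.g. "# flags:") are skipped
            m = re.match(r"#+\s*(file|owner|group):\s*(.*)", line)
            if m and m.group(1) == "file":
                cur = {"file": unescape(m.group(2)), "access": [], "default": []}
                files.append(cur)
            elif m:
                cur[m.group(1)] = unescape(m.group(2))
            continue
        parts = line.split("#", 1)[0].strip().split(":")  # drop a "#effective:" annotation
        scope = "default" if parts[0] == "default" else "access"
        tag, qual, perm = parts[1:] if scope == "default" else parts
        cur[scope].append((tag, qual, perm_to_bits(perm)))
    return files

def effective_rights(acl):
    """Named users, the owning group and named groups are ANDed with mask::; user:: and other:: are not."""
    mask = next((b for t, _, b in acl if t == "mask"), None)
    out = {}
    for tag, qual, bits in acl:
        if mask is not None and (tag == "group" or (tag == "user" and qual)):
            bits &= mask
        out[f"{tag}:{qual}"] = bits_to_perm(bits)
    return out

# Constructed sample: the page's layout, but after `chmod g-w` has tightened the mask to r-x.
SAMPLE = """# file: shared/
# owner: piper
# group: domain\\040users
user::rwx
group::rwx
group:linuxadmins:rwx\t#effective:r-x
mask::r-x
other::---
default:user::rwx
default:group::rwx
default:other::r--
"""
```

Run it over `getfacl -R` output of a share to list every named entry whose effective rights differ from what the entry appears to grant.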