Today I am going to show you how to use access control list (ACL) permissions in rhel7. Traditionally we have assigned permission to one user/owner and one group for file or directory but in some cases we need other user or other group apart from owner need to have readonly access or write access on same directory. To achieve this we have access control list permission concept in Linux.
Other users and and groups can also access file or directory even when they are not owners and member of group who is having ownership on that file or directory.
we use only two commands getfacl to see ACL permissions on directory/file and setfacl to set ACL permissions. We can even set default ACL so that new files and sub-directories created in directory will inherit ACL permissions of parent directory.
The filesystem needs to be mounted with ACL support enabled. XFS filesystems have built-in ACL support and Ext4 filesystem in RHEL7 have ACL option enabled by default. In earlier versions of RHEL you may need the ACL option included with mount request.
First we see ACL permission on file named prod.conf.
here user has read write, group has readonly and others have readonly permissions. Now we will use ACL to set default user, group and other permission.
We have changed user permission to read write execute and group permission to read write and others will have NO permission on file using setacl. If you have not provide user and group name in setfacl command it will by default apply the permissions on file owner and group owner. We can set multiple permission separated with , comma.
+ sign indicates that ACL permissions are set on this file.
Now prod_admin group having two user bob and harry and I want harry should not modify this file so he should have readonly access on this critical file and suppose dev_admin group also need read-only access on this file. We can do this using same setfacl command.
Even though harry is member of prod_admin group and prod_admin group having read write permission on that file. We have restricted harry’s access to readonly using ACL.
If you wanted to delete dev_admin group ACL permissions from file use -x option.
Same ACL permissions we can apply on directories as well, example we have 2 directories sales and account and we need account group should have readonly access on sales directory and sales group should have readonly access on account directoy.
We have used -R option to recursively apply these permission on all files and subfolders of these directories and X is to add conditional execute permission on directories to search directory contents. To make these ACL permission as default permission use d option in front of g in setfacl.
you can use -k to delete all default ACL permissions and use -b to delete to all ACL permisisons of directory or file.
Thats it Good Luck for ACLs permissions.