System Administration Guide: Security Services
Previous Next

Protecting Files With ACLs (Task Map)

The following task map points to procedures that list the ACLs on a file, change the ACLs, and copy the ACLs to another file.

Task

For Instructions

Determine if a file has an ACL

How to Check if a File Has an ACL

Add an ACL to a file

How to Add ACL Entries to a File

Copy an ACL

How to Copy an ACL

Modify an ACL

How to Change ACL Entries on a File

Remove ACLs from a file

How to Delete ACL Entries From a File

Display the ACLs on a file

How to Display ACL Entries for a File

How to Check if a File Has an ACL

  • Check if a file has an ACL.
    % ls -l filename

    where filename specifies the file or directory.

    In the output, a plus sign (+) to the right of the mode field indicates that the file has an ACL.


    Note - Unless you have added ACL entries that extend UNIX file permissions, a file is considered to have a “trivial” ACL and the plus sign (+) does not display.


Example 7-6 Checking if a File Has an ACL

In the following example, the ch1.sgm file has an ACL. The ACL is indicated by the plus sign (+) to the right of the mode field.

% ls -l ch1.sgm
-rwxr-----+  1 stacey   techpubs      167 Nov 11 11:13 ch1.sgm

How to Add ACL Entries to a File

  1. Set an ACL on a file by using the setfacl command.
    % setfacl -s user::perms,group::perms,other:perms,mask:perms,acl-entry-list filename ...
    -s

    Sets an ACL on the file. If a file already has an ACL, it is replaced. This option requires at least the user::, group::, and other:: entries.

    user::perms

    Specifies the file owner permissions.

    group::perms

    Specifies the group ownership permissions.

    other:perms

    Specifies the permissions for users other than the file owner or members of the group.

    mask:perms

    Specifies the permissions for the ACL mask. The mask indicates the maximum permissions that are allowed for users (other than the owner) and for groups.

    acl-entry-list

    Specifies the list of one or more ACL entries to set for specific users and groups on the file or directory. You can also set default ACL entries on a directory. Table 7-7 and Table 7-8 show the valid ACL entries.

    filename ...

    Specifies one or more files or directories on which to set the ACL. Multiple filenames are separated by spaces.


    Caution - If an ACL already exists on the file, the -s option replaces the entire ACL with the new ACL.


    For more information, see the setfacl(1) man page.

  2. Verify that the ACL entries were set on the file.
    % getfacl filename

    For more information, see How to Check if a File Has an ACL.

Example 7-7 Setting an ACL on a File

In the following example, the file owner permissions are set to read and write, file group permissions are set to read only, and other permissions are set to none on the ch1.sgm file. In addition, the user anusha is given read and write permissions on the file. The ACL mask permissions are set to read and write, which means that no user or group can have execute permissions.

% setfacl -s user::rw-,group::r--,other:---,mask:rw-,user:anusha:rw- ch1.sgm
% ls -l
total 124
-rw-r-----+  1 stacey  techpubs   34816 Nov 11 14:16 ch1.sgm
-rw-r--r--   1 stacey  techpubs   20167 Nov 11 14:16 ch2.sgm
-rw-r--r--   1 stacey  techpubs    8192 Nov 11 14:16 notes
% getfacl ch1.sgm
# file: ch1.sgm
# owner: stacey
# group: techpubs
user::rw-
user:anusha:rw-    #effective:rw-
group::r--         #effective:r--
mask:rw-
other:---

In the following example, the file owner permissions are set to read, write, and execute, file group permissions are set to read only, other permissions are set to none. In addition, the ACL mask permissions are set to read on the ch2.sgm file. Finally, the user anusha is given read and write permissions. However, due to the ACL mask, the permissions for anusha are read only.

% setfacl -s u::7,g::4,o:0,m:4,u:anusha:7 ch2.sgm
% getfacl ch2.sgm
# file: ch2.sgm
# owner: stacey
# group: techpubs
user::rwx
user:anusha:rwx         #effective:r--
group::r--              #effective:r--
mask:r--
other:---

How to Copy an ACL

  • Copy a file's ACL to another file by redirecting the getfacl output.
    % getfacl filename1 | setfacl -f - filename2 
    filename1

    Specifies the file from which to copy the ACL.

    filename2

    Specifies the file on which to set the copied ACL.

Example 7-8 Copying an ACL

In the following example, the ACL on ch2.sgm is copied to ch3.sgm.

% getfacl ch2.sgm | setfacl -f - ch3.sgm

How to Change ACL Entries on a File

  1. Modify ACL entries on a file by using the setfacl command.
    % setfacl -m acl-entry-list filename ... 
    -m

    Modifies the existing ACL entry.

    acl-entry-list

    Specifies the list of one or more ACL entries to modify on the file or directory. You can also modify default ACL entries on a directory. Table 7-7 and Table 7-8 show the valid ACL entries.

    filename ...

    Specifies one or more files or directories, separated by a space.

  2. Verify that the ACL entries were modified on the file.
    % getfacl filename
Example 7-9 Modifying ACL Entries on a File

In the following example, the permissions for the user anusha are modified to read and write.

% setfacl -m user:anusha:6 ch3.sgm
% getfacl ch3.sgm
# file: ch3.sgm
# owner: stacey
# group: techpubs
user::rw-                
user::anusha:rw-        #effective:r--
group::r-               #effective:r--
mask:r--
other:r-

In the following example, the default permissions for the group staff are modified to read on the book directory. In addition, the default ACL mask permissions are modified to read and write.

% setfacl -m default:group:staff:4,default:mask:6 book

How to Delete ACL Entries From a File

  1. Delete ACL entries from a file.
    % setfacl -d acl-entry-list filename ... 
    -d

    Deletes the specified ACL entries.

    acl-entry-list

    Specifies the list of ACL entries (without specifying the permissions) to delete from the file or directory. You can only delete ACL entries and default ACL entries for specific users and groups. Table 7-7 and Table 7-8 show the valid ACL entries.

    filename ...

    Specifies one or more files or directories, separated by a space.

    Alternatively, you can use the setfacl -s command to delete all the ACL entries on a file and replace them with the new ACL entries that are specified.

  2. Verify that the ACL entries were deleted from the file.
    % getfacl filename
Example 7-10 Deleting ACL Entries on a File

In the following example, the user anusha is deleted from the ch4.sgm file.

% setfacl -d user:anusha ch4.sgm

How to Display ACL Entries for a File

  • Display ACL entries for a file by using the getfacl command.
    % getfacl [-a | -d] filename ...
    -a

    Displays the file name, file owner, file group, and ACL entries for the specified file or directory.

    -d

    Displays the file name, file owner, file group, and the default ACL entries, if they exist, for the specified directory.

    filename ...

    Specifies one or more files or directories, separated by a space.

    If you specify multiple file names on the command line, the ACL entries are displayed with a blank line between each entry.

Example 7-11 Displaying ACL Entries for a File

In the following example, all the ACL entries for the ch1.sgm file are displayed. The #effective: note beside the user and group entries indicates what the permissions are after being modified by the ACL mask.

% getfacl ch1.sgm

# file: ch1.sgm
# owner: stacey
# group: techpubs
user::rw-
user:anusha:r-        #effective:r--
group::rw-            #effective:rw-
mask:rw-
other:---

In the following example, the default ACL entries for the book directory are displayed.

% getfacl -d book

# file: book
# owner: stacey
# group: techpubs
user::rwx
user:anusha:r-x       #effective:r-x
group::rwx            #effective:rwx
mask:rwx
other:---
default:user::rw-
default:user:anusha:r--
default:group::rw-
default:mask:rw-
default:other:---
Previous Next