CentOS 8
Sponsored Link

ACL Access Control List2019/10/04
 
Set ACL (Access Control Lists) to files or directories.
It's possible to set access permission more strictly than Posix Linux ACL.
[1] ACL package is included in minimum OS installation, but if not in your System, Install like follows.
[root@dlp ~]#
dnf -y install acl
[2]
It's not necessary to set pre-settings to use ACL feature if you are using [xfs] that is the default filesystem on CentOS 8. But if you are using [ext4] that is the default filesystem on CentOS 6 or earlier, it's necessary to set pre-settings to use ACL feature, refer to the section [2], [3] on here.
[3] Set ACL.
For example, Create a file [/home/test.txt] with [root:root(700)] and set to ACL.
[root@dlp ~]#
ll /home/test.txt 

-rwx------. 1 root root 10 Oct  3 20:06 /home/test.txt
# set r(read) for [cent] user to /home/test.txt

[root@dlp ~]#
setfacl -m u:cent:r /home/test.txt
# after setting ACL, [+] is added on attribute

[root@dlp ~]#
ll /home/test.txt 

-rwxr-----+ 1 root root 10 Oct  3 20:06 /home/test.txt
# confirm settings

[root@dlp ~]#
getfacl /home/test.txt 

getfacl: Removing leading '/' from absolute path names
# file: home/test.txt
# owner: root
# group: root
user::rwx
user:cent:r--
group::---
mask::r--
other::---
# verify accesses with [cent] user

[cent@dlp ~]$
cat /home/test.txt

ACL test file  
# just read normally
# verify accesses with another user

[redhat@dlp ~]$
cat /home/test.txt

cat: /home/test.txt: Permission denied  
# just denied normally
[4] Set ACL to a directory recursively.
# set r(read) for [cent] to [/home/testdir] recursively

[root@dlp ~]#
setfacl -R -m u:cent:r /home/testdir
[root@dlp ~]#
ll /home/testdir 

total 0
-rwxr-----+ 1 root root 0 Oct  3 21:31 testfile
[root@dlp ~]#
getfacl -R /home/testdir 

getfacl: Removing leading '/' from absolute path names
# file: home/testdir
# owner: root
# group: root
user::rwx
user:cent:r--
group::---
mask::r--
other::---

# file: home/testdir/testfile
# owner: root
# group: root
user::rwx
user:cent:r--
group::---
mask::r--
other::---
[5] Set ACL by group.
# set rw(read/write) for [security] group to [/home/test.txt]

[root@dlp ~]#
setfacl -m g:security:rw /home/test.txt

[root@dlp ~]#
getfacl /home/test.txt 

getfacl: Removing leading '/' from absolute path names
# file: home/test.txt
# owner: root
# group: root
user::rwx
group::---
group:security:rw-
mask::rw-
other::---
# verify accesses with [cent] user who is in [security] group

[cent@dlp ~]$
echo "test write" >> /home/test.txt

[cent@dlp ~]$
cat /home/test.txt

ACL test file
test write  
# just written normally
# verify accesses with another user who is not in [security] group

[redhat@dlp ~]$
echo "test write" >> /home/test.txt

-bash: /home/test.txt: Permission denied  
# just denied normally
[6] Remove ACL.
# remove ACL from [/home/test.txt]

[root@dlp ~]#
setfacl -b /home/test.txt
# remove ACL only for [cent] user on [/home/test.txt]

[root@dlp ~]#
setfacl -x u:cent /home/test.txt
[7] Set default ACL to a directory.
If files/directories are created under the directory with setting default ACL, default access attribute is inherited. But be careful, if you change posix attribute with [chmod], then ACL would be invalid.
[root@dlp ~]#
setfacl -m u:cent:r-x /home/testdir
# set default ACL [r-x(read/execute)] for [cent] to [/home/testdir] directory

[root@dlp ~]#
setfacl -d -m u:cent:r-x /home/testdir

[root@dlp ~]#
getfacl /home/testdir 

getfacl: Removing leading '/' from absolute path names
# file: home/testdir
# owner: root
# group: root
user::rwx
user:cent:r-x
group::---
mask::r-x
other::---
default:user::rwx
default:user:cent:r-x
default:group::---
default:mask::r-x
default:other::---
[root@dlp ~]#
echo "ACL default setting" > /home/testdir/test.txt

[root@dlp ~]#
ll /home/testdir/test.txt 

-rw-r-----+ 1 root root 20 Oct  4 19:21 /home/testdir/test.txt
# verify accesses with [cent] user

[cent@dlp ~]$
cat /home/testdir/test.txt

ACL default setting  
# just read normally
[8] Remove default ACL.
[root@dlp ~]#
setfacl -k /home/testdir

[root@dlp ~]#
getfacl /home/testdir 

getfacl: Removing leading '/' from absolute path names
# file: home/testdir
# owner: root
# group: root
user::rwx
user:cent:r-x
group::---
mask::r-x
other::---
[9] Set ACL from a configration file.
# create a configuration file for ACL

# if there are ACLs you'd like to set on other system, there is a way to export with [getfacl] command

[root@dlp ~]#
vi acl.txt 
# file: /home/testdir
# owner: root
# group: root
user::rwx
user:cent:r-x
group::---
mask::r-x
other::---

# file: /home/test.txt
# owner: root
# group: root
user::rwx
user:cent:r--
group::---
mask::r--
other::---
[root@dlp ~]#
setfacl --restore=acl.txt

[root@dlp ~]#
ll /home 

total 4
drwx------. 2 cent   cent   83 Oct  3 21:20 cent
drwxr-xr-x. 3 root   root   57 Oct  3 19:58 nfsshare
drwx------. 2 redhat redhat 83 Oct  3 21:21 redhat
drwxr-x---+ 2 root   root   38 Oct  3 22:21 testdir
-rwxr-----+ 1 root   root   21 Oct  3 22:17 test.txt
Matched Content