Access Control Lists (ACLs) provide a way to define more granular permissions on files and directories than the traditional owner/group/other model. With ACLs, you can specify permissions for individual users or groups, allowing for greater flexibility in managing access.
$ sudo apt install acl -y
To install ACL (Access Control Lists) on RHEL (Red Hat Enterprise Linux), follow these steps:
- Check if ACL is installed: First, check if ACL is already installed by running:
  $ getfacl --version
  If it's installed, you'll see the version information. If not, you'll get an error.
- Install the ACL package: If ACL is not installed, you can install it using yum or dnf, depending on your RHEL version. Run the following command:
  $ sudo yum install acl
  or
  $ sudo dnf install acl
- Verify the installation: After installation, confirm that ACL is available by running:
  $ getfacl --version
- Enable ACL on filesystems: You may need to enable ACL support on specific filesystems. Check the current mount options with:
  $ mount | grep acl
  If ACL is not enabled, you can modify the /etc/fstab file. Find the line for the filesystem you want to enable ACL on and add acl to the options. For example:
  /dev/mapper/rhel-root / xfs defaults,acl 0 0
  After editing /etc/fstab, remount the filesystem to apply the changes:
  $ sudo mount -o remount /
- Set ACLs: You can now set ACLs using setfacl. For example, to give a user read permission on a file:
  $ setfacl -m u:username:r file.txt
- Get ACLs: To view the ACLs of a file or directory, use:
  $ getfacl file.txt
To view the ACL of a file or directory, use the getfacl command. This command displays all the permission details associated with the file.
$ getfacl ubuntu-server
# file: ubuntu-server
# owner: prathamesh
# group: prathamesh
user::rw-
group::rw-
other::r--
In this example, the file ubuntu-server has the following permissions:
- Owner (prathamesh): read and write
- Group (prathamesh): read and write
- Others: read
To add specific permissions for a user, use the -m (modify) option with setfacl.
$ setfacl -m u:<username>:<permissions> filename
You can also specify permissions using octal numbers.
To set read and write permissions for user atharv on the file ubuntu-server:
$ setfacl -m u:atharv:rw ubuntu-server # rw = 4(read) + 2(write) = 6
You can use the -M option to specify the ACL list in a file:
$ setfacl -M aclfile.txt ubuntu-server
Where aclfile.txt contains the ACL specifications.
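To remove a user's ACL entry, use the -x (remove) option. -x takes the entry without a permissions field and removes it whole; to take away a single permission while keeping the rest, set the entry again with -m and the permissions that should remain.
To remove the entry of user atharv, and with it the write permission, from the ubuntu-server file:
$ setfacl -x u:atharv ubuntu-server
To completely remove all permissions for a user, use the -b option:
$ setfacl -b ubuntu-server
This will remove all ACL entries for the file, including those for atharv.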
To remove a group's ACL entry, use a similar command with g for groups. As with users, -x takes no permissions field and removes the whole entry.
Example: Remove the entry for group devs, and with it the read permission, from ubuntu-server:
$ setfacl -x g:devs ubuntu-server
To set specific permissions for a group:
$ setfacl -m g:<groupname>:<permissions> filename
Example: To give read and execute permissions to group devs for ubuntu-server:
$ setfacl -m g:devs:rx ubuntu-server
To remove the entry for group devs, and with it any write permission:
$ setfacl -x g:devs ubuntu-server
The --no-mask option allows you to set permissions for a user or group without being restricted by the current mask, which may limit permissions based on the highest granted permission among users.
Set read and write permissions for user atharv and full permissions for group devs without being restricted by the mask:
$ setfacl -m u:atharv:rw --no-mask ubuntu-server
$ setfacl -m g:devs:rwx --no-mask ubuntu-server
Using --no-mask ensures that the specified permissions are applied regardless of any existing mask limitations.
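The mask mentioned above is the upper bound on what named-user, owning-group and named-group entries actually grant; the owner and other entries are not affected by it. As an added example (not from the original page), this Python script parses getfacl output and reports each entry's granted versus effective rights, so entries silently cut down by the mask stand out during a review. The SAMPLE listing is constructed from the page's user and group names.

```python
# Added example: compute effective rights from `getfacl` text output.
# SAMPLE is constructed for illustration; it is not output shown on the page.
SAMPLE = """\
# file: ubuntu-server
# owner: prathamesh
# group: prathamesh
user::rw-
user:atharv:rw-
group::rw-
group:devs:rwx
mask::r-x
other::r--
"""

def parse_getfacl(text):
    """Return (entries, mask); entries are (tag, qualifier, perms) tuples."""
    entries, mask = [], None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop headers and '#effective:' notes
        if not line or line.startswith("default:"):  # default ACLs only seed new files
            continue
        tag, qualifier, perms = line.split(":")[:3]
        if tag == "mask":
            mask = perms
        else:
            entries.append((tag, qualifier, perms))
    return entries, mask

def effective_rights(text):
    """Map 'tag:qualifier' -> (granted, effective) after applying the mask."""
    entries, mask = parse_getfacl(text)
    result = {}
    for tag, qualifier, perms in entries:
        # The mask caps named users, the owning group and named groups;
        # the file owner (user::) and other:: are never masked.
        masked = mask is not None and (tag == "group" or (tag == "user" and bool(qualifier)))
        cap = mask if masked else perms
        eff = "".join(p if p == m else "-" for p, m in zip(perms, cap))
        result[f"{tag}:{qualifier}"] = (perms, eff)
    return result

def reduced_by_mask(text):
    """Entries whose granted rights are cut down by the mask."""
    rights = effective_rights(text)
    return sorted(k for k, (granted, eff) in rights.items() if granted != eff)

if __name__ == "__main__":
    for name, (granted, eff) in effective_rights(SAMPLE).items():
        print(f"{name:15} granted={granted} effective={eff}")
    print("reduced by mask:", reduced_by_mask(SAMPLE))
```

To audit a real file, pass the text of `getfacl <file>` to effective_rights() in place of SAMPLE.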