Access Control Lists – ACL¶

Access Control Lists (ACL) are available on Pegasus and Triton file systems. They allow file owners to grant permissions to specific users and groups. When combining standard Linux permissions and ACL permissions, effective permissions are the intersection (or overlap) of the two. cp (copy) and mv (move/rename) will include any ACLs associated with files and directories.

Getting ACL information¶

ACL permissions start the same as the standard Linux permissions shown by ls -l output.

Get ACL information with `getfacl`:¶

[username@pegasus ~]$ getfacl mydir
# file: mydir
# owner: username
# group: mygroup
user::rwx
group::rw-
other::--x

Initial ACL permissions on mydir match the standard permissions shown by ls -ld:

[username@pegasus ~]$ ls -ld mydir
drwxrw---x 2 username mygroup mydir

Setting ACL information¶

Once an ACL has been set for a file or directory, a + symbol will show at the end of standard Linux permissions.

Set ACL with `setfacl -m` (modify):¶

Set for user mycollaborator permissions rwx on mydir, directory only:

[username@pegasus ~]$ setfacl -m user:mycollaborator:rwx mydir

This will set an ACL for only the directory, not any files in the directory.

[username@pegasus ~]$ ls -ld mydir
drwxrw---x+ 2 username mygroup mydir
[username@pegasus ~]$ getfacl mydir
# file: mydir
# owner: username
# group: mygroup
user::rwx
user:mycollaborator:rwx
group::rw-
mask::rwx
other::r--

Note the + symbol at the end of standard permissions, which indicates an ACL has been set. Also note the line user:mycollaborator:rwx in the getfacl mydir output.

Files within mydir remain unchanged (no ACL has been set). getfacl on these files returns standard Linux permissions:

[username@pegasus ~]$ ls -l mydir
total 0
-rwxrw-r-- 1 username mygroup myfile2.txt
-rwxrw-r-- 1 username mygroup myfile.txt
[username@pegasus ~]$ getfacl mydir/myfile.txt
# file: mydir/myfile.txt
# owner: username
# group: mygroup
user::rwx
group::rw-
other::r--

Set for user mycollaborator permissions rwX on mydir, recursively (all contents):

[username@pegasus ~]$ setfacl -Rm user:mycollaborator:rwX mydir

This will set an ACL for the directory and all files in the directory. Permissions for setfacl:

r read
w write
X (capital) execute/search only if the file is a directory, or already has execute permission

[username@pegasus ~]$ ls -l mydir
total 0
-rwxrw-r--+ 1 username mygroup myfile2.txt
-rwxrw-r--+ 1 username mygroup myfile.txt

Note the + symbol after file permissions, indicating an ACL has been set. getfacl on these files returns ACL permissions:

[username@pegasus ~]$ getfacl mydir/myfile.txt
# file: mydir/myfile.txt
# owner: username
# group: mygroup
user::rwx
user:mycollaborator:rwx
group::rw-
mask::rwx
other::r--

Note the line user:mycollaborator:rwx for myfile.txt.

Recall that when combining standard Linux permissions and ACL permissions, effective permissions are the intersection of the two. If user (u) permissions are changed to rw-, the effective permissions for user:mycollaborator are rw- (the intersection of rwx and rw- is rw-).

[username@pegasus ~]$ chmod u=rw mydir/myfile.txt
[username@pegasus ~]$ getfacl mydir/myfile.txt
# file: myfile.txt
# owner: username
# group: mygroup
user::rw-
user:mycollaborator:rwx
group::rw-
mask::rwx
other::r--

Note the line user::rw-, indicating users do not have permission to execute this file.

Removing ACL information¶

Use setfacl to remove ACL permissions with flags -x (individual ACL permissions) or -b (all ACL rules).

Remove ACL permissions with `setfacl -x`:¶

This flag can remove all permissions, but does not remove the ACL.

Remove permissions for user mycollaborator on mydir, directory only:

[username@pegasus ~]$ setfacl -x user:mycollaborator mydir
[username@pegasus ~]$ getfacl mydir
# file: mydir
# owner: username
# group: mygroup
user::rwx
group::rw-
mask::rwx
other::--x
[username@pegasus ~]$ ls -ld mydir
drwxrwx--x+ 2 username mygroup mydir

Note user:mycollaborator:rwx has been removed, but mask::rwx remains in the getfacl output. In ls -ld output, the + symbol remains because the ACL has not been removed.

Remove all ACL rules with `setfacl -b`:¶

This flag removes the entire ACL, leaving permissions governed only by standard Linux file permissions.

Remove all ACL rules for mydir, directory only:

[username@pegasus ~]$ setfacl -b mydir
[username@pegasus ~]$ ls -ld mydir
drwxrwx--x 2 username mygroup mydir
[username@pegasus ~]$ getfacl mydir
# file: mydir
# owner: username
# group: mygroup
user::rwx
group::rwx
other::--x

Note the + symbol is gone from ls -ld output, indicating only standard Linux permissions apply (no ACL). The mask line is gone from getfacl output.

Remove all ACL rules for mydir, recursively (all contents):

[username@pegasus ~]$ setfacl -Rb mydir
[username@pegasus ~]$ ls -l mydir
total 0
-rwxrwxr-- 1 username mygroup myfile2.txt
-rwxrwxr-- 1 username mygroup myfile.txt

Note the + symbols are gone for the contents of mydir, indicating only standard Linux permissions apply (no ACLs).

For more information, reference the manual pages for getfacl and setfacl: man getfacl and man setfacl.

Access Control Lists – ACL¶

Getting ACL information¶

Get ACL information with getfacl:¶

Setting ACL information¶

Set ACL with setfacl -m (modify):¶

Removing ACL information¶

Remove ACL permissions with setfacl -x:¶

Remove all ACL rules with setfacl -b:¶

Get ACL information with `getfacl`:¶

Set ACL with `setfacl -m` (modify):¶

Remove ACL permissions with `setfacl -x`:¶

Remove all ACL rules with `setfacl -b`:¶