Difference between revisions of "GNU Linux/Permissions/POSIX ACLs"

From WhyAskWhy.org Wiki
Revision as of 18:50, 27 February 2015


Summary

This page will record my efforts to learn how to use POSIX ACLs. I'm familiar with ACLs used on Windows systems and to a lesser extent Mac OS X (GUI-only), but this is my first foray into POSIX ACLs.


TODO

Explain this:

  • setfacl -d -m group:rwx /path/to/your/dir


Mask

The mask entry further limits the permissions granted by named user, named group, and owning group entries by defining which of the permissions in those entries are effective and which are masked. [1]

  • If permissions exist in one of the mentioned entries as well as the mask, they are effective.
  • Permissions contained only in the mask or only in the actual entry are not effective, meaning the permissions are not granted.
  • All permissions defined in the owner and owning group entries are always effective.


Removing POSIX ACLs

To remove all the permissions for a user, group, or others, use the following command [2]:

setfacl -x <ACL entry type> <file>

For example, to remove all permissions from the user antony:

setfacl -x u:antony /mnt/gluster/data/test-file


References

Directly used

  1. openSUSE Documentation > Security Guide > Local Security > Chapter 9. Access Control Lists in Linux: https://doc.opensuse.org/documentation/html/openSUSE_121/opensuse-security/cha.security.acls.html
  2. Red Hat Support > Product Documentation > Red Hat Storage > 2.0 > Administration Guide > 9.5.3. Removing POSIX ACLs: https://access.redhat.com/documentation/en-US/Red_Hat_Storage/2.0/html/Administration_Guide/ch09s05s03.html

Queued up

  • http://www.computerhope.com/unix/usetfacl.htm
  • http://kmaiti.blogspot.com/2011/09/acl-and-mask-in-linux.html
  • http://www.debianhelp.co.uk/acl.htm
  • http://users.suse.com/~agruen/acl/linux-acls/online/
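The mask rules from the Mask section, as an added example that is not part of this wiki page: a small Python parser for getfacl-style output (the SAMPLE_ACL text is constructed, not read from a real file) that reports each entry's effective permissions following the section's first sentence (the mask limits named user, named group and owning group entries, while the owner and other entries pass through unmasked), plus the mask that setfacl recalculates by default when you modify entries without giving a mask explicitly.

```python
# Constructed sample in the format getfacl prints; not taken from a real system.
SAMPLE_ACL = """\
# file: test-file
user::rw-
user:antony:rwx
group::r-x
group:wheel:rwx
mask::r--
other::---
"""

def _parse(acl_text):
    """Return ([(tag, qualifier, perms), ...], mask) from getfacl-style text."""
    entries, mask = [], None
    for raw in acl_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments, incl. '#effective:'
        if not line:
            continue
        tag, qualifier, perms = line.split(":", 2)
        if tag == "mask":
            mask = perms
        else:
            entries.append((tag, qualifier, perms))
    return entries, mask

def _in_group_class(tag, qualifier):
    """Entries the mask applies to: owning group, named users, named groups."""
    return tag == "group" or (tag == "user" and qualifier != "")

def effective_permissions(acl_text):
    """Map 'tag:qualifier' to what is really granted; owner and other are never masked."""
    entries, mask = _parse(acl_text)
    result = {}
    for tag, qualifier, perms in entries:
        if mask is not None and _in_group_class(tag, qualifier):
            # a permission is effective only if the entry AND the mask both grant it
            perms = "".join(p if p == m and p != "-" else "-" for p, m in zip(perms, mask))
        result[f"{tag}:{qualifier}"] = perms
    return result

def recalculated_mask(acl_text):
    """Mask setfacl computes by default: the union of all group-class entries."""
    entries, _ = _parse(acl_text)
    union = ["-", "-", "-"]
    for tag, qualifier, perms in entries:
        if _in_group_class(tag, qualifier):
            union = [p if p != "-" else u for u, p in zip(union, perms)]
    return "".join(union)
```

With the sample, user:antony and group:wheel are both cut down from rwx to r-- by the mask, which is exactly what getfacl shows as "#effective:r--"; rerunning setfacl -m on such a file without -n would widen the mask back to rwx.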