author: Johannes Stoelp <johannes.stoelp@gmail.com> 2023-06-11 16:10:34 +0200
committer: Johannes Stoelp <johannes.stoelp@gmail.com> 2023-06-11 16:10:39 +0200
commit: 79c6db822b3598ba42faf82be8c5c50dbbf152a0 (patch)
tree: c1ce9ee94ee60a99351328e2f8412ff7d4b97e3a /src/linux/acl.md
parent: 80195b7c24fb742b7886e613e14189c3b29dd368 (diff)
acl: notes on posix access control list
Diffstat (limited to 'src/linux/acl.md')
-rw-r--r-- src/linux/acl.md 78
1 file changed, 78 insertions, 0 deletions
diff --git a/src/linux/acl.md b/src/linux/acl.md
new file mode 100644
index 0000000..e2e69a5
--- /dev/null
+++ b/src/linux/acl.md
@@ -0,0 +1,78 @@
+# access control list (acl)
+
+> This describes `POSIX` acl.
+
+The access control list provides a flexibel permission mechanism next to the
+`UNIX` file permissions. This allows to specify fine grained permissions for
+users/groups on filesystems.
+
+Filesystems which support acl typically have an `acl` option, which must be
+specified while mounting when it is not a default option.
+Filesystems must be mounted with the `acl` option if not enabled as default
+option.
+
+Files or folder that have an `acl` defined, can be identified by the `+` sign
+next to the UNIX permissions.
+
+The following shows on example for a zfs filesystem.
+```bash
+# mount | grep tank
+tank on /tank type zfs (rw,xattr,noacl)
+tank/foo on /tank/foo type zfs (rw,xattr,posixacl)
+
+# ls -h /tank
+drwxrwxr-x+ 2 root root 4 11. Jun 14:26 foo/
+```
+
+## Show acl entries
+```bash
+# List current acl entries.
+getfacl /tank/foo
+```
+
+## Modify acl entries
+```bash
+# Add acl entry for user "user123".
+setfacl -m "u:user123:rwx" /tank/foo
+
+# Remove entry for user "user123".
+setfacl -x "u:user123" /tank/foo
+
+# Add acl entry for group "group456".
+setfacl -m "g:group456:rx" /tank/foo
+
+# Add acl entry for others.
+setfacl -m "o:rx" /tank/foo
+
+# Remove extended acl entries.
+setfacl -b /tank/foo
+```
+
+## Masking of acl entries
+The `mask` defines the maximum access rights that can be given to **users** and
+**groups**.
+
+```bash
+# Update the mask.
+setfacl -m "m:rx" /tank/foo
+
+# List acl entries.
+getfacl /tank/foo
+# file: tank/foo
+# owner: root
+# group: root
+user::rwx
+user:user123:rwx # effective:r-x
+group::r-x
+mask::r-x
+other::rwx
+```
+
+## References
+- [acl(5)][man-acl]
+- [getfacl(1)][man-getfacl]
+- [setfacl(1)][man-setfacl]
+
+[man-acl]: https://www.man7.org/linux/man-pages/man5/acl.5.html
+[man-getfacl]: https://www.man7.org/linux/man-pages/man1/getfacl.1.html
+[man-setfacl]: https://www.man7.org/linux/man-pages/man1/setfacl.1.html
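Review bot: the zfs example's listing command does not match its output: `ls -h /tank` prints only names, while the line `drwxrwxr-x+ 2 root root 4 11. Jun 14:26 foo/` is long-format output, so it should read `ls -lh /tank` (the `+` after the mode bits is exactly the marker the preceding paragraph tells the reader to look for). In the intro, the two sentences "Filesystems which support acl typically have an `acl` option, which must be specified while mounting when it is not a default option." and "Filesystems must be mounted with the `acl` option if not enabled as default option." say the same thing; keep one. Typos in the same region: "flexibel" should be "flexible", "Files or folder that have" should be "Files or folders that have", and "The following shows on example" should be "an example". In the mask section, "maximum access rights that can be given to **users** and **groups**" is broader than acl(5) states: the mask bounds the named user entries, the owning group entry and the named group entries, but not the owner (`user::`) or `other::` entries, which is why the sample output can show `other::rwx` next to `mask::r-x`; saying so would prevent a reader from expecting the mask to restrict "other". It may also be worth a sentence that `setfacl -m` recalculates the mask automatically (unless `-n` is given), so the `# effective:r-x` annotation only appears because the mask was narrowed explicitly with `m:rx` after the user entry was added.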