| author | Johannes Stoelp <johannes.stoelp@gmail.com> | 2023-06-11 16:10:34 +0200 |
|---|---|---|
| committer | Johannes Stoelp <johannes.stoelp@gmail.com> | 2023-06-11 16:10:39 +0200 |
| commit | 79c6db822b3598ba42faf82be8c5c50dbbf152a0 (patch) | |
| tree | c1ce9ee94ee60a99351328e2f8412ff7d4b97e3a /src/linux | |
| parent | 80195b7c24fb742b7886e613e14189c3b29dd368 (diff) | |
| download | notes-79c6db822b3598ba42faf82be8c5c50dbbf152a0.tar.gz notes-79c6db822b3598ba42faf82be8c5c50dbbf152a0.zip | |
acl: notes on posix access control list
Diffstat (limited to 'src/linux')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | src/linux/README.md | 1 |
| -rw-r--r-- | src/linux/acl.md | 78 |

2 files changed, 79 insertions, 0 deletions
diff --git a/src/linux/README.md b/src/linux/README.md index 0cd68a5..ba63829 100644 --- a/src/linux/README.md +++ b/src/linux/README.md @@ -6,3 +6,4 @@ - [cryptsetup](./cryptsetup.md) - [swap](./swap.md) - [input](./input.md) +- [acl](./acl.md) diff --git a/src/linux/acl.md b/src/linux/acl.md new file mode 100644 index 0000000..e2e69a5 --- /dev/null +++ b/src/linux/acl.md 
@@ -0,0 +1,78 @@ +# access control list (acl) + +> This describes `POSIX` acl. + +The access control list provides a flexibel permission mechanism next to the +`UNIX` file permissions. This allows to specify fine grained permissions for +users/groups on filesystems. + +Filesystems which support acl typically have an `acl` option, which must be +specified while mounting when it is not a default option. +Filesystems must be mounted with the `acl` option if not enabled as default +option. + +Files or folder that have an `acl` defined, can be identified by the `+` sign +next to the UNIX permissions. + +The following shows on example for a zfs filesystem. +```bash +# mount | grep tank +tank on /tank type zfs (rw,xattr,noacl) +tank/foo on /tank/foo type zfs (rw,xattr,posixacl) + +# ls -h /tank +drwxrwxr-x+ 2 root root 4 11. Jun 14:26 foo/ +``` + +## Show acl entries +```bash +# List current acl entries. +getfacl /tank/foo +``` + +## Modify acl entries +```bash +# Add acl entry for user "user123". +setfacl -m "u:user123:rwx" /tank/foo + +# Remove entry for user "user123". +setfacl -x "u:user123" /tank/foo + +# Add acl entry for group "group456". +setfacl -m "g:group456:rx" /tank/foo + +# Add acl entry for others. +setfacl -m "o:rx" /tank/foo + +# Remove extended acl entries. +setfacl -b /tank/foo +``` + +## Masking of acl entries +The `mask` defines the maximum access rights that can be given to **users** and +**groups**. + +```bash +# Update the mask. +setfacl -m "m:rx" /tank/foo + +# List acl entries. +getfacl /tank/foo +# file: tank/foo +# owner: root +# group: root +user::rwx +user:user123:rwx # effective:r-x +group::r-x +mask::r-x +other::rwx +``` + +## References +- [acl(5)][man-acl] +- [getfacl(1)][man-getfacl] +- [setfacl(1)][man-setfacl] + +[man-acl]: https://www.man7.org/linux/man-pages/man5/acl.5.html +[man-getfacl]: https://www.man7.org/linux/man-pages/man1/getfacl.1.html +[man-setfacl]: https://www.man7.org/linux/man-pages/man1/setfacl.1.html |
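Review bot: in the "Masking of acl entries" section of `src/linux/acl.md`, the description of the mask is incomplete in a way that matters for the example output: the mask caps named users, the owning group and named groups, but not the file owner (`user::`) and not `other::`, so in the listing `other::rwx` remains fully effective while `user:user123:rwx # effective:r-x` is capped; a sentence saying so would stop readers from assuming `m:rx` tightened everything. Also worth noting there that `setfacl -m` recalculates the mask from the other entries unless `-n`/`--no-mask` is given (setfacl(1)), so a later `setfacl -m "u:user123:rwx"` would widen the mask back to `rwx`, and that `chmod` on the group bits of a file with an ACL changes the mask entry rather than the owning group entry (acl(5)). Smaller items in the same file: `ls -h /tank` does not produce the long listing shown, it should be `ls -lh /tank`; the two sentences about mounting with the `acl` option say the same thing, keep one; and typos: "flexibel" -> "flexible", "This allows to specify" -> "This allows specifying", "Files or folder" -> "Files or folders", "shows on example" -> "shows an example".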