Diffstat (limited to 'src')
-rw-r--r-- src/SUMMARY.md 1
-rw-r--r-- src/linux/README.md 1
-rw-r--r-- src/linux/acl.md 78
3 files changed, 80 insertions, 0 deletions
diff --git a/src/SUMMARY.md b/src/SUMMARY.md
index ae7bc1e..889118a 100644
--- a/src/SUMMARY.md
+++ b/src/SUMMARY.md
@@ -58,6 +58,7 @@
- [cryptsetup](./linux/cryptsetup.md)
- [swap](./linux/swap.md)
- [input](./linux/input.md)
+ - [acl](./linux/acl.md)
- [Network](./network/README.md)
- [tcpdump](./network/tcpdump.md)
diff --git a/src/linux/README.md b/src/linux/README.md
index 0cd68a5..ba63829 100644
--- a/src/linux/README.md
+++ b/src/linux/README.md
@@ -6,3 +6,4 @@
- [cryptsetup](./cryptsetup.md)
- [swap](./swap.md)
- [input](./input.md)
+- [acl](./acl.md)
diff --git a/src/linux/acl.md b/src/linux/acl.md
new file mode 100644
index 0000000..e2e69a5
--- /dev/null
+++ b/src/linux/acl.md
@@ -0,0 +1,78 @@
+# access control list (acl)
+
+> This describes `POSIX` acl.
+
+The access control list provides a flexibel permission mechanism next to the
+`UNIX` file permissions. This allows to specify fine grained permissions for
+users/groups on filesystems.
+
+Filesystems which support acl typically have an `acl` option, which must be
+specified while mounting when it is not a default option.
+Filesystems must be mounted with the `acl` option if not enabled as default
+option.
+
+Files or folder that have an `acl` defined, can be identified by the `+` sign
+next to the UNIX permissions.
+
+The following shows on example for a zfs filesystem.
+```bash
+# mount | grep tank
+tank on /tank type zfs (rw,xattr,noacl)
+tank/foo on /tank/foo type zfs (rw,xattr,posixacl)
+
+# ls -h /tank
+drwxrwxr-x+ 2 root root 4 11. Jun 14:26 foo/
+```
+
+## Show acl entries
+```bash
+# List current acl entries.
+getfacl /tank/foo
+```
+
+## Modify acl entries
+```bash
+# Add acl entry for user "user123".
+setfacl -m "u:user123:rwx" /tank/foo
+
+# Remove entry for user "user123".
+setfacl -x "u:user123" /tank/foo
+
+# Add acl entry for group "group456".
+setfacl -m "g:group456:rx" /tank/foo
+
+# Add acl entry for others.
+setfacl -m "o:rx" /tank/foo
+
+# Remove extended acl entries.
+setfacl -b /tank/foo
+```
+
+## Masking of acl entries
+The `mask` defines the maximum access rights that can be given to **users** and
+**groups**.
+
+```bash
+# Update the mask.
+setfacl -m "m:rx" /tank/foo
+
+# List acl entries.
+getfacl /tank/foo
+# file: tank/foo
+# owner: root
+# group: root
+user::rwx
+user:user123:rwx # effective:r-x
+group::r-x
+mask::r-x
+other::rwx
+```
+
+## References
+- [acl(5)][man-acl]
+- [getfacl(1)][man-getfacl]
+- [setfacl(1)][man-setfacl]
+
+[man-acl]: https://www.man7.org/linux/man-pages/man5/acl.5.html
+[man-getfacl]: https://www.man7.org/linux/man-pages/man1/getfacl.1.html
+[man-setfacl]: https://www.man7.org/linux/man-pages/man1/setfacl.1.html
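Review bot: in the zfs example the command `ls -h /tank` would not print the long-format line shown under it (`drwxrwxr-x+ 2 root root ...`), so a reader following along never sees the `+` marker the preceding paragraph describes; it should be `ls -lh /tank`. In "Masking of acl entries" the sentence that the mask limits "users and groups" is looser than the sample output beneath it, where `user::rwx` and `other::rwx` are unaffected by `mask::r-x` and only `user:user123:rwx` gets an `# effective:r-x` annotation; say explicitly that the owner and other entries are not capped by the mask. That section should also state whether the mask set with `setfacl -m "m:rx"` survives a later `setfacl -m "u:..."` like the ones in "Modify acl entries", which are shown without `-n`, because a reader relying on the mask as an upper bound needs to know if it can be recomputed. Smaller points: the mount paragraph states the `acl` mount-option requirement twice in consecutive sentences, so drop one of them; and fix "flexibel", "on example" and "Files or folder".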