From 79c6db822b3598ba42faf82be8c5c50dbbf152a0 Mon Sep 17 00:00:00 2001 From: Johannes Stoelp Date: Sun, 11 Jun 2023 16:10:34 +0200 Subject: acl: notes on posix access control list --- src/linux/README.md | 1 + src/linux/acl.md | 78 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 79 insertions(+) create mode 100644 src/linux/acl.md (limited to 'src/linux') diff --git a/src/linux/README.md b/src/linux/README.md index 0cd68a5..ba63829 100644 --- a/src/linux/README.md +++ b/src/linux/README.md @@ -6,3 +6,4 @@ - [cryptsetup](./cryptsetup.md) - [swap](./swap.md) - [input](./input.md) +- [acl](./acl.md) diff --git a/src/linux/acl.md b/src/linux/acl.md new file mode 100644 index 0000000..e2e69a5 --- /dev/null +++ b/src/linux/acl.md 
@@ -0,0 +1,78 @@ +# access control list (acl) + +> This describes `POSIX` acl. + +The access control list provides a flexibel permission mechanism next to the +`UNIX` file permissions. This allows to specify fine grained permissions for +users/groups on filesystems. + +Filesystems which support acl typically have an `acl` option, which must be +specified while mounting when it is not a default option. +Filesystems must be mounted with the `acl` option if not enabled as default +option. + +Files or folder that have an `acl` defined, can be identified by the `+` sign +next to the UNIX permissions. + +The following shows on example for a zfs filesystem. +```bash +# mount | grep tank +tank on /tank type zfs (rw,xattr,noacl) +tank/foo on /tank/foo type zfs (rw,xattr,posixacl) + +# ls -h /tank +drwxrwxr-x+ 2 root root 4 11. Jun 14:26 foo/ +``` + +## Show acl entries +```bash +# List current acl entries. +getfacl /tank/foo +``` + +## Modify acl entries +```bash +# Add acl entry for user "user123". +setfacl -m "u:user123:rwx" /tank/foo + +# Remove entry for user "user123". +setfacl -x "u:user123" /tank/foo + +# Add acl entry for group "group456". +setfacl -m "g:group456:rx" /tank/foo + +# Add acl entry for others. +setfacl -m "o:rx" /tank/foo + +# Remove extended acl entries. +setfacl -b /tank/foo +``` + +## Masking of acl entries +The `mask` defines the maximum access rights that can be given to **users** and +**groups**. + +```bash +# Update the mask. +setfacl -m "m:rx" /tank/foo + +# List acl entries. +getfacl /tank/foo +# file: tank/foo +# owner: root +# group: root +user::rwx +user:user123:rwx # effective:r-x +group::r-x +mask::r-x +other::rwx +``` + +## References +- [acl(5)][man-acl] +- [getfacl(1)][man-getfacl] +- [setfacl(1)][man-setfacl] + +[man-acl]: https://www.man7.org/linux/man-pages/man5/acl.5.html +[man-getfacl]: https://www.man7.org/linux/man-pages/man1/getfacl.1.html +[man-setfacl]: https://www.man7.org/linux/man-pages/man1/setfacl.1.html -- cgit v1.2.3
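Review bot: In the "Masking of acl entries" section of `src/linux/acl.md`, the sentence "The `mask` defines the maximum access rights that can be given to **users** and **groups**" is imprecise: the mask limits the named-user entries (`user:user123:`), the named-group entries and the owning-group entry (`group::`), but it does not limit the file owner (`user::`) or `other::`, which is exactly what the example output shows (`user::rwx` and `other::rwx` stay unrestricted while `user:user123:rwx` becomes `# effective:r-x`). Suggest stating that explicitly, and adding the caveat that `setfacl -m` recalculates the mask on every change unless `-n` is passed, so a mask tightened by hand with `setfacl -m "m:rx"` can be widened again by a later `setfacl -m "u:...:rwx"`; that matters when the mask is relied on as an upper bound. Smaller points in the same file: the two sentences about mounting ("Filesystems which support acl typically have an `acl` option ..." and "Filesystems must be mounted with the `acl` option if not enabled as default option.") say the same thing and one should be dropped; "flexibel" should be "flexible", "Files or folder that have" should be "Files or folders that have", "shows on example" should be "shows an example"; and the `ls -h /tank` output lists `foo/` with `r-x` for others while the later `getfacl` output shows `other::rwx`, so one of the two listings should be adjusted for consistency.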