If you require more controls on file permissions, ACL (a.k.a Access Control Lists) might be a nice choice. ACL goes beyond normal user-group based permission control and allow setting permissions on per individual user or group basis.
ACLs are a great option when you want to grant permissions without creating entire user groups. They are also great when you need to allow your non-super-users the ability to set permissions. You still have to be the main owner of a file to modify its permissions, though.
Proceed with caution!
ACLs can cause mysterious permission errors that are not immediately obvious to someone who isn’t aware of them. For this very reason, ACLs are enabled but not used by default in the latest RHEL / CentOS.
To check if your ext3 filesystem has the proper default options, use tune2fs. Look for “Default mount options:” with acl set. Let’s assume we have /dev/sdb1 mounted on /datum and we want to enable the acl option.
[root@tags ~]# tune2fs -l /dev/sdb1
To enable ACLs on a filesystem, we must set the fs default and remount:
[root@tags ~]# tune2fs -o acl /dev/sdb1 [root@tags ~]# mount -o remount,acl /datum
Use getfacl to view ACLs:
[root@tags ~]# touch /datum/foo.txt [root@tags ~]# getfacl /datum/foo.txt getfacl: Removing leading '/' from absolute path names # file: datum/foo.txt # owner: root # group: root user::rw- group::r-- other::r--
Use setfacl to set ACLs, with -m to modify and -x to remove a given ACL. Give user joseph read + write + execute on this file:
[root@tags ~]# setfacl -m u:joseph:rwx /datum/foo.txt
give group peeps read+write on a file:
[root@tags ~]# setfacl -m geeps:rx /datum/foo.txt
remove joseph’s ACL permissions:
[root@tags ~]# setfacl -x u:joseph /datum/foo.txt
set the default ACL permissions on a directory:
[root@tags ~]# setfacl -m d:geeps:rw /datum/stuff/
revoke write permission for everyone:
[root@tags ~]# setfacl -m m::rx /datum/foo.txt
When ACLs are present, a “ls -l” will show a plus sign to notify you:
[root@tags ~]# ls -l /datum/foo.txt -rw-rwxr--+ 1 root root 0 Dec 3 14:54 /datum/foo.txt
Note that the mv and cp -p commands will preserve ACLs. If you have defaults set on a parent directory, new files in that directory will inherit those settings.
If you want to remove all ACLs, reverting back to the base unix permissions of owner, group and other:
[root@tags ~]# setfacl --remove-all /datum/foo.txt