TrumanWong

setfacl

Set file access control list

Supplementary instructions

The setfacl command sets ACLs (access control lists) of files and directories from the command line. On the command line, a sequence of commands is followed by a sequence of file names.

Options

-b, --remove-all: Remove all extended acl rules, basic acl rules (owner, group, other) will be retained.
-k, --remove-default: Delete the default acl rule. If there is no default rule, no prompt will be given.
-n, --no-mask: Do not recalculate effective permissions. setfacl will recalculate the ACL mask by default unless the mask is explicitly specified.
--mask: Recalculate effective permissions even if ACL mask is explicitly specified.
-d, --default: Set the default acl rule.
--restore=file: Restore backed-up acl rules from files (these files can be generated by getfacl -R). Through this mechanism, acl rules for the entire directory tree can be restored. This parameter cannot be executed with any parameter except --test.
--test: Test mode, the acl rules of any file will not be changed, and the acl specifications after the operation will be listed.
-R, --recursive: Operate all files and directories recursively.
-L, --logical: Logical walk: follow symbolic links to directories. By default, symbolic links given as arguments are followed, while symbolic links encountered inside subdirectories are skipped.
-P, --physical: Physical walk: do not follow symbolic links to directories. This also skips symbolic links given as arguments.
--version: Output the version number of setfacl and exit.
--help: Output help information.
--: Indicates the end of the command line parameters, and all subsequent parameters will be considered file names.
-: If the filename is -, setfacl will read the filename from standard input.
  • The options -m and -x take acl rules as their argument; multiple rules are separated by commas (,). The options -M and -X read acl rules from a file or from standard input.
  • The options --set and --set-file replace the ACL of a file or directory; the previous entries are discarded.
  • The options -m (--modify) and -M (--modify-file) modify the ACL of a file or directory, adding or updating entries.
  • The options -x (--remove) and -X (--remove-file) remove entries from the ACL.

When the -M and -X options read rules from a file, setfacl accepts the format that getfacl produces. There is at most one rule per line; everything after a # up to the end of the line is treated as a comment.

When setfacl is used on a file system that does not support ACLs, it modifies the file permission bits instead. If the acl rules do not fit exactly into the file permission bits, setfacl changes the permission bits to reflect the rules as closely as it can, prints an error message to standard error, and exits with a status greater than 0.

Permissions

The file owner and processes that hold the CAP_FOWNER capability may modify a file's ACL. This mirrors the permission required to change the file mode. (On current Linux systems, root is the only user with the CAP_FOWNER capability.)

ACL Rules

The setfacl command can recognize the following rule formats:

[d[efault]:] [u[ser]:]uid [:perms]   Permissions of a named user, or of the file owner if uid is empty.
[d[efault]:] g[roup]:gid [:perms]    Permissions of a named group, or of the owning group if gid is empty.
[d[efault]:] m[ask][:] [:perms]      Effective rights mask.
[d[efault]:] o[ther][:] [:perms]     Permissions of others.

Rules in these forms are used in modify and set operations. For uid and gid you can give either a numeric id or a name. The perms field is a combination of the letters r (read), w (write) and x (execute). An uppercase X grants execute only if the file is a directory or already has execute permission for some user, which is what you want when applying rules recursively with -R so that plain data files do not become executable. Alternatively, the perms field can be a single octal digit (0-7).

Automatically created rules

Initially, files and directories contain only the three base acl entries, for the owner, the owning group and others. For an ACL to be valid, the following rules must hold.

  • The three base entries cannot be removed; there must be exactly one entry of each base type.

  • Whenever an ACL contains named user or named group entries, it must also contain an effective rights mask entry.

  • Whenever an ACL contains any default entries, the three default base entries (default owner, default group and default others) must also exist.

ACL term definitions

First, let's look at the definition of each term used with ACLs. Most of these come from the man page. Although they are a bit dry, they are very helpful for understanding what follows.

ACL is composed of a series of Access Entries. Each Access Entry defines the operation permissions that a specific category can have on files. Access Entry has three components: Entry tag type, qualifier (optional), and permission.

Let’s first take a look at the most important Entry tag type, which has the following types:

ACL_USER_OBJ: equivalent to file_owner permission in Linux
ACL_USER: Defines the permissions that additional users can have on this file
ACL_GROUP_OBJ: Equivalent to the permission of group in Linux
ACL_GROUP: defines the permissions that additional groups can have on this file
ACL_MASK: Defines the maximum permissions of ACL_USER, ACL_GROUP_OBJ and ACL_GROUP (I will discuss this specifically below)
ACL_OTHER: Equivalent to the permission of other in Linux

Let us explain with an example. Next we use the getfacl command to view a defined ACL file:

[root@localhost ~]# getfacl ./test.txt
# file: test.txt
# owner: root
# group: admin
user::rw-
user:john:rw-
group::rw-
group:dev:r--
mask::rw-
other::r--

The first three lines, starting with #, give the file name, owner and owning group. They are only a header, and we use --omit-header below to suppress them.

user::rw- ACL_USER_OBJ is defined, indicating that the file owner has read and write permission
user:john:rw- defines ACL_USER, so that user john has read and write permissions on the file, achieving the goal we wanted to achieve at the beginning
group::rw- ACL_GROUP_OBJ is defined, indicating that the group of the file has read and write permission
group:dev:r-- defines ACL_GROUP so that the dev group has read permission for the file
mask::rw- defines the permissions of ACL_MASK as read and write
other::r-- defines the permission of ACL_OTHER as read

From here we can see that ACL provides the function that we can define specific users and user groups, so let's take a look at how to set the ACL of a file:

How to set up the ACL file

First of all, we still need to talk about the format of setting the ACL file. From the above example, we can see that each Access Entry is composed of three fields separated by : characters. The first one is the Entry tag type.

user corresponds to ACL_USER_OBJ and ACL_USER
group corresponds to ACL_GROUP_OBJ and ACL_GROUP
mask corresponds to ACL_MASK
other corresponds to ACL_OTHER

The second field is the qualifier, which in the example above is the user john and the group dev. It names the specific user or group the entry applies to. Note that only user and group entries can carry a qualifier; for the owner, owning group, mask and other entries it is empty. The third field is the familiar permission set, defined the same way as Linux permissions, so it needs no further explanation here.

Let's take a look at how to set the ACL of the test.txt file so that it can meet our above requirements.

Initially the file does not have the extra attributes of the ACL:

[root@localhost ~]# ls -l
-rw-rw-r-- 1 root admin 0 Jul 3 22:06 test.txt

[root@localhost ~]# getfacl --omit-header ./test.txt
user::rw-
group::rw-
other::r--

We first let user john have read and write permissions on the test.txt file:

[root@localhost ~]# setfacl -m user:john:rw- ./test.txt
[root@localhost ~]# getfacl --omit-header ./test.txt
user::rw-
user:john:rw-
group::rw-
mask::rw-
other::r--

At this time we can see that user john already has read and write rights to the file in the ACL. At this time, if we look at the Linux permission, we will find a difference.

[root@localhost ~]# ls -l ./test.txt
-rw-rw-r--+ 1 root admin 0 Jul 3 22:06 ./test.txt

There is an extra + at the end of the permission string. ls prints it whenever a file carries an extended ACL, that is, one with ACL_USER or ACL_GROUP entries, as a reminder that the mode bits no longer tell the whole story. Note also that setfacl added an ACL_MASK entry automatically as soon as a named entry appeared.

Next we set the dev group to have read permission:

[root@localhost ~]# setfacl -m group:dev:r-- ./test.txt
[root@localhost ~]# getfacl --omit-header ./test.txt
user::rw-
user:john:rw-
group::rw-
group:dev:r--
mask::rw-
other::r--

At this point, we have completed the requirements we mentioned above. Isn’t it very simple?

ACL_MASK and Effective permission

Here we need to focus on ACL_MASK, because it is the other key to mastering ACLs. In the classic Linux permission string, say rw-rw-r--, the middle rw- is the permission of the owning group. With ACLs this is only true when no ACL_MASK entry exists. If the file has an ACL_MASK entry, the middle triplet shows the mask value rather than the owning group's permission.

Let's look at the following example:

[root@localhost ~]# ls -l
-rwxrw-r-- 1 root admin 0 Jul 3 23:10 test.sh

This shows that the test.sh file only has the file owner: root with read, write, execute/search permission. The admin group only has read and write permission. Now we want user john to also have the same permission as root for test.sh.

[root@localhost ~]# setfacl -m user:john:rwx ./test.sh
[root@localhost ~]# getfacl --omit-header ./test.sh
user::rwx
user:john:rwx
group::rw-
mask::rwx
other::r--

Here we see that john already has the permission of rwx, and the mask value is also set to rwx. That is because it specifies the maximum values of ACL_USER, ACL_GROUP and ACL_GROUP_OBJ. Now let’s look at test.sh Linux permission, it has become:

[root@localhost ~]# ls -l
-rwxrwxr--+ 1 root admin 0 Jul 3 23:10 test.sh

So what will happen if a user in the admin group wants to execute the test.sh program? It will be permission denied. The reason is that users in the admin group actually only have read and write permission. The rwx displayed here is the value of ACL_MASK rather than the permission of the group.

So from here we can know that if there is a + mark after a file, we need to use getfacl to confirm its permission to avoid confusion.

Let's continue to look at an example. If we now set the mask of test.sh to read only, will users in the admin group still have write permission?

[root@localhost ~]# setfacl -m mask::r-- ./test.sh
[root@localhost ~]# getfacl --omit-header ./test.sh
user::rwx
user:john:rwx			#effective:r--
group::rw-			#effective:r--
mask::r--
other::r--

Now we see #effective:r-- next to the ACL_USER and ACL_GROUP_OBJ entries. What does this mean? Recall the definition of ACL_MASK: it is the upper bound on the permissions of ACL_USER, ACL_GROUP_OBJ and ACL_GROUP. In our example that bound is read only. Although ACL_USER and ACL_GROUP_OBJ are still stored with wider permissions, only read actually takes effect.

At this time, when we check the Linux file permission of test.sh, its group permission will also display the value of its mask (i.e. r--)

[root@localhost ~]# ls -l
-rwxr--r--+ 1 root admin 0 Jul 3 23:10 test.sh
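To make the mask rule and the access decision concrete, here is an added example (not code from the original page) that parses getfacl --omit-header output, applies the mask the way the kernel does per acl(5), reproduces the #effective: annotations and the permission string ls prints, and answers "can this user do X?" for the test.sh walkthrough above. It also checks the validity rules from the "Automatically created rules" section. The users alice and bob, the function names, and the embedded ACL text are all constructed for the example; owner and group names are passed in explicitly because --omit-header drops them.

```python
# Added example, not from the page: parse getfacl(1) output and evaluate it the
# way the kernel does per acl(5). The sample ACL below is constructed to match
# the test.sh walkthrough above; owner and group names are passed explicitly
# because --omit-header drops them.
from dataclasses import dataclass

PERM_BITS = {"r": 4, "w": 2, "x": 1}

def perms_to_bits(s):
    """'rw-' -> 6; a single octal digit such as '6' is accepted too."""
    return int(s) & 7 if s.isdigit() else sum(v for c, v in PERM_BITS.items() if c in s)

def bits_to_perms(b):
    return "".join(c if b & v else "-" for c, v in PERM_BITS.items())

@dataclass
class Entry:
    tag: str        # 'user', 'group', 'mask' or 'other'
    qualifier: str  # name for ACL_USER/ACL_GROUP, '' for the base and mask entries
    perms: int      # permissions as stored, before the mask is applied

def parse_getfacl(text):
    """Parse `getfacl --omit-header` output into Access ACL entries. Comments,
    '#effective:' notes and Default ACL lines are dropped."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("default:"):
            continue
        tag, qualifier, perms = line.split(":")
        entries.append(Entry(tag, qualifier, perms_to_bits(perms)))
    return entries

def validate(entries):
    """The invariants listed under 'Automatically created rules'."""
    counts = {}
    for e in entries:
        counts[(e.tag, e.qualifier)] = counts.get((e.tag, e.qualifier), 0) + 1
    for tag in ("user", "group", "other"):
        if counts.get((tag, ""), 0) != 1:
            raise ValueError(f"base entry {tag}:: must appear exactly once")
    if any(e.qualifier for e in entries) and counts.get(("mask", ""), 0) != 1:
        raise ValueError("named user/group entries require a mask entry")
    return True

def effective(entries):
    """Yield (entry, effective_bits). The mask caps ACL_USER, ACL_GROUP_OBJ and
    ACL_GROUP; the owner and 'other' entries are never masked."""
    masks = [e.perms for e in entries if e.tag == "mask"]
    mask = masks[0] if masks else 7
    for e in entries:
        capped = e.tag == "group" or (e.tag == "user" and e.qualifier != "")
        yield e, (e.perms & mask if capped else e.perms)

def render(entries):
    """getfacl's display, including the '#effective:' annotations."""
    lines = []
    for e, bits in effective(entries):
        line = f"{e.tag}:{e.qualifier}:{bits_to_perms(e.perms)}"
        if bits != e.perms:
            line += f"\t\t#effective:{bits_to_perms(bits)}"
        lines.append(line)
    return "\n".join(lines)

def mode_string(entries):
    """The nine characters ls -l prints: owner, then the mask entry if one
    exists (otherwise the owning group), then other."""
    by = {(e.tag, e.qualifier): e.perms for e in entries}
    middle = by.get(("mask", ""), by[("group", "")])
    return "".join(bits_to_perms(b) for b in (by[("user", "")], middle, by[("other", "")]))

def check_access(entries, owner, owning_group, user, groups, want):
    """acl(5) access check. An owner or named-user match decides by itself; a
    group match grants if any matching (masked) group entry covers `want`."""
    need = perms_to_bits(want)
    eff = {(e.tag, e.qualifier): bits for e, bits in effective(entries)}
    if user == owner:
        return eff[("user", "")] & need == need
    if ("user", user) in eff:
        return eff[("user", user)] & need == need
    keys = [("group", "") if g == owning_group else ("group", g) for g in groups]
    group_bits = [eff[k] for k in keys if k in eff]
    if group_bits:
        return any(bits & need == need for bits in group_bits)
    return eff[("other", "")] & need == need

# Constructed sample: test.sh (owner root, group admin) after
# `setfacl -m user:john:rwx` followed by `setfacl -m mask::r--`.
TEST_SH_ACL = """\
user::rwx
user:john:rwx
group::rw-
mask::r--
other::r--
"""

if __name__ == "__main__":
    acl = parse_getfacl(TEST_SH_ACL)
    validate(acl)
    print(render(acl))
    print("ls -l shows:", mode_string(acl))
    for who, grps in (("root", ["admin"]), ("john", []), ("alice", ["admin"]), ("bob", [])):
        got = "".join(p for p in "rwx" if check_access(acl, "root", "admin", who, grps, p))
        print(f"{who:>6} can: {got or '---'}")
```

Running it prints rwxr--r-- for the mode string and shows that an admin member (alice) and john both end up read-only, exactly the "permission denied" case discussed above, while root is unaffected because the owner entry is never masked. The same check_access function, fed the pre-mask ACL (mask::rwx), confirms that the rwx shown in the group column by ls was never the admin group's permission.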

Default ACL

All we talked about above are Access ACL, that is, for files. Let me briefly talk about Default ACL. Default ACL refers to setting the Default ACL for a directory, and all files created in this directory will inherit the ACL of this directory.

Similarly, let's do a test explanation. For example, now the root user has created a dir directory:

[root@localhost ~]# mkdir dir

He hopes that all files created in this directory can be accessed by user john, then we should set Default ACL on the dir directory.

[root@localhost ~]# setfacl -d -m user:john:rw ./dir
[root@localhost ~]# getfacl --omit-header ./dir
user::rwx
group::rwx
other::r-x
default:user::rwx
default:user:john:rw-
default:group::rwx
default:mask::rwx
default:other::r-x

Here we can see that the ACL now carries default entries, and that user john gets read and write permission by default. Default entries that were not given explicitly (owner, owning group, other) are copied from the directory's own access entries, and a default mask is computed from them. Now the root user creates a test.txt file under dir.

[root@localhost ~]# touch ./dir/test.txt
[root@localhost ~]# ls -l ./dir/test.txt
-rw-rw-r--+ 1 root root 0 Jul 3 23:46 ./dir/test.txt

[root@localhost ~]# getfacl --omit-header ./dir/test.txt
user::rw-
user:john:rw-
group::rwx #effective:rw-
mask::rw-
other::r--

Here we see that the file root created under dir automatically grants john read and write permission. Note also that the inherited group entry is rwx but its effective permission is rw-: the mask of the new file was cut down to the group bits of the creation mode (0666 for touch), which is why the mask, not the owning-group entry, reflects what the file was created with.
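The inheritance rule is mechanical enough to compute by hand, and doing so shows where the #effective:rw- above comes from. The following added example (mine, not code from the page) implements the two steps acl(5) gives for object creation under a Default ACL: copy the Default ACL as the new Access ACL, then clear from the owner, mask (or owning group if there is no mask) and other entries any bit not present in the creation mode. One caveat worth knowing: when the directory has a Default ACL, the umask is not applied at all, the Default ACL takes over its role, so a loose default such as other::rwx produces world-writable files regardless of the umask. The Default ACL text, the subdirectory name sub, and the function names are constructed for the example.

```python
# Added example, not from the page: compute the Access ACL a new file or
# directory inherits from its parent's Default ACL, following the two steps
# in acl(5). The default ACL below is constructed to match the `dir` example
# above. When a directory has a Default ACL the umask is NOT applied; the
# Default ACL takes over that role, so a loose default (say other::rwx)
# yields world-writable files whatever the umask says.

PERM_BITS = {"r": 4, "w": 2, "x": 1}

def to_bits(s):
    return sum(v for c, v in PERM_BITS.items() if c in s)

def to_str(b):
    return "".join(c if b & v else "-" for c, v in PERM_BITS.items())

def inherit(default_acl, mode, is_dir=False):
    """default_acl: (tag, qualifier, perms) tuples without the 'default:' prefix.
    mode: the mode argument of creat/mkdir (0o666 for touch, 0o777 for mkdir).

    Step 1: the new object takes the Default ACL as its Access ACL.
    Step 2: the entries that map onto the permission bits (owner; mask if
    present, else owning group; other) drop any bit not in `mode`. Named
    entries and a masked owning-group entry keep their bits, which is where
    the '#effective:' notes come from. A new directory additionally inherits
    the Default ACL as its own Default ACL."""
    owner_bits, group_bits, other_bits = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
    has_mask = any(tag == "mask" for tag, _, _ in default_acl)
    access = []
    for tag, q, perms in default_acl:
        bits = to_bits(perms)
        if tag == "user" and q == "":
            bits &= owner_bits
        elif tag == "mask" or (tag == "group" and q == "" and not has_mask):
            bits &= group_bits
        elif tag == "other":
            bits &= other_bits
        access.append((tag, q, bits))
    return access, (list(default_acl) if is_dir else [])

def render(access, default=()):
    """getfacl-style text with '#effective:' notes where the mask bites."""
    mask = next((b for t, q, b in access if t == "mask"), 7)
    lines = []
    for tag, q, bits in access:
        line = f"{tag}:{q}:{to_str(bits)}"
        capped = tag == "group" or (tag == "user" and q != "")
        if capped and bits & mask != bits:
            line += f"\t\t#effective:{to_str(bits & mask)}"
        lines.append(line)
    lines += [f"default:{tag}:{q}:{perms}" for tag, q, perms in default]
    return "\n".join(lines)

def mode_string(access):
    """What ls -l shows: owner, then mask (or owning group if no mask), then other."""
    by = {(t, q): b for t, q, b in access}
    middle = by.get(("mask", ""), by[("group", "")])
    return "".join(to_str(b) for b in (by[("user", "")], middle, by[("other", "")]))

# Constructed: the Default ACL of `dir` after `setfacl -d -m user:john:rw ./dir`.
DIR_DEFAULT = [
    ("user", "", "rwx"),
    ("user", "john", "rw-"),
    ("group", "", "rwx"),
    ("mask", "", "rwx"),
    ("other", "", "r-x"),
]

if __name__ == "__main__":
    file_acl, _ = inherit(DIR_DEFAULT, 0o666)                        # touch ./dir/test.txt
    print("touch ./dir/test.txt ->", mode_string(file_acl))
    print(render(file_acl))
    sub_acl, sub_default = inherit(DIR_DEFAULT, 0o777, is_dir=True)  # mkdir ./dir/sub
    print("mkdir ./dir/sub      ->", mode_string(sub_acl))
    print(render(sub_acl, sub_default))
```

For touch the result is rw-rw-r--+ with group::rwx #effective:rw-, matching the getfacl output above. For a subdirectory created with mkdir (mode 0777) nothing is clipped, so no #effective notes appear, and the Default ACL is carried down one more level.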

ACL related commands

In the previous examples we saw getfacl read a file's ACL and setfacl set its Access ACL. There is also chacl, which changes the Access ACL and Default ACL of files and directories; see its man page for the parameters. One option worth mentioning is chacl -B, which removes the ACL attributes of a file or directory completely, including the Default ACL. If you only remove individual entries with setfacl -x, the mask entry remains and the + still appears at the end of the permission string; use chacl -B (or setfacl -b, which removes all extended entries) to get rid of it. When copying files with cp, add the -p option so that the ACL attributes are copied along with the file; cp warns about ACL attributes it cannot copy.

The mv command will move the ACL attribute of the file by default and will also give a warning if the operation is not allowed.

Some things to note

If your file system does not support ACL, you may need to remount your file system:

mount -o remount,acl [mount point]

There is no space after the comma in the option list. Current ext4 and xfs file systems enable ACL support by default, so the remount is normally only needed on older setups or where acl was explicitly disabled.

If you change the Linux file permission bits with chmod, the ACL entries that correspond to them (owner, mask or owning group, and other) change along with them. Conversely, changing those ACL entries with setfacl changes the file permission bits.