Pawan Sharma | September 8, 2012

Set Access Control List (ACL) in RHEL 6

In this post we will discuss Access Control Lists (ACLs) in Red Hat Enterprise Linux 6, which let us give permissions to different users and groups on a file or directory. As discussed in the previous posts, standard file/directory permissions can only be set for the owner, the group and other users. But what if we have to give different permissions to different users on the same file/directory? In that situation we can set an ACL on the file/directory to grant each user its own permissions.

Before applying ACLs, the partition on which you want to set them must be mounted with the “acl” option. We can either remount the partition with the mount command or add the “acl” option to that partition's entry in /etc/fstab.

[root@PawanS1 ~]# mount -o remount,acl /appl


As shown in the above picture, we have added the “acl” option to the partition's entry in the /etc/fstab file.
We can set ACLs on a per-user and per-group basis, and we can also modify the ACL mask.
To set an ACL on a file or directory, use the “setfacl” command with the -m option to add or modify the current ACL entries.

[root@PawanS1 ~]# setfacl -m acl_rule files


ACL RULES:

u:uid:permission :- This rule sets the ACL entry for the user with the given uid or user name (must be a valid user).
g:gid:permission :- This rule sets the ACL entry for the group with the given gid or group name (must be a valid group).
m:permission :- This rule updates the ACL mask (the upper bound on the effective permissions of named users and groups).

Note: the “permission” field in a rule can be any combination of read (r), write (w) and execute (x).

Let’s take some examples of ACLs:

Give read and execute permission to user usaid on the file test.txt

[root@PawanS1 ~]# setfacl -m u:usaid:r-x test.txt

Give read, write and execute permissions to group admin on the directory /servers, recursively.

[root@PawanS1 ~]# setfacl -Rm g:admin:rwx /servers


Note: If possible use the uid/gid rather than the name when adding or changing ACL entries, as a user name that starts with a digit will cause problems when adding the access control list.

Some of the options used with the setfacl command:

-b : Remove all extended ACL entries.
-d : Apply the operation to the default ACL (of a directory).
-m : Modify or add ACL entries.
-R : Apply the ACL recursively to subdirectories.
-x : Remove a particular ACL entry.

Remove the ACL entry of user siddharth from the directory /servers

[root@PawanS1 ~]# setfacl -x u:siddharth /servers

A file on which an ACL is set shows a “+” at the end of the permission column in “ls -l” output.

[root@PawanS1 ~]# ls -l shared_file.txt
-rw-rwxr--+ 1 root root 43 Aug 29 12:20 shared_file.txt

To view the current ACL on a file or directory we can use the “getfacl” command. The example below shows the ACL applied to a file named shared_file.txt.

[root@PawanS1 ~]# getfacl shared_file.txt

# file: shared_file.txt
# owner: root
# group: root
user::rw-
user:siddharth:r--
user:usaid:rw-
user:ramswaroop:r-x
group::r--
mask::rwx
other::r--

In the above example you can see that the owner and group of the file are root; user “siddharth” has read access, user “usaid” has read and write permission and user “ramswaroop” has read and execute permission on the file shared_file.txt.
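Added example (not code from the original post): a small Python script that parses getfacl output like the listing above and applies the ACL mask the way the kernel does, so you can see each entry's effective permissions instead of the listed ones. The first sample is the listing from this post; the second is a constructed copy with the mask lowered to r-- to show the cap taking effect.

```python
# Parse getfacl(1) output and compute effective permissions under the ACL mask.

# Sample listing taken from the post above.
SAMPLE_PAGE = """\
# file: shared_file.txt
# owner: root
# group: root
user::rw-
user:siddharth:r--
user:usaid:rw-
user:ramswaroop:r-x
group::r--
mask::rwx
other::r--
"""
# Constructed: the same file after `setfacl -m m:r-- shared_file.txt`.
SAMPLE_MASKED = SAMPLE_PAGE.replace("mask::rwx", "mask::r--")

def parse_getfacl(text):
    """Return (filename, [(tag, qualifier, perms), ...]) from getfacl output."""
    filename, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# file:"):
            filename = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            entry = line.split("#")[0].strip()        # drop any "#effective:" note
            tag, qualifier, perms = entry.split(":")  # e.g. "user:usaid:rw-"
            entries.append((tag, qualifier, perms))
    return filename, entries

def and_perms(a, b):
    """Bitwise AND of two rwx strings: 'rw-' & 'r-x' -> 'r--'."""
    return "".join(x if x == y else "-" for x, y in zip(a, b))

def effective_perms(entries):
    """Map (tag, qualifier) -> effective perms. The mask caps named users,
    named groups and the owning group; owner (user::) and other:: are exempt."""
    mask = next((p for t, _, p in entries if t == "mask"), None)
    eff = {}
    for tag, qualifier, perms in entries:
        masked = mask is not None and (tag == "group" or (tag == "user" and qualifier != ""))
        eff[(tag, qualifier)] = and_perms(perms, mask) if masked else perms
    return eff

def mask_restricted(entries):
    """Entries whose listed perms exceed their effective perms (the ones getfacl
    would annotate with '#effective:')."""
    eff = effective_perms(entries)
    return [(t, q, p, eff[(t, q)]) for t, q, p in entries if eff[(t, q)] != p]
```

Note that on a file with an ACL, chmod on the group bits changes the mask rather than the owning group entry, which is a common way for named-user permissions to be silently reduced.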

For any queries please post comments.