
ID #1075

File ACL permission

By default, home directories on our Linux servers are only readable by their owner (and by the web servers). There are legitimate reasons to want other users to be able to access some subdirectories or files, for example shared CVS repositories, shared file access, etc. The tools used to grant and view this access are 'setfacl' and 'getfacl'. Please note that by using these tools incorrectly, one can give more access than intended, so use them with care.

These utilities modify the ACLs (Access Control Lists) for files and directories, which tell the system who is allowed to perform which operations. 'setfacl' is used to modify the list, and 'getfacl' is used to display the current permissions.

Listing current access rights

Listing the users and groups that currently have access is fairly straightforward; just issue the command:

getfacl filename

Several lines will be displayed, and each line shows the access for one user or group. If you look closely you will notice that three lines have no username or group name (for example user::rwx). These are the file's standard owner, group and other permissions rather than named ACL entries, but they are displayed so you don't forget about them.

Setting access rights

To give another user access, you specify how you want to modify the ACL and which user or group the change applies to. For example, to add the user johnsmith to the file projectfile, type this command:

setfacl -m u:johnsmith:r projectfile

In this example we used "-m" to indicate that we want to modify the list by adding a record. The segment "u:johnsmith:r" actually has three sections: the first says whether we are talking about a user or a group, the second gives the user or group name, and the third tells what permissions to grant (Unix-type systems have three permissions: read, write and execute). After executing the above command, the user johnsmith would be able to read the file named projectfile, but not change anything in it. A subsequent getfacl command should show the change immediately.

If you later decide that you no longer want johnsmith to access that file, you can remove an entry from the ACL by issuing:

setfacl -x u:johnsmith projectfile

For more information about these commands you may also consult the manual pages by running 'man getfacl' or 'man setfacl'.
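As an added illustration that is not part of the original FAQ, the POSIX shell script below parses constructed getfacl output of the kind the commands above produce: it lists the named entries that setfacl added and flags those that effectively grant write access, taking into account the mask:: line that getfacl displays, which caps what named entries can do. The owner alice, the group devteam and the sample ACL text are made up for the example.

```sh
#!/bin/sh
# Constructed sample of `getfacl projectfile` output after
# `setfacl -m u:johnsmith:r projectfile` plus one extra group entry.
# Owner "alice" and group "devteam" are made up for this example.
SAMPLE_ACL='# file: projectfile
# owner: alice
# group: staff
user::rw-
user:johnsmith:r--
group::r--
group:devteam:rw-
mask::rw-
other::---'

# Same ACL with the mask narrowed to read-only (as after `setfacl -m m::r`);
# getfacl then marks entries the mask cuts down with a "#effective:" note.
SAMPLE_ACL_MASKED="$(printf '%s\n' "$SAMPLE_ACL" | sed \
    -e 's/^mask::rw-$/mask::r--/' \
    -e 's/^group:devteam:rw-$/&  #effective:r--/')"

# Named user/group entries, i.e. the ones added with setfacl -m. Base entries
# such as user::rw- have an empty name field and are skipped, as are comment
# lines and the trailing "#effective:" notes getfacl appends.
acl_named_entries() {
    printf '%s\n' "$1" | awk -F: '
        /^#/ { next }
        { sub(/[ \t]+#.*$/, "") }
        ($1 == "user" || $1 == "group") && $2 != "" { print $1 ":" $2 ":" $3 }'
}

# Named entries that effectively grant write access. The kernel applies a
# named entry ANDed with mask::, so an entry showing rw- under mask::r--
# cannot actually write and is not reported.
acl_write_grants() {
    printf '%s\n' "$1" | awk -F: '
        /^#/ { next }
        { sub(/[ \t]+#.*$/, "") }
        $1 == "mask" { mask = $3 }
        ($1 == "user" || $1 == "group") && $2 != "" { entries[n++] = $0 }
        END {
            for (i = 0; i < n; i++) {
                split(entries[i], f, ":")
                if (index(f[3], "w") && index(mask, "w")) print entries[i]
            }
        }'
}

acl_named_entries "$SAMPLE_ACL"
acl_write_grants "$SAMPLE_ACL_MASKED"   # prints nothing: mask r-- blocks write
```

Running `getfacl projectfile | ...` through the same functions on a real file works the same way, since they only read the text getfacl prints.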

For a further explanation of Unix file and directory permissions, please see the FAQ specific to that topic.

Last update: 2006-12-04 10:04
Author: Joel Johnson
Revision: 1.0
