
Facl

Tags: linux, permissions


FACL (file access control lists, managed with setfacl and getfacl) sets extended permissions on files and directories.

Big X

A capital X grants execute only if the file is a directory or already has execute permission for some user, so a recursive grant does not make every regular file executable:

setfacl -R -m u:colleague:rwX .

Working with directories

Setting basic permissions with facl

$ mkdir testificate_dir
$ ls -al
total 0
drwxr-xr-x. 3 piper domain users 29 Aug 10 14:26 .
drwx------. 6 piper domain users 185 Aug 10 14:20 ..
drwxr-xr-x. 2 piper domain users 6 Aug 10 14:26 testificate_dir
$ setfacl -m u::7,g::7,o::0 testificate_dir
$ ls -al
total 0
drwxr-xr-x. 3 piper domain users 29 Aug 10 14:26 .
drwx------. 6 piper domain users 185 Aug 10 14:20 ..
drwxrwx---. 2 piper domain users 6 Aug 10 14:26 testificate_dir

Note that FACL accepts numerical or alphabetical permissions: u::rwx and u::7 are the same thing and both are acceptable.

To remove permissions you can use 0 or -.

Setting default inherited permissions

We will set 774 (rwx : rwx : r) as an inherited permission on testificate_dir, then create a new dir under it. Notice that the new dir was created as drwxrwxr--+.

$ setfacl -dm u::7,g::7,o::r testificate_dir
$ ls -al testificate_dir/
total 0
drwxrwx---+ 3 piper domain users 18 Aug 10 14:31 .
drwxr-xr-x. 3 piper domain users 29 Aug 10 14:26 ..
drwxrwxr--+ 2 piper domain users 6 Aug 10 14:31 test

Give a user access to a directory, recursively and inherited

setfacl -R -dm u:jenkins:rwX ./ProjectDirectory

Viewing extended permissions

When a directory is affected by extended permissions it will have a + at the end of its permissions in ls -l. Check the actual entries with getfacl.

Running it on testificate_dir shows both of the commands we ran earlier in effect.

$ getfacl testificate_dir/
# file: testificate_dir/
# owner: piper
# group: domain\040users
user::rwx
group::rwx
other::---
default:user::rwx
default:group::rwx
default:other::r--

Here we can see that the test dir inherited the o::r entry and carries the same default entries, so it will pass that inheritance on to anything created under it.

$ getfacl testificate_dir/test/
# file: testificate_dir/test/
# owner: piper
# group: domain\040users
user::rwx
group::rwx
other::r--
default:user::rwx
default:group::rwx
default:other::r--

Removing extended permissions

Specific extended group

$ setfacl -x g:<group id> testificate_dir/

This removes the named group's access entry; use -d together with -x to remove its default entry as well.

All

Extended permissions can be removed with -k (default entries only) or -b (all extended entries).

$ setfacl -k testificate_dir/
$ getfacl testificate_dir/
# file: testificate_dir/
# owner: piper
# group: domain\040users
user::rwx
group::rwx
other::---
$ getfacl testificate_dir/test/
# file: testificate_dir/test/
# owner: piper
# group: domain\040users
user::rwx
group::rwx
other::r--
default:user::rwx
default:group::rwx
default:other::r--

As you can see above, that did not remove the default entries from the sub dir. Use -R to recurse.

$ setfacl -kR testificate_dir/
$ getfacl testificate_dir/test/
# file: testificate_dir/test/
# owner: piper
# group: domain\040users
user::rwx
group::rwx
other::r--

Working with files

Files inherit the same default permissions but without execute: a new file starts from 666 before the parent's default ACL is applied. In the following example we set 777 on one directory and 700 on another; the file created in each ends up 666 or 600 depending on its parent directory.

$ setfacl -m u::7,g::0,o::0 none/
$ setfacl -m u::7,g::7,o::7 open/
$ setfacl -dm u::7,g::0,o::0 none/
$ setfacl -dm u::7,g::7,o::7 open/
$ getfacl none/ open/
# file: none/
# owner: piper
# group: domain\040users
user::rwx
group::---
other::---
default:user::rwx
default:group::---
default:other::---
# file: open/
# owner: piper
# group: domain\040users
user::rwx
group::rwx
other::rwx
default:user::rwx
default:group::rwx
default:other::rwx
$ ls -al none/ open/
none/:
total 0
drwx------+ 2 piper domain users 18 Aug 10 16:18 .
drwxr-xr-x. 5 piper domain users 53 Aug 10 16:17 ..
-rw-------. 1 piper domain users 0 Aug 10 16:18 test
open/:
total 0
drwxrwxrwx+ 2 piper domain users 18 Aug 10 16:18 .
drwxr-xr-x. 5 piper domain users 53 Aug 10 16:17 ..
-rw-rw-rw-. 1 piper domain users 0 Aug 10 16:18 test
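As an added illustration (not from the original notes), the following Python reproduces the inheritance rule that produced the drwxrwxr--+, -rw-------. and -rw-rw-rw-. results above: a new directory starts from mode 0777 and a new file from 0666, the three class entries of the parent's default ACL are ANDed with that mode, and the umask is ignored. The dictionary layout and function names are this example's own.

```python
PERM_BITS = {"r": 4, "w": 2, "x": 1}

def perms_to_bits(perms: str) -> int:
    """'r-x' -> 5 and '7' -> 7; setfacl accepts both spellings, as noted above."""
    if perms.isdigit():
        return int(perms) & 7
    return sum(PERM_BITS[c] for c in perms if c in PERM_BITS)

def bits_to_perms(bits: int) -> str:
    return "".join(c if bits & v else "-" for c, v in PERM_BITS.items())

def inherit_acl(default_acl: dict, is_dir: bool) -> dict:
    """Access ACL of a new object created under a parent whose default ACL is
    default_acl, e.g. {'user::': '7', 'group:linuxadmins': 'r-x', 'mask::': 'rwx'}.
    Programs create directories with mode 0777 and files with 0666; when the
    parent has a default ACL the umask is ignored and the default ACL masks."""
    create_mode = 0o777 if is_dir else 0o666
    acl = {k: perms_to_bits(v) for k, v in default_acl.items()}
    # Only the three class entries are ANDed with the creation mode. When a
    # mask entry exists it stands for the group class and group:: is left alone.
    group_class = "mask::" if "mask::" in acl else "group::"
    acl["user::"] &= (create_mode >> 6) & 7
    acl[group_class] &= (create_mode >> 3) & 7
    acl["other::"] &= create_mode & 7
    result = {k: bits_to_perms(v) for k, v in acl.items()}
    if is_dir:  # a new subdirectory also carries the default ACL onward
        for k, v in default_acl.items():
            result["default:" + k] = bits_to_perms(perms_to_bits(v))
    return result

def mode_string(acl: dict, is_dir: bool) -> str:
    """ls -l style mode. A trailing '+' marks an extended ACL; '.' is the SELinux
    label shown on the page's RHEL host. ls shows the mask, if any, in the group slot."""
    extended = any(k not in ("user::", "group::", "other::") for k in acl)
    group_slot = acl.get("mask::", acl["group::"])
    mode = ("d" if is_dir else "-") + acl["user::"] + group_slot + acl["other::"]
    return mode + ("+" if extended else ".")

if __name__ == "__main__":
    # 774 default on testificate_dir, then mkdir test -> drwxrwxr--+
    print(mode_string(inherit_acl({"user::": "7", "group::": "7", "other::": "r"}, True), True))
    # 700 default on none/ and 777 on open/, then a file in each -> -rw-------. and -rw-rw-rw-.
    print(mode_string(inherit_acl({"user::": "7", "group::": "0", "other::": "0"}, False), False))
    print(mode_string(inherit_acl({"user::": "7", "group::": "7", "other::": "7"}, False), False))
```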

Multiple groups

With standard permissions you only get one owning group; there is no way to express a secondary group. FACL can set permissions for additional groups.

Our base dir is set up for only one group; we want to add another that is read-only.

$ getfacl .
# file: .
# owner: piper
# group: domain\040users
user::rwx
group::rwx
other::---
default:user::rwx
default:group::rwx
default:other::r--

To change both the existing permissions and the default permissions we must run two commands, one with -d and one without.

In the previous sections we used g::<perms>; the empty field between the colons means the file's owning group. Putting a group name or ID between the colons, as in g:linuxadmins:rx, sets permissions for an additional (secondary) group.

$ setfacl -dm g:linuxadmins:rx .
$ setfacl -m g:linuxadmins:rx .
$ getfacl .
# file: .
# owner: piper
# group: domain\040users
user::rwx
group::rwx
group:linuxadmins:r-x
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:linuxadmins:r-x
default:mask::rwx
default:other::r--

We can make a directory in our current path to demonstrate the proper permissions were inherited.

$ mkdir test
$ getfacl test/
# file: test/
# owner: piper
# group: domain\040users
user::rwx
group::rwx
group:linuxadmins:r-x
mask::rwx
other::r--
default:user::rwx
default:group::rwx
default:group:linuxadmins:r-x
default:mask::rwx
default:other::r--

ACL Entries

setfacl recognizes the following ACL entry formats (spaces in the formats are optional, but are included for legibility):

| Syntax | Meaning |
| --- | --- |
| [d[efault]:] [u[ser]:]uid [:perms] | Permissions of the user with user ID uid, or permissions of the file's owner if uid is empty. |
| [d[efault]:] g[roup]:gid [:perms] | Permissions of the group with group ID gid, or permissions of the owning group if gid is empty. |
| [d[efault]:] m[ask][:] [:perms] | Effective rights mask. |
| [d[efault]:] o[ther][:] [:perms] | Permissions of others. |

Masks

Relates to [[umask]]

To set a default mask on a directory (overriding the STIG-mandated 077 umask for files created under it) use the following:

setfacl -R -d -m mask:07 ./dir

This allows project directories, shared executables, etc. to be created with group rwx where the default umask would otherwise leave new files with no group permissions.
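The following Python, added here and not part of the original notes, parses getfacl output and applies the mask rule from the entry table above (the mask caps group::, user:NAME and group:NAME, never user:: or other::) to report where granted and effective rights differ and where others have any access. The sample output is constructed and the function names are this example's own.

```python
PERM_BITS = {"r": 4, "w": 2, "x": 1}

# Constructed getfacl output (not from a real host): a mask of r-x trims two rwx entries.
SAMPLE = r"""# file: project
# group: domain\040users
user::rwx
group::rwx            #effective:r-x
group:linuxadmins:rwx #effective:r-x
mask::r-x
other::r--
"""

def bits(p): return sum(PERM_BITS[c] for c in p if c in PERM_BITS)
def perms(b): return "".join(c if b & v else "-" for c, v in PERM_BITS.items())

def parse_getfacl(text):
    """{path: [(tag, qualifier, perms, is_default), ...]}, one list per '# file:' block."""
    files, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("# file:"):
            current = line.split(":", 1)[1].strip()
            files[current] = []
        elif line and not line.startswith("#"):
            entry = line.split("#", 1)[0].strip()   # drop getfacl's #effective note
            tag, qual, p = entry.split(":")[-3:]    # same shape with or without default:
            files[current].append((tag, qual, p, entry.startswith("default:")))
    return files

def effective(entries):
    """(label, granted, effective) per entry. The mask caps group::, user:NAME and
    group:NAME, never user:: or other::; the access and default halves have their own."""
    out = []
    for is_default in (False, True):
        subset = [e for e in entries if e[3] == is_default]
        mask = next((bits(p) for t, _, p, _ in subset if t == "mask"), 7)  # 7: no mask
        for tag, qual, p, _ in subset:
            capped = tag == "group" or (tag == "user" and qual != "")
            eff = bits(p) & mask if capped else bits(p)
            out.append((("default:" if is_default else "") + f"{tag}:{qual}", p, perms(eff)))
    return out

def findings(files):
    """Audit view: entries the mask trims below what was granted, plus any world access."""
    found = []
    for path, entries in files.items():
        for label, granted, eff in effective(entries):
            if granted != eff:
                found.append(f"{path}: {label} granted {granted} but effective {eff}")
            if label in ("other:", "default:other:") and eff != "---":
                found.append(f"{path}: world access {eff}")
    return found
```

Run with `print("\n".join(findings(parse_getfacl(SAMPLE))))`; feed it real `getfacl -R` output to audit a tree.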


Sources:
  • https://access.redhat.com/solutions/69060
  • https://unix.stackexchange.com/questions/209487/how-can-i-use-setfacl-to-give-no-access-to-other-users
  • https://www.computerhope.com/unix/usetfacl.htm
  • https://serverfault.com/questions/227852/what-does-a-mean-at-the-end-of-the-permissions-from-ls-l