This is an article in addition to article ACL on Linux -- POSIX Access control list on linux

Setfacl - set file access control lists

DESCRIPTION

This utility sets Access Control Lists (ACLs) of files and directories. On the command line, a sequence of commands is followed by a sequence of files (which in turn can be followed by another sequence of commands, ...).

The options -m, and -x expect an ACL on the command line. Multiple ACL entries are separated by comma characters (‘,’). The options -M, and -X read an ACL from a file or from standard input. The ACL entry format is described in Section ACL ENTRIES.

The --set and --set-file options set the ACL of a file or a directory. The previous ACL is replaced. ACL entries for this operation must include permissions.

The -m (--modify) and -M (--modify-file) options modify the ACL of a file or directory. ACL entries for this operation must include permissions.

The -x (--remove) and -X (--remove-file) options remove ACL enries. Only ACL entries without the perms field are accepted as parameters, unless POSIXLY_CORRECT is defined.

When reading from files using the -M, and -X options, setfacl accepts the output getfacl produces. There is at most one ACL entry per line. After a Pound sign (‘#’), everything up to the end of the line is treated as a comment.

Same as getfacl, if setfacl is used on a file system which does not support ACLs, setfacl operates on the file mode permission bits. If the ACL does not fit completely in the permission bits, setfacl modifies the file mode permission bits to reflect the ACL as closely as possible, writes an error message to standard error, and returns with an exit status greater than 0.

Example 1 Granting an additional user read access

setfacl -m u:lisa:r file

Example 2 Revoking write access from all groups and all named users (using the effective rights mask)

setfacl -m m::rx file

Example 3 Removing a named group entry from a file’s ACL

$ setfacl -x Tim johntest
$ getfacl --omit-head --access johntest
user::rwx
user:john:rwx
group::r-x
mask::rwx
other::r-x

Example 4 Copying the ACL of one file to another

getfacl file1 | setfacl --set-file=- file2

Example 5 Copying the access ACL into the Default ACL

getfacl --access dir | setfacl -d -M- dir

Example 6 remove all ACL from file

$ setfacl -b johntest
[john@dpool10 acltest]$ getfacl --omit-head --access johntest
user::rwx
group::r-x
other::r-x

Example 7 remove defalt ACL

$ setfacl -k johntest
$ getfacl --omit-head --default johntest

Example 8 -R Apply operations to all files and directories recursively.

This option cannot be mixed with ‘--restore’.

This command copy johntest2's ACLs then set all to dir johntest and its directories

getfacl johntest2 | setfacl -R --set-file=- johntest

 More detail about ACL ENTRIES

The setfacl utility recognizes the following ACL entry formats (blanks inserted for clarity):

[d[efault]:] [u[ser]:]uid [:perms]
Permissions of a named user. Permissions of the file owner if uid is empty.

[d[efault]:] g[roup]:gid [:perms]
Permissions of a named group. Permissions of the owning group if gid is empty.

[d[efault]:] m[ask][:] [:perms]
Effective rights mask

[d[efault]:] o[ther][:] [:perms]
Permissions of others.

Whitespace between delimiter characters and non-delimiter characters is ignored.

Proper ACL entries including permissions are used in modify and set operations. (options -m, -M, --set and --set-file). Entries without the perms field are used for deletion of entries (options -x and -X).

For uid and gid you can specify either a name or a number.

The perms field is a combination of characters that indicate the permissions: read (r), write (w), execute (x), execute only if the file is a directory or already has execute permission for some user (X). Alternatively, the perms field can be an octal digit (0-7).

 

Comments powered by CComment