mirror of
https://gitea.com/mcereda/oam.git
Access Control Lists assignment
TL;DR
List of permission tags and inheritance options: see setfacl(1) on the system in use.
Two tools share the name. The setfacl from the Linux acl package handles POSIX ACLs only (-m, -x, -d, -b, -k) and has no -a option; the -a position form and the owner@:...:allow entries below are FreeBSD's setfacl(1) working on NFSv4 ACLs (e.g. ZFS datasets on FreeBSD or TrueNAS CORE). NFSv4 ACLs are evaluated in order, and the first entry that mentions a permission decides it, allow or deny, so the position given to -a is part of the policy: a deny inserted after the allow it should override has no effect.

```sh
# Install the tool (Linux, POSIX ACLs).
apt install 'acl'
dnf install 'acl'

# Show ACLs.
# Entries capped by the 'mask' entry are shown with an '#effective:' comment.
getfacl 'test/declarations.h'

# Set permissions for users.
# Recalculates the 'mask' entry unless '-n' is given. A later chmod on the
# group bits changes the mask, not the group entry, and silently caps every
# named user and group entry.
setfacl -m 'u:username:rwx' 'test/declarations.h'

# Add permissions for users (FreeBSD setfacl, NFSv4 ACLs).
# Position number starts from 0. NFSv4 entries also carry a type field,
# e.g. 'u:username:rwx:allow'.
setfacl -a '1' 'u:username:rwx' 'test/declarations.h'
setfacl -a '5' 'owner@:rw-p-daARWcCos:f------:allow' 'path/to/file'
setfacl -a '6' 'owner@:rwxpDdaARWcCos:-d-----:allow' 'path/to/dir'

# Set permissions for groups.
setfacl -m 'g:groupname:r-x' 'test/declarations.h'

# Add permissions for groups (FreeBSD setfacl, NFSv4 ACLs).
# Position number starts from 0.
setfacl -a '2' 'g:groupname:r-x' 'test/declarations.h'
setfacl -a '7' 'group@:r--p--aAR-c--s:f------:allow' 'path/to/file'
setfacl -a '8' 'group@:r-xp--aAR-c--s:-d-----:allow' 'path/to/dir'

# Add permissions for everyone else (others) (FreeBSD setfacl, NFSv4 ACLs).
# Position number starts from 0.
setfacl -a '3' 'o::r-x' 'test/declarations.h'
setfacl -a '9' 'everyone@:r-----a-R-c---:f------:allow' 'path/to/file'
setfacl -a '10' 'everyone@:r-x---a-R-c---:-d-----:allow' 'path/to/dir'

# Make children files and directories inherit ACLs.
# A.K.A. set default ACLs (Linux). Only directories carry a default ACL, and it
# applies to entries created afterwards; use '-R' to fix up existing ones.
setfacl -d -m 'u:dummy:rw' 'test'

# Remove specific ACL entries.
# The entry is given without its permissions field. The default entry set
# above is separate from the access entry and needs '-d' to be removed too.
setfacl -x 'u:dummy' 'test'
setfacl -d -x 'u:dummy' 'test'

# Remove all extended ACL entries, keeping only the owner, group and other
# entries synthesized from the file mode. The 'mask' entry goes with them, so
# named users and groups lose their access. '-k' drops the default ACL only.
setfacl -b 'test/declarations.h'
```
Set default permissions for files and directories
Suppose you want a folder to set the default permissions of newly created files and directories to 0664 (-rw-rw-r--) and 0775 (drwxrwxr-x) respectively.
On a filesystem with NFSv4 ACLs (e.g. ZFS on FreeBSD or TrueNAS CORE) the way to achieve this is to set up its ACL accordingly: one file-inheriting (f) and one directory-inheriting (d) allow entry per class, each granting the NFSv4 permissions that translate to the wanted mode bits. Keep Write ACL (C) and Write Owner (o) on the owner@ entries only: granting them to group@ or everyone@ lets any member rewrite the ACL or change the owner, which undoes whatever the rest of the ACL restricts. Without the i (inherit_only) flag the same entries also govern access to the folder itself.
| Who | ACL Type | Permissions | Flags | Translated getfacl Tags | Resulting Unix Permissions |
|---|---|---|---|---|---|
| owner@ | Allow | Read Data, Write Data, Append Data; Read Named Attributes, Write Named Attributes; Read Attributes, Write Attributes; Delete; Read ACL, Write ACL; Write Owner; Synchronize | File Inherit | owner@:rw-p-daARWcCos:f------:allow | -rw------- |
| owner@ | Allow | Read Data, Write Data, Append Data; Read Named Attributes, Write Named Attributes; Execute; Read Attributes, Write Attributes; Delete, Delete Child; Read ACL, Write ACL; Write Owner; Synchronize | Directory Inherit | owner@:rwxpDdaARWcCos:-d-----:allow | drwx------ |
| group@ | Allow | Read Data, Write Data, Append Data; Read Named Attributes, Write Named Attributes; Read Attributes, Write Attributes; Delete; Read ACL; Synchronize | File Inherit | group@:rw-p-daARWc--s:f------:allow | ----rw---- |
| group@ | Allow | Read Data, Write Data, Append Data; Read Named Attributes, Write Named Attributes; Execute; Read Attributes, Write Attributes; Delete, Delete Child; Read ACL; Synchronize | Directory Inherit | group@:rwxpDdaARWc--s:-d-----:allow | d---rwx--- |
| everyone@ | Allow | Read Data; Read Named Attributes; Read Attributes; Read ACL | File Inherit | everyone@:r-----a-R-c---:f------:allow | -------r-- |
| everyone@ | Allow | Read Data; Read Named Attributes; Execute; Read Attributes; Read ACL | Directory Inherit | everyone@:r-x---a-R-c---:-d-----:allow | d------r-x |
```sh
# Set default permissions of '0664' for files and '0775' for directories.
# Includes ACL-type permissions accordingly. FreeBSD setfacl(1) on NFSv4 ACLs;
# positions given to '-a' count from 0.
setfacl -m 'owner@:rw-p-daARWcCos:f------:allow' 'path/to/dir'
setfacl -a '1' 'owner@:rwxpDdaARWcCos:-d-----:allow' 'path/to/dir'
setfacl -m 'group@:rw-p-daARWc--s:f------:allow' 'path/to/dir'
setfacl -a '3' 'group@:rwxpDdaARWc--s:-d-----:allow' 'path/to/dir'
setfacl -m 'everyone@:r-----a-R-c---:f------:allow' 'path/to/dir'
setfacl -a '5' 'everyone@:r-x---a-R-c---:-d-----:allow' 'path/to/dir'

# Verify the resulting entry order, then create a file and a directory inside
# and check that they come out as 0664 and 0775.
getfacl 'path/to/dir'
```
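To sanity-check a recipe like the one above (or the owner@/group@/everyone@ entries in the TL;DR) before applying it, the following added example, written for this page and not part of the FreeBSD or Linux acl tooling, parses entries in the compact form FreeBSD's getfacl(1) prints (tag:permissions:flags:type, with the permission letters in rwxpDdaARWcCos order and the flags in fdinSFI order), works out which entries a new file or directory would inherit, synthesizes the Unix mode those entries translate to using NFSv4's first-match-per-permission ordering, and flags allow entries that hand write_acl or write_owner to anyone other than owner@. The sample ACL, the copied-from-owner@ group entry and the deny entry are constructed inline; the mode synthesis (read_data/write_data/execute only, everyone@ applying to all three classes, named user:/group: entries ignored) is this example's own simplification of how ZFS derives mode bits, not the filesystem's code.

```python
"""Offline checks for FreeBSD/ZFS-style compact NFSv4 ACL entries (added example, not from acl/FreeBSD)."""
from dataclasses import dataclass

PERM_LETTERS = "rwxpDdaARWcCos"   # read_data write_data execute append_data delete_child delete
                                  # read_attributes write_attributes read_xattr write_xattr
                                  # read_acl write_acl write_owner synchronize
FLAG_LETTERS = "fdinSFI"          # file_inherit dir_inherit inherit_only no_propagate
                                  # successful_access failed_access inherited
CLASS_SHIFT = (("owner@", 6), ("group@", 3), ("everyone@", 0))
MODE_BITS = (("r", 4), ("w", 2), ("x", 1))


@dataclass(frozen=True)
class Ace:
    tag: str            # owner@ / group@ / everyone@ / user:NAME / group:NAME
    perms: frozenset    # letters from PERM_LETTERS
    flags: frozenset    # letters from FLAG_LETTERS
    kind: str           # "allow" or "deny"


def parse_ace(text: str) -> Ace:
    """Parse one compact entry such as 'owner@:rw-p-daARWcCos:f------:allow'."""
    parts = text.split(":")
    if parts[0] in ("user", "u", "group", "g"):   # named principal: the tag carries a qualifier
        parts = [{"u": "user", "g": "group"}.get(parts[0], parts[0]) + ":" + parts[1]] + parts[2:]
    if len(parts) != 4:
        raise ValueError(f"expected tag:perms:flags:type, got {text!r}")
    tag, perms, flags, kind = parts
    if kind not in ("allow", "deny"):
        raise ValueError(f"unsupported entry type {kind!r} in {text!r}")
    for field, letters in ((perms, PERM_LETTERS), (flags, FLAG_LETTERS)):
        # Strict positional form as printed by getfacl: each column is its letter or '-'.
        if len(field) != len(letters) or any(c not in ("-", want) for c, want in zip(field, letters)):
            raise ValueError(f"malformed field {field!r} in {text!r}")
    return Ace(tag, frozenset(perms) - {"-"}, frozenset(flags) - {"-"}, kind)


def parse_acl(texts):
    return [parse_ace(t) for t in texts]


def inherited_entries(acl, child: str):
    """Entries a new child inherits: 'f'-flagged ones for files, 'd'-flagged ones for directories."""
    want = {"file": "f", "dir": "d"}[child]
    return [ace for ace in acl if want in ace.flags]


def effective_mode(acl) -> int:
    """Synthesize rwx mode bits for owner/group/other from the class entries.

    NFSv4 semantics: entries are walked in order and the first one that mentions a
    permission decides it, allow or deny. everyone@ applies to all three classes;
    named user:/group: entries do not contribute to the mode bits.
    """
    mode = 0
    for cls, shift in CLASS_SHIFT:
        for letter, bit in MODE_BITS:
            for ace in acl:
                if ace.tag not in (cls, "everyone@") or letter not in ace.perms:
                    continue
                if ace.kind == "allow":
                    mode |= bit << shift
                break   # first entry mentioning this permission decides it
    return mode


def risky_grants(acl):
    """Allow entries that give write_acl (C) or write_owner (o) to anyone but owner@."""
    found = []
    for ace in acl:
        if ace.kind == "allow" and ace.tag != "owner@":
            bad = "".join(sorted(ace.perms & {"C", "o"}))
            if bad:
                found.append((ace.tag, bad))
    return found


def summarize(texts):
    """(inherited file mode, inherited directory mode, risky grants) for a directory's ACL."""
    acl = parse_acl(texts)
    return (effective_mode(inherited_entries(acl, "file")),
            effective_mode(inherited_entries(acl, "dir")),
            risky_grants(acl))


# Constructed sample: the 0664/0775 recipe, group@ without C/o.
RECIPE = [
    "owner@:rw-p-daARWcCos:f------:allow",
    "owner@:rwxpDdaARWcCos:-d-----:allow",
    "group@:rw-p-daARWc--s:f------:allow",
    "group@:rwxpDdaARWc--s:-d-----:allow",
    "everyone@:r-----a-R-c---:f------:allow",
    "everyone@:r-x---a-R-c---:-d-----:allow",
]
# Constructed: what group@ looks like when it is simply copied from the owner@ entry.
COPIED_FROM_OWNER = "group@:rw-p-daARWcCos:f------:allow"
# Constructed: a deny of write_data for everyone, to show that position matters.
DENY_WRITE = "everyone@:-w------------:f------:deny"

if __name__ == "__main__":
    file_mode, dir_mode, risky = summarize(RECIPE)
    print(f"files {file_mode:04o}, directories {dir_mode:04o}, risky grants: {risky}")
    print("copied owner@ entry:", summarize(RECIPE[:2] + [COPIED_FROM_OWNER] + RECIPE[3:])[2])
    files = [t for t in RECIPE if ":f------:" in t]
    print("deny first:", f"{effective_mode(parse_acl([DENY_WRITE] + files)):04o}",
          "deny last:", f"{effective_mode(parse_acl(files + [DENY_WRITE])):04o}")
```

Run as a script it reports 0664/0775 with no risky grants for the recipe, flags the copied owner@ entry as handing group@ both C and o, and shows the same deny entry turning the inherited file mode into 0444 when placed at position 0 and doing nothing when appended after the allows, which is the behaviour to keep in mind when choosing positions for -a.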