brandon/oam
1
0
Fork 0
mirror of https://gitea.com/mcereda/oam.git synced 2026-02-09 05:44:23 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
f53f60aac8483879f2cca1bfb0832074f4f46065
oam/knowledge base/acl.md
Michele Cereda bcd597f9ea chore: better acl-related information in articles
2023-09-17 19:07:40 +02:00

7.7 KiB
Raw Blame History

Access Control Lists assignment

Table of contents

  1. TL;DR
  2. Set default permissions for files and directories
    1. Posix
    2. NFSv4
  3. Further readings

TL;DR

When setting permissions, the execute flag can be set to the uppercase X instead of the lowercase x.
The uppercase X permission allows execution only if the target is a directory or if the execute permission has already been set for the user or group.

BSD systems use NFSv4 ACLs by default in ZFS. List of NFSv4 permission tags and inheritance options.

# Install the tool.
apt install 'acl'
dnf install 'acl'

# Show ACLs.
getfacl 'path/to/file'

# Set permissions for users.
setfacl -m 'u::r-x' 'path/to/file'
setfacl -m 'u::rwX' 'path/to/dir'
setfacl -m 'u:username:r-x' 'path/to/file'
setfacl -m 'u:username:rwX' 'path/to/dir'

# Add permissions for users.
# Position number starts from 0.
setfacl -a '1' 'u:username:rwx' 'path/to/file'
setfacl -a '2' 'u::rwX' 'path/to/dir'
setfacl -a '5' 'owner@:rw-p-daARWcCos::allow' 'path/to/file'
setfacl -a '6' 'owner@:rwxpDdaARWcCos::allow' 'path/to/dir'

# Set permissions for groups.
setfacl -m 'g::r-x' 'path/to/file'
setfacl -m 'g::rw-' 'path/to/dir'
setfacl -m 'g:username:r-x' 'path/to/file'
setfacl -m 'g:username:rwX' 'path/to/dir'

# Add permissions for groups.
# Position number starts from 0.
setfacl -a '2' 'g:groupname:r-x' 'path/to/file'
setfacl -a '4' 'g::rw-' 'path/to/dir'
setfacl -a '7' 'group@:r--p--aAR-c--s::allow' 'path/to/file'
setfacl -a '8' 'group@:r-xp--aAR-c--s::allow' 'path/to/dir'

# Add permissions for everyone else (others).
# Position number starts from 0.
setfacl -a '3' 'o::r-x' 'path/to/file'
setfacl -a '3' 'o::r-X' 'path/to/dir'
setfacl -a '9'  'everyone@:r-----a-R-c---::allow' 'path/to/file'
setfacl -a '10' 'everyone@:r-x---a-R-c---::allow' 'path/to/dir'

# Change multiple permissions in one command.
setfacl -m 'u::rw,g::r' 'path/to/file'
setfacl -m 'u::rwX,g::rwX,o::rx' 'path/to/dir'

# Make children files and directories inherit acls.
# A.K.A. set 'default' ACLs.
setfacl -dm 'u:dummy:rw' 'path/to/file'
setfacl -m 'default:u::rwX,g::rX,o:r' 'path/to/dir'
setfacl -a '11'    'group@:r-----a-R-c---:f------:allow' 'path/to/file'
setfacl -a '12' 'everyone@:r-x---a-R-c---:-d-----:allow' 'path/to/dir'

# Remove specific acls.
setfacl -x 'u:dummy:rw' 'test'

# Remove all ACL entries except for the ones synthesized from the file mode.
# If a 'mask' entry was in them, the resulting ACLs will be set accordingly.
setfacl -b 'path/to/file'

Set default permissions for files and directories

Suppose you want a folder to set the default permissions of newly created files and directories to 0664 (-rw-rw-r--) and 0775 (drwxrwxr-x) respectively.
The best way to achieve this would be to set up it's ACLs accordingly.

Posix

Who ACL Type Permissions Flags Translated getfacl Tags Resulting Unix Permissions
user Allow Read, Write File Inherit default:user::rw- -rw-------
user Allow Read, Write, Execute Directory Inherit default:user::rwX drwx------
group Allow Read, Write File Inherit default:group::rw- ----rw----
group Allow Read, Write, Execute Directory Inherit default:group::rwX d---rwx---
other Allow Read, Write File Inherit default:other::rw- -------rw-
other Allow Read, Write, Execute Directory Inherit default:other::rwX d------rwx 
setfacl -dm 'u::rwX' 'path/to/dir'
setfacl -dm 'g::rwX' 'path/to/dir'
setfacl -dm 'o::r-X' 'path/to/dir'

# Or, in one go.
setfacl -dm 'u::rwX,g::rwX,o::rX' 'path/to/dir'

NFSv4

Who ACL Type Permissions Flags Translated getfacl Tags Resulting Unix Permissions
owner@ Allow Read Data, Write Data, Append Data
Read Named Attributes, Write Named Attributes
Read Attributes, Write Attributes
Delete
Read ACL, Write ACL
Write Owner
Synchronize		 File Inherit owner@:rw-p-daARWcCos:f------:allow -rw-------
owner@ Allow Read Data, Write Data, Append Data
Read Named Attributes, Write Named Attributes
Execute
Read Attributes, Write Attributes
Delete, Delete Child
Read ACL, Write ACL
Write Owner
Synchronize		 Directory Inherit owner@:rwxpDdaARWcCos:-d-----:allow drwx------
group@ Allow Read Data, Write Data, Append Data
Read Named Attributes, Write Named Attributes
Read Attributes, Write Attributes
Delete
Read ACL, Write ACL
Write Owner
Synchronize		 File Inherit group@:rw-p-daARWcCos:f------:allow ----rw----
group@ Allow Read Data, Write Data, Append Data
Read Named Attributes, Write Named Attributes
Execute
Read Attributes, Write Attributes
Delete, Delete Child
Read ACL, Write ACL
Write Owner
Synchronize		 Directory Inherit group@:rwxpDdaARWcCos:-d-----:allow d---rwx---
everyone@ Allow Read Data
Read Named Attributes
Read Attributes
Read ACL		 File Inherit everyone@:r-----a-R-c---:f------:allow -------r--
everyone@ Allow Read Data
Read Named Attributes
Execute
Read Attributes
Read ACL		 Directory Inherit everyone@:r-x---a-R-c---:-d-----:allow d------r-x 
setfacl -m        'owner@:rw-p-daARWcCos:f------:allow' 'path/to/dir'
setfacl -a '1'    'owner@:rwxpDdaARWcCos:-d-----:allow' 'path/to/dir'
setfacl -m        'group@:r--p--aAR-c--s:f------:allow' 'path/to/dir'
setfacl -a '3'    'group@:r-xp--aAR-c--s:-d-----:allow' 'path/to/dir'
setfacl -m     'everyone@:r-----a-R-c---:f------:allow' 'path/to/dir'
setfacl -a '5' 'everyone@:r-x---a-R-c---:-d-----:allow' 'path/to/dir'

Further readings