A File Access Control List (FACL) lets you grant permissions on files and directories to specific users and groups. chmod sets permissions only for the owning user, the owning group and others, so it cannot grant an additional user access to the same file or directory. FACLs fill this gap, for example by allowing a non-privileged user to read a single file. FACLs are set with the setfacl command and displayed with the getfacl command.
Let's go over some examples to understand this better. The most common use case is granting access to log files.
To display the FACLs currently set on a file:
[root@ol7 log]# pwd
/var/log
[root@ol7 log]# getfacl yum.log
#file: yum.log
#owner: root
#group: root
user::rw-
group::---
other::---
To grant the oracle user read and write access via an FACL:
[root@ol7 log]# setfacl -m user:oracle:rw- yum.log
[root@ol7 log]# getfacl yum.log
#file: yum.log
#owner: root
#group: root
user::rw-
user:oracle:rw-
group::---
mask::rw-
other::---
[root@ol7 log]# ll yum.log
-rw-rw----+ 1 root root 223 Jul 18 16:47 yum.log
You can see that the oracle user now has read and write permissions on the yum.log file. The mask:: entry that appeared alongside it is the upper bound on the effective rights of named users and groups: an entry such as user:oracle:rw- is only effective to the extent the mask also allows it. Any file with FACLs set shows a "+" sign at the end of its permission string in ls output, as in the ll command above.
To remove all FACL entries from a file:
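As an added example (not from the original post), the following Python parses getfacl output of the kind shown above and applies the mask:: entry to compute each entry's effective rights, which is what getfacl -e prints. The sample output is constructed; the oracle user and wheel group in it are assumptions, and the mask is set to r-- to show the masking effect.

```python
# Parse getfacl output and compute effective rights as `getfacl -e` reports them.
# Added example, not from the original post; SAMPLE is constructed input.
PERM_BITS = {"r": 4, "w": 2, "x": 1}

# Constructed: the page's yum.log after setfacl, but with mask::r-- and a named group.
SAMPLE = """\
# file: yum.log
# owner: root
# group: root
user::rw-
user:oracle:rw-
group::---
group:wheel:r-x
mask::r--
other::---
"""

def perm_to_int(p):
    """'rw-' -> 6."""
    return sum(PERM_BITS[c] for c in p if c in PERM_BITS)

def int_to_perm(n):
    """6 -> 'rw-'."""
    return "".join(c if n & b else "-" for c, b in PERM_BITS.items())

def parse_getfacl(text):
    """Return (header, entries); entries are (tag, qualifier, perms) in file order."""
    header, entries = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):                 # "# file: yum.log" comment header
            key, _, val = line[1:].partition(":")
            header[key.strip()] = val.strip()
        else:
            tag, qual, perms = line.split(":", 2)
            entries.append((tag, qual, perms[:3]))  # drop any "#effective:" suffix from -e output
    return header, entries

def effective_rights(entries):
    """Map 'tag:qualifier' to effective perms. Only user:: (owner) and other:: bypass mask::."""
    mask = next((perm_to_int(p) for t, _, p in entries if t == "mask"), 7)
    result = {}
    for tag, qual, perms in entries:
        bits = perm_to_int(perms)
        masked = tag == "group" or (tag == "user" and qual)   # owning group, named user, named group
        result[f"{tag}:{qual}"] = int_to_perm(bits & mask if masked else bits)
    return result

def extra_writers(text):
    """Audit helper: named users/groups (hidden behind ls's '+') whose effective rights include write."""
    eff = effective_rights(parse_getfacl(text)[1])
    return sorted(k for k, v in eff.items() if "w" in v and k.split(":")[1])
```

Run extra_writers() over getfacl -R output from a log directory to list every principal that gained write access through an ACL rather than through the standard mode bits.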
[root@ol7 log]# setfacl -b yum.log
[root@ol7 log]# getfacl yum.log
#file: yum.log
#owner: root
#group: root
user::rw-
group::---
other::---
To set ACLs recursively on a directory and every file within it, use -R. Note that a directory needs the x (search) bit before its contents can be reached, so an rw- entry on the directory itself does not by itself let the user list or open the files inside.
[root@ol7 var]# setfacl -R -m user:oracle:rw- log
Here is the complete list of options for the getfacl and setfacl commands, as printed by their -h help output.
[root@ol7 log]# getfacl -h
getfacl 2.2.51 -- get file access control lists
Usage: getfacl [-aceEsRLPtpndvh] file ...
-a, --access display the file access control list only
-d, --default display the default access control list only
-c, --omit-header do not display the comment header
-e, --all-effective print all effective rights
-E, --no-effective print no effective rights
-s, --skip-base skip files that only have the base entries
-R, --recursive recurse into subdirectories
-L, --logical logical walk, follow symbolic links
-P, --physical physical walk, do not follow symbolic links
-t, --tabular use tabular output format
-n, --numeric print numeric user/group identifiers
-p, --absolute-names don't strip leading '/' in pathnames
-v, --version print version and exit
-h, --help this help text
[root@ol7 log]# setfacl -h
setfacl 2.2.51 -- set file access control lists
Usage: setfacl [-bkndRLP] { -m|-M|-x|-X ... } file ...
-m, --modify=acl modify the current ACL(s) of file(s)
-M, --modify-file=file read ACL entries to modify from file
-x, --remove=acl remove entries from the ACL(s) of file(s)
-X, --remove-file=file read ACL entries to remove from file
-b, --remove-all remove all extended ACL entries
-k, --remove-default remove the default ACL
--set=acl set the ACL of file(s), replacing the current ACL
--set-file=file read ACL entries to set from file
--mask do recalculate the effective rights mask
-n, --no-mask don't recalculate the effective rights mask
-d, --default operations apply to the default ACL
-R, --recursive recurse into subdirectories
-L, --logical logical walk, follow symbolic links
-P, --physical physical walk, do not follow symbolic links
--restore=file restore ACLs (inverse of `getfacl -R')
--test test mode (ACLs are not modified)
-v, --version print version and exit
-h, --help this help text