Files and directories have permission sets for the owner of the file, the group associated with the file, and all other users for the system. However, these permission sets have limitations. For example, different permissions cannot be configured for different users. Thus, Access Control Lists (ACLs) were implemented.
Red Hat Enterprise Linux-7 System Administrators Guide
The access control list provides an additional permission method for file systems, allowing you to grant permissions for any user or group to any disk resource.
Note: For these exercises, we will use the users and groups created in this previous post.
$ tail -8 /etc/group rachel:x:1001: ross:x:1002: monica:x:1003: chandler:x:1004: phoebe:x:1005: joey:x:1006: friends_girls:x:1007:monica,rachel,phoebe friends_guys:x:1008:chandler,ross,joey
To see the acl of a directory, we use the getfacl command:
[root@cliente1 serie]# getfacl friends_guys/ file: friends_guys/ owner: root group: friends_guys flags: -st user::rwx group::rwx other::--- [root@cliente1 serie]# getfacl friends_girls/ file: friends_girls/ owner: root group: friends_girls flags: -st user::rwx group::rwx other::--- ** In this case, acl has not yet been applied to these directories **
Exercise I
The group friends_guys must be able to read and write in friends_girls directory.
Apply the ACL
[root@cliente1 serie]#setfacl -Rm g:friends_guys:rwX /serie/friends_girls/
---------------------
R : recursively(because there are already files inside in this case)
m : modify
g : group
X : eXecution permission("ls" and "cd") over directories not over files.
Create the default ACL
note: You should always apply a second ACL (default ACL) when an ACL was applied to a directory.
[root@cliente1 serie]# setfacl -m d:g:friends_guys:rwx /serie/friends_girls/ --------------------- d : default
and check:
[root@cliente1 serie]# getfacl friends_girls/ file: friends_girls/ owner: root group: friends_girls flags: -st user::rwx group::rwx group:friends_guys:rwx mask::rwx other::--- default:user::rwx default:group::rwx default:group:friends_guys:rwx default:mask::rwx default:other::--- [root@cliente1 serie]# ls -als friends_girls/ total 4 0 drwxrws--T+ 2 root friends_girls 17 May 20 22:53 . 0 drwxr-xr-x. 4 root root 47 May 16 21:41 .. 4 -rw-rw-r--+ 1 monica friends_girls 36 May 20 22:55 123
in construction…