Create and manage Access Control Lists (ACLs)

Files and directories have permission sets for the owner of the file, the group associated with the file, and all other users for the system. However, these permission sets have limitations. For example, different permissions cannot be configured for different users. Thus, Access Control Lists (ACLs) were implemented.

Red Hat Enterprise Linux-7 System Administrators Guide

The access control list provides an additional permission method for file systems, allowing you to grant permissions for any user or group to any disk resource.

Note: For these exercises, we will use the users and groups created in this previous post.

$ tail -8 /etc/group
 rachel:x:1001:
 ross:x:1002:
 monica:x:1003:
 chandler:x:1004:
 phoebe:x:1005:
 joey:x:1006:
 friends_girls:x:1007:monica,rachel,phoebe
 friends_guys:x:1008:chandler,ross,joey

To see the acl of a directory, we use the getfacl command:

[root@cliente1 serie]# getfacl friends_guys/
 file: friends_guys/
 owner: root
 group: friends_guys
 flags: -st
 user::rwx
 group::rwx
 other::---
 
[root@cliente1 serie]# getfacl friends_girls/
 file: friends_girls/
 owner: root
 group: friends_girls
 flags: -st
 user::rwx
 group::rwx
 other::---

** In this case, acl has not yet been applied to these directories **

Exercise I

The group friends_guys must be able to read and write in friends_girls directory.

Apply the ACL

[root@cliente1 serie]#setfacl -Rm g:friends_guys:rwX /serie/friends_girls/
---------------------
R : recursively(because there are already files inside in this case)
m : modify
g : group
X : eXecution permission("ls" and "cd") over directories not over files.

Create the default ACL

note: You should always apply a second ACL (default ACL) when an ACL was applied to a directory.

[root@cliente1 serie]# setfacl -m d:g:friends_guys:rwx /serie/friends_girls/
---------------------
d : default

and check:

[root@cliente1 serie]# getfacl friends_girls/
 file: friends_girls/
 owner: root
 group: friends_girls
 flags: -st
 user::rwx
 group::rwx
 group:friends_guys:rwx
 mask::rwx
 other::---
 default:user::rwx
 default:group::rwx
 default:group:friends_guys:rwx
 default:mask::rwx
 default:other::---

[root@cliente1 serie]# ls -als friends_girls/
 total 4
 0 drwxrws--T+ 2 root   friends_girls 17 May 20 22:53 .
 0 drwxr-xr-x. 4 root   root          47 May 16 21:41 ..
 4 -rw-rw-r--+ 1 monica friends_girls 36 May 20 22:55 123

in construction…