7.6. POSIX Access Control Lists

POSIX Access Control Lists (ACLs) allow different permissions for different users or groups to be assigned to files or directories, independent of the original owner or the owning group.
For example, the user John creates a file. He does not allow anyone in the group to access the file, except for another user, Antony (even if there are other users who belong to the group john).
This means, in addition to the file owner, the file group, and others, additional users and groups can be granted or denied access by using POSIX ACLs.

7.6.1. Setting POSIX ACLs

Two types of POSIX ACLs are available: access ACLs, and default ACLs.
Use access ACLs to grant permission to a specific file or directory.
Use default ACLs to set permissions at the directory level for all files in the directory. If a file inside that directory does not have an ACL, it inherits the permissions of the default ACLs of the directory.
ACLs can be configured for each file:
  • Per user
  • Per group
  • Through the effective rights mask
  • For users not in the user group for the file

7.6.1.1. Setting Access ACLs

Access ACLs grant permission for both files and directories.
The # setfacl –m entry_typefile_name command sets and modifies access ACLs

setfaclentry_type Options

The ACL entry_type translates to the POSIX ACL representations of owner, group, and other.
Permissions must be a combination of the characters r (read), w (write), and x (execute). Specify the ACL entry_type as described below, separating multiple entry types with commas.
u:user_name:permissons
Sets the access ACLs for a user. Specify the user name, or the UID.
g:group_name:permissions
Sets the access ACLs for a group. Specify the group name, or the GID.
m:permission
Sets the effective rights mask. The mask is the combination of all access permissions of the owning group, and all user and group entries.
o:permissions
Sets the access ACLs for users other than the ones in the group for the file.
If a file or directory already has a POSIX ACL, and the setfacl command is used, the additional permissions are added to the existing POSIX ACLs or the existing rule is modified.
For example, to give read and write permissions to user antony:
# setfacl -m u:antony:rw /mnt/gluster/data/testfile

7.6.1.2. Setting Default ACLs

New files and directories inherit ACL information from their parent directory, if that parent has an ACL that contains default entries. Default ACL entries can only be set on directories.
The # setfacl -d --set entry_type directory command sets default ACLs for files and directories.

setfaclentry_type Options

The ACL entry_type translates to the POSIX ACL representations of owner, group, and other.
Permissions must be a combination of the characters r (read), w (write), and x (execute). Specify the ACL entry_type as described below, separating multiple entry types with commas.
u:user_name:permissons
Sets the access ACLs for a user. Specify the user name, or the UID.
g:group_name:permissions
Sets the access ACLs for a group. Specify the group name, or the GID.
m:permission
Sets the effective rights mask. The mask is the combination of all access permissions of the owning group, and all user and group entries.
o:permissions
Sets the access ACLs for users other than the ones in the group for the file.
For example, run # setfacl -d --set o::r /mnt/gluster/data to set the default ACLs for the /data directory to read-only for users not in the user group,

Note

An access ACL set for an individual file can override the default ACL permissions.
Effects of a Default ACL
The following are the ways in which the permissions of a directory's default ACLs are passed to the files and subdirectories in it:
  • A subdirectory inherits the default ACLs of the parent directory both as its default ACLs and as an access ACLs.
  • A file inherits the default ACLs as its access ACLs.

7.6.2. Retrieving POSIX ACLs

Run the # getfacl command to view the existing POSIX ACLs for a file or directory.
# getfacl path/filename
View the existing access ACLs of the sample.jpg file using the following command.
# getfacl /mnt/gluster/data/test/sample.jpg
# owner: antony
# group: antony
user::rw-
group::rw-
other::r--
# getfacl directory name
View the default ACLs of the /doc directory using the following command.
# getfacl /mnt/gluster/data/doc
# owner: antony
# group: antony
user::rw-
user:john:r--
group::r--
mask::r--
other::r--
default:user::rwx
default:user:antony:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

7.6.3. Removing POSIX ACLs

Run # setfacl -x ACL entry_type file to remove all permissions for a user, groups, or others.

setfaclentry_type Options

The ACL entry_type translates to the POSIX ACL representations of owner, group, and other.
Permissions must be a combination of the characters r (read), w (write), and x (execute). Specify the ACL entry_type as described below, separating multiple entry types with commas.
u:user_name
Sets the access ACLs for a user. Specify the user name, or the UID.
g:group_name
Sets the access ACLs for a group. Specify the group name, or the GID.
m:permission
Sets the effective rights mask. The mask is the combination of all access permissions of the owning group, and all user and group entries.
o:permissions
Sets the access ACLs for users other than the ones in the group for the file.
For example, to remove all permissions from the user antony:
# setfacl -x u:antony /mnt/gluster/data/test-file

7.6.4. Samba and ACLs

POSIX ACLs are enabled by default when using Samba to access a Red Hat Storage volume. Samba is compiled with the --with-acl-support option, so no special flags are required when accessing or mounting a Samba share.