Is non-root user able to set/modify/remove ACL for a file or a directoryt using setfacl command?
Environment
- Red Hat Enterprise Linux 6
Issue
- Is non-root user able to set/modify/remove ACL for a file or a directory using setfacl command?
Resolution
Yes, non-root user can set/modify/remove ACL for a file or a directory which is owned by itself.
Example:
$ whoami
user1
$ ll file1
-rw-rw-r--. 1 user1 user1 0 Sep 9 16:18 file1
$ setfacl -m user:user1:rwx file1
$ getfacl file1
# file: file1
# owner: user1
# group: user1
user::rw-
user:user1:rwx
group::rw-
mask::rwx
other::r--
Please note, only root user who has "CAP_FOWNER" capability can set/modify/remove ACL for a file or a directory which is not owned by root.
Example:
$ whoami
user1
$ ll file2
-rw-rw-r--. 1 root user1 0 Sep 9 16:19 file2
$ setfacl -m user:user1:rwx file2
setfacl: file2: Operation not permitted
# whoami
root
# ll file3
-rw-r--r--. 1 user1 user1 0 Sep 9 16:22 file3
# setfacl -m user:root:rwx file3
# getfacl file3
# file: file3
# owner: user1
# group: user1
user::rw-
user:root:rwx
group::r--
mask::rwx
other::r--
Root Cause
SETFACL(1)
PERMISSIONS
The file owner and processes capable of CAP_FOWNER are granted
the right to modify ACLs of a file. This is analogous to the
permissions required for accessing the file mode. (On current
Linux systems, root is the only user with the CAP_FOWNER capa-
bility.)
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
Comments