
setfacl and getfacl – Set File Access Control List on Linux


Controlling file permissions in server environments is of immense importance to system administrators. Everything in Linux is an object, and every object has an owner. Generally you own the objects that you create. Linux also has a super-user, called root, who can access every user's files on the system. In this article we look at the setfacl and getfacl commands. setfacl lets you establish and manage file permissions, and getfacl lets you report on them, in both cases reaching beyond the traditional read, write and execute permissions on Linux systems. For example, while traditional Linux commands only let you associate a single group with a file, setfacl lets you give specific permissions to other groups as well. You can also give permissions to individual users.

Know more about Linux file permissions here: Linux File Permissions


Say you have a file named myfile and you want one other user to have full read, write and execute permissions to it.

[Figure: ls listing of myfile before the ACL is added]

The general form of the command is: setfacl -m u:username:rwx file-name

# setfacl -m u:jdoe:rwx myfile

In this setfacl command, -m means "modify", "u:jdoe" indicates that we are giving access to a user named jdoe, ":rwx" indicates the permissions being granted, and myfile is the file we are using in this example. Now notice that the only differences in the file listing are that the group permission field now shows rwx (read, write and execute) and that the permissions string is followed by a + sign (-rw-rwxr--+). The + sign indicates that there are permissions beyond the read, write and execute assignments for owner, group and others. Note that once a file has an ACL, the group field of ls -l shows the ACL mask, the upper bound applied to named users, named groups and the owning group, rather than the owning group's own entry, so it cannot be read as "the group has rwx".


To see more information on what that + sign indicates, use the getfacl command:

# getfacl myfile

Notice that this listing includes a separate line for jdoe’s permissions.

The setfacl command also lets you assign permissions to, and remove them from, groups, as shown in these commands.

To give read and execute permissions to the group fish:

setfacl -m g:fish:r-x myfile

To remove the group fish's entry from the ACL:

setfacl -x g:fish: myfile
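As an added example (not code from the original article), the following Python script parses getfacl output and computes what each principal can actually do once the ACL mask is applied, which is the detail the + sign in ls -l hides. The getfacl text below is constructed for the example, not captured from a real system, and the user and group names are the article's own.

```python
# Constructed sample of getfacl output (not captured from a real system).
# The mask has been tightened to r-x, so jdoe's rwx entry is limited.
SAMPLE_GETFACL = """\
# file: myfile
# owner: root
# group: root
user::rw-
user:jdoe:rwx
group::r--
group:fish:r-x
mask::r-x
other::r--
"""

PERM_BITS = {"r": 4, "w": 2, "x": 1}

def perm_to_int(perm):  # 'r-x' -> 5
    return sum(PERM_BITS[c] for c in perm if c in PERM_BITS)

def int_to_perm(value):  # 5 -> 'r-x'
    return "".join(c if value & b else "-" for c, b in PERM_BITS.items())

def parse_getfacl(text):
    # Header comments ('# file: ...') are skipped and a trailing
    # '#effective:...' annotation on an entry is dropped.
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line and not line.startswith("default:"):  # access ACL only
            tag, qualifier, perms = line.split(":")
            entries.append((tag, qualifier, perms))
    return entries

def effective_permissions(entries):
    # The mask caps named users, named groups and the owning group; the
    # owner (user::) and other:: entries are never masked.
    mask = perm_to_int(next((p for t, _, p in entries if t == "mask"), "rwx"))
    eff = {}
    for tag, qual, perms in entries:
        if tag != "mask":
            capped = tag == "group" or (tag == "user" and qual != "")
            bits = perm_to_int(perms) & (mask if capped else 7)
            eff[f"{tag}:{qual}"] = int_to_perm(bits)
    return eff

def masked_principals(entries):
    # Entries the mask reduces (getfacl marks these with '#effective:').
    eff = effective_permissions(entries)
    return [f"{t}:{q}" for t, q, p in entries
            if t != "mask" and eff[f"{t}:{q}"] != p]
```

Running effective_permissions(parse_getfacl(SAMPLE_GETFACL)) shows jdoe limited to r-x despite the rwx entry, so a grant made with setfacl -m should always be verified with getfacl rather than ls -l.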

About the author

Ajay Verma

A Computer Science Graduate, who works extensively on open source projects. His Areas Of interest are: Network Security, Linux Administration, FOSS, Python, and C programming.
