Overview
By the end of this article you should be able to answer the following questions:
1. Update user+group ownerships using chown (if necessary).
2. Update the normal ugo+rwx permissions using chmod (if necessary).
3. Update suid, sgid, and sticky bit special permissions, if necessary.
4. Apply ACL settings recursively to all existing child files/folders (using the setfacl command)
5. Set default ACL settings on the folder (using the setfacl command)
$ setfacl -R -m user:jerry:rwX /tmp/research-team-folder
The capital X means execute permission is applied to child folders but not to files.
$ setfacl -m default:user:jerry:rwX /tmp/research-team-folder
$ getfacl /tmp/file1 | setfacl --set-file=- /tmp/file2
Using ACL on directories
So far we have seen how to give a user/group special permissions for a particular file. However, you can also give a user/group special permissions to a folder. This is a very common scenario, and in it you will usually want to:
- Recursively apply the same special permissions to everything inside this folder
- Set default permissions on the folder, so that all future new files+folders created inside it automatically inherit the same special permissions.
To achieve this, we need to take the following steps:
- First set directory’s standard permissions using the chmod and chown command.
- Apply ACL settings recursively to all existing child files/folders
- Set default ACL settings on the folder
Now let’s take a look at the permissions of the “research-team-folder”:
$ ls -l /tmp | grep "research-team-folder"
drwxr-xr-x. 2 nobody research 6 Nov 15 22:32 research-team-folder
At the moment it doesn’t have any special permissions:
$ getfacl /tmp/research-team-folder/
getfacl: Removing leading '/' from absolute path names
# file: tmp/research-team-folder/
# owner: nobody
# group: research
user::rwx
group::r-x
other::r-x
Let’s say we have a user called “jerry” that isn’t a member of the “research” group, but we want to give it access to this folder via special permissions. Now let’s apply the ACL permission:
$ setfacl -R -m user:jerry:rwX /tmp/research-team-folder
Here we are saying (R)ecursively (m)odify the “user” entry for jerry to “rwX” on the research-team-folder.
Note: the capital “X” applies “execute” to child folders only and not to child files (the exception is a file that already has an execute bit set for some user, which gets execute for jerry as well).
Now let’s see what the ACL permissions have become:
$ getfacl /tmp/research-team-folder
# file: research-team-folder/
# owner: nobody
# group: research
user::--x
group::rwx
user:jerry:rwx
mask::rwx
other::--x
All the files+folders that already exist inside research-team-folder now have the same special permissions assigned to them. However, any new files+folders created inside research-team-folder won’t have any special permissions applied to them. To overcome this we need to set default special permissions.
Now we apply the default permission:
$ setfacl -m default:user:jerry:rwx /tmp/research-team-folder
Note: “default acls” are something that you can only apply to folders and not files. In fact the concept of default special permissions on files wouldn’t make any sense anyway.
Now we end up with:
$ getfacl /tmp/research-team-folder
getfacl: Removing leading '/' from absolute path names
# file: tmp/research-team-folder
# owner: nobody
# group: research
user::rwx
user:jerry:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:jerry:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
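As an added example (not part of the original article), the check below reads getfacl output and reports whether a user has only the recursive access entry from the first setfacl step or also the default entry from the second. The function names acl_perms and acl_state are made up for this example, and the sample ACL text is constructed from the listings above.

```sh
# Added example. Sample ACL text is constructed from the getfacl listings above.
ACL_BEFORE='# file: tmp/research-team-folder/
user::rwx
group::r-x
other::r-x'
ACL_ACCESS_ONLY='# file: research-team-folder/
user::--x
group::rwx
user:jerry:rwx
mask::rwx
other::--x'
ACL_WITH_DEFAULT='# file: tmp/research-team-folder
user::rwx
user:jerry:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:jerry:rwx
default:group::r-x
default:mask::rwx
default:other::r-x'

# acl_perms USER [default]: print the rwx string of USER's named entry, if any.
acl_perms() {
    awk -F: -v who="$1" -v scope="${2:-access}" '
        /^#/ || NF == 0 { next }        # skip header comments and blank lines
        { sub(/[ \t]*#.*/, "") }        # drop trailing "#effective:" comments
        scope == "default" && $1 == "default" && $2 == "user" && $3 == who { print $4; exit }
        scope == "access"  && $1 == "user" && $2 == who { print $3; exit }
    '
}

# acl_state USER: classify the directory ACL read from stdin.
#   none        - USER has no named entry
#   access-only - existing content is covered, new children will not inherit
#   inherited   - access and default entries are both present
acl_state() {
    acl=$(cat)
    access=$(printf '%s\n' "$acl" | acl_perms "$1")
    dflt=$(printf '%s\n' "$acl" | acl_perms "$1" default)
    if [ -z "$access" ]; then echo none
    elif [ -z "$dflt" ]; then echo access-only
    else echo inherited
    fi
}
```

On a real system, pipe live output into it, for example: getfacl /tmp/research-team-folder | acl_state jerry. A result of access-only means the default ACL step was skipped and new files will not be readable by jerry.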