Note: This is an RHCSA 7 exam objective.
Presentation
When basic file permissions are not enough, you can use ACL.
ACL stands for Access Control Lists.
Prerequisites
Before doing this, you have to check whether the partition permits ACLs.
To check that ACLs work, type:
# mount
/dev/mapper/vg_root-lv_root on / type ext4 (rw)
If acl does not appear among the mount options (as in this case), you have to edit the /etc/fstab file, add “,acl” after the defaults or rw option and then remount the partition:
# mount -o remount /
ACL Configuration
To allow read/write access to the user bob on the file called f (-m for modify, u for user, rw- for read/write access), type:
# setfacl -m u:bob:rw- f
To request access control list status on the same file f, type:
# getfacl f
# file: f
# owner: root
# group: root
user::rw-
user:bob:rw-
group::r--
mask::rw-
other::r--
To remove permissions allowed to the user bob (-x for remove, u for user), type:
# setfacl -x u:bob f
To remove all the ACLs on a file called f (-b for remove-all), type:
# setfacl -b f
To allow read/execute permissions to the group called team on a directory dir and all the files inside (-R for recursive, -m for modify, g for group, r-x for read/execute access), type:
# setfacl -R -m g:team:r-x dir
To get the result, type:
# getfacl dir
# file: dir
# owner: root
# group: root
user::rwx
group::r-x
group:team:r-x
mask::r-x
other::r-x
Additional Resources
You can watch Ralph Nyberg's video about Configuring ACLs (18min/2015).
Also, the setfacl man page is a good source of information.
While they aren’t directly considered ACLs, do you think that the RHCSA exam might include questions regarding lsattr and chattr? I haven’t run into much need for them, but Michael Jang’s book covers them and makes it seem like they might be included.
Also, if you are using an xfs filesystem, it seems like you don’t need to edit fstab at all for ACLs. I haven’t tested this on RHEL but in CentOS 7, I could manipulate ACLs without the flag in /etc/fstab.
Just to confirm, I placed the acl after defaults as I have done with ext4 systems before and then ran:
> mount | grep /dev/sda1 # it returned this:
> /dev/sda1 on / type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
It seems like XFS doesn’t mount with the ACL option at all despite me mounting it in fstab and telling it to do that. Any thoughts?
Concerning the lsattr and chattr commands, you can spend several minutes to learn how to use them and if a question occurs during an exam, display the related man pages.
Concerning the acl option, I have seen the same situation with the ext4 file system: it seems that this option is a default. If acls work without specifying them, I don’t think you need to waste your time to set it.
Hi CertDepot,
I would like to ask if including ,acl after defaults in /etc/fstab is a must. I have set an acl on a directory (ext4 type btw) and the configuration persisted even after reboot.
Concerning ext4, I think setting the acl option in the /etc/fstab is not necessary because ext4 is acl-aware by default.
Thank you Certdepot!
Hi CertDepot,
Is it okay also to add the ‘d’ right after you set an acl? Please see the sample below. Thanks
# setfacl -R -m d:g:team:r-x dir
Yes, it’s okay. This way you define a default ACL.
Thanks.
ACL is enabled by default on EXT4 if the filesystem is created on an RHEL 7 installation, if I am not mistaken.
This tutorial was initially written for RHEL 6.
In the case of RHEL 7, you don’t need to check, it is by default. I agree.
On RHEL7 the default file system is XFS. For XFS acl option is also default so you do not have to put it in /etc/fstab.
Yes, I know. This tutorial was initially written for RHEL 6.
I saw your comment 🙂 So it is the most thankless thing in the blogs, that you must update it 🙂
I’m perfectly aware of the defects of my website but I lack time and sometimes WordPress skills to fix them.
It’s sad but it’s true!
Maybe you should warn users against interpreting output from getfacl, especially the line “#effective:”.
Can you explain a little bit?
For example when you have mask on file:
mask::r--
and you will try to use
setfacl -m u:user01:rwx
your effective acl for user01 will be r only which will be indicated by:
#effective:r--
For me, it is an advanced topic that I’m not sure to master myself (because I never had to use it, RHCSA exam included!) 😉
If I can find some detailed information about it, I will add it to the tutorial.
Thanks.
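The mask behaviour raised in the comment above, and the getfacl output shown in the ACL Configuration section, can be checked offline. The following is an added example (not part of the tutorial): it parses getfacl output and applies the POSIX ACL mask rule, under which the mask caps named users, named groups and the owning group, while the file owner (user::) and other:: are never masked. The sample output is constructed to mirror the tutorial's format.

```python
# Added example: compute the rights an ACL entry actually grants after the
# mask is applied, the way getfacl reports them with "#effective:".
# The sample below is constructed; it is not output from a real system.
SAMPLE = """\
# file: f
# owner: root
# group: root
user::rw-
user:bob:rwx
group::r--
group:team:r-x
mask::r--
other::r--
"""


def parse_getfacl(text):
    """Return a list of (tag, qualifier, perms) from getfacl(1) output."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # header lines ("# file:", "# owner:", ...) carry no entry
        tag, qualifier, perms = line.split(":", 2)
        # perms may be followed by a tab and "#effective:..."; keep only rwx
        entries.append((tag, qualifier, perms[:3]))
    return entries


def perms_and(a, b):
    """Intersection of two rwx strings, e.g. ('rwx', 'r--') -> 'r--'."""
    return "".join(x if x == y and x != "-" else "-" for x, y in zip(a, b))


def effective_perms(entries):
    """Map 'tag:qualifier' -> rights that remain once the mask is applied."""
    mask = next((p for t, q, p in entries if t == "mask"), None)
    result = {}
    for tag, qualifier, perms in entries:
        # Masked: named users (user:bob), the owning group (group::) and
        # named groups (group:team). Not masked: user::, mask::, other::.
        masked = tag == "group" or (tag == "user" and qualifier != "")
        result[f"{tag}:{qualifier}"] = perms_and(perms, mask) if (mask and masked) else perms
    return result


def annotate(text):
    """Re-emit entries, appending #effective: wherever the mask reduces rights."""
    entries = parse_getfacl(text)
    eff = effective_perms(entries)
    lines = []
    for tag, qualifier, perms in entries:
        e = eff[f"{tag}:{qualifier}"]
        suffix = f"\t\t#effective:{e}" if e != perms else ""
        lines.append(f"{tag}:{qualifier}:{perms}{suffix}")
    return lines
```

Running annotate(SAMPLE) shows user:bob:rwx reduced to #effective:r-- by the r-- mask, which is why a setfacl -m u:user:rwx can appear to have no effect until the mask is raised (setfacl -m m::rwx f).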
Hi guys.
One question: I set an ACL on a directory with the -R option so all the files contained receive the same setting. Then if I create a new file inside this dir, it has no ACL. How does inheritance work with folders, when talking about ACLs?
Did you apply the default ACL? See below.
# setfacl -R -m g:mygroup:rwX /folder
# setfacl -R -m d:g:mygroup:rwx /folder
Thank you Lisenet. I missed the -d option.