Working With ACLs

General Information

File servers that run Microsoft Windows typically have shared resources locked down to some users or groups, while other users or groups have full rights on the same share. How can this be if standard permissions are generic for one user, one group, and everybody? This is accomplished with Access Control Lists (ACLs), and the UNIX environment can also apply these variable permissions to files and directories. Not only does it support the feature, Windows clients that connect to your Samba shares will respect the ACLs as well.


  1. Local root access on the box, or the ability to su to root.
  2. An SSH client that supports ANSI colors, such as PuTTY or SecureCRT (if you aren’t on the box).
  3. A UFS filesystem.


By default, ACL support is disabled on all partitions or mount points. We can verify this by viewing the mount table.

 # mount
 /dev/ad1s1a on / (ufs, local)
 devfs on /dev (devfs, local)
 /dev/ad1s1e on /tmp (ufs, local, soft-updates)
 /dev/ad1s1f on /usr (ufs, local, soft-updates)
 /dev/ad1s1d on /var (ufs, local, soft-updates)

As you can see, none of the mount points has ACL support enabled, as "acls" does not appear in the list. So, let’s enable ACLs on the /usr partition. In order to enable ACL support on any partition, it has to be unmounted first. Unmounting system partitions can only be done in single-user mode. Boot into single-user mode or, if you are already in multi-user mode, issue a shutdown.

 # shutdown now 

You will then be prompted for the root password for single-user mode. Once there, unmount /usr, add ACL support, mount /usr, and reboot into multi-user mode.

Note: Replace /dev/ad1s1f and /usr with the relevant partition and mountpoint for your system.
 # umount /usr
 # tunefs -a enable /dev/ad1s1f
 tunefs: ACLs set
 # mount /dev/ad1s1f /usr

You can verify the ACL support by viewing your mountpoints.

 # mount
 /dev/ad1s1a on / (ufs, local)
 devfs on /dev (devfs, local)
 /dev/ad1s1e on /tmp (ufs, local, soft-updates)
 /dev/ad1s1f on /usr (ufs, local, soft-updates, acls)
 /dev/ad1s1d on /var (ufs, local, soft-updates)

As you can see, the /usr mountpoint now has ACL support enabled. Reboot into multi-user mode now.

 # shutdown -r now


Modify ACL

Now that ACL support is enabled on the /usr mountpoint, let’s discuss using the feature on files and directories. We will be using two commands: setfacl(1) to set ACL information and getfacl(1) to display it. For this guide we will create a file for testing purposes.

 # echo "My file" > file.txt 

We can view the current ACL information on file.txt by using getfacl.

 # getfacl file.txt
 #file:file.txt
 #owner:1001
 #group:0
 user::rw-
 group::r--
 other::r--

As you can see, there’s nothing special about the permissions yet, just the default user, group, and other permissions. Now, let’s restrict everyone from being able to read the file, while still allowing the owner and bob to read it.

 # setfacl -m u:bob:r,o:: file.txt 

Now, let’s see how that affected the regular permission listing.

 # ls -l file.txt
 -rw-r-----+ 1 jon wheel - 8 Feb 21 00:16 file.txt

Notice the plus sign (+) at the end of the permissions listing. This indicates that an ACL is set for that file or directory. Let’s view it.

 # getfacl file.txt
 #file:file.txt
 #owner:1001
 #group:0
 user::rw-
 user:bob:r--
 group::r--
 mask::r--
 other::---

The breakdown is as follows: the default user’s permissions are read/write, bob’s permissions are read only, the default group’s permissions are read, and everyone else gets no privileges. You can test this by attempting to access the file.

Now, what if you wanted everyone to read and write to the file, but you don’t want bob to access it? Piece of cake. Just set new ACLs.

 # setfacl -m u:bob:,o::rw file.txt 

If bob tries to access the file, he will get a permission denied message. Everyone else may access it just fine.
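
The access decision described above, worked through as an added example that is not part of the original guide: the function reads getfacl output and reports the effective permissions for the owner, a named user, the owning group, or other. The second listing is constructed to match the state after the setfacl command above, and the function assumes a user without a named entry is not in the owning group.

```sh
#!/bin/sh
# Added example (not from the original guide): compute the effective rwx
# for one ACL class from getfacl(1) text. WHO is "owner", "group", "other",
# or a user name. Assumption: a user with no named entry is not in the
# owning group, so it is evaluated as "other".
effective_perms() {
    awk -F: -v who="$1" '
        # Keep a permission bit only if the mask also carries it.
        function masked(p, m,    i, c, out) {
            out = ""
            for (i = 1; i <= 3; i++) {
                c = substr(p, i, 1)
                out = out ((c != "-" && substr(m, i, 1) == c) ? c : "-")
            }
            return out
        }
        /^#/ || NF < 3 { next }               # skip header comments, blanks
        { sub(/[ \t].*$/, "", $3) }           # drop trailing "# effective" notes
        $1 == "user"  && $2 == "" { owner = $3 }
        $1 == "user"  && $2 != "" { named[$2] = $3 }
        $1 == "group" && $2 == "" { group = $3 }
        $1 == "mask"              { mask = $3; has_mask = 1 }
        $1 == "other"             { other = $3 }
        END {
            # Order matters: a named entry wins over "other", even when empty.
            if (who == "owner")      print owner
            else if (who in named)   print (has_mask ? masked(named[who], mask) : named[who])
            else if (who == "group") print (has_mask ? masked(group, mask) : group)
            else                     print other
        }'
}

# Listing shown in the guide after: setfacl -m u:bob:r,o:: file.txt
acl_read_only() {
    printf '%s\n' '#file:file.txt' '#owner:1001' '#group:0' \
        'user::rw-' 'user:bob:r--' 'group::r--' 'mask::r--' 'other::---'
}

# Constructed listing for the state after: setfacl -m u:bob:,o::rw file.txt
acl_bob_denied() {
    printf '%s\n' '#file:file.txt' '#owner:1001' '#group:0' \
        'user::rw-' 'user:bob:---' 'group::r--' 'mask::r--' 'other::rw-'
}

for who in owner bob group other; do
    printf '%-6s read-only=%s  bob-denied=%s\n' "$who" \
        "$(acl_read_only | effective_perms "$who")" \
        "$(acl_bob_denied | effective_perms "$who")"
done
```

On a live system, pipe real output into it, for example: getfacl file.txt | effective_perms bob.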

Delete ACL

Now that you have ACLs set on files, over time you may need to change those permissions, perhaps removing a user from the list altogether.

 # setfacl -n -x u:bob: file.txt 

The permissions for bob are now removed. Now, if you wanted to remove the ACL from the file completely, use:

 # setfacl -bn file.txt 

All ACL permissions are removed and you can verify this with a standard listing.

 # ls -l file.txt
 -rw-r--rw- 1 jon wheel - 8 Feb 21 09:06 file.txt

Copying ACLs

You might be thinking that ACLs are pretty neat, but how can a single one be applied to several files or a directory recursively? It’s pretty simple. Just copy the ACL from one file to the next after setting up the original file.

 # setfacl -m u::rwx,g::rw,o::,u:bob:r file.txt
 # getfacl file.txt
 #file:file.txt
 #owner:1001
 #group:0
 user::rwx
 user:bob:r--
 group::rw-
 mask::rw-
 other::---
 # touch file2.txt
 # getfacl file.txt | setfacl -b -n -M - file2.txt

The ACL applied on file.txt is now applied to file2.txt as well.
