Thursday, July 1, 2021

Linux file/directory permissions and extended permissions/ACL (getfacl/setfacl)

 [admino@mwg www]$ getfacl SystemFiles/

# file: SystemFiles/

# owner: www-data

# group: www-data

user::rwx

group::rwx

other::r-x


#Give access to admino user:

#-m modifies the ACL (adds or changes entries)

#-x removes an entry; the permission field is left out (setfacl -x u:sales test/)

#-d (or the d: prefix) sets 'default' entries that new files and subdirectories inherit; only valid on a directory

# u: / g: / o: / m: / d: are user, group, others, mask, default (the same as -d)

#

#read (r or 4) – read file; list directory content

#write (w or 2) – modify file; on a directory, together with x, create, delete and rename entries (rm, cp, mv files and subdirectories) regardless of the entries' own permissions; without x it has no effect

#execute (x or 1) – execute file; enter (traverse) directory

#The setuid bit (s in place of the owner's x) means the program runs with the effective UID of the file's owner instead of the user who launched it. The setgid bit (s in place of the group's x) does the same for the effective GID; on a directory it makes new files inherit the directory's group. A capital S means the bit is set but the underlying x is not. (-rwsr-xr-x. 1 root root 27856 Apr  1  2020 /usr/bin/passwd)

#When a directory has the sticky bit (t in place of the others' x), its files can be deleted or renamed only by the file owner, the directory owner and root (drwxrwxrwt.   6 root root  4096 Jul  1 09:59 tmp).

#ls shows a + sign after the permissions to indicate an extended ACL (like: drwxr-xr-x+); on such an entry the group triad ls prints is the mask, not the owning group's entry
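The mode strings in the passwd and tmp lines above can be decoded mechanically. As an added example (my own code, not from the post), the POSIX sh script below turns a symbolic mode into a four-digit octal mode, treating s/S/t/T as the setuid, setgid and sticky bits, and then filters a listing for entries that carry any of them. The function names are hypothetical; the sample listing is constructed for the demo (the passwd and tmp lines are the ones quoted above, the rest are made up).

```shell
#!/bin/sh
# Added example, not from the post: decode ls -l mode strings and flag
# entries carrying setuid/setgid/sticky. Function names are hypothetical.

# mode_to_octal MODE -> four-digit octal, e.g. -rwsr-xr-x -> 4755,
# drwxrwxrwt -> 1777. A trailing "+" (ACL present), "." (SELinux label)
# or "@" (macOS xattr) is dropped first; it does not change the mode bits.
mode_to_octal() {
    _m=$1
    case $_m in *+|*.|*@) _m=${_m%?} ;; esac
    if [ ${#_m} -ne 10 ]; then
        echo "mode_to_octal: bad mode '$1'" >&2; return 1
    fi
    _special=0 _digits=""
    for _pos in 2 5 8; do    # start column of the owner, group, other triads
        _triad=$(printf '%s' "$_m" | cut -c "$_pos-$((_pos + 2))")
        _val=0
        case $_triad in r??) _val=$((_val + 4)) ;; esac
        case $_triad in ?w?) _val=$((_val + 2)) ;; esac
        case $_triad in
            ??x) _val=$((_val + 1)) ;;
            ??-) ;;
            ??[sS])    # s: setuid (owner triad) or setgid (group triad); S: bit set, x clear
                case $_pos in
                    2) _special=$((_special + 4)) ;;
                    5) _special=$((_special + 2)) ;;
                    *) echo "mode_to_octal: bad mode '$1'" >&2; return 1 ;;
                esac
                case $_triad in ??s) _val=$((_val + 1)) ;; esac ;;
            ??[tT])    # t: sticky, only meaningful in the other triad; T: set, x clear
                if [ "$_pos" -ne 8 ]; then
                    echo "mode_to_octal: bad mode '$1'" >&2; return 1
                fi
                _special=$((_special + 1))
                case $_triad in ??t) _val=$((_val + 1)) ;; esac ;;
            *) echo "mode_to_octal: bad mode '$1'" >&2; return 1 ;;
        esac
        _digits="$_digits$_val"
    done
    printf '%d%s\n' "$_special" "$_digits"
}

# privileged_entries < LISTING: echo each ls -l line whose mode has any of
# setuid, setgid or sticky set, prefixed with its octal mode.
privileged_entries() {
    while read -r _mode _rest; do
        _oct=$(mode_to_octal "$_mode") || continue
        case $_oct in [1-7]*) printf '%s %s %s\n' "$_oct" "$_mode" "$_rest" ;; esac
    done
}

# Constructed sample listing: the passwd and tmp lines are the ones quoted
# in the post; the remaining lines are made up for the demo.
SAMPLE_LISTING='-rwsr-xr-x. 1 root root 27856 Apr  1  2020 /usr/bin/passwd
drwxrwxrwt.   6 root root  4096 Jul  1 09:59 /tmp
-rwxr-sr-x  1 root tty   22912 Jan 10  2021 /usr/bin/wall
drwxr-xr-x+  2 www-data www-data 4096 Jul  1 10:00 /var/www/SystemFiles
-rw-r--r--   1 admino admino 1234 Jul  1 10:05 /var/www/SystemFiles/math.png'

printf '%s\n' "$SAMPLE_LISTING" | privileged_entries
# On a live system the same filter is:  ls -l /usr/bin | privileged_entries
```

A mode whose special letter sits in the wrong triad (sticky in the group triad, setgid in the "other" triad) is rejected rather than silently mapped, which is the behaviour you want when the input comes from untrusted or hand-edited listings.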


###Remove all existing extended ACL:

sudo setfacl -b /var/www/SystemFiles

###Get list of extended and standard ACL:

getfacl /var/www/SystemFiles

getfacl: Removing leading '/' from absolute path names

# file: var/www/SystemFiles

# owner: www-data

# group: www-data

user::rwx

group::rwx

other::r-x

###give admino ability to upload files:

sudo setfacl -m u:admino:rwx /var/www/SystemFiles

###check the result (setfacl recomputed mask:: to cover the new entry; pass -n to leave the mask alone):

getfacl /var/www/SystemFiles

getfacl: Removing leading '/' from absolute path names

# file: var/www/SystemFiles

# owner: www-data

# group: www-data

user::rwx

user:admino:rwx

group::rwx

mask::rwx

other::r-x

###to read non-default ACL:

getfacl SystemFiles | grep -Ev "(::)|^#|^$"

###set defaults for user and group (inherited by files created in the directory from now on; setfacl also fills in the default user::, group::, other:: and mask:: entries):

sudo setfacl -m d:u:www-data:rw SystemFiles

sudo setfacl -m d:g:www-data:rw SystemFiles

###check the ACL of a file created in the directory (the #effective comment shows the entry ANDed with mask::rw-, so group::rwx is cut down to rw-; it is an intersection, not a union):

[admino@mwg www]$ getfacl SystemFiles/u34jf\ o.png

# file: SystemFiles/math.png

# owner: admino

# group: admino

user::rw-

user:www-data:rw-

group::rwx                      #effective:rw-

group:www-data:rw-

mask::rw-

other::r--
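To see exactly how the mask and the #effective annotation feed into an access decision, here is an added example (my own POSIX sh, not from the post or from the acl package) that replays the acl(5) check order on the getfacl text above: the owner first, then a named user entry, then the owning group and named groups (any matching entry that, after masking, grants the request wins, but a match that denies does not fall through), and finally other::. The ACL text is the math.png listing from the post; the users bob and eve and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the post or the acl package: replay the acl(5)
# access check on getfacl output to predict what mask:: really allows.
# Function names and the users bob and eve are hypothetical.

# acl_entry ACL_TEXT PREFIX -> permissions of the first entry starting with
# PREFIX ("user::", "user:www-data:", ...), minus any "#effective:" note.
acl_entry() {
    printf '%s\n' "$1" | sed -n "s/^$2\([-rwx]\{3\}\).*/\1/p" | head -n 1
}

# effective_perms ENTRY MASK -> the intersection getfacl prints as
# "#effective:", e.g. rwx & rw- = rw-, r-x & rw- = r--.
effective_perms() {
    _e=$1 _m=$2 _out=""
    for _i in 1 2 3; do
        _ec=$(printf '%s' "$_e" | cut -c "$_i")
        _mc=$(printf '%s' "$_m" | cut -c "$_i")
        if [ "$_ec" = "$_mc" ]; then _out="$_out$_ec"; else _out="$_out-"; fi
    done
    printf '%s\n' "$_out"
}

# perms_contain HAVE WANT -> true when every letter of WANT is in HAVE.
perms_contain() {
    _have=$1 _want=$2
    while [ -n "$_want" ]; do
        _c=${_want%"${_want#?}"}    # first character of WANT
        _want=${_want#?}
        case $_have in *"$_c"*) ;; *) return 1 ;; esac
    done
    return 0
}

# acl_allows ACL_TEXT USER "GROUP ..." WANT -> exit 0 if USER, whose groups
# are listed, would be granted the WANT letters (a subset of rwx).
acl_allows() {
    acl=$1 user=$2 groups=$3 want=$4
    owner=$(printf '%s\n' "$acl" | sed -n 's/^# owner: //p')
    ogroup=$(printf '%s\n' "$acl" | sed -n 's/^# group: //p')
    mask=$(acl_entry "$acl" 'mask::')
    [ -n "$mask" ] || mask=rwx          # no mask entry: nothing is masked

    # 1. Owner: user:: applies as-is; the mask is not consulted.
    if [ "$user" = "$owner" ]; then
        perms_contain "$(acl_entry "$acl" 'user::')" "$want"; return
    fi
    # 2. Named user entry, masked.
    p=$(acl_entry "$acl" "user:$user:")
    if [ -n "$p" ]; then
        perms_contain "$(effective_perms "$p" "$mask")" "$want"; return
    fi
    # 3. Owning group and named groups: granted if any matching entry,
    #    after masking, contains the request; a match that denies does
    #    not fall through to other::.
    matched=0
    for g in $groups; do
        if [ "$g" = "$ogroup" ]; then
            matched=1
            perms_contain "$(effective_perms "$(acl_entry "$acl" 'group::')" "$mask")" "$want" && return 0
        fi
        p=$(acl_entry "$acl" "group:$g:")
        if [ -n "$p" ]; then
            matched=1
            perms_contain "$(effective_perms "$p" "$mask")" "$want" && return 0
        fi
    done
    [ "$matched" -eq 0 ] || return 1
    # 4. Everyone else: other::, never masked.
    perms_contain "$(acl_entry "$acl" 'other::')" "$want"
}

# The math.png ACL shown in the post, pasted verbatim.
MATH_PNG_ACL='# file: SystemFiles/math.png
# owner: admino
# group: admino
user::rw-
user:www-data:rw-
group::rwx                      #effective:rw-
group:www-data:rw-
mask::rw-
other::r--'

# Who can do what: owner admino, named user www-data, a member of the
# owning group (bob), and an unrelated user (eve).
for who in "admino admino" "www-data www-data" "bob admino" "eve nobody"; do
    set -- $who
    for want in r w x; do
        if acl_allows "$MATH_PNG_ACL" "$1" "$2" "$want"; then
            echo "$1 (groups: $2): $want granted"
        else
            echo "$1 (groups: $2): $want denied"
        fi
    done
done
```

The point the table of results makes is that bob, a member of the owning group whose group:: entry says rwx, still cannot execute the file: the mask entry caps him at rw-. Raising the mask (setfacl -m m::rwx) or recreating it with -n left off would change that outcome without touching group:: at all, which is why a "+" in ls output deserves a getfacl before trusting the mode bits.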
