Sunday, May 5, 2013

Linux file system Access Control beyond umask

Sometimes we don't want to change our umask setting but want to give a certain user the read-write permissions to some files or directories. We can do that by using Linux's ACL (Access Control List) commands setfacl and getfacl. Manpages of these commands give the full usage and explanation. The following are some examples.

For instance, user1 has a directory named shared_dir. user1 wants the files generated in shared_dir can be read-written by both himself and user2. He can run these commands:
   $ setfacl -d -m u:user1:rw shared_dir
   $ setfacl -d -m u:user2:rw shared_dir

The -d option make the operations apply to the Default ACL. The Default ACLs can only be applied to directories. They determine the permissions a file system object inherits from its parent directory when it is created.

If user1 wants to allow a certain group group1 to have read-write permissions on the files in shared_dir, he can use this command instead:
   $ setfacl -d -m g:group1:rw shared_dir

After running setfacl to change the ACL, you can use getfacl to check the result.

No comments:

Get This <