Linux getfacl and setfacl Commands

Today I learned a new way to manage permissions on files and directories; usually I only use chmod and chown.

One thing to be clear about: if, for example, /etc is owned by root and /etc/xxx is owned by the demo (non-root) user, demo cannot remove /etc/xxx, because deleting a directory entry requires write permission on the parent directory (/etc), and that is denied. demo can still create symbolic links pointing at /etc/xxx and do anything else inside /etc/xxx.

What if demo wants to remove /etc/xxx without changing the permissions of /etc via chmod or chown, and without sudo? setfacl is a good choice.

Note that Docker will not commit a change to the permissions of the / directory itself into an image.

Every file and directory on a Linux filesystem carries an Access Control List (ACL); the minimal ACL is just the owner, group and other permission bits. Additional entries are set with the setfacl utility, and getfacl shows the ACL of a file or directory.

For example:

# getfacl /etc

getfacl: Removing leading '/' from absolute path names
# file: etc/
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

Then we grant demo full permissions on /etc:

## run as root
setfacl -m u:demo:rwx /etc

Check again:

# getfacl /etc

getfacl: Removing leading '/' from absolute path names
# file: etc
# owner: root
# group: root
user::rwx
user:demo:rwx
group::r-x
mask::rwx
other::r-x

I had this question: what is the difference between chmod and ACLs?

Under Linux, ls -l appends a + to the permission characters to indicate that an ACL is present. When an ACL is present, the basic permission bits do not tell the full story: the ACL entries take precedence over the plain POSIX permissions, and the group field that ls -l shows is actually the ACL mask, not the owning group's permissions:

# ls -l /etc

drwxrwxr-x+ 89 root root 8192 Sep 25 16:24
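The two getfacl listings above and the + in the ls -l output are easy to misread, because the mask entry caps what named users, named groups and the owning group actually get. The following is an added example, not code from the original post: a small parser for getfacl output that applies the mask the way acl(5) describes, reconstructs the permission string ls -l would print, and lists who besides the owner has effective write access (the check a reviewer would run before and after a `setfacl -m u:demo:rwx` like the one above). The getfacl text it parses is constructed to match the post's /etc listing.

```python
"""Parse getfacl(1) output and compute effective permissions.

Added example (not from the original post). The sample ACL text below is
constructed to match the /etc listing shown after `setfacl -m u:demo:rwx /etc`.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: what `getfacl /etc` printed after adding the demo entry.
SAMPLE_GETFACL = """\
# file: etc
# owner: root
# group: root
user::rwx
user:demo:rwx
group::r-x
mask::rwx
other::r-x
"""

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def perm_to_int(perm: str) -> int:
    """'r-x' -> 5, using the rwx triplet as getfacl prints it."""
    return sum(PERM_BITS[c] for c in perm if c in PERM_BITS)


def int_to_perm(bits: int) -> str:
    """5 -> 'r-x'."""
    return "".join(c if bits & b else "-" for c, b in PERM_BITS.items())


@dataclass
class AclEntry:
    tag: str            # user, group, mask, other
    qualifier: str      # name for named entries; "" for owner, owning group, mask, other
    perms: int          # requested permissions, 0..7 (before the mask is applied)
    default: bool = False  # True for "default:" entries (inherited by new files)


def parse_getfacl(text: str) -> List[AclEntry]:
    """Parse the entry lines of getfacl output; '# ...' header lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # getfacl appends "#effective:..." when a mask reduces an entry; drop it,
        # we recompute the effective permissions ourselves.
        line = line.split("#", 1)[0].strip()
        is_default = line.startswith("default:")
        if is_default:
            line = line[len("default:"):]
        tag, qualifier, perm = line.split(":", 2)
        entries.append(AclEntry(tag, qualifier, perm_to_int(perm), is_default))
    return entries


def effective_perms(entries: List[AclEntry]) -> Dict[str, int]:
    """Apply the mask as acl(5) specifies: it caps named users, named groups and
    the owning group, but never the owner ('user:') or 'other:'."""
    mask = next((e.perms for e in entries if e.tag == "mask" and not e.default), None)
    result: Dict[str, int] = {}
    for e in entries:
        if e.default or e.tag == "mask":
            continue
        key = f"{e.tag}:{e.qualifier}"
        capped = e.tag == "group" or (e.tag == "user" and e.qualifier != "")
        result[key] = e.perms & mask if (mask is not None and capped) else e.perms
    return result


def has_extended_acl(entries: List[AclEntry]) -> bool:
    """True when ls -l would print '+': any named, mask or default entry exists."""
    return any(e.default or e.tag == "mask" or e.qualifier for e in entries)


def ls_mode_string(entries: List[AclEntry]) -> str:
    """The nine permission characters ls -l prints (plus '+' if an ACL exists).
    With a mask present, the group field shows the mask, not the owning group."""
    raw = {f"{e.tag}:{e.qualifier}": e.perms for e in entries if not e.default}
    group = raw["mask:"] if "mask:" in raw else raw.get("group:", 0)
    mode = int_to_perm(raw.get("user:", 0)) + int_to_perm(group) + int_to_perm(raw.get("other:", 0))
    return mode + ("+" if has_extended_acl(entries) else "")


def writers_other_than_owner(entries: List[AclEntry]) -> List[str]:
    """Audit helper: which entries, apart from the owner, have effective write access?"""
    return sorted(k for k, p in effective_perms(entries).items() if p & 2 and k != "user:")


if __name__ == "__main__":
    acl = parse_getfacl(SAMPLE_GETFACL)
    print(ls_mode_string(acl))             # rwxrwxr-x+ (matches the ls -l line above)
    print(writers_other_than_owner(acl))   # ['user:demo']
```

Running it on the sample reproduces the `rwxrwxr-x+` that ls -l showed above and reports `user:demo` as an extra writer on /etc. Changing the mask line to `mask::r-x` (what `setfacl -m m::r-x /etc` would do) makes the demo entry effectively r-x and the writer list empty, which is the quickest way to see why the mask, not the named entry alone, decides what demo can actually do.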