ACLs (Access control lists) are a security feature which can expand or restrict permissions on files and directories in a linux file system.
Redhat/CentOS 7 use xfs by default and are automatically configured with ACLs however if you are using 6 or below or a different filesystem format you will need to mount the file system with the acl setting
Mount File System with Access Control Lists
To temporarily remount a file system with ACLs do the following(switch /home with the partition you want to mount with acls):
# mount -o remount -o acl /home
To permanently mount a file system, edit /etc/fstab and change
/dev/sda3 /home ext4 defaults 1,2
/dev/sda3 /home ext4 defaults,acl 1,2
This will make the setting persist through a reboot
Manage Access Control Lists
getfacl will show the acl settings on a file or directory
# getfacl test.txt # file: test.txt # owner: root # group: root user::rw- group::r-- other::r--
setfacl will grant or remove additional permissions to a file
-m indicates to modify the file.
# setfacl -m u:admin:rwx test.txt
:u – specifies a user, then its declared as the ‘admin’ user.
:rwx – are the permissions granted to that user.
doing another getfacl will show the permissions have been updated:
# getfacl test.txt # file: test.txt # owner: root # group: root user::rw- user:admin:rwx group::r-- mask::rwx other::r--
To remove permissions do the following:
# setfacl -x u:admin test.txt
-b (--remove-all) - Removes all ACL entries -k - Deletes default ACL entries -m - Modifies a ACL of a file -n - Omits the recalcuation of the mask -R - Recursively applies the change -x - Removes a specific ACL change
Configure a Directory for ACLs:
To give a user access to a directory:
setfacl -m u:admin:x /home/dir
To give a user recursive access to a directory
setfacl -R -m u:admin:rx /home/dir