Rocky 8.x setfacl and getfacl based permissions
Normally in Linux, permissions are configured through the user owner, the group owner and others, with read, write and execute bits set for each of those three classes. Complex permission requirements cannot be expressed with that model alone. All modern Linux filesystems support extended permissions (POSIX ACLs), managed with setfacl / getfacl, which let us assign permissions per user and per group, including users and groups that do not own the file or folder.
For example, there was a requirement to give user2 access to the following folder of user1:
/home/user1/public_html
Here, public_html was not part of UserDir and hence was itself owned by apache:apache and not by user1.
Further, user2 needed read-only access only to:
/home/user1/public_html
/home/user1/public_html/locations/*
i.e. files directly under public_html, and any file or sub-folder under locations. Other sub-folders under public_html, such as:
/home/user1/public_html/secret
should not be accessible to user2.
Also, user2 should have read-only access only, with no write/modify permission.
To achieve the above using setfacl / getfacl, the following was run as root:
cd /home/user1/public_html
setfacl -m u:user2:r *       # read on every direct entry; a sub-folder given r but no x lets user2 list entry names only
setfacl -m u:user2:rx .      # read and traverse public_html itself
cd locations
setfacl -m u:user2:rx -R .   # read and traverse locations and everything below it (rX instead of rx would grant execute only on sub-folders, not on files)
After this, logging in as user2 validated that:
- user2 cannot access /home/user1/public_html/secret
- user2 can access sub-folders under /home/user1/public_html/locations
- user2 can read all files under /home/user1/public_html
- user2 is not able to modify any file of user1 in the above locations
- Normal Unix permissions for user1 and apache are not affected by the extended permissions above; their access continues exactly as before.
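As an added example, not from the original page: a small POSIX shell helper that reads getfacl output and reports what user2 effectively gets once the ACL mask is applied, so the validation above can be scripted instead of repeated by logging in. The getfacl listings inside it are constructed to match the layout described above; it assumes the user being checked is neither the file owner nor a member of a group that has its own entry.

```shell
# Added example, not part of the original page: report the permission a named
# user effectively gets from a getfacl listing (named entries are ANDed with
# mask::; a user without an entry is assumed not owner/grouped, so other:: applies).
# Live use:  getfacl -p /home/user1/public_html/secret | acl_effective user2

# acl_effective USER  -- getfacl text on stdin, prints an rwx triple
acl_effective() {
  awk -F: -v who="$1" '
    # "user:user2:r-x   #effective:r--": keep only the first three chars
    $1 == "user"  && $2 == who { entry = substr($3, 1, 3) }
    $1 == "mask"  && $2 == ""  { mask  = substr($3, 1, 3) }
    $1 == "other" && $2 == ""  { other = substr($3, 1, 3) }
    END {
      if (entry == "") { print (other == "" ? "---" : other); exit }
      if (mask == "")  { print entry; exit }
      out = ""
      for (i = 1; i <= 3; i++) {
        c = substr(entry, i, 1)
        out = out ((c != "-" && substr(mask, i, 1) != "-") ? c : "-")
      }
      print out
    }'
}

# acl_expect USER TRIPLE  -- succeeds when the effective permission matches
acl_expect() {
  [ "$(acl_effective "$1")" = "$2" ]
}

# Constructed listings matching the layout in the text after the setfacl run.
# secret got only "r" from the wildcard: user2 can list names but not traverse.
ACL_SECRET='# file: home/user1/public_html/secret
user::rwx
user:user2:r--
group::r-x
mask::r-x
other::---'
# A file inside secret carries no entry for user2, so other:: (---) applies.
ACL_SECRET_FILE='user::rw-
group::r--
other::---'
# A file under locations where a later chmod g=r tightened the mask to r--.
ACL_MASKED='user::rw-
user:user2:r-x   #effective:r--
group::r--
mask::r--
other::r--'

printf '%s\n' "$ACL_SECRET" | acl_expect user2 r-- && echo "secret: user2 limited to r--"
```

getfacl appends a `#effective:` column whenever the mask cuts an entry down, and ls -l marks ACL-bearing files with a trailing +. Entries set with -R only cover files that exist at that moment; files created later under locations need a default ACL (setfacl -d -m u:user2:rx locations) to inherit the access.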