Sun Microsystems, Inc.
   
 

How to Copy an ACL

Copy a file's ACL to another file by redirecting the getfacl output.

$ getfacl filename1 | setfacl -f - filename2

filename1

Specifies the file from which to copy the ACL.

filename2

Specifies the file on which to set the copied ACL.

Example--Copying an ACL

In the following example, the ACL on ch2.doc is copied to ch3.doc.

$ getfacl ch2.doc | setfacl -f - ch3.doc

How to Check If a File Has an ACL

Check if a file has an ACL by using the ls command.

$ ls -l filename

filename specifies the file or directory.

In the output, a plus sign (+) to the right of the mode field indicates that the file has an ACL.


Note - Unless you have added ACL entries for additional users or groups on a file, the file is considered to have a "trivial" ACL and the plus sign (+) is not displayed.


Example--Checking If a File Has an ACL

The following example shows that the ch1.doc file has an ACL, because the listing has a plus sign (+) to the right of the mode field.

$ ls -l ch1.doc
-rwxr-----+  1 nathan   sysadmin      167 Nov 11 11:13 ch1.doc

How to Modify ACL Entries on a File

  1. Modify ACL entries on a file by using the setfacl command.

    $ setfacl -m acl-entry-list filename ...

    -m

    Modifies the existing ACL entry.

    acl-entry-list

    Specifies the list of one or more ACL entries to modify on the file or directory. You can also modify default ACL entries on a directory. Table 15-8 and Table 15-9 show the valid ACL entries.

    filename ...

    Specifies one or more files or directories, separated by a space.

  2. Verify that the ACL entries were modified on the file by using the getfacl command.

    $ getfacl filename

Examples--Modifying ACL Entries on a File

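In the following example, the permissions for the user george are modified to read and write. Because the ACL mask is r--, the #effective: note in the getfacl output shows that george still has only read access.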

$ setfacl -m user:george:6 ch3.doc
$ getfacl ch3.doc
# file: ch3.doc
# owner: nathan
# group: staff
user::rw-
user:george:rw-         #effective:r--
group::r--              #effective:r--
mask:r--
other:r--

In the following example, the default permissions for the group staff are modified to read and the default ACL mask permissions are modified to read and write on the book directory.

$ setfacl -m default:group:staff:4,default:mask:6 book

How to Delete ACL Entries From a File

  1. Delete ACL entries from a file by using the setfacl command.

    $ setfacl -d acl-entry-list filename ... 

    -d

    Deletes the specified ACL entries.

    acl-entry-list

    Specifies the list of ACL entries (without specifying the permissions) to delete from the file or directory. You can only delete ACL entries and default ACL entries for specific users and groups. Table 15-8 and Table 15-9 show the valid ACL entries.

    filename ...

    Specifies one or more files or directories, separated by a space.

    Alternatively, you can use setfacl -s to delete all the ACL entries on a file and replace them with the new ACL entries that are specified.

  2. Verify that the ACL entries were deleted from the file by using the getfacl command.

    $ getfacl filename

Example--Deleting ACL Entries on a File

In the following example, the user george is deleted from the ch4.doc file.

$ setfacl -d user:george ch4.doc

How to Display ACL Entries for a File

Display ACL entries for a file by using the getfacl command.

$ getfacl [-a | -d] filename ...

-a

Displays the file name, file owner, file group, and ACL entries for the specified file or directory.

-d

Displays the file name, file owner, file group, and default ACL entries for the specified directory.

filename ...

Specifies one or more files or directories, separated by a space.

If you specify multiple file names on the command line, the ACL entries are displayed with a blank line between each entry.

Examples--Displaying ACL Entries for a File

The following example shows all the ACL entries for the ch1.doc file. The #effective: note beside the user and group entries indicates what the permissions are after being modified by the ACL mask.

$ getfacl ch1.doc

# file: ch1.doc
# owner: nathan
# group: sysadmin
user::rw-
user:george:r--         #effective:r--
group::rw-              #effective:rw-
mask:rw-
other:---

The following example shows the default ACL entries for the book directory.

$ getfacl -d book

# file: book
# owner: nathan
# group: sysadmin
user::rwx
user:george:r-x         #effective:r-x
group::rwx              #effective:rwx
mask:rwx
other:---
default:user::rw-
default:user:george:r--
default:group::rw-
default:mask:rw-
default:other:---
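
The #effective: note described above can be checked mechanically: the following added example (not part of the original Sun documentation) reads getfacl-style output and reports every named-user or group entry whose granted permissions are reduced by the ACL mask. The function names are hypothetical, and the sample input is constructed, modelled on the ch3.doc listing earlier on this page.

```shell
#!/bin/sh
# Added example: list ACL entries whose granted permissions are reduced by the mask.
# Reads getfacl-style text on stdin; function names here are hypothetical.

acl_masked_entries() {
    awk '
    /^#/ { next }                                  # "# file:", "# owner:" headers
    { sub(/[ \t]*#.*/, ""); gsub(/[ \t]/, "") }    # drop "#effective:" notes
    $0 == "" || /^default:/ { next }               # defaults affect new files only
    /^mask:/ { mask = substr($0, 6); next }
    /^user::/ || /^other:/ { next }                # owner and other bypass the mask
    /^(user|group):/ { entry[++n] = $0 }           # mask is printed later, so buffer
    END {
        if (mask == "") exit                       # trivial ACL, nothing to check
        for (i = 1; i <= n; i++) {
            split(entry[i], f, ":")
            eff = ""
            for (j = 1; j <= 3; j++) {
                p = substr(f[3], j, 1)
                eff = eff (substr(mask, j, 1) == "-" ? "-" : p)
            }
            if (eff != f[3])
                printf "%s:%s granted=%s effective=%s\n", f[1], f[2], f[3], eff
        }
    }'
}

# Constructed sample input (not captured from a real system).
sample_acl() {
cat <<'EOF'
# file: ch3.doc
# owner: nathan
# group: staff
user::rw-
user:george:rw-         #effective:r--
group::r--              #effective:r--
mask:r--
other:r--
EOF
}

sample_acl | acl_masked_entries
```

On a live system the same function can be fed directly, for example `getfacl ch3.doc | acl_masked_entries`; an empty result means no entry is restricted by the mask.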
 
 
 