Access Control List (ACL)

Introduction

Access control lists are used to give a specific user or group read, write, or execution permission on a specific file. The command setfacl is used to set the access control list, while getfacl is used to find the permissions of a file's access control list.

If you are using emacs as your text editor, you will first need to change your .emacs file to prevent it from creating backups. Otherwise, when the backup file is created, the access control list for that file will be destroyed. To prevent emacs from creating backup files, insert the following line into your .emacs file:

(setq make-backup-files nil)

Using setfacl

To give a single user read-only permission to the file, you can use the following syntax:

setfacl -r -m user:username:r-- myfile

where username is the username of the user to whom you are granting permission, and myfile is the name of the file.

The r-- entry gives the read-only permission. r is used for read permission, w is used for write permission, and x for executable permission. A - character is used as a placeholder. Any combination of the three can be used to provide various permissions on the file.

To give an entire group permission to the file, type in the following:

setfacl -r -m group:groupname:r-- myfile

which would give the group groupname read-only permission to myfile.

To remove a group or user's permissions to the file, you can use the -d option. For example, to remove the previous example's permissions, you would use the following:

setfacl -d group:groupname myfile

Using getfacl

To view the permissions on a file, you may use the getfacl command. For example, to view the permissions on filename.txt, you would type in the following:

getfacl filename.txt

Further information

For further information on access control lists, please see the man pages by typing the following at the UNIX prompt:

man setfacl

man getfacl