Granting Permissions using ACLs

You can use Access Control Lists (ACLs) to give other users permission to access files and directories that you own. There are two commands for dealing with ACLs. The “getfacl” command displays the current ACL settings for a file or directory, and the “setfacl” command modifies them. With ACLs you can grant either read-only or read-write access to a directory or file to specific users.

By default, a user’s home directory is accessible only to that user, and the ACL should reflect this. For example, for the user alice, the ACL on their home directory would look like:

[alice@jhpce01 ~]$ pwd
/users/alice
[alice@jhpce01 ~]$ getfacl .
# file: .
# owner: alice
# group: users
user::rwx
group::---
other::---

Note that only alice can access the /users/alice directory. Now, if alice wanted to grant read-only access to their home directory to the user bob, they would use the “setfacl” command:

[alice@jhpce01 ~]$ setfacl -m user:bob:rx .
[alice@jhpce01 ~]$ getfacl .
# file: .
# owner: alice
# group: users
user::rwx
user:bob:r-x
group::---
mask::r-x
other::---

At this point, bob would be able to access alice’s home directory. Now suppose there is a file that alice wants to let bob update. Alice could use ACLs to grant write access to a particular file:

[alice@jhpce01 ~]$ ls -l shared-data.txt
-rw-r--r-- 1 alice users 79691776 Feb  2 07:06 shared-data.txt
[alice@jhpce01 ~]$ getfacl shared-data.txt
# file: shared-data.txt
# owner: alice
# group: users
user::rw-
group::r--
other::r--
[alice@jhpce01 ~]$ setfacl -m user:bob:rw shared-data.txt
[alice@jhpce01 ~]$ getfacl shared-data.txt
# file: shared-data.txt
# owner: alice
# group: users
user::rw-
user:bob:rw-
group::r--
mask::rwx
other::r--

At this point, bob could access and modify the “shared-data.txt” file.
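The getfacl output above contains a “mask::” line that the page does not otherwise discuss. Once any named-user entry exists, the mask is ANDed with every named user, named group and owning-group entry to produce the permissions that are really in effect; the owner (user::) and other:: entries are never masked. The mask is tied to the group bits of the file, so a later “chmod g-w” silently narrows what bob can do even though “user:bob:rw-” still appears, and getfacl then prints an “#effective:” note beside the reduced entry. The script below is an added example, not part of the original page or the cluster’s tooling: it reads getfacl output and reports the effective permissions per entry. The sample ACL embedded in it is constructed from the shared-data.txt listing above, with the mask narrowed to r-- as it would be after such a chmod.

```sh
#!/bin/sh
# Added example (not from the original page): compute the permissions each ACL
# entry actually grants once the mask is applied. The kernel ANDs the mask with
# every named user, named group and owning-group entry; the owner (user::) and
# other:: entries are never masked.

# Constructed sample: the shared-data.txt ACL from the page, but with the mask
# narrowed to r-- as it would be after "chmod g-w shared-data.txt".
SAMPLE_ACL='# file: shared-data.txt
# owner: alice
# group: users
user::rw-
user:bob:rw-
group::r--
mask::r--
other::r--'

# effective_acl: read getfacl output on stdin; print each entry followed by the
# permissions that are really in effect, flagging entries the mask reduces.
effective_acl() {
  awk '
    { sub(/[ \t]*#.*/, "") }          # drop comment lines and #effective: notes
    NF == 0 { next }
    { split($0, f, ":") }             # f[1]=type, f[2]=name, f[3]=perms
    f[1] == "mask" { mask = f[3]; next }
    { n++; line[n] = $0; type[n] = f[1]; name[n] = f[2]; perm[n] = f[3] }
    END {
      for (i = 1; i <= n; i++) {
        eff = perm[i]
        # owner (user::) and other:: are exempt from the mask
        masked = !((type[i] == "user" && name[i] == "") || type[i] == "other")
        if (masked && mask != "") {
          eff = ""
          for (j = 1; j <= 3; j++) {
            c = substr(perm[i], j, 1); m = substr(mask, j, 1)
            eff = eff ((c != "-" && m != "-") ? c : "-")
          }
        }
        note = (eff != perm[i]) ? " (limited by mask)" : ""
        printf "%s effective:%s%s\n", line[i], eff, note
      }
    }'
}

# bob_effective: return only bob'\''s effective permissions from the sample
# (a hypothetical helper so the result can be checked in a script).
bob_effective() {
  printf '%s\n' "$SAMPLE_ACL" | effective_acl |
    awk -F'effective:' '/^user:bob:/ { split($2, e, " "); print e[1] }'
}

# Run the sample through the checker; bob'\''s rw- entry comes out as r--.
printf '%s\n' "$SAMPLE_ACL" | effective_acl
```

To check a real file, pipe getfacl into the function (`getfacl shared-data.txt | effective_acl`); any entry marked “limited by mask” is one where the grant you made is not the access the other user actually gets, and running “setfacl -m mask::rw- file” or reapplying the named entry restores the intended permissions.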

Now suppose alice wanted to create a directory that bob could write to. Alice could create a directory, and grant bob write access to it:

[alice@jhpce01 ~]$ mkdir shared
[alice@jhpce01 ~]$ setfacl -m user:bob:rwx shared
[alice@jhpce01 ~]$ getfacl shared
# file: shared
# owner: alice
# group: users
user::rwx
user:bob:rwx
group::r-x
mask::rwx
other::r-x

Now the user bob can copy or save files in the “shared” directory.

If you want to remove an ACL entry, use the “-x” option to setfacl.

[alice@jhpce01 ~]$ setfacl -x user:bob shared
[alice@jhpce01 ~]$ getfacl shared
# file: shared
# owner: alice
# group: users
user::rwx
group::r-x
mask::r-x
other::r-x