Managing file access with ACLs

What are ACLs?

Access Control Lists (ACLs, also written FACLs for file ACLs) manage granular permissions on individual files or directories. Their main use is to give one or more additional users (or groups) access to a file or directory independently of the owner and group attached to it. For instance, a user who owns a file can allow one other user to write to it without giving the whole group write access.

While FASRC manages a large number of groups that control access to the many storage shares we host, we generally do not manage access at the individual level ('this person should have access but not that person'). Where several users need the same access, an additional group may be the better fit, but every extra group adds support overhead. For the individual cases, an ACL is usually the best option when you need to grant someone else more granular permissions on files you own.

Usage

From a login node or any other node on the cluster, run man getfacl and man setfacl for the full option reference.

Please note: setting ACLs on Tier1 Isilon shares is not currently supported.

Example 1: getfacl

This example shows how to see which ACL entries are set. In the ls -l listing, a '+' after the mode bits means the entry carries an ACL beyond the ordinary owner/group/other permissions; getfacl then prints the entries themselves. The "# flags: -s-" line reports the setuid/setgid/sticky bits; here the setgid bit (the s in drwxrwsr-x) makes new files inherit the harvard_lab group. The directory's own access entries (user::, group::, other::) are just its mode bits, but its default ACL gives the harvard_lab_admins group rwx on any file or subdirectory created inside it. That inherited default ACL is why the three subdirectories also show a '+'.

[harvard_lab]# ls -l
total 12
drwxrwsr-x+ 28 jharvard harvard_lab 4096 Feb 19 20:06 Everyone
drwxrwsr-x+ 7 jharvard harvard_lab 4096 May 9 20:03 Lab
drwxrwsr-x+ 74 jharvard harvard_lab 4096 Oct 10 2023 Users
[harvard_lab]# getfacl .
# file: .
# owner: root
# group: harvard_lab
# flags: -s-
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::r-x
default:group:harvard_lab_admins:rwx
default:mask::rwx
default:other::r-x

Example 2: setfacl

This example shows how to allow another user (here testuser) read, write and execute access to a file you own. Note that after setfacl the group column of ls -l shows the ACL mask (rwx), not the owning group's own permission, which getfacl confirms is still r--; the '+' again marks the presence of an ACL. The other user also needs search (execute) permission on every directory leading to the file, which an ACL on the file alone does not provide. To revoke the grant, run setfacl -x u:testuser test; setfacl -b test strips all extended entries from the file.

[jharvard]$ ls -l test
-rw-r--r--. 1 jharvard harvard_lab 30 May 17 16:41 test
[jharvard]$ setfacl -m u:testuser:rwx test
[jharvard]$ ls -l test
-rw-rwxr--+ 1 jharvard harvard_lab 30 May 17 16:41 test
[jharvard]$ getfacl test
# file: test
# owner: jharvard
# group: harvard_lab
user::rw-
user:testuser:rwx
group::r--
mask::rwx
other::r--
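The script below is an added example and is not part of the original page or FASRC's own documentation. It walks a scratch directory through the getfacl/setfacl steps from Examples 1 and 2 and captures the two things the transcripts above only hint at: how the mask limits a named-user entry (and how a plain chmod silently changes that mask), and how a default ACL such as the harvard_lab_admins entry in Example 1 is inherited by new files. It assumes the acl tools are installed and the filesystem under $TMPDIR is mounted with POSIX ACL support (it reports "skip" otherwise, so it would not apply on Tier1 Isilon shares), and it grants access to a numeric UID (65534, normally nobody) instead of a real second user so nothing else on the system is required. The helper names (acl_available, acl_granted, acl_effective, run_acl_demo, the STEP*_ variables, GRANTEE_UID) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): exercise setfacl/getfacl on a
# scratch directory to show how a named-user entry, the mask and a default ACL
# interact. Assumptions: the acl tools are installed and $TMPDIR is on a
# filesystem mounted with POSIX ACL support (otherwise DEMO_STATUS=skip); the
# grantee is a numeric UID (65534, normally "nobody") so no second account is
# needed. Override with GRANTEE_UID=<uid> if that UID is in use on your system.
GRANTEE_UID="${GRANTEE_UID:-65534}"

# 0 when setfacl/getfacl exist and an ACL can really be stored here.
acl_available() {
    command -v setfacl >/dev/null 2>&1 && command -v getfacl >/dev/null 2>&1 || return 1
    probe=$(mktemp) || return 1
    setfacl -m "u:$GRANTEE_UID:r" "$probe" >/dev/null 2>&1
    rc=$?
    rm -f "$probe"
    return "$rc"
}

# acl_granted FILE TAG: permission field of entry TAG (user:65534, mask:, group:,
# default:user:65534, ...) exactly as stored; prints nothing if the entry is absent.
acl_granted() {
    getfacl --omit-header --numeric "$1" 2>/dev/null |
        sed -n "s/^$2:\([rwx-]*\).*/\1/p"
}

# acl_effective FILE TAG: what the entry grants after the mask is applied.
# getfacl appends "#effective:..." only when the mask cuts the entry down.
acl_effective() {
    getfacl --omit-header --numeric "$1" 2>/dev/null |
        sed -n -e "/^$2:/!d" \
               -e "s/^$2:\([rwx-]*\)[[:space:]]*#effective:\([rwx-]*\).*/\2/" \
               -e "s/^$2:\([rwx-]*\).*/\1/" -e p
}

# Run the scenario in a throw-away directory. Leaves DEMO_STATUS=skip when ACLs
# are unusable, else DEMO_STATUS=ok with the STEP*_ results filled in.
run_acl_demo() {
    DEMO_STATUS=skip
    acl_available || return 0
    umask 022                                  # new plain files come out 0644
    work=$(mktemp -d) || return 1
    f="$work/test"; d="$work/shared"
    : > "$f"                                   # -rw-r--r--, like "test" on the page

    # 1. Grant the other user rwx. setfacl recomputes the mask as the union of
    #    group::r-- and the new entry, so the grant takes full effect (ls -l now
    #    shows -rw-rwxr--+; the rwx in the group column is the mask).
    setfacl -m "u:$GRANTEE_UID:rwx" "$f"
    STEP1_GRANTED=$(acl_granted "$f" "user:$GRANTEE_UID")       # rwx
    STEP1_EFFECTIVE=$(acl_effective "$f" "user:$GRANTEE_UID")   # rwx
    STEP1_MASK=$(acl_granted "$f" "mask:")                      # rwx
    STEP1_GROUP=$(acl_granted "$f" "group:")                    # r--

    # 2. Once a mask exists, chmod's group bits set the mask rather than the
    #    owning group's entry, so "chmod 640" silently trims the grantee to rw-.
    chmod 640 "$f"
    STEP2_MASK=$(acl_granted "$f" "mask:")                      # rw-
    STEP2_EFFECTIVE=$(acl_effective "$f" "user:$GRANTEE_UID")   # rw-
    STEP2_GROUP=$(acl_granted "$f" "group:")                    # r-- (unchanged)

    # 3. A default ACL on a directory is copied onto everything created inside.
    #    The creating call's mode caps the mask (a new file asks for 0666 and the
    #    umask is ignored when a default ACL exists), so rwx arrives as rw-.
    mkdir "$d"
    setfacl -d -m "u:$GRANTEE_UID:rwx" "$d"
    : > "$d/newfile"
    STEP3_DEFAULT=$(acl_granted "$d" "default:user:$GRANTEE_UID")     # rwx
    STEP3_INHERITED=$(acl_granted "$d/newfile" "user:$GRANTEE_UID")   # rwx
    STEP3_EFFECTIVE=$(acl_effective "$d/newfile" "user:$GRANTEE_UID") # rw-

    # 4. Revoke: -x drops one named entry (-b would strip every extended entry).
    setfacl -x "u:$GRANTEE_UID" "$f"
    STEP4_REMOVED=$(acl_granted "$f" "user:$GRANTEE_UID")       # empty

    rm -rf "$work"
    DEMO_STATUS=ok
}

run_acl_demo
if [ "$DEMO_STATUS" = ok ]; then
    printf '1 grant:   granted=%s effective=%s mask=%s group=%s\n' \
        "$STEP1_GRANTED" "$STEP1_EFFECTIVE" "$STEP1_MASK" "$STEP1_GROUP"
    printf '2 chmod:   effective=%s mask=%s group=%s\n' \
        "$STEP2_EFFECTIVE" "$STEP2_MASK" "$STEP2_GROUP"
    printf '3 default: dir=%s inherited=%s effective=%s\n' \
        "$STEP3_DEFAULT" "$STEP3_INHERITED" "$STEP3_EFFECTIVE"
    printf '4 revoke:  entry="%s"\n' "$STEP4_REMOVED"
else
    echo "ACLs are not usable here (no acl tools or filesystem without ACL support)"
fi
```

Run it on a cluster node as a normal user (sh acl_demo.sh, with GRANTEE_UID set to a colleague's UID if you want to check a real account). Step 2 is the one to remember when an ACL "stops working": any chmod that touches the group bits, including chmod g-w or a tool that resets modes, rewrites the mask and caps every named entry, and getfacl is the only place that shows it, because ls -l reports the mask in the group column. Step 3 is the mechanism behind the harvard_lab_admins line in Example 1: the default entry is copied to new files, but the effective rights on a plain file never exceed the rw- that file creation asks for.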

Additional documentation about the use of ACLs can be found at: