On file systems the process's user identifier (effective UID) is the principal means of control.
Why is ACL required?
Usually the UNIX read, write and execute permissions are more than sufficient, but in many cases you need to set up more complex permissions for accessing files. ACLs make managing such permissions quite easy under FreeBSD (and Linux).
Prepare filesystem to use ACL
To use ACLs under FreeBSD, remount the filesystem with the acls option:
# mount -o acls -u /usr
However, the latest versions of FreeBSD may not allow you to remount the partition this way due to security settings. Open your /etc/fstab file and modify the entry for the filesystem as follows:
Add the acls option; at the end the modified entry should look as follows:
/dev/ad0s1f /usr ufs rw,acls 2 2
Save and close the file. Reboot FreeBSD:
# sync;sync
# reboot
Verify with the mount command that the /usr filesystem is mounted with the acls option; its output should include:
/dev/ad0s1f on /usr (ufs, local, soft-updates, acls)
Task: Set ACL using setfacl
The setfacl utility or command sets or modifies discretionary access control information on the specified file.
Each ACL entry is made of three colon-separated fields: a tag, a qualifier (left empty when the entry refers to the file owner, the owning group or others, as in u::r) and the access permissions.
=> The tag field is used to set up user, group or other permissions. It can consist of one of:
- u - specifying the access granted to the owner of the file or a specified user
- g - specifying the access granted to the file's owning group or a specified group
- o - specifying the access granted to any process that does not match any user or group entry
=> The access-permissions field contains up to one of each of the following:
- r : set read permission
- w : set write permission
- x : set execute permission
Each of these may be excluded or replaced with a '-' character to indicate no access.
In short, use the following syntax for each group of users to set up an ACL:
To set up the user/owner ACL: u::permissions
To set up the group ACL: g::permissions
To set up the others ACL: o::permissions
Task: get or display ACL information
Use the getfacl command to display ACL information:
$ getfacl file.txt
Task: set new ACL for user/owner
Set read-only permission on the file called file.txt for the owner:
setfacl -m u::r file.txt
Now see the new permissions:
getfacl file.txt
Now set read, write and execute permissions on the file called file.txt for the owner:
setfacl -m u::rwx file.txt
getfacl file.txt
Task: Copy file.txt ACL to file2.txt
Create file2.txt and display the ACLs of both files:
touch file2.txt
getfacl file2.txt
getfacl file.txt
Now copy the file.txt ACL to file2.txt (-b clears the existing entries, -n keeps the mask entry from being recalculated, and -M - reads the new entries from standard input):
getfacl file.txt | setfacl -b -n -M - file2.txt
getfacl file2.txt
There are lots of options available and I will cover them later on.
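As an added example (not code from the original post), the following POSIX sh script checks entries against the tag:qualifier:permissions syntax described above and audits getfacl-style output, such as the ACL copied onto file2.txt, for entries that grant write access to anyone other than the owner. The sample getfacl output and the user name alice are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: check setfacl-style entries
# (tag:qualifier:permissions, as described above) and audit getfacl output
# for entries that grant write access to anyone other than the file owner.
# acl_entry_valid ENTRY: succeed only if ENTRY is a well-formed entry
acl_entry_valid() {
    entry=$1
    tag=${entry%%:*}
    rest=${entry#*:}
    [ "$rest" != "$entry" ] || return 1        # first colon present?
    qualifier=${rest%%:*}
    perms=${rest#*:}
    [ "$perms" != "$rest" ] || return 1        # second colon present?
    case $tag in
        u|user|g|group) ;;
        o|other) [ -z "$qualifier" ] || return 1 ;;   # others take no qualifier
        *) return 1 ;;
    esac
    case $perms in                             # one to three of r, w, x or '-'
        ''|*[!rwx-]*) return 1 ;;
    esac
    [ "${#perms}" -le 3 ]
}

# acl_audit: read getfacl output on stdin and print every entry that gives
# write access to a named user, the owning group, a named group or others.
acl_audit() {
    while IFS= read -r line; do
        case $line in
            '#'*|'') continue ;;               # "# file:", "# owner:" headers
        esac
        tag=${line%%:*}
        rest=${line#*:}
        qualifier=${rest%%:*}
        perms=${rest#*:}
        case $tag in
            mask) continue ;;                  # the mask caps rights, it grants none
            user) [ -n "$qualifier" ] || continue ;;   # owner entry is expected
        esac
        case $perms in
            *w*) printf '%s\n' "$line" ;;
        esac
    done
}

# Constructed sample getfacl output (not output from the post's commands)
sample_acl() {
    printf '# file: file2.txt\n# owner: root\nuser::rw-\nuser:alice:rw-\ngroup::r--\nmask::rw-\nother::r--\n'
}
sample_acl | acl_audit                         # prints: user:alice:rw-
```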