Working with access ACLs

z/OS UNIX System Services Planning
GA32-0884-00

The getfacl and setfacl commands are used to manage ACLs. Following are a few examples to help you get started. For details on these commands, and on other commands that support ACLs, see z/OS UNIX System Services Command Reference.
  1. Permit user Joe and group Admins to the file named /etc/inetd.conf with read and write authority.
    setfacl -m user:joe:rw-,group:admins:rw- /etc/inetd.conf
    The -m option modifies ACL entries, or adds them if they do not exist.
  2. Display the ACL that was created in Step 1.
    getfacl /etc/inetd.conf
    #file:  /etc/inetd.conf
    #owner: BPXROOT
    #group: SYS1
    user::rw-
    group::r--
    other::r--
    user:JOE:rw-
    group:ADMINS:rw-
  3. Perform the same operation as in Step 1, but at the same time, set the base permission bits to prevent access by anyone other than the file owner.
    setfacl -s user::rw-,group::---,other::---,user:joe:rw-,group:admins:rw- /etc/inetd.conf
    The -s option replaces the contents of an ACL with the entries specified on the command line. It requires that the base permissions be specified. The base permissions are specified similarly to extended ACL entries, except that there is no user or group name qualifier.
  4. Delete the ACL that was created in Step 3.
    setfacl -D a /etc/inetd.conf
    The -D a option specifies that the access ACL is to be deleted. The permission bits remain as specified in Step 3. When a file is deleted, its ACL is deleted automatically; no additional administrative effort is required.
  5. Take the ACL from FileA in the current directory, and apply it to FileB, also in the current directory.
    getfacl FileA | setfacl -S - FileB
    The shell pipes the output of getfacl to the input of setfacl. The -S option of setfacl says to replace the contents of the file's ACL with the ACL entries specified within a file, and the "-" is a special-case file name designating stdin. Thus, you can maintain a list of ACL entries within a file and use that file as input to a setfacl command. You might use this ability to implement a "named ACL" for a given project, as in Step 6.
  6. The file /u/joeadmn/Admins contains a list of ACL entries for users and groups who need to support some administrative work. The file contains ACL entries, one per line, in the format that setfacl expects and that getfacl displays. These people must be granted access to all of the directories within the file system subtree starting at and including /admin/work.
    setfacl -S /u/joeadmn/Admins $(find /admin/work -type d)
    This example uses shell command substitution to pass the output of the find command to setfacl as its file operands. The /u/joeadmn/Admins file might, for example, contain:
    user::rwx
    group::---
    other::---
    u:user1:rwx
    u:user2:rwx
    g:group1:rwx
  7. Give Lucy read and write access to every file within Fred's home directory for which Ricky has read and write access.
    setfacl -m user:lucy:rw- $(find ~fred -acl_entry user:ricky:+rw)
    You can use the find command to search for various ACL criteria. In this example, it is used to find files containing ACL entries for Ricky, in which Ricky has at least read and write access.

Tip: You can use an access ACL on the parent directory to grant search access only to those users and groups who should have file access. The access ACL of the parent directory may have been created automatically as the result of a directory default ACL on its own parent. Make sure that the 'other' and perhaps the 'group' search permission bits are off for the parent directory.

Guideline: When creating ACLs, consider the following guidelines:
  • To minimize the impact on performance, keep ACLs as small as possible, and permit groups to files rather than individual users. The path length of the access check increases with the size of an ACL, but remains smaller than the corresponding check for a RACF® profile with the same number of entries in its access list.
  • Do not disable ACLs after you have used ACLs for a while and have created many entries. Only consider disabling ACLs if you have not used them very long. If you have been using ACLs to grant, rather than deny, access to particular users and groups, then disabling ACLs will likely result in a loss of file access authority rather than a gain.

Copyright IBM Corporation 1990, 2014