The getfacl and setfacl commands are used to manage ACLs. Following are a few examples to help you get started. For details on these commands, and on other commands that support ACLs, see z/OS UNIX System Services Command Reference.
- Permit user Joe and group Admins to the file named /etc/inetd.conf with read and write authority.
  setfacl -m user:joe:rw-,group:admins:rw- /etc/inetd.conf
  The -m option modifies ACL entries, or adds them if they do not exist.
- Display the ACL that was created in Step 1.
  getfacl /etc/inetd.conf
  #file: /etc/inetd.conf
  #owner: BPXROOT
  #group: SYS1
  user::rw-
  group::r--
  other::r--
  user:JOE:rw-
  group:ADMINS:rw-
- Perform the same operation as in Step 1, but at the same time, set the base permission bits to prevent access by anyone other than the file owner.
  setfacl -s user::rw-,group::---,other::---,user:joe:rw-,group:admins:rw- /etc/inetd.conf
  The -s option replaces the contents of an ACL with the entries specified on the command line. It requires that the base permissions be specified. The base permissions are specified similarly to extended ACL entries, except that there is no user or group name qualifier.
- Delete the ACL that was created in Step 3.
  setfacl -D a /etc/inetd.conf
  The -D a option specifies that the access ACL is to be deleted. The permission bits remain as specified in Step 3. When a file is deleted, its ACL is automatically deleted; no additional administrative effort is required.
- Take the ACL from FileA in the current directory, and apply it to FileB, also in the current directory.
  getfacl FileA | setfacl -S - FileB
  The shell pipes the output of getfacl to the input of setfacl. The -S option of setfacl says to replace the contents of the file's ACL with ACL entries specified within a file, and the "-" is a special case file name designating stdin. Thus, you can maintain a list of ACL entries within a file, and use that file as input to a setfacl command. You might use this ability to implement a "named ACL" for a given project, such as in Step 6.
- The file /u/joeadmn/Admins contains a list of ACL entries for users and groups who need to support some administrative work. The file contains ACL entries, one per line, in the format that setfacl expects and which getfacl displays. These people must be granted access to all of the directories within the file system subtree starting at and including /admin/work.
  setfacl -S /u/joeadmn/Admins $(find /admin/work -type d)
  This example uses shell command substitution to use the output of the find command as input to the setfacl command. The /u/joeadmn/Admins file might, for example, contain:
  user::rwx
  group::---
  other::---
  u:user1:rwx
  u:user2:rwx
  g:group1:rwx
- Give Lucy read and write access to every file within Fred's home directory for which Ricky has read and write access.
  setfacl -m user:lucy:rw- $(find ~fred -acl_entry user:ricky:+rw)
  You can use the find command to search for various ACL criteria. In this example, it is used to find files containing ACL entries for Ricky, in which Ricky has at least read and write access.
Tip: You can use an access ACL on the parent directory to grant search access only to those users and groups who should have file access. The access ACL of the parent directory can have been automatically created as the result of a directory default ACL on its parent. Make sure that the 'other' and perhaps the 'group' search permission bit is off for the parent directory.
Guidelines: When creating ACLs, consider the following:
- To minimize the impact on performance, keep ACLs as small as possible, and permit groups to files instead of individual users. The path length of the access check increases with the size of an ACL, but remains smaller than the associated checking would be for a RACF® profile with the same number of entries in its access list.
- Do not disable ACLs after you have used ACLs for a while and have created many entries. Only consider disabling ACLs if you have not used them very long. If you have been using ACLs to grant, rather than deny, access to particular users and groups, then disabling ACLs will likely result in a loss of file access authority rather than a gain.
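The tip and the first guideline above both describe properties an administrator can check rather than take on trust. The following added example (not part of this reference, and not an IBM-supplied tool) parses getfacl output in the format shown in Step 2 and reports directories whose 'other' base entry still carries the search bit, and ACLs that list more individual users than a chosen threshold. The sample text is constructed; on z/OS the same parser could read the output of getfacl $(find /admin/work -type d).

```python
# Constructed sample in the format getfacl prints (one block per file, blank-line separated); not real output.
SAMPLE = """\
#file: /admin/work
#owner: BPXROOT
#group: SYS1
user::rwx
group::---
other::---
user:USER1:rwx
group:GROUP1:rwx

#file: /admin/work/reports
#owner: BPXROOT
#group: SYS1
user::rwx
group::r-x
other::r-x
user:USER1:rwx
user:USER2:rwx
user:USER3:rwx
"""

def parse_getfacl(text):
    """Return {path: {"base": {kind: perms}, "users": [(name, perms)], "groups": [...]}}."""
    acls, current = {}, None
    for line in text.splitlines():
        line, parts = line.strip(), line.strip().split(":")
        if line.startswith("#file:"):
            current = {"base": {}, "users": [], "groups": []}
            acls[line.split(":", 1)[1].strip()] = current
        elif not line or line.startswith("#") or current is None or len(parts) != 3:
            continue  # blank separator, #owner/#group headers, default: entries
        elif parts[1] == "":
            current["base"][parts[0]] = parts[2]  # base entries: user::, group::, other::
        elif parts[0] in ("user", "u"):
            current["users"].append((parts[1], parts[2]))
        elif parts[0] in ("group", "g"):
            current["groups"].append((parts[1], parts[2]))
    return acls

def audit(acls, max_users=2):
    """Flag paths searchable by 'other' and ACLs with more than max_users user entries."""
    findings = []
    for path, acl in acls.items():
        if "x" in acl["base"].get("other", ""):
            findings.append((path, "other search bit is on"))
        if len(acl["users"]) > max_users:
            findings.append((path, "%d user entries; prefer a group" % len(acl["users"])))
    return findings
```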