# group: chris
user::rw-
user:thomas:r--
user:diane:r--
user:gord:rw- #effective:r--
user:jim:rw- #effective:r--
group::rw- #effective:r--
mask::r--
other::---
$ getfacl --tabular bar
# file: bar
USER chris rw-
user thomas r--
user diane r--
user gord rW-
user jim rW-
GROUP chris rW-
mask r--
other ---
Notice that permissions that are not effective because of the mask are shown in uppercase (the W in rW-), and that the owner and owning-group entries are shown as USER and GROUP, with the file's owner and group owner inserted into the qualifier column.
It can be convenient to create an alias for viewing the tabular output:
$ alias showacl='getfacl --tabular'
Don't name this alias getfacl, or you won't be able to copy ACLs between files: tabular output cannot be used as input to setfacl.
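The mask is the detail that most often gets misread in a listing like the one above: gord and jim are granted rw-, but the mask of r-- means they can only read. The following is an added example, not code from the book, that applies the mask the way the kernel does (named users, named groups and the owning group are masked; the owner, other and mask entries are not) and then answers the question a reviewer actually cares about, which principals can write. It parses a long-form getfacl listing with only POSIX sh and awk, so it runs without the acl package. The sample listing is the page's listing for bar, with the "# file:" and "# owner:" header lines reconstructed from the tabular output (USER chris, GROUP chris); default (d:) entries from directories are skipped.

```shell
#!/bin/sh
# Added example (not from the book): apply the ACL mask to a long-form
# getfacl(1) listing and report the rights each entry actually grants.
# Only POSIX sh and awk are used, so it runs without the acl package.

# sample_acl: the listing for "bar" shown on this page; the "# file:" and
# "# owner:" header lines are reconstructed from the tabular output.
sample_acl() {
    cat <<'EOF'
# file: bar
# owner: chris
# group: chris
user::rw-
user:thomas:r--
user:diane:r--
user:gord:rw-
user:jim:rw-
group::rw-
mask::r--
other::---
EOF
}

# acl_effective: read one file's long-form listing on stdin and print
# "tag:qualifier:granted:effective" for every access entry (mask omitted).
# The owner's and owning group's names are filled into the qualifier.
acl_effective() {
    awk '
        # eff(p, m): keep a bit only if it is set in both the entry and the mask
        function eff(p, m,    i, r, pc, mc) {
            r = ""
            for (i = 1; i <= 3; i++) {
                pc = substr(p, i, 1); mc = substr(m, i, 1)
                if (pc != "-" && mc != "-") r = r pc; else r = r "-"
            }
            return r
        }
        /^# owner: / { owner = $3; next }
        /^# group: / { group = $3; next }
        /^#/ || /^[ \t]*$/ { next }
        {
            sub(/[ \t]*#.*$/, "")            # drop a "#effective:" annotation
            split($0, f, ":")
            tag = f[1]; qual = f[2]; perms = f[3]
            if (tag == "default") next       # default ACL entries: out of scope here
            if (tag == "mask") { mask = perms; next }
            n++; tags[n] = tag; quals[n] = qual; granted[n] = perms
        }
        END {
            if (mask == "") mask = "rwx"     # no mask entry: nothing is restricted
            for (i = 1; i <= n; i++) {
                tag = tags[i]; qual = quals[i]; p = granted[i]
                # the mask applies to named users, named groups and the owning group
                masked = (tag == "user" && qual != "") || tag == "group"
                e = masked ? eff(p, mask) : p
                if (qual == "" && tag == "user")  qual = owner
                if (qual == "" && tag == "group") qual = group
                print tag ":" qual ":" p ":" e
            }
        }'
}

# effective_perms PERMS MASK: the rwx triple that survives the mask
effective_perms() {
    printf 'user:x:%s\nmask::%s\n' "$1" "$2" | acl_effective | awk -F: '{ print $4 }'
}

# acl_writers: principals whose *effective* rights include write
acl_writers() {
    acl_effective | awk -F: '$4 ~ /w/ { print $1 ":" $2 }'
}

sample_acl | acl_effective
printf 'can write: %s\n' "$(sample_acl | acl_writers | tr '\n' ' ')"
```

Run against a real file with `getfacl somefile | acl_writers`; the point of the exercise is that `user:gord:rw-` in a listing does not mean gord can write.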
ACLs are stored in a binary format in a file's extended attributes, just like SELinux context labels. They can be viewed with the command getfattr using the attribute name system.posix_acl_access (getfattr prints the binary value base64-encoded, which is what the 0s prefix indicates):
$ getfattr -n system.posix_acl_access yearend.ods
# file: yearend.ods
system.posix_acl_access=0sAgAAAAEABgD/////AgAEAPYBAAACAAQA9wEAAAIABgD4AQAAAgAGAPoBAAAEAAYA/////xAABgD/////IAAAAP////8=
Obviously, the output of getfacl is much more useful!
Like SELinux labels, ACLs work only on filesystems that support extended attributes, and therefore cannot be used on filesystems such as VFAT and ISO9660.
On an ext2 or ext3 filesystem, all of the extended attributes must fit into one block, whose size was fixed when the filesystem was created. To determine the block size of a filesystem, use dumpe2fs:
# dumpe2fs /dev/mapper/main-home | grep 'Block size'
dumpe2fs 1.38 (30-Jun-2005)
Block size: 4096
In this case, the block size is 4,096 bytes (4 KB); the SELinux context, ACL, and any other extended attributes must fit within that 4 KB limit.
When an ACL is changed, a new block is allocated, the new ACL is written to that block, and then the old block is freed. If no blocks are available on the filesystem (or if the user doesn't have access to any more blocks, which may be the case if you have enabled per-user storage quotas), then the ACL cannot be changed.
Modification of an ACL may only be performed by the owner of the file or the superuser (root).
8.3.3.1. ...adjusting ACLs graphically?
Unfortunately, Fedora Core does not include any tools that permit ACLs to be viewed or adjusted graphically.
8.3.3.2. ...saving and restoring the ACLs of a file subtree?
The -R option to getfacl produces a recursive listing of the ACLs of all files in the named directory, along with each file's owner and group. setfacl has a --restore option that reads such a listing and sets the ACLs of the whole group of files. This can be used to save and restore ACLs, which is useful when a number of files are being transported between systems, or backed up and restored from tape or optical disk.
For example, this command creates a file named acl.txt that contains all of the ACLs for all files and subdirectories in the current directory:
$ getfacl -R . > acl.txt
The entire directory can be copied to a CD or DVD, backed up to tape or a USB flash drive, or saved in a tarball and sent to another system. The paths in acl.txt are relative to the directory in which getfacl was run, so restore the ACLs at a later date from that same directory:
# setfacl --restore acl.txt
If setfacl is run as root, the ownerships and group ownerships recorded in the listing will also be restored to their original values.
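The save-and-restore procedure above is only as good as the check you do afterwards. The following is an added example, not code from the book, that runs the full round trip on a throwaway tree: set some ACLs (including a default ACL on a directory), save them with getfacl -R, strip them with setfacl -b to simulate a copy that lost them, restore from the listing, and compare the listings before and after. It assumes the acl package is installed and that the temporary directory is on a filesystem mounted with ACL support; when either is missing it prints "skip" rather than a false failure. Numeric IDs (1234, 5678) are used so that the example does not depend on particular user names existing.

```shell
#!/bin/sh
# Added example (not from the book): round-trip the ACLs of a directory tree
# through "getfacl -R" and "setfacl --restore", then verify that the restored
# tree carries exactly the ACLs that were saved. Prints "ok", "skip" (no acl
# tools or no ACL support on the filesystem) or a failure word.

acl_roundtrip() {
    command -v getfacl >/dev/null 2>&1 && command -v setfacl >/dev/null 2>&1 \
        || { echo skip; return 0; }
    work=$(mktemp -d "${TMPDIR:-/tmp}/aclrt.XXXXXX") || return 1

    # A small constructed tree. Numeric IDs are accepted by setfacl and avoid
    # depending on the host's passwd/group files.
    mkdir -p "$work/tree/sub"
    echo data > "$work/tree/a.txt"
    echo data > "$work/tree/sub/b.txt"
    if ! setfacl -m u:1234:r-- "$work/tree/a.txt" 2>/dev/null; then
        rm -rf "$work"; echo skip; return 0       # filesystem without ACL support
    fi
    setfacl -m u:1234:rw-,g:5678:r-- "$work/tree/sub/b.txt"
    setfacl -m d:u:1234:rwx "$work/tree/sub"      # default ACL, inherited by new files

    # Save. Paths in the listing are relative to the current directory, so the
    # save and the restore are both done from $work.
    ( cd "$work" && getfacl -R tree > acl.txt )
    saved=$(cd "$work" && getfacl -R tree)

    # Simulate loss of the ACLs (a copy through a tool that does not carry them).
    setfacl -R -b "$work/tree"
    stripped=$(cd "$work" && getfacl -R tree)

    # Restore from the listing and take a fresh listing to compare against.
    ( cd "$work" && setfacl --restore acl.txt )
    restored=$(cd "$work" && getfacl -R tree)
    rm -rf "$work"

    if [ "$stripped" = "$saved" ]; then echo strip-failed; return 1; fi
    if [ "$restored" = "$saved" ]; then echo ok; else echo mismatch; return 1; fi
}

acl_roundtrip
```

The same before/after comparison is the check to run after any real restore from tape or from another system: save a second `getfacl -R` listing after `setfacl --restore` and diff it against the original.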
8.3.3.3. ...a version of tar that supports ACLs?
Fedora Core provides the star package, which is an advanced replacement for tar. star can back up and restore ACLs along with files when the exustar archive format is used and the -acl option is specified. For example, to back up the /home directory with ACL information:
# star cvzf /tmp/home-backup.star.gz -acl artype=exustar /home
a /home/ directory
a /home/john/ directory
a /home/john/.bash_logout 24 bytes, 1 tape blocks
a /home/john/.bash_profile 191 bytes, 1 tape blocks
a /home/john/.bashrc 124 bytes, 1 tape blocks
a /home/john/.gtkrc 120 bytes, 1 tape blocks
...(Lines snipped)...
To restore from this archive:
# star xvzf /tmp/home-backup.star.gz artype=exustar -acl
star: WARNING: skipping leading '/' on filenames.
Release star 1.5a69 (i386-redhat-linux-gnu)
Archtype exustar
Dumpdate 1146974078.733347 (Sat May 6 23:54:38 2006)
Volno 1
Blocksize 20
x home/ directory
x home/john/ directory
x home/john/.bash_logout 24 bytes, 1 tape blocks
x home/john/.bash_profile 191 bytes, 1 tape blocks
x home/john/.bashrc 124 bytes, 1 tape blocks
x home/john/.gtkrc 120 bytes, 1 tape blocks
...(Lines snipped)...
8.3.4. Where Can I Learn More?
The manpages for acl(5), getfacl, and setfacl
The manpages for star and spax
8.4. Making Files Immutable
Because the root user can override permissions, file permissions alone are not enough to ensure that a file will not be changed. But when a file is made immutable, it cannot be written to, renamed, deleted, or hard-linked by anyone, not even root, until the attribute is removed. Removing it requires root (the CAP_LINUX_IMMUTABLE capability), so the attribute protects against accidents and against unprivileged accounts; an attacker who already has root can simply clear it.
To make a file immutable, use the chattr (change attribute) command to add the i attribute to the file:
# chattr +i foo
# date >> foo
bash: foo: Permission denied
# mv foo baz
mv: cannot move `foo' to `baz': Operation not permitted
# rm foo
rm: cannot remove `foo': Operation not permitted
You can find out if the i attribute has been set by using the lsattr (list-attribute) command:
# lsattr foo
----i-------- foo
The presence of the i in the output indicates that the file foo has been made immutable.
Removing the i attribute causes the file to act normally again:
# chattr -i foo
# date >> foo
#
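Because the immutable attribute is cheap to set and survives a naive cleanup, it is also used by intruders to pin a modified /etc/passwd, a cron entry or a replaced binary in place, so a periodic sweep for unexpected immutable files is worth having. The following is an added example, not code from the book, that uses lsattr -R to list every file under a directory carrying the i attribute. It assumes lsattr from e2fsprogs is installed; files on filesystems without attribute support simply produce no output. Compare the result against the short list of files you deliberately pinned.

```shell
#!/bin/sh
# Added example (not from the book): find files carrying the immutable (i)
# attribute below a directory. Unexpected entries deserve a look, since
# "chattr +i" is a common way to keep a tampered file from being cleaned up.

# immutable_files DIR: print the path of every immutable file below DIR
immutable_files() {
    lsattr -R "$1" 2>/dev/null | awk '
        # lsattr -R prints "DIR:" headers, blank lines and "FLAGS PATH" lines.
        # A lowercase i in the flag field means immutable; uppercase I is the
        # unrelated htree-indexed-directory flag, and index() is case-sensitive.
        NF >= 2 && $1 ~ /^[-A-Za-z]+$/ && index($1, "i") > 0 {
            print substr($0, length($1) + 2)   # keeps paths containing spaces intact
        }'
}

# is_immutable FILE: exit status 0 when FILE has the i attribute
is_immutable() {
    flags=$(lsattr -d "$1" 2>/dev/null | awk '{ print $1 }')
    case $flags in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Sweep /etc by default; pass another directory as the first argument.
immutable_files "${1:-/etc}"
```

Run the sweep as root so that lsattr can open every file; as an ordinary user, files you cannot read are silently skipped. Keep in mind the caveat above: a root-level intruder can clear the attribute before you look, so this is a tripwire, not a guarantee.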