Manage Permissions with Access Control Lists
Access Control Lists (ACLs) are a very powerful tool for managing permissions within a file system. ACLs allow for arbitrary lists of specific users and groups to be given read, write, and/or execute permissions on any file or directory that you own. ACLs provide the common UNIX read, write, and execute permissions for individual users or groups of users, and you may have as many ACL entries as necessary to achieve the precise set of permissions you need on a given file or directory.
Note
While the ML Cloud supports ACL, QB has a slightly different set of instructions, which sometimes do not update properly.
Important note: Access Control Lists work only in an additive fashion and cannot be used to remove permissions granted through the regular UNIX permissions commands. For example, if you want all the members of a group but one to have access to a file, you cannot start by granting access to the group and then removing access for one user; instead, you must remove access for the whole group, then add the appropriate permissions for each individual.
The two important command-line tools for managing ACLs are `setfacl` and `getfacl`. These commands are used to create or change ACLs, and to read the contents of an ACL, respectively. The man pages provide detailed documentation on both commands:
man setfacl
man getfacl
Viewing ACLs
Viewing the ACLs of a specific file or directory is simple and can be done with the `getfacl` command:
getfacl myfile
# file: /mnt/lustre/work/group/user/myfile
# owner: root
# group: root
user::rw-
user:testuser:r--
group::---
mask::r--
other::---
Note that the command's output is in a specialized format that can also be fed back to `setfacl` (for example with `setfacl --set-file`) to set the same ACL elsewhere. The `mask` entry caps the effective permissions of every named user, the owning group and every named group, so a named user entry of `rwx` grants only what the mask allows; `setfacl -m` recalculates the mask automatically unless `-n` is given.
Note
You must have read access to the file or directory in question in order to read its ACLs.
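As an added example (not part of this documentation), a small Python parser for the `getfacl` output format shown above: it computes the effective permission of every entry under the mask and rebuilds the matching `setfacl -m` specification. The sample output is constructed, and the names `kristina`, `testuser` and `auditors` are illustrative.

```python
# Constructed getfacl output (not from a real system); "#effective:" is what
# getfacl appends to an entry when the mask limits it.
SAMPLE = """\
# file: mydirectory/report.txt
# owner: kristina
user::rw-
user:testuser:rwx          #effective:r--
group::r--
group:auditors:rw-         #effective:r--
mask::r--
other::---
default:user:kristina:rwx
"""

def fmt(perms):  # render a permission set as the rwx triplet getfacl and setfacl use
    return "".join(c if c in perms else "-" for c in "rwx")

def parse_getfacl(text):
    """Return (header dict, list of entry dicts) parsed from getfacl output."""
    header, entries = {}, []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("#"):                            # e.g. "# owner: kristina"
            key, _, val = line[1:].partition(":")
            header[key.strip()] = val.strip()
            continue
        parts = line.split("#", 1)[0].strip().split(":")   # drop the "#effective:" note
        default = parts[0] == "default"
        tag, qualifier, perms = parts[1:] if default else parts
        entries.append({"default": default, "tag": tag, "qualifier": qualifier,
                        "perms": frozenset(perms) & {"r", "w", "x"}})
    return header, entries

def effective_permissions(entries):
    """Map each access-entry label to (nominal, effective) perms. The mask caps named
    users, the owning group and named groups; the owner (user::) and other are not masked."""
    access = [e for e in entries if not e["default"]]
    mask = next((e["perms"] for e in access if e["tag"] == "mask"), None)
    result = {}
    for e in access:
        if e["tag"] == "mask":
            continue
        label = e["tag"] + (":" + e["qualifier"] if e["qualifier"] else "")
        masked = mask is not None and (e["tag"] == "group" or bool(e["qualifier"]))
        result[label] = (fmt(e["perms"]), fmt(e["perms"] & mask if masked else e["perms"]))
    return result

def to_setfacl_spec(entries):  # rebuild a setfacl -m specification (round trip)
    short = {"user": "u", "group": "g", "mask": "m", "other": "o"}
    return ",".join(("d:" if e["default"] else "") +
                    f"{short[e['tag']]}:{e['qualifier']}:{fmt(e['perms'])}" for e in entries)
```

Running `effective_permissions` over a project directory's `getfacl` output shows at a glance which named entries the mask silently reduces, which is the first thing to check when a user reports "I was granted rwx but cannot write".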
Setting ACLs from the Command-Line
The `setfacl` command is the simplest way to manage ACLs. The example below modifies an ACL (with the `-m` option) to add read access for the user "testuser":
setfacl -m u:testuser:r file
The `w` and `x` permission letters can be combined with `r` in the entry to grant read, write, and execute permissions:
setfacl -m u:testuser:rwx file
The `-x` option removes an entry from the ACL entirely. The following command removes the entry for "testuser" that was added in the previous example:
setfacl -x u:testuser:rwx file
Default ACLs
Default ACLs can be set on a directory, and once set, are assigned automatically to all new files created within that directory. Default ACLs are useful when you have a specific and/or complex set of permissions you wish to apply uniformly to all new data in a project directory. Setting default ACLs follows the same format as regular ACLs, with a `d:` prefix in the ACL specification. For example, to assign a default ACL granting user `kristina` full permissions to all NEW data in `mydirectory`, use the following command:
setfacl -m d:u:kristina:rwX mydirectory
The capital `X` in the ACL specification means "add execute permission for directories only" (more precisely, execute is added only where the target is a directory or already has execute permission for some user) and is convenient for situations where you don't know whether the ACL will be applied to a directory or a file. Default ACLs can be set for both users and groups, just as regular ACLs can.
Note
Default ACLs do not alter the permissions of any existing files; they apply only to files created after the default ACL is set.
Created: June 21, 2024