
Manage Permissions with Access Control Lists

Access Control Lists (ACLs) are a powerful tool for managing permissions within a file system. Beyond the single owner, group and other classes of the standard UNIX mode, an ACL lets you grant read, write and/or execute permission on any file or directory you own to an arbitrary list of named users and groups, with as many entries as you need to express the exact set of permissions for that file or directory.

Note

While the ML Cloud supports ACL, QB has a slightly different set of instructions, which sometimes do not update properly.

Important note: ACL entries are evaluated in a fixed order (owner, then named users, then the owning group and named groups, then other), and the first class of entry that matches the calling process decides. Two consequences matter in practice. First, an ACL can never grant more than its mask entry allows: chmod on the group bits rewrites the mask, so a named user or group entry may silently become narrower than what you set (getfacl marks such entries with #effective:). Second, because a named-user entry is checked before any group entry, you can exclude one member of a group by giving that user an explicit empty entry, for example setfacl -m u:username:--- file next to the group entry; an entry that grants nothing denies that user even though the group entry would have allowed access. You do not need to remove the group and re-add every other member individually.

The two important command-line tools for managing ACLs are setfacl and getfacl. These commands are used to create or change ACLs, and to read the contents of an ACL, respectively. The man pages provide detailed documentation on both these commands.

man setfacl
and

man getfacl

Viewing ACLs

Viewing ACLs for a specific file or directory is quite simple, and can be accomplished using the getfacl command:

getfacl myfile
The output will be in the format shown below. This example shows that the owner (root) has read and write access, while the user "testuser" has read-only access:

# file: /mnt/lustre/work/group/user/myfile
# owner: root
# group: root
user::rw-
user:testuser:r--
group::---
mask::r--
other::---

The mask:: entry is the upper bound for every named-user and group entry; here it is r--, so testuser's effective permission stays read-only even if the user entry were widened. The output uses the same entry syntax that setfacl accepts, so a listing can be replayed onto another file, for example getfacl file1 | setfacl --set-file=- file2.

Note

On Linux, reading an ACL works like stat or ls -l: you need search (execute) permission on every directory on the path to the file or directory, but not read permission on the file or directory itself.

Setting ACLs from the Command-Line

The setfacl command is the simplest way to manage ACLs. The example below modifies (with the -m option) the ACL of file to add read access for the user testuser.

setfacl -m u:testuser:r file
The permissions part of the entry is any combination of r, w and x (these are not separate command-line flags); the following grants read, write and execute:

setfacl -m u:testuser:rwx file

The -x option removes an entry from the ACL. The entry is named without a permissions part; the following command removes the testuser entry added in the previous example:

setfacl -x u:testuser file

To strip every extended entry and fall back to the plain mode bits, use setfacl -b file.

Default ACLs

Default ACLs can be set on a directory, and once set, are assigned automatically to all new files and subdirectories created within that directory. Default ACLs are useful when you have a specific and/or complex set of permissions you wish to apply uniformly to all new data in a project directory. Setting default ACLs follows the same format as regular ACLs, with a d: prefix in the ACL specification. For example, to assign a default ACL granting the user kristina full permissions to all NEW data in mydirectory, use the following command:

setfacl -m d:u:kristina:rwX mydirectory

The capital X in the ACL specification means "execute only if the target is a directory (or is already executable)", so it is convenient when you do not know whether the entry will land on a directory or a file. Applied to mydirectory it is stored as x in the default ACL; a new subdirectory inherits it, while a new regular file, created with mode 0666, ends up with a mask of rw- that caps kristina's effective permission at read and write. Check the result with getfacl on a newly created file. Default ACLs can be set for both users and groups, just as regular ACLs can.

Note

Note that default ACLs do not alter the permissions of any existing files; they only apply to files created after the default ACL is set. To cover existing content as well, run setfacl recursively with both an access entry and a default entry, for example setfacl -R -m u:kristina:rwX,d:u:kristina:rwX mydirectory.
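The rules described on this page (the evaluation order behind excluding a single user, the mask:: entry shown in getfacl output, and the way a default ACL becomes a new file's access ACL) can be checked without touching a filesystem. The following Python script is an added example, not code from the original page or from the ML Cloud: it models the access-check and object-creation rules of acl(5) and runs them on two hand-constructed listings written in getfacl's output format. The users alice, bob, carol and kristina, the group project and the paths in the listings are made up for the example.

```python
"""acl(5) rules modelled in Python and exercised on constructed getfacl listings.
No filesystem is touched: the listings below are hand-written in getfacl's output format."""

RWX = "rwx"

def parse_perms(s):  # 'rw-' or 'rw' -> {'r', 'w'}
    return {c for c in s if c in RWX}

def fmt(perms):  # {'r', 'w'} -> 'rw-'
    return "".join(c if c in perms else "-" for c in RWX)

def parse_getfacl(text):
    """Split a getfacl listing into (access_entries, default_entries) of (tag, qualifier, perms).
    Header lines ('# file:' ...) and '#effective:' annotations on mask-capped entries are dropped."""
    access, default = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        target = access
        if line.startswith("default:"):
            line, target = line[len("default:"):], default
        tag, qual, perms = line.split(":", 2)
        target.append((tag, qual, parse_perms(perms)))
    return access, default

def check_access(acl, user, groups, want, owner, owning_group):
    """acl(5) access check: owner -> named user -> owning/named groups -> other; the first
    class that matches decides. Named user and group entries are ANDed with mask::, user:: is not."""
    want = parse_perms(want)
    ent = {(t, q): p for t, q, p in acl}
    mask = ent.get(("mask", ""))
    masked = (lambda p: p & mask) if mask is not None else (lambda p: p)
    if user == owner:                       # 1. user:: entry
        return want <= ent[("user", "")]
    if ("user", user) in ent:               # 2. named user, checked before any group entry
        return want <= masked(ent[("user", user)])
    matching = [masked(p) for (t, q), p in ent.items()
                if t == "group" and (q in groups or (q == "" and owning_group in groups))]
    if matching:                            # 3. any single matching group entry suffices
        return any(want <= p for p in matching)
    return want <= ent[("other", "")]       # 4. other::

def inherit(default_acl, mode):
    """Access ACL a new object receives from its parent's default ACL (acl(5), object creation):
    user::, other:: and mask:: (group:: when there is no mask) are ANDed with the matching bits
    of the creating mode (0666 for files, 0777 for mkdir; the umask is ignored when a default
    ACL exists). Named entries are copied unchanged."""
    def bits(shift):
        return {c for c, b in zip(RWX, (4, 2, 1)) if (mode >> shift) & b}
    has_mask = any(t == "mask" for t, _, _ in default_acl)
    out = []
    for t, q, p in default_acl:
        if (t, q) == ("user", ""):
            p = p & bits(6)
        elif t == "other":
            p = p & bits(0)
        elif t == "mask" or ((t, q) == ("group", "") and not has_mask):
            p = p & bits(3)
        out.append((t, q, set(p)))
    return out

# Constructed listing: bob, a member of group project, is excluded by an empty named-user
# entry; 'chmod g-w' has narrowed mask:: to r--, so group writes are capped (#effective:).
REPORT = """\
# file: shared/report.txt
user::rw-
user:bob:---
group::rw-\t\t\t#effective:r--
mask::r--
other::---
"""

# Constructed listing (default part only): mydirectory after 'setfacl -m d:u:kristina:rwX mydirectory'.
MYDIR = """\
default:user::rwx
default:user:kristina:rwx
default:group::rwx
default:mask::rwx
default:other::---
"""

def demo():
    report, _ = parse_getfacl(REPORT)
    _, ddefault = parse_getfacl(MYDIR)
    new_file = inherit(ddefault, 0o666)     # e.g. touch mydirectory/data
    new_dir = inherit(ddefault, 0o777)      # e.g. mkdir mydirectory/sub
    who = ("kristina", "project")           # owner and owning group of report.txt
    return {
        "bob (in project) reads report": check_access(report, "bob", {"project"}, "r", *who),
        "carol (in project) reads report": check_access(report, "carol", {"project"}, "r", *who),
        "carol writes report (mask r--)": check_access(report, "carol", {"project"}, "w", *who),
        "new file mask": fmt(next(p for t, q, p in new_file if t == "mask")),
        "kristina rw on new file": check_access(new_file, "kristina", set(), "rw", "alice", "project"),
        "kristina x on new file": check_access(new_file, "kristina", set(), "x", "alice", "project"),
        "kristina x on new subdir": check_access(new_dir, "kristina", set(), "x", "alice", "project"),
    }
```

Calling demo() reports that bob is denied read although his group may read, that carol cannot write because the mask is r--, and that kristina gets rw- but not x on a new file under mydirectory while she does get x on a new subdirectory. The parser accepts real getfacl output, so the same functions can be pointed at a listing captured from the cluster to predict who can do what before a job runs.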


Last update: September 9, 2024
Created: September 9, 2024