= Red Hat ACL or Extended Permissions =

**Summary**: How to work with ACLs on Red Hat. \\
**Date**: Around 2014 \\
**Refactor**: 29 March 2025: Checked links and formatting. \\

{{tag>redhat linux}}

The filesystems ext2/3/4 also support more complex file permissions called ACLs. I will not cover that deeply, just enough to get you going.

= Enabling ACLs =

If you want to use ACLs you should mount the filesystem with an extra option. The installer sets this option on all ext4 filesystems that are created during the installation, but filesystems you create afterwards miss it. The option is called {{{acl}}}. You can use the tune2fs command to set the default mount options:

{{{
tune2fs -o acl,user_xattr /dev/vgsrv/home
}}}

Or remove it from the default options:

{{{
tune2fs -o ^acl /dev/vgsrv/home
}}}

= See ACL =

You can recognize that there are ACLs on a file with {{{ls}}}. The last character of the permissions column will be shown as a {{{+}}}. You can use getfacl to see the ACL:

{{{
[root@localhost ~]# ls -l /permissions/
total 4
-rw-rw-r--+ 1 root root 0 Apr 12 12:28 file1
[root@localhost ~]# getfacl /permissions/file1
getfacl: Removing leading '/' from absolute path names
# file: permissions/file1
# owner: root
# group: root
user::rw-
group::r--
group:sjoerdhooft:rw-
mask::rw-
other::r--
}}}

> Note that user::, group:: and other:: refer to the original user, group and other permissions of the file.
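The {{{getfacl}}} output shown above can also be checked by script. The following is an added example, not part of the original page: it lists the named user and group entries and the permissions they effectively get once the {{{mask::}}} entry is applied, which goes slightly beyond the text. The names {{{sample_acl}}} and {{{acl_effective}}} are made up for this example.

```shell
#!/usr/bin/env bash
# Added example: list the named (extended) ACL entries in getfacl output
# and the permissions they really get once the mask is applied.

# Constructed sample: the getfacl output for file1 as shown on this page.
sample_acl() {
cat <<'EOF'
# file: permissions/file1
# owner: root
# group: root
user::rw-
group::r--
group:sjoerdhooft:rw-
mask::rw-
other::r--
EOF
}

# acl_effective (hypothetical helper): reads getfacl output on stdin and
# prints one line per named user/group entry as "type:name:granted:effective".
# Base entries (user::, group::, other::) and default: entries are skipped.
acl_effective() {
  awk -F: '
    /^#/ || NF < 3 { next }                 # header comments, blank lines
    { sub(/[ \t]*#.*/, "", $3) }            # strip trailing "#effective" notes
    $1 == "mask" { mask = $3; next }
    $2 != "" && ($1 == "user" || $1 == "group") {
      t[++n] = $1; q[n] = $2; p[n] = $3     # remember each named entry
    }
    END {
      for (i = 1; i <= n; i++) {
        eff = ""
        for (c = 1; c <= 3; c++) {
          bit = substr(p[i], c, 1)
          # a permission bit only counts if the mask has it as well
          if (mask != "" && substr(mask, c, 1) == "-") bit = "-"
          eff = eff bit
        }
        print t[i] ":" q[i] ":" p[i] ":" eff
      }
    }'
}

# Usage on a real file: getfacl /permissions/file1 2>/dev/null | acl_effective
```

A line where the third and fourth fields differ means the mask is cutting back what that entry was granted.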

= Set ACL =

You can set an ACL using {{{setfacl}}}. This is how I added the private group of user sjoerdhooft to file1 as displayed above:

{{{
setfacl -m g:sjoerdhooft:rw /permissions/file1
}}}

This is an example to add an ACL for a user:

{{{
setfacl -m u:sjoerdhooft:rw /permissions/file1
}}}

This is an example to remove the ACL permissions:

{{{
setfacl -x u:sjoerdhooft /permissions/file1
}}}

This is an example to change (remove) the normal other permissions:

{{{
setfacl -m o::- /permissions/file1
}}}

== Set Default ACLs ==

You can also set a default ACL so all newly created files in a directory receive the permission you set (add {{{d:}}} for default to the command):

{{{
setfacl -m d:u:sjoerdhooft:rw /permissions
}}}

And if you also want all existing files in the directory to receive the permissions, including files in subdirectories, set the recursive option as well:

{{{
setfacl -m d:g:sjoerdhooft:rw -R /permissions
}}}

= Resources =

If you want more information see:

{{{
[root@localhost ~]# man -k acl
acl (5) - Access Control Lists
chacl (1) - change the access control list of a file or directory
getfacl (1) - get file access control lists
.k5login [k5login] (5) - Kerberos V5 acl file for host access
setfacl (1) - set file access control lists
}}}