Monthly Archives: June 2014

ACL: Need particular permissions for a user not in the owner/group of a file?

Have you ever needed to grant a user more permissions on some files when that user is neither the owner nor a member of the owning group? The first temptation is to widen the "Others" permission bits, or to add the user to the owning group. Neither is really what you want, and neither is particularly secure: the first exposes the file to every account on the box, the second hands the user every file that group owns. Try ACLs :).

ACLs let you grant exactly the permissions a given user or group needs on a file, without touching the Others bits and without changing the file's owner or group.

To use ACLs on files or directories, the filesystem holding them must be mounted with the acl option (and the kernel must have POSIX ACL support, which distribution kernels normally do). On ext3/ext4 the filesystem may already carry acl in its default mount options; tune2fs -l /dev/yourdevice | grep 'Default mount options' shows whether that is the case. If not, you have to add it yourself, as below.

Let's say I need to give the "admin" user read/write permission on the file /redologs/mydb/u01/control01.ctl.

ACLs are not enabled on /redologs; look at my fstab:

cat /etc/fstab | grep redologs

/dev/vgdata/lvredo                /redologs                               ext4        defaults                   1    1


First, we need to enable ACLs on /redologs by remounting it with the acl option. Here we do it at runtime (the device name is the device-mapper alias of /dev/vgdata/lvredo):

mount -o remount,acl    /dev/mapper/vgdata-lvredo      /redologs

This only lasts until the next reboot. To make it permanent, add acl to the options column of the fstab entry (defaults,acl) so the filesystem comes up with ACL support on its own; you can verify the live mount options with mount | grep redologs.

Let's check the current permissions before altering anything:

cd /redologs/mydb/u01/

getfacl control01.ctl

# file: control01.ctl
# owner: oracle
# group: oinstall
user::rw-
group::rw-
other::---

No extended entries yet: the three base entries simply mirror the file's rw-rw---- mode, and nothing mentions admin.

Now, let's grant our user read/write permission on control01.ctl (the rule is u:user:perms; note there is no dash in front of the u):

setfacl -m u:admin:rw   control01.ctl

setfacl prints nothing on success, so read the ACL back:

getfacl control01.ctl

# file: control01.ctl
# owner: oracle
# group: oinstall
user::rw-
user:admin:rw-
group::rw-
mask::rw-
other::---

Two things appeared: the user:admin:rw- entry we asked for, and a mask::rw- entry that setfacl computed for us. The mask is the upper bound applied to every named user, named group and the owning-group entry; as long as it stays rw-, admin really gets read and write. Others is still ---, which was the whole point.
If you run ls -l on the file, you will notice a + after the mode bits: that is how ls signals that an extended ACL is present (and the group bits rw- shown there now reflect the mask, not the group entry):

ls -l control01.ctl
-rw-rw----+ 1 oracle oinstall 3198537 Apr 10 14:25 control01.ctl

Log in as admin and test 🙂

Now, a brief how-to for playing with ACLs:

– Use getfacl filename to display the current ACL of a file (entries that are cut down by the mask are shown with an #effective: annotation).
– To set or update ACL entries on a file, use setfacl as follows:

setfacl -m rules filename

where rules are:

u:uid/username:permissions(rwx) for a user
g:gid/groupname:permissions(rwx) for a group
m:permissions(rwx) for the mask, the upper bound applied to every named user, named group and the owning-group entry
o:permissions(rwx) for others

Several rules can be given in one call separated by commas, and -R applies them recursively to a directory tree. setfacl recomputes the mask automatically when you add entries, but be aware that chmod on a file with an extended ACL changes the mask, not the group entry: a later chmod g-w silently takes the write permission away from admin even though user:admin:rw- is still listed. Check with getfacl after any chmod.

– To remove all extended entries and go back to plain mode bits, use the -b option:

setfacl -b filename

– To remove a specific entry, use -x and name the user or group (no permissions are given):

setfacl -x u:admin filename
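To make the mask rule concrete, here is an added example that is not part of the original post: a small POSIX sh script that reads getfacl-style output and computes each entry's effective permission the same way the kernel (and getfacl's #effective: annotation) does, then applies it to two constructed listings of control01.ctl, one right after the setfacl from the walkthrough above and one after a later chmod g-w. The function names and_perms, effective_acl and admin_effective, the variables ACL_AFTER_SETFACL and ACL_AFTER_CHMOD, and both listings are constructed for illustration; the script needs no setfacl and touches no real filesystem.

```shell
#!/bin/sh
# Added example, not code from the original post. Pure POSIX sh: it models
# how the ACL mask caps named entries, without needing setfacl or an ACL mount.

# and_perms PERMS MASK: keep a bit only where both rwx triplets have it,
# e.g. and_perms rw- r-- prints r--
and_perms() {
    p=$1; m=$2; out=""; i=1
    while [ "$i" -le 3 ]; do
        a=$(printf '%s' "$p" | cut -c"$i")
        b=$(printf '%s' "$m" | cut -c"$i")
        if [ "$a" = "$b" ]; then out="$out$a"; else out="$out-"; fi
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# effective_acl: read getfacl output on stdin and print "tag:qualifier:effective"
# for every entry. POSIX ACL rule: the mask caps named users, named groups and
# the owning group (group::); the owner (user::) and other:: are never masked.
effective_acl() {
    acl=$(cat)
    mask=$(printf '%s\n' "$acl" | sed -n 's/^mask::\([rwx-]*\).*/\1/p')
    printf '%s\n' "$acl" | while IFS= read -r line; do
        line=${line%%#*}                          # drop "# file:" headers and #effective: notes
        line=$(printf '%s' "$line" | tr -d ' \t')
        [ -n "$line" ] || continue
        tag=${line%%:*}
        rest=${line#*:}
        qual=${rest%%:*}
        perms=${line##*:}
        case "$tag:$qual" in
            user:|other:|mask:) eff=$perms ;;     # owner, other and the mask itself: unmasked
            *) if [ -n "$mask" ]; then eff=$(and_perms "$perms" "$mask"); else eff=$perms; fi ;;
        esac
        printf '%s:%s:%s\n' "$tag" "$qual" "$eff"
    done
}

# Constructed listing (mirrors the post's scenario) right after:
#   setfacl -m u:admin:rw control01.ctl
ACL_AFTER_SETFACL='# file: control01.ctl
# owner: oracle
# group: oinstall
user::rw-
user:admin:rw-
group::rw-
mask::rw-
other::---'

# Constructed listing after someone later runs:
#   chmod g-w control01.ctl
# On a file with an extended ACL the group bits of the mode are the mask, so
# chmod rewrites mask::, not group::; every masked entry shrinks with it.
ACL_AFTER_CHMOD='# file: control01.ctl
# owner: oracle
# group: oinstall
user::rw-
user:admin:rw-
group::rw-
mask::r--
other::---'

# admin_effective ACL_TEXT: the effective permission of the user:admin entry
admin_effective() {
    printf '%s\n' "$1" | effective_acl | sed -n 's/^user:admin://p'
}

printf 'after setfacl:   admin effectively has %s\n' "$(admin_effective "$ACL_AFTER_SETFACL")"
printf 'after chmod g-w: admin effectively has %s\n' "$(admin_effective "$ACL_AFTER_CHMOD")"
```

The second line is the one to remember: the user:admin:rw- entry is still listed, yet admin can no longer write, because the mask fell to r--. On a real file you would see exactly this as getfacl's `user:admin:rw- #effective:r--`; the fix is `setfacl -m m:rw control01.ctl` (or re-running the original setfacl, which recomputes the mask).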

Well, it seems quick :), but the first time I used ACLs I was working with the Gentoo distribution and I had to recompile the whole kernel with ACL support to be able to use it on my filesystems, and restart the server. Not so tempting to your client, no? xD xD