mask r--

other ---

Notice that permissions that are not effective due to the mask value are shown in uppercase (the name inserted into the qualifier column is the file's owner and group owner).

It can be convenient to create an alias for viewing the tabular output:

$ alias showacl='getfacl --tabular'

Don't name this alias getfacl, or you won't be able to copy ACLs between files; tabular output cannot be used as input to setfacl.

8.3.2. How Does It Work?

ACLs are stored in a compressed format in a file's extended attributes, just like SELinux context labels. They can be viewed with the command getfattr using the name system.posix_acl_access:

$ getfattr -n system.posix_acl_access yearend.ods

# file: yearend.ods

system.posix_acl_access=0sAgAAAAEABgD/////AgAEAPYBAAACAAQA9wEAAAIABg

D4AQAAAgAGAPoBAAAEAAYA/////xAABgD/////IAAAAP////8=

Obviously, the output of getfacl is much more useful!
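To show what that attribute value contains, the following added example (not part of the original text) decodes the value printed above. It assumes the Linux kernel's POSIX ACL attribute layout: a 4-byte little-endian version number followed by 8-byte entries of tag, permission bits, and numeric ID. The names parse_acl and rwx are this example's own.

```python
import base64
import struct

# Value copied from the getfattr output shown above; "0s" marks base64.
XATTR = ("0sAgAAAAEABgD/////AgAEAPYBAAACAAQA9wEAAAIABg"
         "D4AQAAAgAGAPoBAAAEAAYA/////xAABgD/////IAAAAP////8=")

# Tag values from the kernel's POSIX ACL definitions.
TAGS = {0x01: "user_obj", 0x02: "user", 0x04: "group_obj",
        0x08: "group", 0x10: "mask", 0x20: "other"}
MASKED = {"user", "group_obj", "group"}  # entries limited by the mask
NO_ID = 0xFFFFFFFF                       # "no qualifier" marker


def rwx(perm):
    return "".join(c if perm & b else "-" for c, b in zip("rwx", (4, 2, 1)))


def parse_acl(value):
    """Return a list of (tag, qualifier, perms, effective_perms)."""
    if not value.startswith("0s"):
        raise ValueError("expected getfattr base64 output (0s prefix)")
    raw = base64.b64decode(value[2:], validate=True)
    if len(raw) < 4 or (len(raw) - 4) % 8:
        raise ValueError("truncated ACL attribute")
    (version,) = struct.unpack_from("<I", raw, 0)
    if version != 2:
        raise ValueError(f"unsupported ACL xattr version {version}")
    entries = list(struct.iter_unpack("<HHI", raw[4:]))
    if any(tag not in TAGS for tag, _, _ in entries):
        raise ValueError("unknown ACL tag in attribute")
    # Without a mask entry nothing is filtered, so default to rwx (7).
    mask = next((p for t, p, _ in entries if t == 0x10), 7)
    out = []
    for tag, perm, ident in entries:
        name = TAGS[tag]
        eff = perm & mask if name in MASKED else perm
        out.append((name, None if ident == NO_ID else ident, rwx(perm), rwx(eff)))
    return out


if __name__ == "__main__":
    for name, ident, perm, eff in parse_acl(XATTR):
        q = "" if ident is None else str(ident)
        print(f"{name:<10}{q:<8}{perm}  effective {eff}")
```

The qualifiers are numeric user and group IDs, not names, so an ACL copied to a system with different ID assignments grants access to whichever accounts hold those numbers there.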

Like SELinux labels, ACLs work only on filesystems that support extended attributes, and therefore cannot be used on filesystems such as VFAT and ISO9660.

On an ext2 or ext3 filesystem, all of the extended attributes must fit into one block, as defined at the time that the filesystem was created. To determine the block size of a filesystem, use dumpe2fs:

# dumpe2fs /dev/mapper/main-home | grep 'Block size'

dumpe2fs 1.38 (30-Jun-2005)

Block size: 4096

In this case, the block size is 4,096 bytes (4 KB); the SELinux context, ACL, and any other extended attributes must fit within that 4 KB limit.

When an ACL is changed, a new block is allocated, the new ACL is written to that block, and then the old block is freed. If no blocks are available on the filesystem (or if the user doesn't have access to any more blocks, which may be the case if you have enabled per-user storage quotas), then the ACL cannot be changed.

Modification of an ACL may only be performed by the owner of the file and the superuser (root).

8.3.3. What About...

8.3.3.1. ...adjusting ACLs graphically?

Unfortunately, Fedora Core does not include any tools that permit ACLs to be viewed or adjusted graphically.

8.3.3.2. ...saving and restoring the ACLs of a file subtree?

The -R option to getfacl produces a recursive listing of all files in the named directory. setfacl has a --restore option that will use such a recursive listing to set the ACLs of a group of files. This can be used to save and restore ACLs, which is useful if a number of files are being transported between systems, or backed up and restored from tape or optical disk.

For example, this command creates a file named acl.txt that contains all of the ACLs for all files and subdirectories in the current directory:

$ getfacl -R . > acl.txt

The entire directory can be copied to a CD or DVD, backed up to tape or a USB flash drive, or saved in a tarball and sent to another system. To restore the ACLs at a later date:

# setfacl --restore acl.txt

If the setfacl command is run as root, the ownerships and group ownerships will also be reset to their original values.

8.3.3.3. ...a version of tar that supports ACLs?

Fedora Core provides the star package, which is an advanced replacement for tar. star can back up and restore ACLs along with files when the exustar archive format is used and the -acl option is specified. For example, to back up the /home directory with ACL information:

# star cvzf /tmp/home-backup.star.gz -acl artype=exustar /home

a /home/ directory

a /home/john/ directory

a /home/john/.bash_logout 24 bytes, 1 tape blocks

a /home/john/.bash_profile 191 bytes, 1 tape blocks

a /home/john/.bashrc 124 bytes, 1 tape blocks

a /home/john/.gtkrc 120 bytes, 1 tape blocks

...(Lines snipped)...

To restore from this archive:

# star xvzf /tmp/home-
