When you use a Linux system as a single user, the standard Linux permissions (owner, group, other) are usually enough for daily work. But if the system is shared by several users, you need finer-grained permissions to share directories and files securely. For that you can use an ACL (Access Control List), which lets several different users or groups each have their own permissions on the same directory or file instead of the single owner/group/other triplet.
The getfacl command shows the ACL of a given directory or file, and the setfacl command sets or modifies it.
As an example of implementing ACLs, suppose you have one shared directory that several groups and users need to work in; you can use an ACL to secure that directory.
First create two new groups named IT and STAFF.
# groupadd IT
# groupadd STAFF
Check /etc/group to make sure the new groups were created successfully.
In /etc/group, group IT has GID 1001 and STAFF has GID 1002 (the IDs may differ on your system; useradd -G accepts the group name as well as the GID).
Create users it1 and it2 with IT as their supplementary group, and users staff1 and staff2 with STAFF as their supplementary group.
# useradd -G 1001 it1
# useradd -G 1001 it2
# useradd -G 1002 staff1
# useradd -G 1002 staff2
Check /etc/group again: it1 and it2 are now listed as members of IT, and staff1 and staff2 as members of STAFF.
Set a password for each user (this lab uses redhat as the password for all four; use something stronger outside a lab).
# passwd it1
# passwd it2
# passwd staff1
# passwd staff2
Create a new directory named WorkingDir:
# mkdir /WorkingDir
then check the ACL of the WorkingDir directory (getfacl /WorkingDir).
By default the WorkingDir directory is owned by the root user and the root group, and getfacl shows only the three standard entries (user::, group::, other::). Next we configure an ACL on this directory so that the IT and STAFF groups get read/write permission on it; the access entries are added with setfacl -m and a g:IT:rwX and a g:STAFF:rwX entry on /WorkingDir, the same form as the default entries shown below but without the d: prefix.
Check the ACL of WorkingDir again (getfacl /WorkingDir).
Now the IT and STAFF groups have read/write access to the /WorkingDir directory. But these access entries apply to the directory itself only (setfacl -R would apply them to existing contents as well) and they are not inherited by files and subdirectories created later. To make new entries inherit the permissions, you must also configure a default ACL on WorkingDir. The capital X grants execute only on directories (and on files that are already executable), so inherited regular files get rw without becoming executable:
# setfacl -m d:g:IT:rwX /WorkingDir
# setfacl -m d:g:STAFF:rwX /WorkingDir
Log out of root, log in as each of the users (it1, it2, staff1, staff2), and test access by creating new files in /WorkingDir.
Users who are members of the IT or STAFF group can now enter /WorkingDir and create files there. Keep in mind that setfacl recalculates the mask:: entry for you, but a later chmod on the directory rewrites that mask and can silently cap every named user and group entry, which getfacl then flags with #effective.
As a last example built on the configuration above, if you want an exception so that the user staff2 has read permission only, add a named-user entry to the ACL. A named user entry takes precedence over the group entries, so it overrides g:STAFF:rwX for this one user even though staff2 is still a member of STAFF:
# setfacl -m u:staff2:r-- /WorkingDir
Set the default entry too, so that files created later carry the same restriction:
# setfacl -m d:u:staff2:r-- /WorkingDir
Now check the configuration as the staff2 user (getfacl /WorkingDir shows the entry user:staff2:r--).
staff2 can no longer create files in /WorkingDir. Note that r-- on a directory grants only listing of file names: without x, staff2 also cannot cd into /WorkingDir or open the files inside it. If you intended read-only browsing rather than a near-total lockout, use r-x instead of r--.
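To see why the group grants above and the staff2 exception behave the way they do, the following added example (written for this page, not code from the original tutorial) evaluates a getfacl listing offline, in the same order the Linux kernel uses: owner entry first, then a matching named user entry, then the owning group and any matching named group entries (only these are filtered through mask::), and other:: last. The ACL text, the user names and the group memberships are constructed to match the configuration built in this tutorial, not captured from a real system.

```python
"""Evaluate POSIX ACL permissions offline, following the kernel's order.

Added example (not part of the original tutorial). The ACL text below is
constructed to match /WorkingDir after the tutorial's setfacl commands.
"""

# Constructed getfacl output for /WorkingDir (access entries plus the
# default entries added with setfacl -m d:...). Not captured from a system.
WORKINGDIR_ACL = """\
# file: WorkingDir
# owner: root
# group: root
user::rwx
user:staff2:r--
group::r-x
group:IT:rwx
group:STAFF:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:staff2:r--
default:group::r-x
default:group:IT:rwx
default:group:STAFF:rwx
default:mask::rwx
default:other::r-x
"""


def parse_getfacl(text):
    """Parse getfacl long-form output into sets of permission bits."""
    acl = {"owner": None, "owning_group": None, "user_obj": set(),
           "users": {}, "group_obj": set(), "groups": {}, "mask": None,
           "other": set(), "default": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# owner:"):
            acl["owner"] = line.split(":", 1)[1].strip()
            continue
        if line.startswith("# group:"):
            acl["owning_group"] = line.split(":", 1)[1].strip()
            continue
        if not line or line.startswith("#"):
            continue
        line = line.split("#", 1)[0].strip()   # drop "#effective:..." notes
        if line.startswith("default:"):
            acl["default"].append(line)        # inherited by new entries only
            continue
        tag, name, perms = line.split(":")[-3:]
        bits = set(perms) - {"-"}
        if tag == "user":
            if name:
                acl["users"][name] = bits      # named user (u:NAME)
            else:
                acl["user_obj"] = bits         # owner (user::)
        elif tag == "group":
            if name:
                acl["groups"][name] = bits     # named group (g:NAME)
            else:
                acl["group_obj"] = bits        # owning group (group::)
        elif tag == "mask":
            acl["mask"] = bits
        elif tag == "other":
            acl["other"] = bits
    return acl


def acl_check(acl, user, groups, want):
    """True if `user`, a member of `groups`, is granted every bit in `want`.

    Mirrors the kernel: the owner and other:: entries are not masked; a
    named user entry wins over group entries; among group entries the first
    one that grants all of `want` is taken and then filtered by mask::, and
    if any group entry matched the user, other:: is never consulted.
    """
    want = set(want)
    mask = acl["mask"]

    def masked(bits):
        return bits if mask is None else bits & mask

    if user == acl["owner"]:
        return want <= acl["user_obj"]
    if user in acl["users"]:
        return want <= masked(acl["users"][user])
    candidates = []
    if acl["owning_group"] in groups:
        candidates.append(acl["group_obj"])
    candidates += [bits for g, bits in acl["groups"].items() if g in groups]
    for bits in candidates:
        if want <= bits:
            return want <= masked(bits)
    if candidates:                     # a group matched but did not grant
        return False
    return want <= acl["other"]


def effective(acl, user, groups):
    """Per-bit effective permissions as an rwx string, e.g. 'r--'."""
    return "".join(b if acl_check(acl, user, groups, b) else "-" for b in "rwx")


if __name__ == "__main__":
    acl = parse_getfacl(WORKINGDIR_ACL)
    # Group memberships as created in the tutorial (constructed).
    members = {"root": ["root"], "it1": ["it1", "IT"],
               "staff1": ["staff1", "STAFF"], "staff2": ["staff2", "STAFF"],
               "guest": ["guest"]}
    for user, groups in members.items():
        print(f"{user:7s} {effective(acl, user, groups)}")
```

Running it shows it1 and staff1 with rwx, staff2 with r-- (the named user entry overrides g:STAFF), root with rwx from the owner entry and an unrelated user with r-x from other::. Two edge cases worth trying: changing mask::rwx to mask::r-x (what a chmod g-w on the directory would do) drops it1 to r-x, and a user whose groups grant r-- and -w- in two separate entries shows an effective rw- per bit yet fails a single request for rw, because the kernel requires one group entry to cover the whole request.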