Is it possible to create a "negative" ACL?

Question

Is it possible to create an ACL to deny access to a specific user (say jdoe) to a specific file?

I'm not interested in the trivial solution of an ACL that gives access to the file to all users except jdoe. This solution has the disadvantage that any user created successively in the system won't have access to the file.

Creating a group of all users except jdoe and granting group access to the file bears the same disadvantage.

The command setfacl -x u:jdoe /path/file won't work as it removes only created ACLs.

how about seting the group ownership of the file to a group containing only this user and restricting access to group - with chmod 0604? — adonis, May 11 '16 at 15:10
This won't work as the other permission (which is r--) applies, therefore jdoe will have read access to the file. — dr_, May 11 '16 at 15:18
what you say is reasonable, but I just tried it and it works on my system (ubuntu 16.04). — adonis, May 11 '16 at 15:20
Near-duplicate: Precedence of user and group owner in file permissions — Gilles 'SO- stop being evil', May 11 '16 at 21:47
@dr01 No, other permissions do not apply if a more specific permission applies. User permissions are considered first, then group, then other. The first match applies, there is no “or” operation except within the group level. — Gilles 'SO- stop being evil', May 11 '16 at 21:47
You're absolutely right -- I just tested on a CentOS 7 machine and it works. @adonis, I'm going to accept Christopher's answer as the most correct one, but please write your comment as an answer so I can upvote. Thank you. — dr_, May 12 '16 at 07:36

score 7 · Accepted Answer · answered May 11 '16 at 15:52

Sure, to demonstrate, as root...

touch /tmp/test
setfacl -m u:jdoe:--- /tmp/test
getfacl /tmp/test
su - jdoe
cat /tmp/test
exit
rm /tmp/test

It could be done to every file in a directory by default as well:

mkdir /var/data/not-for-jdoe
setfacl -m u:jdoe:--- /var/data/not-for-jdoe
setfacl -d -m u:jdoe:--- /var/data/not-for-jdoe

Above, the -m switch is the mask and the -d switch makes it the default mask for all new filesystem objects in the directory. The --- can have other permission values, e.g.:

rwx
r--
rw-
r-x
7
4
6
5

The group and other masks work the same way: g:groupname:--- or in combination: u:username:---,g:groupname:---,o::---. Not specifying a username or group name applies the mask to current user/group ownership.

schily · Answer 2 · 2016-05-11T14:29:56.813

-4

setfacl is a command from the deprecated because withdrawn in 1997 POSIX ACL draft proposal that was never standardized.

setfacl cannot do this.

If you have a modern OS that supports NFSv4/NTFS ACLs, you can do this. See e.g. http://schillix.sourceforge.net/man/man1/chmod.1.html

Check the examples starting at page 19.

This is for Solaris, but AIX and OSX also support NFSv4 ACLs.

edited May 11 '16 at 14:29

answered May 11 '16 at 14:24

schily

19,173

Well, setfacl certainly can do what the OP wants it to do in Linux – fpmurphy May 11 '16 at 17:27

Is it possible to create a "negative" ACL?

2 Answers2