4

Is it possible to create an ACL to deny access to a specific user (say jdoe) to a specific file?

I'm not interested in the trivial solution of an ACL that gives access to the file to all users except jdoe. This solution has the disadvantage that any user created successively in the system won't have access to the file.

Creating a group of all users except jdoe and granting group access to the file bears the same disadvantage.

The command setfacl -x u:jdoe /path/file won't work as it removes only created ACLs.

dr_
  • 29,602

2 Answers

7

Sure, to demonstrate, as root...

touch /tmp/test
setfacl -m u:jdoe:--- /tmp/test
getfacl /tmp/test
su - jdoe
cat /tmp/test
exit
rm /tmp/test

It could be done to every file in a directory by default as well:

mkdir /var/data/not-for-jdoe
setfacl -m u:jdoe:--- /var/data/not-for-jdoe
setfacl -d -m u:jdoe:--- /var/data/not-for-jdoe

Above, the -m switch is the mask and the -d switch makes it the default mask for all new filesystem objects in the directory. The --- can have other permission values, e.g.:

  • rwx
  • r--
  • rw-
  • r-x
  • 7
  • 4
  • 6
  • 5

The group and other masks work the same way: g:groupname:--- or in combination: u:username:---,g:groupname:---,o::---. Not specifying a username or group name applies the mask to current user/group ownership.

Christopher
  • 15,911
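A check to run after applying the commands above, written here as an added example (not code from the answer or from the acl package): parse getfacl output and compute a named user's effective permissions, ANDing the named entry with the mask:: entry, which is what makes u:jdoe:--- an actual denial and also why a generous named entry can be silently capped. The getfacl text and the users jdoe and alice are constructed.

```python
# Constructed getfacl output (not from the page) for a file protected as in
# the answer above (setfacl -m u:jdoe:--- /tmp/test), plus a named entry for
# "alice" whose rw- exceeds the mask, so getfacl annotates the effective r--.
SAMPLE_FILE_ACL = """\
# file: tmp/test
# owner: root
# group: root
user::rw-
user:jdoe:---
user:alice:rw-          #effective:r--
group::r--
mask::r--
other::r--
"""

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def parse_acl(text, default=False):
    """Map (tag, qualifier) -> perms for access entries, or for the
    default: entries when default=True (the directory case above)."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop "# file:" and #effective
        if not line:
            continue
        parts = line.split(":")
        is_default = parts[0] == "default"
        if is_default:
            parts = parts[1:]
        if is_default == default and len(parts) == 3:
            tag, qualifier, perms = parts
            entries[(tag, qualifier)] = perms
    return entries


def effective_perms(text, user, default=False):
    """Effective rwx for a named user entry (perms ANDed with mask::).
    None means no named entry: owner/group/other rules decide instead."""
    acl = parse_acl(text, default)
    named = acl.get(("user", user))
    if named is None:
        return None
    bits = sum(PERM_BITS[c] for c in named if c in PERM_BITS)
    mask = acl.get(("mask", ""))
    if mask is not None:  # the mask caps every named-user and group entry
        bits &= sum(PERM_BITS[c] for c in mask if c in PERM_BITS)
    return "".join(c if bits & b else "-" for c, b in PERM_BITS.items())
```

A result of "---" is the explicit denial the question asks for; None means the user simply has no named entry and falls through to the owner, group and other permissions.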
-4

setfacl is a command from the POSIX ACL draft proposal, which is deprecated because it was withdrawn in 1997 and never standardized.

setfacl cannot do this.

If you have a modern OS that supports NFSv4/NTFS ACLs, you can do this. See e.g. http://schillix.sourceforge.net/man/man1/chmod.1.html

Check the examples starting at page 19.

This is for Solaris, but AIX and OSX also support NFSv4 ACLs.

schily
  • 19,173