To simplify ACL management, you can define a default ACL on a directory;
objects created in that directory then inherit it automatically.
- The file default ACL is copied to a newly created file as its
access ACL. It is also copied to a newly created subdirectory as
its file default ACL.
- The directory default ACL is copied to a newly created subdirectory
as both its access ACL and directory default ACL. You can modify
or delete inherited ACLs later.
Default ACLs have the same format as access ACLs.
Examples: Following are examples of working with default ACLs:
- Define a directory default ACL for the directory named /u/ProjectX.
setfacl -m default:group:admins:r-x,default:group:dirgrp:rwx /u/ProjectX
The entries contain an extra qualifier to designate the directory
default ACL. The groups named admins and dirgrp will automatically get access to any new
subdirectories created within /u/ProjectX.
Creating a default ACL will not grant access to directories that already
exist.
- Display the directory default ACL created in the previous step.
getfacl -d /u/ProjectX
#file: /u/ProjectX
#owner: TCPAUTO
#group: SYS1
default:group:ADMINS:r-x
default:group:DIRGRP:rwx
The -d option says to display
only the extended ACL entries in the directory default ACL.
- Define a file default ACL for the directory named /u/ProjectX, and all of its subdirectories.
setfacl -m fdefault:group:admins:r--,fdefault:group:dirgrp:rw- $(find /u/ProjectX -type d)
The two entries are separated by a comma with no space, so that they form a single
-m argument; the find command expands to /u/ProjectX and every directory below it.
The extra entry qualifier in this case designates the file default ACL.
The groups named admins and dirgrp will automatically get access to any new files created within
the /u/ProjectX subtree. Creating a default
ACL will not grant access to files that already exist.
- Display the contents of all of the ACL types for the directory
named /u/ProjectX.
getfacl -adf /u/ProjectX
#file: /u/ProjectX
#owner: TCPAUTO
#group: SYS1
user::rwx
group::r-x
other::r-x
user:JOE:--x
fdefault:group:ADMINS:r--
fdefault:group:DIRGRP:rwx
default:group:ADMINS:r-x
default:group:DIRGRP:rwx
This example requests the access ACL (the -a option), the directory
default ACL (the -d option), and the file default ACL (the -f option).
The base permission bits are displayed when the -a option is specified
(or defaulted).
Guideline: Analyze your file system space
utilization before implementing default ACLs in your file system.
If you use both file and directory default ACLs in every directory
in the file system, a separate physical ACL is created for every new
file and directory. Using an access ACL for every directory will
probably not cause concerns about space utilization. However, the
same cannot be said of files, especially if the inherited ACLs are
large.
Tip: ACLs are not inherited across mount points. Suppose that you have
a default ACL defined on the directory /dir1/dir2. You then create another
directory, /dir1/dir2/dir3, and use it as a mount point on which to mount
another file system. The root directory of the mounted file system will
not inherit the default ACL that had been established at /dir1/dir2.
If you want the default ACLs of dir2 to apply to dir3, you must copy
them to dir3 after dir3 has been mounted.
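Because default ACLs are not inherited across mount points and are never applied retroactively, a directory tree can silently end up with subdirectories that lack the default entries you intended. The following script is an added example, not part of the z/OS documentation: it parses a captured getfacl -adf listing (the format shown above, with one #file: header per directory) and reports every directory that is missing one of the expected default or fdefault entries. The sample listing is constructed for the example, and the commented invocation at the end is a hypothetical way to feed it a real subtree on z/OS.

```shell
#!/bin/sh
# Added example, not from the z/OS documentation: audit a captured
# "getfacl -adf" listing (one or more directories) for the default
# entries each directory is expected to carry.

# Constructed sample listing: /u/ProjectX after the steps above, plus a
# subdirectory used as a mount point, whose root inherited nothing.
SAMPLE='#file: /u/ProjectX
#owner: TCPAUTO
#group: SYS1
user::rwx
group::r-x
other::r-x
fdefault:group:ADMINS:r--
fdefault:group:DIRGRP:rw-
default:group:ADMINS:r-x
default:group:DIRGRP:rwx
#file: /u/ProjectX/mnt
#owner: TCPAUTO
#group: SYS1
user::rwx
group::r-x
other::r-x'

# missing_defaults LISTING ENTRY...
#   Prints "<path> <entry>" for every directory in LISTING that lacks one
#   of the expected default or fdefault entries. Entries are compared
#   case-insensitively because getfacl shows group names in upper case.
#   Returns 0 when every directory has every entry, 1 otherwise.
missing_defaults() {
  listing=$1
  shift
  printf '%s\n' "$listing" | awk -v want="$*" '
    BEGIN { n = split(want, w, " "); rc = 0 }
    /^#file: / { flush(); path = substr($0, 8); next }
    /^#/ { next }                                  # owner/group header lines
    /^(default|fdefault):/ { seen[tolower($0)] = 1 }
    END { flush(); exit rc }
    # Report the directory collected so far, then reset for the next one.
    function flush(  i, k) {
      if (path == "") return
      for (i = 1; i <= n; i++)
        if (!(tolower(w[i]) in seen)) { print path, w[i]; rc = 1 }
      for (k in seen) delete seen[k]
      path = ""
    }'
}

# Hypothetical use on z/OS: feed the listing for a whole subtree.
#   missing_defaults "$(getfacl -adf $(find /u/ProjectX -type d))" \
#       default:group:admins:r-x fdefault:group:admins:r--
```

Run with the expected entries as arguments; any line it prints names a directory whose new files or subdirectories will not receive the inherited access you planned, which is exactly the situation the mount-point tip describes. Because the check works on a saved listing, it can also be kept as a record of the ACL state at audit time.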