
Is it possible to create an ACL to deny access to a specific user (say jdoe) to a specific file?

I'm not interested in the trivial solution of an ACL that gives access to the file to all users except jdoe. This solution has the disadvantage that any user created successively in the system won't have access to the file.

Creating a group of all users except jdoe and granting group access to the file bears the same disadvantage.

The command setfacl -x u:jdoe /path/file won't work as it removes only created ACLs.

  • how about setting the group ownership of the file to a group containing only this user and restricting access to group - with chmod 0604? Commented May 11, 2016 at 15:10
  • This won't work as the other permission (which is r--) applies, therefore jdoe will have read access to the file. Commented May 11, 2016 at 15:18
  • what you say is reasonable, but I just tried it and it works on my system (ubuntu 16.04). Commented May 11, 2016 at 15:20
  • Near-duplicate: Precedence of user and group owner in file permissions Commented May 11, 2016 at 21:47
  • @dr01 No, other permissions do not apply if a more specific permission applies. User permissions are considered first, then group, then other. The first match applies, there is no “or” operation except within the group level. Commented May 11, 2016 at 21:47

2 Answers

7

Sure, to demonstrate, as root...

    touch /tmp/test
    setfacl -m u:jdoe:--- /tmp/test
    getfacl /tmp/test
    su - jdoe
    cat /tmp/test
    exit
    rm /tmp/test

It could be done to every file in a directory by default as well:

    mkdir /var/data/not-for-jdoe
    setfacl -m u:jdoe:--- /var/data/not-for-jdoe
    setfacl -d -m u:jdoe:--- /var/data/not-for-jdoe

Above, the -m switch is the mask and the -d switch makes it the default mask for all new filesystem objects in the directory. The --- can have other permission values, e.g.:

  • rwx
  • r--
  • rw-
  • r-x
  • 7
  • 4
  • 6
  • 5

The group and other masks work the same way: g:groupname:--- or in combination: u:username:---,g:groupname:---,o::---. Not specifying a username or group name applies the mask to current user/group ownership.
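Why u:jdoe:--- denies jdoe even though other::r-- is still set, and why the chmod 0604 trick from the comments works as well, comes down to the POSIX ACL access-check order (owner, named user, group entries, other; the first level that matches decides, with the mask applied to named users and to all group entries). The following added example is not code from the question or the answers: it parses getfacl-style output and replays that algorithm on two constructed ACLs (one produced by the setfacl -m u:jdoe:--- approach on a 0644 file, one by the chmod 0604 approach with a group that contains only jdoe). User names, group names and ACL text are made up for illustration.

```python
"""Replay the POSIX.1e ACL access check on getfacl-style output.

Constructed example, not code from the question or its answers.  The
ACL texts, user names and group memberships below are made up.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

PERM_BITS = {"r": 4, "w": 2, "x": 1}

# Constructed: what getfacl prints after `setfacl -m u:jdoe:--- /tmp/test`
# on a root-owned 0644 file (the mask is recomputed as the union of the
# group entry and the named entries, here r--).
ACL_SETFACL = """\
# file: tmp/test
# owner: root
# group: root
user::rw-
user:jdoe:---
group::r--
mask::r--
other::r--
"""

# Constructed: the chmod 0604 approach from the comments, with the file's
# group set to a group 'jdoeonly' whose sole member is jdoe.  No named
# entries exist, so there is no mask entry.
ACL_CHMOD_0604 = """\
# file: tmp/test
# owner: root
# group: jdoeonly
user::rw-
group::---
other::r--
"""


def parse_perms(text: str) -> int:
    """Turn a permission triple such as 'r-x' into its bit value (5)."""
    return sum(PERM_BITS[c] for c in text if c in PERM_BITS)


@dataclass
class Acl:
    owner: str
    group: str
    user_obj: int
    group_obj: int
    other: int
    mask: Optional[int] = None
    named_users: Dict[str, int] = field(default_factory=dict)
    named_groups: Dict[str, int] = field(default_factory=dict)


def parse_getfacl(text: str) -> Acl:
    """Parse long-form getfacl(1) output into an Acl."""
    owner = group = ""
    user_obj = group_obj = other = 0
    mask: Optional[int] = None
    users: Dict[str, int] = {}
    groups: Dict[str, int] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line.startswith("#"):
            continue  # '# file:' header or other comment
        else:
            # drop the '#effective:...' note getfacl appends when a mask cuts an entry
            tag, qualifier, perms = line.split("#", 1)[0].strip().split(":")
            bits = parse_perms(perms)
            if tag == "user":
                if qualifier:
                    users[qualifier] = bits
                else:
                    user_obj = bits
            elif tag == "group":
                if qualifier:
                    groups[qualifier] = bits
                else:
                    group_obj = bits
            elif tag == "mask":
                mask = bits
            elif tag == "other":
                other = bits
    return Acl(owner, group, user_obj, group_obj, other, mask, users, groups)


def check_access(acl: Acl, user: str, user_groups: Set[str], wanted: str) -> Tuple[bool, str]:
    """Return (granted, entry_that_decided) following the acl(5) ALGORITHM section."""
    want = parse_perms(wanted)

    def masked(bits: int) -> int:
        # The mask limits named users and every group entry, never owner/other.
        return bits if acl.mask is None else bits & acl.mask

    if user == acl.owner:                      # 1. file owner -> user:: entry
        return (acl.user_obj & want) == want, "user::"
    if user in acl.named_users:                # 2. named user entry (masked)
        return (masked(acl.named_users[user]) & want) == want, f"user:{user}:"
    matched = []                               # 3. all matching group entries (masked)
    if acl.group in user_groups:
        matched.append(("group::", masked(acl.group_obj)))
    for g in sorted(user_groups):
        if g in acl.named_groups:
            matched.append((f"group:{g}:", masked(acl.named_groups[g])))
    if matched:
        for label, bits in matched:            # any one sufficient group entry grants
            if (bits & want) == want:
                return True, label
        return False, matched[0][0]            # matched but insufficient: deny, no fallthrough to other::
    return (acl.other & want) == want, "other::"   # 4. other:: entry


if __name__ == "__main__":
    for name, text in (("setfacl", ACL_SETFACL), ("chmod 0604", ACL_CHMOD_0604)):
        acl = parse_getfacl(text)
        print(name, "jdoe read:", check_access(acl, "jdoe", {"jdoe", "jdoeonly"}, "r"))
        print(name, "alice read:", check_access(acl, "alice", {"alice"}, "r"))
```

In the first ACL jdoe is stopped at the named-user level, in the second at the group level; in neither case does the check fall through to other::r--, which is exactly the point made in the comment thread above. Users added later (alice here) match only other:: and keep their access, which is the property the question asks for.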

-4

setfacl is a command from the POSIX ACL draft proposal, which is deprecated because it was withdrawn in 1997 and never standardized.

setfacl cannot do this.

If you have a modern OS that supports NFSv4/NTFS ACLs, you can do this. See e.g. http://schillix.sourceforge.net/man/man1/chmod.1.html

Check the examples starting at page 19.

This is for Solaris, but AIX and OSX also support NFSv4 ACLs.

  • Well, setfacl certainly can do what the OP wants it to do in Linux Commented May 11, 2016 at 17:27
