I have files that have a plus sign next to the permissions -rwxrwx---+
on a Linux samba server. I found the setfacl command to adjust the acl settings, I would like to remove the ACL completely, instead of having to adjust acl settings. How can I do this, so that users can access the files that they need, and the permissions would show -rwxrwx---
, in Linux?
2 Answers
You should also have found this setfacl
option:
-b, --remove-all remove all extended ACL entries
So in order to remove ACLs just run setfacl -b -R
on the directory, and chmod g=rwx
afterwards. (Fixing group permissions might be needed, because currently your changes actually went to changing the ACL 'mask' instead.)
Note that Samba directly exposes POSIX permissions and ACLs to SMB clients (translating them to SMB/NTFS ACLs), so the same could be done from Windows by manually removing all except the 3 "Unix" access entries.
-
2If you have defaults set, I suggest to run a
setfacl -b -R -d
too, aftersetfacl -b -R
, to be sure to have deleted any ACL Commented Mar 16, 2021 at 11:33 -
I wish this worked for me. I have a .zfs folder with acls that prevent writing acls, even by the owner (root). I can't get rid of it. Commented Jan 16, 2023 at 23:38
-
.zfs is a virtual folder that exists at the root of every ZFS filesystem, I don't think you can get rid of it. Commented Jan 17, 2023 at 4:59
I know it's an old question but I had the same problem and the accepted answer did not solve it. That's because is not enough to remove the ACL permissions for user user/group but also
- Default permission (mask)
- Even if selinux is already disabled you have to remove it explicityly from where it was applied on the filesystem.
So the complete solution for me was:
#sudo setfacl -Rbk <parent_dir>
Here -R recursively, -b remove all permissions for user/groups -k remove default acl (mask). By issuing this command it will remove the plus (+) sign seen on the ls output, but it will not remove the dot (.) sign from the ls output.#setfattr -x security.selinux <file>
This removes the selinux context from and it will remove the dot (.) sign from the ls output. This command is not recursively so to make it work on entire directory and its descendants you can use the find command like this:#sudo find <parent_dir> -exec setfattr -x security.selinux {} \;