About Linux Access Control Lists (ACLs)

Standard Linux file permissions are adequate for most situations, but they have limits. Access to a file can only be granted to the file owner, to the members of a single owning group, or to everyone else. It is often inappropriate to make a process (a running program) a member of the file's owning group just to read one file, and even less desirable to grant the permission to everyone. ACLs allow fine-grained permissions to be attached to a file: named users and named groups, specified by name or by numeric UID or GID, can be granted permissions in addition to the standard file owner, group owner and other permissions. The same permission flags apply: r (read), w (write), x (execute). The file owner (or root) can set ACLs on individual files or directories. New files and subdirectories automatically inherit ACL entries from the parent directory's default ACL, if one is set. As with normal file access rules, a named user or group also needs execute (search) permission on every directory in the path to the file, either through the directory's "other" execute bit or through an ACL entry of its own on that directory; an ACL entry on the file alone is not enough.

There are two types of ACLs: access ACLs and default ACLs. An access ACL is the access control list that is actually enforced on a specific file or directory. A default ACL can only be set on a directory and is not enforced on the directory itself; instead it is copied to every file and subdirectory created inside that directory at creation time and becomes the new object's access ACL (a new subdirectory also receives it as its own default ACL). Files that already existed before the default ACL was set are not changed. Default ACLs are optional.


File system mount option

The file system needs to be mounted with ACL support enabled. XFS has ACL support built in and always on. Current ext4 file systems have the acl option enabled by default because it is recorded among the default mount options in the superblock; an older ext4 file system may need acl added to the mount options (for example in /etc/fstab) or set persistently in the superblock with tune2fs -o acl. The "Default mount options" line of tune2fs -l shows whether acl is set. On a file system mounted without ACL support, setfacl fails with "Operation not supported".


Viewing and interpreting ACL permissions

The ls -l command only outputs minimal ACL setting details.

$ ls -l test
-rw-rw-r--+ 1 someone someone 0 Dec 15 23:53 test

The "+" after the 10-character permission string indicates that the file has an extended ACL, that is, entries beyond the plain owner, group and other permissions. For such a file the three rwx triplets are read as follows, using the listing above:

Owner: the standard owner permissions, identical to the user:: ACL entry; here rw-.

Group: the ACL mask, not the permissions of the owning group; here rw-. The mask is an upper bound on what the owning group and every named user and named group entry can effectively do, so a named user who has been granted rwx gets no more than the mask allows.

Other: the standard permissions for everyone else, identical to the other:: ACL entry; here r--.

Because the group column is the mask, chmod on a file with an extended ACL changes the mask rather than the owning group's entry, and a chmod g-w silently removes write access from every named user and named group as well. Use getfacl to see the real entries; it prints an "#effective:" annotation beside any entry that the mask restricts.


Set ACL

The ACL can be modified using the setfacl command.

To add or change permissions for a named user (user is either the user name or the numeric UID):

$ setfacl -m u:user:permissions <file/dir>

To add or change permissions for a named group (group is either the group name or the numeric GID):

$ setfacl -m g:group:permissions <file/dir>

To set a default ACL entry on a directory, so that files created inside it inherit the entry, prefix the entry with d: (or pass -d):

$ setfacl -m d:u:user:permissions <dir>

To remove a named entry use setfacl -x u:user <file/dir>; setfacl -b removes all extended entries and leaves only the standard permissions. Each setfacl -m call recalculates the mask from the owning group and all named entries unless -n is given, which is what makes a newly granted entry effective.


View file ACLs

To show permissions, use

$ getfacl filename


To grant user harry full (rwx) permissions on the file named "test", use the following command.

$ setfacl -m u:harry:rwx test


Check permissions

$ getfacl test
# file: test
# owner: someone
# group: someone
user::rw-
user:harry:rwx
group::rw-
mask::rwx
other::r--

Note the mask::rwx entry: setfacl recalculated the mask as the union of group::rw- and user:harry:rwx, so harry's rwx is fully effective and ls -l now shows -rw-rwxr--+ for this file, even though the owning group still only has rw-.

To change the permissions for user harry, run setfacl -m again with the new entry; it replaces the existing entry for that user.

$ setfacl -m u:harry:r-x test

Check permissions

$ getfacl test
# file: test
# owner: someone
# group: someone
user::rw-
user:harry:r-x
group::rw-
mask::rwx
other::r--

The mask stays rwx because it is still the union of group::rw- and user:harry:r-x; harry's effective permission is now r-x.
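The mask rules described under "Viewing and interpreting ACL permissions" and the default-ACL inheritance described at the top of this article, modelled in Python as an added example that is not part of the original article: it applies the rules documented in acl(5) to constructed getfacl output, so it needs neither setfacl nor getfacl to run. The file test, the users harry and someone and their entries are the article's; the directory project and its default ACL are assumed for the inheritance case.

```python
"""Model how Linux ACL entries, the ACL mask and default ACLs combine.

Added example for this article, not code from the page. It applies the rules
in acl(5) to constructed getfacl output and never calls setfacl or getfacl.
An ACL is a dict of (tag, qualifier) -> permission bits (r=4, w=2, x=1); the
qualifier is "" for the user::/group::/mask::/other:: entries.
"""


def parse_perms(s):
    """'rwx' / 'r-x' / '---' -> integer bits."""
    return (4 if s[0] == "r" else 0) | (2 if s[1] == "w" else 0) | (1 if s[2] == "x" else 0)


def fmt_perms(bits):
    return ("r" if bits & 4 else "-") + ("w" if bits & 2 else "-") + ("x" if bits & 1 else "-")


def parse_getfacl(text):
    """Parse getfacl output into (access ACL, default ACL). Comment lines and the
    '#effective:' annotations are dropped; effective() recomputes them instead."""
    access, default = {}, {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(":")
        target = access
        if parts[0] == "default":          # 'default:user:harry:rwx'
            target, parts = default, parts[1:]
        tag, qualifier, perms = parts
        target[(tag, qualifier)] = parse_perms(perms)
    return access, default


def setfacl_m(acl, tag, qualifier, perms):
    """Model 'setfacl -m tag:qualifier:perms': set the entry, then recompute the
    mask as setfacl does without -n (union of group owner and all named entries)."""
    new = dict(acl)
    new[(tag, qualifier)] = parse_perms(perms)
    mask = new[("group", "")]
    for (_, q), p in new.items():
        if q:
            mask |= p
    new[("mask", "")] = mask
    return new


def chmod(acl, mode):
    """chmod on a file with a mask rewrites owner, MASK and other bits; the group
    owner and named entries are untouched but may lose effect."""
    new = dict(acl)
    new[("user", "")] = (mode >> 6) & 7
    new[("mask", "") if ("mask", "") in new else ("group", "")] = (mode >> 3) & 7
    new[("other", "")] = mode & 7
    return new


def effective(acl):
    """Owner and other are never masked; the group owner and every named entry
    are ANDed with the mask when one exists (what getfacl's '#effective:' shows)."""
    mask = acl.get(("mask", ""))
    return {(t, q): (p & mask if mask is not None and (q or t == "group") else p)
            for (t, q), p in acl.items()}


def ls_mode_bits(acl):
    """The nine permission characters ls -l prints, plus '+' for an extended ACL.
    The middle triplet is the MASK when one exists, not the group owner."""
    group_column = acl.get(("mask", ""), acl[("group", "")])
    extended = ("mask", "") in acl or any(q for (_, q) in acl)
    return (fmt_perms(acl[("user", "")]) + fmt_perms(group_column)
            + fmt_perms(acl[("other", "")]) + ("+" if extended else ""))


def inherit(default, mode):
    """Access ACL of a new object created with open(2)/mkdir(2) mode `mode` in a
    directory carrying `default`: the default ACL is copied, then owner, mask (or
    group owner if no mask) and other are limited to the bits in `mode`. Named
    entries are copied unchanged and the process umask is NOT applied (acl(5))."""
    acl = dict(default)
    acl[("user", "")] &= (mode >> 6) & 7
    acl[("mask", "") if ("mask", "") in acl else ("group", "")] &= (mode >> 3) & 7
    acl[("other", "")] &= mode & 7
    return acl


# Constructed getfacl output for the article's file after: setfacl -m u:harry:rwx test
SAMPLE_FILE = """\
# file: test
# owner: someone
# group: someone
user::rw-
user:harry:rwx
group::rw-
mask::rwx
other::r--
"""

# Constructed output for an assumed directory 'project' (mode 755) after:
#   setfacl -d -m u:harry:rwx project
SAMPLE_DIR = """\
# file: project
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:harry:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
"""

if __name__ == "__main__":
    acl, _ = parse_getfacl(SAMPLE_FILE)
    print("ls -l shows:", ls_mode_bits(acl))                                         # rw-rwxr--+
    locked = chmod(acl, 0o644)                                                       # like chmod g-w test
    print("harry after chmod 644:", fmt_perms(effective(locked)[("user", "harry")]))  # r--
    _, default = parse_getfacl(SAMPLE_DIR)
    print("new file in project:", ls_mode_bits(inherit(default, 0o666)))             # rw-rw-r--+
```

The chmod case is the one to remember from an audit standpoint: after chmod 644 the getfacl output still lists user:harry:rwx, but the entry is capped by the new mask and harry can only read, while the same chmod on a directory full of named entries can just as easily widen access when the mask is raised. The inherit case shows the other side: a file created with the usual 0666 mode in a directory whose default ACL names harry comes into existence with harry already able to write to it, and the creating process's umask does not narrow that.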

If you need any further assistance please contact our support department.
