About Linux Access Control List ( ACL )

Posted at December 23, 2016 at 12:17 pm by Jithin

Standard Linux file permissions are satisfactory for most situations, but they have limitations. Permissions restricting access to a file are limited to the file owner, membership of a single group, or everyone else. It may not be appropriate for the process (a running program) to be a member of the file’s owning group, and even less desirable to grant permissions to everyone. ACLs allow fine-grained permissions to be allocated to a file. Named users or named groups, as well as users and groups identified by a UID or GUID, can be granted permissions, in addition to the standard file owner, group owner, and other file permissions. The same permission flags apply: r-read, w-write, x-execute. The file owner can set ACLs on individual files or directories. New files and subdirectories can automatically inherit ACL settings from the parent directory default ACLs, if they are set. Similar to normal file access rules, the parent directory hierarchy will need at least the other execute permission set to enable named users and named groups to have access.

There are two types of ACLs: access ACLs and default ACLs. An access ACL is the access control list for a specific file or directory. A default ACL can only be associated with a directory; if a file within the directory does not have an access ACL, it uses the rules of the default ACL for the directory. Default ACLs are optional.

 

File system mount option

The file system needs to be mounted with ACL support enabled. XFS file systems have built-in ACL support. The new version of ext4 file system have the acl option enabled by default, but the earlier version of ext4 file system may need the ACL option included with the mount request, or set in the superblock.

 

Viewing and interpreting ACL permissions

The ls  -l command only outputs minimal ACL setting details.

$  ls -l test

-rw-rw-r– + 1 someone someone 0 Dec 15 23:53 test

The “+” at the end of the 10-character permission string indicates that there are ACL settings associated with this file. Interpret the user, group and other “rwx” flags as

Users: Shows the user ACL settings, which are the same as the standard user file settings; rwx.

Group: Shows the current ACL mask settings, not the group-owner settings; rw.

Others: Shows the other ACL settings, which are the same as the standard other file settings; no access.

 

Set ACL

The ACL can be modified using the setfacl command.

To add permissions for a user (user is either the user name or ID):

$  setfacl -m “u:user:permissions” <file/dir>

To add permissions for a group (group is either the group name or ID):

$  setfacl -m “g:group:permissions” <file/dir>

 

View file ACLs

To show permissions, use

$  getfacl filename

 

To set all permissions for user harry to file named “test”, use the following command.

$  setfacl -m “u:harry:rwx” test

 

Check permissions

$ getfacl test

# file: test

# owner: someone

# group: someone

user:harry:rwx

group::rw-

other::r–

To change permissions for user harry use the below given command.

# setfacl -m “u:harry:r-x” test

Check permissions

$ getfacl test

# file: test

# owner: someone

# group: someone

user:harry:r-x

group::rw-

other::r–

 

If you need any further assistance please contact our support department.

 

 

0.00 avg. rating (0% score) - 0 votes

You can skip to the end and leave a response. Pinging is currently not allowed.

Leave a Reply