Linux ACL tutorial
In addition to the traditional permissions system, Linux supports access control lists (ACLs), which extend that system with more flexible features to make the whole permissions system more powerful and easier to use.
This tutorial describes Linux ACL and presents how to show and set ACL permissions using the commands getfacl and setfacl.
What is Linux ACL and how it works
The traditional Linux permissions system defines Read/Write/Execute (abbreviated as rwx) permissions for the owner of the file, the group associated with the file and all other system users. The same applies to directories.
This system has some limitations in the sense that a file or directory cannot define permissions for a specific set of users or groups other than the owner or group associated with them. ACL was developed to solve this limitation: permissions may be defined on additional users and groups.
An ACL consists of a list of entries. Each entry specifies Read/Write/Execute permissions for a user or group. Other entry types also exist (discussed later). For example, when a user needs access to a file (or a directory), the file owner creates a new entry specifying the user name and the required permissions (the same applies to groups).
Because the ACL system is a superset of the traditional Linux permissions system, the list will also include entries that correspond to the old fields (owner, group, other). Changing permissions using the command chmod or the ACL command setfacl (described later) has the same effect.
There are two types of ACL: access ACL and default ACL.
An access ACL is a list of entries that govern access to a file or directory. For example, it may contain entries that grant access to a user or a group.
A default ACL may be set on directories only. It defines a list of entries that are inherited by newly created files and directories within that directory; these entries are not used to control access to the directory itself. For example, if all newly created files within a directory need to grant access to a user, the directory may have a default ACL entry to specify permissions for that user. A directory may have both types of ACL entries set.
An access ACL entry should have one of the following forms:
|Entry|Description|
|---|---|
|user::permissions|Corresponds to the file owner permissions|
|group::permissions|Corresponds to the file group permissions|
|other::permissions|Corresponds to permissions for all other users and groups that do not match any ACL entry|
|user:user_name:permissions|Sets permissions for a user. The user ID may also be used|
|group:group_name:permissions|Sets permissions for a group. The group ID may also be used|
|mask::permissions|Sets the maximum access rights that can be granted by entries of type group::permissions, user:user_name:permissions and group:group_name:permissions|
The default ACL entries have the same form but are preceded by 'default:'. For example: default:user:user_name:permissions.
The permissions field represents rwx permissions. For example: r-x, --x, ---.
The entry mask::permissions requires more explanation. The mask entry is generally not set manually as it is calculated automatically. It enforces the maximum permissions that entries of type group::permissions, user:user_name:permissions and group:group_name:permissions may have. This means that if a file has an ACL entry mask::r--, then even if it also has an entry group:my_group:rwx, the group my_group is only granted read permission, because the mask entry takes precedence.
The shell commands getfacl and setfacl are used to show and set ACL entries respectively.
The ls -l command shows the '+' sign when a file or directory has ACL entries (other than standard ones).
ls -l my_file
-rw-rw-r--+ 1 root root 0 Mar 28 05:16 my_file
Showing ACL entries with getfacl
The getfacl command shows the list of ACL entries like in the following example:
getfacl my_file
# file: my_file
# owner: root
# group: root
user::rw-
user:userA:r--
group::r--
group:groupX:rw-
mask::rw-
other::r--
- The line user::rw- shows that the file owner has read/write permissions.
- The line user:userA:r-- shows that the user userA has read permission only.
- The line group::r-- shows that the file group has read permission only.
- The line group:groupX:rw- shows that the group groupX has read/write permissions.
- The line mask::rw- shows that the maximum permissions the entries of type group::permissions, user:user_name:permissions and group:group_name:permissions may have are read/write.
- The line other::r-- shows that all other users and groups that do not match one of the ACL entries have read permission only.
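The mask rule described earlier can be applied mechanically to getfacl output to see what each entry really grants. The following script is an added example, not part of the original tutorial; the function name acl_effective and the sample ACL text are constructed for illustration.

```shell
#!/bin/sh
# Added example: apply the ACL mask to getfacl-style text read from stdin and
# print each access entry with the permissions it actually grants.
acl_effective() {
    awk '
    # Keep a permission bit only where the mask also has it set.
    function cap(perm, m,    i, out) {
        out = ""
        for (i = 1; i <= 3; i++)
            out = out (substr(m, i, 1) == "-" ? "-" : substr(perm, i, 1))
        return out
    }
    /^#/ || /^[ \t]*$/ || /^default:/ { next }  # headers, blanks, default ACL
    {
        sub(/[ \t]*#.*/, "")                    # drop "#effective:" annotations
        if (split($0, f, ":") != 3) next
        if (f[1] == "mask") { mask = f[3]; next }
        tag[++cnt] = f[1]; who[cnt] = f[2]; perm[cnt] = f[3]
    }
    END {
        for (i = 1; i <= cnt; i++) {
            p = perm[i]
            # Masked: named users, named groups and the owning group.
            # Never masked: the file owner (user::) and other::.
            masked = (tag[i] == "group" || (tag[i] == "user" && who[i] != ""))
            if (mask != "" && masked) p = cap(p, mask)
            print tag[i] ":" who[i] ":" p
        }
    }'
}

# Constructed sample: the mask::r-- case from the text, plus a named user.
SAMPLE_ACL='# file: my_file
# owner: root
# group: root
user::rw-
user:userA:rwx
group::r--
group:my_group:rwx
mask::r--
other::r--'

printf '%s\n' "$SAMPLE_ACL" | acl_effective
```

On a real file the same check can be run with: getfacl /path/to/file | acl_effective. Entries whose listed permissions differ from the printed ones are being limited by the mask.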
The command getfacl also shows the default ACL entries. The following example shows that newly created files and directories within the directory my_directory will inherit the default ACL entries.
getfacl my_directory
# file: my_directory
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:n:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
How to add and remove ACL entries with setfacl
The command setfacl is used to set or remove ACL entries. It is called with the following arguments:
setfacl options acl_entry file_name
The most used options are:
- -m: used to add or replace an access entry
- -dm: used to add or replace a default entry (for directories only)
- -x: used to remove an entry
- -b: used to remove all ACL entries
The following examples show how to set or remove different entry types:
Add permissions for the user my_user:
setfacl -m "u:my_user:rw-" /path/to/file
Add permissions for the group my_group:
setfacl -m "g:my_group:r-x" /path/to/file
Add a default entry to grant access to the user my_user on all newly created files within a directory:
setfacl -dm "user:my_user:r--" /path/to/directory
To remove a specific entry:
setfacl -x "entry" /path/to/file
To remove all entries:
setfacl -b /path/to/file
ACL filesystem support
The XFS filesystem has built-in support for ACL and no special mount options are needed.
Other filesystems (like EXT3, EXT4, …) have to be mounted with the acl option. For most Linux distributions this is not necessary as the acl mount option is set by default and does not need to be specified when mounting the file system.
The default mount options for the extended filesystems (like EXT3, EXT4, …) may be shown with the command tune2fs:
tune2fs -l /path/to/device
If the acl option is not set, a filesystem may be mounted with the option set like the following:
mount -o acl /path/to/device /path/to/mountpoint
If the filesystem is already mounted, the acl option may be set with the following command:
mount -o remount,acl /path/to/mountpoint
NFS ACL support
The NFS protocol supports exporting ACL permissions from the NFS server to the NFS client. By default the ACL permissions are exported without special configuration.
To disable ACL on NFS shares from the server side, the no_acl option is used in the export file: /etc/exports. To disable ACL on an NFS share when mounting it on the client side, the no_acl mount option is used on the mount command line or in the /etc/fstab file.
The MAN page for ACL: http://man7.org/linux/man-pages/man5/acl.5.html