Linux ACL tutorial

In addition to the traditional permission bits, Linux supports access control lists (ACLs), which extend that system so that permissions can be granted to individual users and groups beyond the owner and the owning group.

This tutorial describes Linux ACLs and shows how to display and set ACL permissions with the commands getfacl and setfacl.

What Linux ACLs are and how they work

The traditional Linux permissions system defines Read/Write/Execute (abbreviated as rwx) permissions for the owner of the file, the group associated with the file and all other system users. The same applies to directories.

The limitation of this scheme is that a file or directory cannot carry permissions for any user or group other than its owner and its owning group. ACLs remove that limitation: permissions can be defined for additional named users and groups.

An ACL is a list of entries. Each entry specifies read/write/execute permissions for one user or one group (other entry types exist and are discussed later). When, for example, a user needs access to a file or directory, the owner adds an entry naming that user and the required permissions; the same applies to groups. As with chmod, only the owner of the object (or root) may change its ACL.

ACL entries

Because the ACL system is a superset of the traditional permissions system, the list always contains three entries that correspond to the classic fields (owner, group, other), and chmod and setfacl (described later) modify the same underlying data. There is one twist to keep in mind: once a file has a mask entry, the group bits shown by ls -l and changed by chmod are the mask, not the owning group's entry. chmod g-w on such a file therefore narrows what every named user and group entry can grant, and chmod g+w widens it, without any individual entry being changed.

There are two types of ACL: access ACL and default ACL.

An access ACL is a list of entries that govern access to a file or directory. For example entries to grant access to a user or a group.

A default ACL can be set only on a directory. Its entries do not control access to the directory itself; they are copied into the access ACL of files and directories created inside it later. For example, if every file created within a directory must be readable by a user, the directory gets a default ACL entry for that user. Existing contents are not affected by adding a default ACL, and a directory may carry both an access ACL and a default ACL.

ACL entry types

An access ACL entry has one of the following forms:

Entry type                    Description
user::permissions             Permissions of the file owner
group::permissions            Permissions of the owning group
other::permissions            Permissions of every process that matches no other entry
user:user_name:permissions    Permissions of a named user; a numeric user ID may be given instead of the name
group:group_name:permissions  Permissions of a named group; a numeric group ID may be given instead of the name
mask::permissions             Upper bound on what the group::, user:user_name: and group:group_name: entries can grant

The default ACL entries have the same form but preceded by ‘default:’. For example: default:user:user_name:permissions.

The permissions field uses the rwx notation, for example r-x, --x or ---.

The mask entry deserves more explanation. It is rarely set by hand: setfacl recalculates it whenever a named user or group entry is added or changed (unless -n is given), and chmod on the group bits overwrites it directly. It caps the permissions that the group::, user:user_name: and group:group_name: entries can grant; the exact rules are in the acl(5) manual page listed in the references. So if a file has the entry mask::r-- and also group:my_group:rwx, members of my_group get read access only, because the mask takes precedence. getfacl marks such entries with an #effective: comment showing the permissions that really apply, and that comment is the first thing to check when an ACL does not behave as expected.

The shell commands getfacl and setfacl display and set ACL entries respectively.

ls -l prints a '+' after the permission bits when a file or directory carries ACL entries beyond the three standard ones (a default ACL counts too). It is the quickest way to notice that the bits shown are not the whole story:

ls -l my_file
-rw-rw-r--+ 1 root root 0 Mar 28 05:16 my_file

Showing ACL entries with getfacl

The getfacl command shows the list of ACL entries like in the following example:

getfacl my_file
# file: my_file
# owner: root
# group: root
user::rw-
user:userA:r--
group::r--
group:groupX:rw-
mask::rw-
other::r--
  • The line user::rw- shows that the file owner has read/write permissions.
  • The line user:userA:r-- shows that the user userA has read permission only.
  • The line group::r-- shows that the owning group has read permission only.
  • The line group:groupX:rw- shows that the group groupX has read/write permissions.
  • The line mask::rw- shows that the entries of type group::, user:user_name: and group:group_name: can grant at most read/write; here none of them is cut down by it, so getfacl prints no #effective: comment.
  • The line other::r-- shows that all other users, i.e. those matching none of the entries above, have read permission only.

getfacl also prints the default ACL entries. In the following example, files and directories created later within my_directory inherit the default entries, while access to my_directory itself is governed by its three access entries only.

getfacl my_directory
# file: my_directory
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:n:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

How to add and remove ACL entries with setfacl

setfacl sets or removes ACL entries. It is called as follows:

setfacl options acl_entry file_name

The most used options are:

  • -m: add or replace an access entry (the mask is recalculated unless -n is also given)
  • -d combined with -m (usually written -dm): add or replace a default entry (directories only)
  • -x: remove an entry
  • -k: remove the whole default ACL of a directory
  • -b: remove all extended entries, access and default, leaving only the three classic ones
  • -R: apply the operation recursively to a directory tree

The following examples show how to set or remove the different entry types:

Add permissions for the user my_user:

setfacl -m "u:my_user:rw-" /path/to/file

Add permissions for the group my_group:

setfacl -m "g:my_group:r-x" /path/to/file

Add a default entry so that the user my_user gets read access to every file created later within a directory (files that already exist keep their ACLs):

setfacl -dm "user:my_user:r--" /path/to/directory
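What a file created in that directory actually receives is easy to get wrong, so here is the object creation rule from acl(5) as a small Python model. This is an added example, not code from the tutorial or from the acl package. The default ACL it starts from is constructed: it is what the command above, followed by `setfacl -dm "user:builder:rwx"` for a hypothetical user builder, leaves on a mode-0755 directory. It goes a little beyond the text: it also shows that the umask plays no part when a default ACL exists, that a subdirectory copies the default ACL onward, and that an execute bit in a default entry never becomes effective on a plain file because the creating mode caps the mask.

```python
# Added example, not code from the tutorial or from the acl package: the object
# creation rule of acl(5), i.e. what a file or directory created under a directory
# with a default ACL actually receives. DEFAULT_ACL is constructed: it is what the
# setfacl -dm command above, followed by `setfacl -dm "user:builder:rwx"` for a
# hypothetical user builder, leaves on a mode-0755 directory.
PERM_BITS = {"r": 4, "w": 2, "x": 1}

def perms_to_bits(perms):
    return sum(b for c, b in PERM_BITS.items() if c in perms)

def bits_to_perms(bits):
    return "".join(c if bits & b else "-" for c, b in PERM_BITS.items())

# (tag, qualifier or None, perms), written without the "default:" prefix getfacl shows
DEFAULT_ACL = [
    ("user", None, "rwx"),
    ("user", "my_user", "r--"),
    ("user", "builder", "rwx"),
    ("group", None, "r-x"),
    ("mask", None, "rwx"),    # recalculated by setfacl: union of the group class
    ("other", None, "r-x"),
]

def inherit_acl(default_acl, mode):
    """Access ACL of a new object created with `mode`, the mode argument of
    open(2)/mkdir(2): 0o666 for touch or cp, 0o777 for mkdir. Because the parent
    has a default ACL the umask is NOT applied; instead the mode caps user::,
    other:: and the group class (mask:: if present, otherwise group::). Named
    entries are copied unchanged and are only limited through the mask."""
    owner_bits, group_bits, other_bits = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
    has_mask = any(tag == "mask" for tag, _, _ in default_acl)
    access = []
    for tag, qualifier, perms in default_acl:
        bits = perms_to_bits(perms)
        if tag == "user" and qualifier is None:
            bits &= owner_bits
        elif tag == "other":
            bits &= other_bits
        elif tag == "mask" or (tag == "group" and qualifier is None and not has_mask):
            bits &= group_bits
        access.append((tag, qualifier, bits_to_perms(bits)))
    return access

def new_object_acls(default_acl, mode, is_dir):
    """(access ACL, default ACL) of the new object: a subdirectory also copies
    the default ACL so inheritance continues below it; a plain file has none."""
    return inherit_acl(default_acl, mode), (list(default_acl) if is_dir else [])

def effective(acl):
    """Permissions that actually apply, i.e. getfacl's #effective: column."""
    mask = next((perms_to_bits(p) for t, _, p in acl if t == "mask"), None)
    rows = []
    for tag, q, perms in acl:
        bits = perms_to_bits(perms)
        if mask is not None and (tag == "group" or (tag == "user" and q is not None)):
            bits &= mask
        rows.append((tag, q, bits_to_perms(bits)))
    return rows

if __name__ == "__main__":
    for what, mode, is_dir in (("touch file", 0o666, False), ("mkdir sub", 0o777, True)):
        access, default = new_object_acls(DEFAULT_ACL, mode, is_dir)
        print(what)
        for (tag, q, perms), (_, _, eff) in zip(access, effective(access)):
            print(f"  {tag}:{q or ''}:{perms}" + ("" if eff == perms else f"\t#effective:{eff}"))
        for tag, q, perms in default:
            print(f"  default:{tag}:{q or ''}:{perms}")
```

Run as a script it prints the two listings as getfacl would show them: the file gets mask::rw- and other::r--, so builder's rwx is reported with #effective:rw- and group::r-x with #effective:r--, whereas the subdirectory inherits everything unchanged plus a copy of the default ACL. If a tree must not be writable by the group class at all, put the restriction in the default ACL rather than relying on the umask, which is ignored here.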

To remove a specific entry (the entry is named without a permissions field; add -d to remove a default entry instead):

setfacl -x u:my_user /path/to/file

To remove all extended entries, leaving only the classic owner, group and other permissions:

setfacl -b /path/to/file

ACL filesystem support

XFS has built-in ACL support and needs no special mount option.
Other filesystems (like EXT3, EXT4, …) have to be mounted with the acl option. On most Linux distributions this is already the case: the acl mount option is enabled by default and does not need to be specified when mounting the filesystem.

The default mount options of the extended filesystems (like EXT3, EXT4, …) can be shown with tune2fs; look for acl in the "Default mount options" line:

tune2fs -l /path/to/device

If acl is not among them, the filesystem may be mounted with the option set explicitly:

mount -o acl /path/to/device /path/to/mountpoint

If the filesystem is already mounted, the option can be added with a remount:

mount -o remount,acl /path/to/mountpoint

NFS ACL support

NFS can carry ACL permissions from the server to the client (NFSv3 uses the NFSACL side protocol, NFSv4 maps them to its own ACL format), and this works without special configuration. Whatever the client is allowed to see, the ACL is always enforced on the server; the options below only control whether a client can view and edit the entries.

To hide ACLs on the server side, add the no_acl option to the export in /etc/exports; clients then see only the classic permission bits, which are a subset of the permissions actually in force. To disable ACL handling on the client side, use the mount option noacl (not no_acl) on the mount command line or in /etc/fstab.

References

The acl(5) manual page: http://man7.org/linux/man-pages/man5/acl.5.html