
ACL – file access control lists, extended permissions

Standard Linux file permissions are sufficient as long as a file is used by one owner and one group. Sometimes, however, a file has to be accessible with different sets of permissions by many different users and groups. File access control lists (fACLs) let you grant such permissions using the same flags as ordinary file permissions: read, write and execute.
Users can set ACLs on files and directories they own; privileged users can set ACLs on any file or directory. New files and subdirectories automatically inherit ACL entries from the default ACL of the parent directory, if the directory has a default ACL assigned.
For ACLs to work, the file system (ext3, ext4, XFS) must be mounted with ACL support (the acl mount option); on EuroLinux this is the default for ext4 and XFS file systems.
Displaying ACLs
To find out whether a file or directory has an ACL assigned, run ls -l:
[eurolinux@el83 acl]$ ls -l
total 0
drwxrwx---+ 2 eurolinux eurolinux 6 Jul 6 14:04 directory
-rw-rw-r--. 1 eurolinux eurolinux 0 Jul 6 14:02 file
In the listing above, the plus sign after the permission bits (drwxrwx---+) shows that the directory has an ACL assigned. The dot shown after the permissions of file is not an ACL indicator; it only means the file carries an SELinux security context.
To display the entries, use getfacl:
[eurolinux@el83 acl]$ getfacl directory
# file: directory
# owner: eurolinux
# group: eurolinux
user::rwx
user:eurolinux:rwx
user:eurodb:r-x
group::rwx
group:eurolinux:rwx
mask::rwx
other::---
default:user::rwx
default:user:eurolinux:rwx
default:user:eurodb:r-x
default:group::rwx
default:mask::rwx
default:other::---
If the file has no ACL assigned, getfacl displays only the standard permissions:
[eurolinux@el83 acl]$ getfacl file
# file: file
# owner: eurolinux
# group: eurolinux
user::rw-
group::rw-
other::r--
Granting permissions
Giving permissions to the user:
setfacl -m u:user_name:permissions /path/to/file
Group permission:
setfacl -m g:group_name:permissions /path/to/file
Delete a specific entry (the entry is given without the permission field, e.g. u:user_name or g:group_name):
setfacl -x u:user_name /path/to/file
Delete all ACL entries:
setfacl -b /path/to/file
Combining several entries in one command:
setfacl -Rm g:group_name:rX,u:user_name:rwX /path/to/directory
The -R option applies the entries recursively to the whole directory tree. Capital X grants execute permission only to directories (so that they can be searched) and to files that already have an execute bit set for some user; ordinary data files stay non-executable. Lower-case x combined with -R would make every file in the tree executable.
Restricting access for all other users, both on existing objects and (through the default entry d:o::-) on objects created later:
setfacl -Rm o::-,d:o::- /path/to/directory
The output of getfacl is valid input for setfacl, so it can be used to restore ACLs in a new location: getfacl -R /path/to/directory > backup.txt saves the ACLs of a whole tree, and setfacl --restore=backup.txt (run from the same working directory, since the paths in the file are relative) applies them again. The ACL of a single file can be copied with getfacl source | setfacl --set-file=- target. The same output file serves as a backup of the ACLs.
An additional property that can be set is the default ACL. When set on a directory, all files and subdirectories created inside it receive the given entries. Setting default entries does not change the permissions of files that already exist in the directory (unless you also apply access entries with -R); only newly created objects are affected.
Default entries for a user and a group are declared with the d: prefix:
setfacl -Rm d:u:user_name:rwX,d:g:group_name:rX /path/to/directory
Effective permissions mask
The mask defines the maximum effective permissions for named users, the owning group and named groups. It does not limit the file owner (user::) or other users (other::). When an entry is limited by the mask, getfacl marks it with an #effective: comment. Two caveats: setfacl recalculates the mask after every -m or -x unless -n is given (or a mask entry is part of the same command), so a mask set by hand is reset to the union of the affected entries by the next change; and chmod on a file that has an ACL changes the mask rather than the owning group's entry, so chmod g-w narrows every named user and group at once.
The mask is displayed by getfacl and set with setfacl (entry m::permissions). A directory's default mask (default:mask::) is inherited by newly created files and subdirectories.
Example of mask setting on the directory:
setfacl -Rm m:r directory
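The steps above (granting entries with X, default entries, the mask, and backup and restore with getfacl and setfacl) in one runnable sh script, added here as an example; it is not part of the original article or EuroLinux's own material. It assumes that the file system under mktemp -d supports ACLs and uses numeric IDs (65534, which is nobody on most systems, and gid 0) in place of the article's eurodb user and eurolinux group, so it runs on any host without creating accounts; it skips itself when setfacl is missing or the file system refuses ACLs.

```shell
#!/bin/sh
# Added example, not code from the original article. Walks through granting
# entries with X, default entries, the mask, and a getfacl -R / setfacl
# --restore backup cycle on a scratch directory.
# Assumptions (mine, not the article's): the file system behind mktemp -d
# supports POSIX ACLs, and numeric IDs stand in for accounts: 65534 ("nobody"
# on most systems) for the article's eurodb user and gid 0 for a shared group.
set -eu
umask 022

DEMO_UID=65534   # stands in for the article's "eurodb"
DEMO_GID=0       # stands in for a group whose members need access

# Returns 0 when setfacl exists and the file system accepts an ACL entry.
acl_supported() {
    command -v setfacl >/dev/null 2>&1 || return 1
    probe=$(mktemp -d)
    ok=0
    setfacl -m "u:$DEMO_UID:r" "$probe" 2>/dev/null || ok=1
    rm -rf "$probe"
    return $ok
}

acl_demo() {
    work=$(mktemp -d)
    mkdir "$work/directory"                      # mode 755 under umask 022
    printf 'data\n' > "$work/directory/existing.txt"   # mode 644

    # 1. Grant the named user rX and the named group rwX recursively.
    #    Capital X adds x only to directories and to files that already carry
    #    an execute bit, so existing.txt ends up with r-- and rw-, not r-x/rwx.
    setfacl -Rm "u:$DEMO_UID:rX,g:$DEMO_GID:rwX" "$work/directory"

    # 2. Default entries (d:) are copied to objects created afterwards;
    #    existing.txt keeps exactly what step 1 gave it. Because the directory
    #    now has a default ACL, the umask is ignored for new.txt: its user::,
    #    mask:: and other:: come from touch's 0666 intersected with the
    #    default entries (user::rw-, mask::rw-, other::---).
    setfacl -m "d:u:$DEMO_UID:rX,d:g:$DEMO_GID:rwX,d:o::---" "$work/directory"
    touch "$work/directory/new.txt"

    # 3. Narrow the directory's mask to r--: the named user, named group and
    #    owning group are clipped and getfacl flags them with "#effective:".
    #    user:: (owner) and other:: are not subject to the mask.
    setfacl -m "m::r" "$work/directory"

    # 4. getfacl output is valid setfacl input: dump the tree, wipe every ACL
    #    (-b keeps the classic mode bits), then restore from the dump. Paths
    #    in the dump are relative, so both commands run from $work.
    (cd "$work" && getfacl -nR directory > acl-backup.txt)
    setfacl -Rb "$work/directory"
    (cd "$work" && setfacl --restore=acl-backup.txt)

    # Show the restored ACLs with numeric IDs (-n) and full paths (-p).
    getfacl -np "$work/directory" "$work/directory/existing.txt" "$work/directory/new.txt"
    rm -rf "$work"
}

if acl_supported; then
    acl_demo
else
    echo "skipped: setfacl missing or ACLs unsupported on this file system" >&2
fi
```

Run it as an unprivileged user. In the final getfacl output the directory and new.txt show #effective:r-- next to user:65534 and group:0 because the r-- mask on the directory clips them, while existing.txt shows user:65534:r-- and group:0:rw- without any execute bit, because X never adds execute to a plain data file.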
Summary
The EuroLinux 8 kernel provides Filesystem Access Control List support also for file systems exported over NFS and Samba. ACL support is enabled by default in EuroLinux and complements the traditional permission model as an additional, optional layer of access management.