ACL – file access control lists, extended permissions

Standard permissions for files on Linux are sufficient when files are used by only one owner and one user group. However, sometimes it is required that access to files is possible with different sets of permissions for many different users and groups. Thanks to fACL lists, you can grant such permissions using the same flags that are used for normal file permissions, i.e. read, write and execute.

Users can set ACLs on files and directories they own; privileged users can set them on any file or directory. New files and subdirectories automatically inherit ACL entries from the default ACL of the parent directory, provided the parent has a default ACL assigned.

For ACLs to work, the file system (ext3, ext4, XFS) must be mounted with Filesystem Access Control List support enabled.

ACL display

To find out whether a file or directory has an ACL assigned, simply run the command ls -l:

[eurolinux@el83 acl]$ ls -l
total 0
drwxrwx---+ 2 eurolinux eurolinux 6 Jul 6 14:04 directory
-rw-rw-r--. 1 eurolinux eurolinux 0 Jul 6 14:02 file

In the listing above, the plus sign after the permission bits indicates that the directory has an ACL assigned.

To display these entries, use the command getfacl:

[eurolinux@el83 acl]$ getfacl directory
# file: directory
# owner: eurolinux
# group: eurolinux
user::rwx
user:eurolinux:rwx
user:eurodb:r-x
group::rwx
group:eurolinux:rwx
mask::rwx
other::---
default:user::rwx
default:user:eurolinux:rwx
default:user:eurodb:r-x
default:group::rwx
default:mask::rwx
default:other::---

If the file has no ACL assigned, the command getfacl will display only the standard permissions:

[eurolinux@el83 acl]$ getfacl file
# file: file
# owner: eurolinux
# group: eurolinux
user::rw-
group::rw-
other::r--

Granting permissions

Granting permissions to a user:

setfacl -m u:user_name:permissions /path/to/file

Granting permissions to a group:

setfacl -m g:group_name:permissions /path/to/file

Deleting a specific entry (the entry is given without its permission field, for example a user entry):

setfacl -x u:user_name /path/to/file

Deleting all ACL entries:

setfacl -b /path/to/file

Combining several entries in one command:

setfacl -Rm g:group_name:rX,u:user_name:rwX /path/to/directory

The -R option applies the ACL change recursively to the directory and everything below it. The capital X permission combined with recursion means that files which already have the execute bit keep it (files without it do not gain it), while directories receive the x permission so that they can be traversed.

Restricting access to the directory for all other users:

setfacl -Rm o::-,d:o::- /path/to/directory

The output of getfacl can be used as input to setfacl to recreate the ACL settings in a new location. You can also use it to copy the ACLs of a source file or directory into a file, which can serve as a backup.

An additional property that can be set is the default ACL. When it is set on a directory, all files created in that directory receive the specified default permissions. Setting a default ACL does not change the permissions of files already in the directory; it affects only newly created ones.

Default entries for a user or a group are declared by prefixing the entry with d:

setfacl -Rm d:u:user_name:rwX,d:g:group_name:rX /path/to/directory
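To see what the default entries shown earlier by getfacl actually produce, here is an added example that is neither the article's nor the acl package's code. It applies the inheritance rule from acl(5) in Python: a new object starts from the parent's default ACL, then the user::, mask:: (or group:: when there is no mask) and other:: entries are ANDed with the mode bits passed to the creating call, while named user and group entries are copied unchanged. The default ACL used as input is the one the article shows for "directory", with its eurolinux and eurodb placeholders; the 0666 and 0777 modes are the usual values a file or mkdir creation passes.

```python
"""Predict the access ACL a new file or subdirectory inherits from a default ACL.

Added example for this article, not code from EuroLinux or the acl package.
It applies the rule documented in acl(5): the new object starts from the
parent's default ACL; the user::, mask:: (or group:: when there is no mask)
and other:: entries are then ANDed with the matching bits of the mode passed
to the creating call, while named user and group entries are copied as they
are. The umask is not applied when a default ACL exists. DEFAULT_ACL below is
the default ACL getfacl printed for "directory" earlier in the article; the
modes are the usual 0666 for files and 0777 for directories.
"""

# (tag, qualifier, perms) triples, i.e. the article's "default:" lines
DEFAULT_ACL = [
    ("user", "", "rwx"),
    ("user", "eurolinux", "rwx"),
    ("user", "eurodb", "r-x"),
    ("group", "", "rwx"),
    ("mask", "", "rwx"),
    ("other", "", "---"),
]


def bits_to_perms(bits):
    """One octal mode digit -> 'rwx' string, e.g. 6 -> 'rw-'."""
    return "".join(c if bits & b else "-"
                   for c, b in (("r", 4), ("w", 2), ("x", 1)))


def intersect(a, b):
    """AND of two 'rwx' strings: intersect('r-x', 'rw-') -> 'r--'."""
    return "".join(x if x == y and x != "-" else "-" for x, y in zip(a, b))


def inherit(default_acl, mode):
    """Access ACL of an object created with `mode` in a directory carrying
    `default_acl`. (A new subdirectory additionally gets the default ACL
    copied unchanged as its own default ACL; that part is not modelled.)"""
    owner_bits = bits_to_perms((mode >> 6) & 7)
    group_bits = bits_to_perms((mode >> 3) & 7)
    other_bits = bits_to_perms(mode & 7)
    has_mask = any(tag == "mask" for tag, _, _ in default_acl)
    result = []
    for tag, qual, perms in default_acl:
        if tag == "user" and qual == "":
            perms = intersect(perms, owner_bits)
        elif tag == "mask" or (tag == "group" and qual == "" and not has_mask):
            perms = intersect(perms, group_bits)
        elif tag == "other":
            perms = intersect(perms, other_bits)
        # named user/group entries are inherited unchanged
        result.append((tag, qual, perms))
    return result


def effective(acl):
    """Rights that survive the mask for each entry, the way getfacl's
    '#effective:' column reports them."""
    mask = next((p for t, q, p in acl if t == "mask"), "rwx")
    out = {}
    for tag, qual, perms in acl:
        exempt = tag in ("mask", "other") or (tag == "user" and qual == "")
        out[(tag, qual)] = perms if exempt else intersect(perms, mask)
    return out


def render(acl):
    """getfacl-like lines, with an effective column where the mask bites."""
    eff = effective(acl)
    lines = []
    for tag, qual, perms in acl:
        line = f"{tag}:{qual}:{perms}"
        if eff[(tag, qual)] != perms:
            line += f"\t#effective:{eff[(tag, qual)]}"
        lines.append(line)
    return lines


if __name__ == "__main__":
    print("new file (mode 0666):")
    print("\n".join(render(inherit(DEFAULT_ACL, 0o666))))
    print("\nnew subdirectory (mode 0777):")
    print("\n".join(render(inherit(DEFAULT_ACL, 0o777))))
```

The file case is the one that surprises people: default:user:eurodb:r-x is inherited as written, but the mask is cut down to rw- by the group bits of the 0666 creation mode, so eurodb ends up with an effective r-- on every new file until somebody widens the mask on that file (for example with chmod g+x or setfacl -m m:rwx). A new subdirectory, created with 0777, keeps all entries intact.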

Effective permissions mask

The mask defines the maximum permissions that can be granted by named user entries, the owning group entry and named group entries. It does not limit the permissions of the file owner or of other users.

The mask can be viewed with getfacl and set with setfacl. It can also be inherited from the default mask entry of the parent directory.

Example of setting the mask on a directory:

setfacl -Rm m:r directory
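As an added example that is neither the article's nor the acl package's code, the following Python script reads getfacl output like the listings in the ACL display section and answers the question this section raises: what does a given user actually get once the mask is applied? It implements the ordering the kernel uses (owner, then a named user entry, then the owning group and named groups, then other), with the mask applied to the middle stages only. The getfacl text, the identities and the group name devs are constructed for the demonstration; eurolinux and eurodb are the article's placeholders.

```python
"""Work out who can actually do what on an object from its getfacl output.

Added example for this article, not code from EuroLinux or the acl package.
It mirrors the POSIX ACL access check the kernel performs: the owner is
matched first, then a named user entry, then the owning group and named
groups, then other; the mask is applied to every stage except user:: and
other::. The getfacl text and the identities below are constructed; the
names eurolinux, eurodb and devs are placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    tag: str        # "user", "group", "mask" or "other"
    qualifier: str  # name for named user/group entries, "" for user::/group::
    perms: str      # "rwx" with "-" for bits that are not set


def perm_set(perms):
    """'r-x' -> {'r', 'x'}; the '-' placeholders are dropped."""
    return {c for c in perms if c in "rwx"}


def parse_getfacl(text):
    """Return (owner, owning_group, access entries) from getfacl output.

    Default entries are skipped: they never grant access to the directory
    itself, they only seed the ACL of objects created inside it.
    """
    owner = owning_group = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
            continue
        if line.startswith("# group:"):
            owning_group = line.split(":", 1)[1].strip()
            continue
        # Drop the '# file:' header and the '#effective:' annotation that
        # getfacl appends when the mask cuts an entry down.
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("default:"):
            continue
        tag, qualifier, perms = line.split(":")
        entries.append(Entry(tag, qualifier, perms))
    return owner, owning_group, entries


def acl_permits(entries, owner, owning_group, user, groups, want):
    """True if a process running as `user` (member of `groups`) gets `want`,
    e.g. "rw". Exactly one stage decides, in the order below."""
    want = perm_set(want)
    by = {(e.tag, e.qualifier): perm_set(e.perms) for e in entries}
    # A minimal ACL has no mask entry, and then nothing is filtered.
    mask = by.get(("mask", ""), set("rwx"))

    if user == owner:                        # owner: user::, never masked
        return want <= by[("user", "")]
    if ("user", user) in by:                 # named user, masked
        return want <= by[("user", user)] & mask
    group_perms = []                         # owning group + named groups, masked
    if owning_group in groups:
        group_perms.append(by[("group", "")])
    group_perms += [p for (tag, q), p in by.items()
                    if tag == "group" and q and q in groups]
    if group_perms:
        # Granted only if one matching group entry carries all requested
        # bits; rights from different group entries are not combined.
        return any(want <= p & mask for p in group_perms)
    return want <= by[("other", "")]         # other, never masked


def effective_rights(text, user, groups):
    """'rwx'-style summary of what `user` ends up with on the object."""
    owner, owning_group, entries = parse_getfacl(text)
    return "".join(
        bit if acl_permits(entries, owner, owning_group, user, set(groups), bit)
        else "-"
        for bit in "rwx")


# Constructed getfacl output: the article's directory after an administrator
# tightened the mask to r-x and added a named group.
SAMPLE = """\
# file: directory
# owner: eurolinux
# group: eurolinux
user::rwx
user:eurodb:r-x
group::rwx\t#effective:r-x
group:devs:rw-\t#effective:r--
mask::r-x
other::---
"""

if __name__ == "__main__":
    for user, groups in [("eurolinux", ["eurolinux"]),  # owner
                         ("eurodb", ["eurodb"]),        # named user
                         ("alice", ["devs"]),           # named group, w masked out
                         ("bob", ["eurolinux"]),        # owning group
                         ("carol", ["users"])]:         # falls through to other
        print(f"{user:10} {effective_rights(SAMPLE, user, groups)}")
```

Two practical points follow from the check order: the owner's user:: entry and the other:: entry are never reduced by the mask, so a restrictive mask is not a substitute for fixing those two entries; and setfacl -m recalculates the mask from the group-class entries after every change unless you pass -n, so a mask set with m:r as in the example above can be widened again by the next setfacl -m on the same object.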

Summary

The EuroLinux 8 kernel provides Filesystem Access Control List support also for file systems exported over NFS and Samba. ACL support is enabled by default in EuroLinux and complements the traditional permission model, acting as an additional, optional management layer.

Authors

The blog articles are written by people from the EuroLinux team. We owe 80% of the content to our developers, the rest is prepared by the sales or marketing department. We make every effort to ensure that the content is the best in terms of content and language, but we are not infallible. If you see anything that needs to be corrected or clarified, we'd love to hear from you.