Access Control List (ACL)


What is ACL?

POSIX Access Control Lists (ACLs) are a Linux feature that allows different permissions to be set for different users or groups, even if they are not the owner or the owning group of the file or directory. With ACLs we can add more granular permissions that go beyond the well-known ugo/rwx controls.

For example, John created a file. He does not allow anyone in the group to access the file, except for another user called Ben (even if other users belong to John's group). This means that, in addition to the standard permissions of that file (rwx for owner, group, others), other users and groups may be granted or refused access by using POSIX ACLs.

The command to learn more about ACL:

man acl

ACL is enabled by default on modern Linux distributions (starting with kernel 2.6), so it is no longer necessary to enable it in the /etc/fstab file. An example of enabling ACL in /etc/fstab:

/dev/root / ext4 acl,errors=remount-ro 0 1

How do we find out if the file system used has ACL enabled?

Suppose you want to verify that your distribution or the file system you are working with has ACL enabled; the kernel configuration is usually found in /boot. There are two possibilities:

a. cat /boot/config* | grep _ACL

The output will be:

CONFIG_EXT4_FS_POSIX_ACL=y
CONFIG_REISERFS_FS_POSIX_ACL=y
CONFIG_JFS_POSIX_ACL=y
CONFIG_XFS_POSIX_ACL=y
CONFIG_BTRFS_FS_POSIX_ACL=y
CONFIG_F2FS_FS_POSIX_ACL=y
CONFIG_FS_POSIX_ACL=y
CONFIG_TMPFS_POSIX_ACL=y
[…]

b. We use the tune2fs utility (usually it is preinstalled on most distributions):

# tune2fs -l /dev/sdXY | grep "Default mount options:"

Example below:

[root@mvps ~]#
[root@mvps ~]# tune2fs -l /dev/sdb1 | grep "Default mount options:"
Default mount options: user_xattr acl
[root@mvps ~]#
[root@mvps ~]#
[root@mvps ~]# tune2fs -l /dev/sda9 | grep "Default mount options:"
Default mount options: user_xattr acl
[root@mvps ~]#

Enabling ACL for a partition/file system using the tune2fs utility:

# tune2fs -o acl /dev/sdXY

Types of ACLs

There are two types of ACL: access ACL and default ACL:

• access ACL is used to assign permissions to a specific file or directory;
• default ACL is used only in directories, and if a file inside this directory does not have ACL set up, it will inherit the default ACL permissions assigned to the directory that contains it.

Commands

There are two commands that we will use: one to see the ACL settings (getfacl), and the other one to change the ACL settings of a Linux file or directory (setfacl):

# whatis getfacl
getfacl (1) – get file access control lists
# whatis setfacl
setfacl (1) – set file access control lists

ACL will use the known standard permissions for user, group, others – read, write, execute (ugo/rwx) and use them as a starting point, then apply custom exceptions over them.
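To make "standard permissions first, exceptions on top" concrete, the following added example (not part of the original article) evaluates a getfacl listing for John's file in the order acl(5) gives for the access check: owner, named user, owning or named group, other. The listing is constructed, acl_effective is a hypothetical helper name, and the mask entry it applies comes from acl(5) rather than from the text above; for the group step it prints the union of matching entries, which is exact for one permission bit at a time.

```shell
#!/bin/sh
# Constructed sample: `getfacl report.txt` output after, for instance,
#   chmod 600 report.txt && setfacl -m u:ben:r-- report.txt
sample_acl() {
cat <<'EOF'
# file: report.txt
# owner: john
# group: john
user::rw-
user:ben:r--
group::---
mask::r--
other::---
EOF
}
# acl_effective USER [GROUP...]: read getfacl text on stdin, print the rwx
# triple that applies to USER, who belongs to the listed GROUPs.
acl_effective() {
    user=$1; shift
    awk -v user="$user" -v groups="$*" '
    function both(p, m,   i, c, out) {        # entry AND mask
        for (i = 1; i <= 3; i++) { c = substr(p, i, 1)
            out = out ((c != "-" && substr(m, i, 1) != "-") ? c : "-") }
        return out }
    function either(a, b,   i, c, out) {      # union of matching group entries
        for (i = 1; i <= 3; i++) { c = substr(a, i, 1)
            out = out ((c != "-") ? c : substr(b, i, 1)) }
        return out }
    BEGIN { n = split(groups, g, " "); for (i = 1; i <= n; i++) mine[g[i]] = 1
            mask = "rwx"; gperm = "---" }     # no mask entry: nothing is masked
    /^# owner: / { owner = $3 }
    /^# group: / { ogroup = $3 }
    /^#/ || NF == 0 { next }
    { split($1, f, ":")
      if (f[1] == "default") next             # default ACL: inheritance only
      q = (f[2] == "") ? ogroup : f[2]        # empty qualifier = owning group
      if (f[1] == "mask") mask = f[3]
      else if (f[1] == "other") other = f[3]
      else if (f[1] == "user" && f[2] == "") uown = f[3]
      else if (f[1] == "user" && f[2] == user) { unamed = f[3]; hit_u = 1 }
      else if (f[1] == "group" && (q in mine)) { gperm = either(gperm, f[3]); hit_g = 1 } }
    END { if (user == owner) print uown              # 1. owner, never masked
          else if (hit_u) print both(unamed, mask)   # 2. named user
          else if (hit_g) print both(gperm, mask)    # 3. owning or named group
          else print other }                         # 4. everyone else
    '
}
sample_acl | acl_effective ben          # prints r--
sample_acl | acl_effective alice john   # prints --- (member of group john)
```

On a live system the same function can read real output, for example getfacl FILE | acl_effective USER GROUP, to review who an ACL actually lets in.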

It is a good idea to keep the values in the table below for future reference; they allow us to assign or change ACL values using the setfacl command:
