access control lists

(Written by Paul Cobbaut, https://github.com/paulcobbaut/, with contributions by: Alex M. Schapelle, https://github.com/zero-pytagoras/)

Standard Unix permissions (one owner, one group, everybody else) might not be enough for some organisations. This chapter introduces access control lists, or acls, which let you grant permissions on a file or directory to additional named users and groups.

acl in /etc/fstab

File systems that support access control lists, or acls, have to be mounted with acl support. Older file systems such as ext2 and ext3 need the acl option listed in /etc/fstab (or set as a default mount option with tune2fs); current kernels enable acls on ext4 and xfs by default unless a mount uses the noacl option. In the example below, you can see that the root file system has acl support, whereas /home/data explicitly disables it with noacl. Whether acls work on the two nfs mounts depends on the server and on the nfs protocol version, not on this file.

root@linux:~# tail -4 /etc/fstab
/dev/sda1        /              ext3     acl,relatime    0  1
/dev/sdb2        /home/data     auto     noacl,defaults  0  0
pasha:/home/r    /home/pasha    nfs      defaults        0  0
wolf:/srv/data   /home/wolf     nfs      defaults        0  0
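As an added example (it is not part of the original chapter), here is a small shell function that reads an fstab and reports, for every entry, whether acls are explicitly enabled, explicitly disabled, or left to the file system's default. The sample fstab is constructed from the one above; the function name fstab_acl_status is an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the chapter: classify fstab entries by acl option.
# When a line lists both acl and noacl, the last one wins, as it does for mount.

# Read fstab text on stdin; print "<mountpoint> <fstype> <status>" per entry.
# status is one of:
#   enabled  - the acl option is present
#   disabled - the noacl option is present
#   default  - neither; depends on the file system's own defaults
fstab_acl_status() {
  while read -r dev mnt fstype opts rest; do
    case $dev in ''|'#'*) continue ;; esac      # skip blank lines and comments
    status=default
    for opt in $(printf '%s' "$opts" | tr ',' ' '); do
      case $opt in
        acl)   status=enabled ;;
        noacl) status=disabled ;;
      esac
    done
    printf '%s %s %s\n' "$mnt" "$fstype" "$status"
  done
}

# Constructed sample: the chapter's fstab tail plus a comment line.
SAMPLE_FSTAB='# <device>      <mountpoint>   <type>   <options>       <dump> <pass>
/dev/sda1        /              ext3     acl,relatime    0  1
/dev/sdb2        /home/data     auto     noacl,defaults  0  0
pasha:/home/r    /home/pasha    nfs      defaults        0  0
wolf:/srv/data   /home/wolf     nfs      defaults        0  0'

printf '%s\n' "$SAMPLE_FSTAB" | fstab_acl_status
```

For the "default" entries the fstab alone does not tell you the answer: check the superblock defaults of an ext file system with tune2fs -l /dev/sdXn and look for acl in "Default mount options", and check what is actually mounted right now with findmnt -n -o OPTIONS /mountpoint. The definitive test is still to try setfacl on a file in that file system and read the entry back with getfacl.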

getfacl

Reading acls can be done with /usr/bin/getfacl. This screenshot shows how to read the acl of file33 with getfacl.

student@linux:~/test$ getfacl file33
# file: file33
# owner: paul
# group: paul
user::rw-
group::r--
mask::rwx
other::r--

setfacl

Writing or changing acls can be done with /usr/bin/setfacl. These screenshots show how to change the acl of file33 with setfacl.

First we add user sandra with octal permission 7 (rwx) to the acl.

student@linux:~/test$ setfacl -m u:sandra:7 file33

Then we add the group tennis with octal permission 6 (rw-) to the acl of the same file.

student@linux:~/test$ setfacl -m g:tennis:6 file33

The result is visible with getfacl.

student@linux:~/test$ getfacl file33 
# file: file33
# owner: paul
# group: paul
user::rw-
user:sandra:rwx
group::r--
group:tennis:rw-
mask::rwx
other::r--

remove an acl entry

The -x option of the setfacl command removes a single acl entry from the targeted file. The entry is named without permissions.

student@linux:~/test$ setfacl -m u:sandra:7 file33 
student@linux:~/test$ getfacl file33 | grep sandra
user:sandra:rwx
student@linux:~/test$ setfacl -x sandra file33
student@linux:~/test$ getfacl file33 | grep sandra

Note that omitting the u or g when naming an acl entry defaults it to a user entry, so setfacl -x sandra removes the user:sandra entry.

remove the complete acl

The -b option of the setfacl command removes the complete extended acl (all named user entries, named group entries and the mask) from the targeted file. The base owner, group and other permissions remain.

student@linux:~/test$ setfacl -b file33 
student@linux:~/test$ getfacl file33 
# file: file33
# owner: paul
# group: paul
user::rw-
group::r--
other::r--

the acl mask

The acl mask defines the maximum effective permissions for the named user entries, the named group entries and the owning group entry of the acl. The owner entry (user::) and the other entry are not limited by the mask. By default setfacl recalculates the mask, as the union of those entries, every time you modify the acl; chmod on a file with an acl changes the mask, because the group bits of the mode represent the mask rather than the owning group's permissions.

You can prevent the recalculation by using the -n or --no-mask switch. The existing mask then stays, and getfacl shows any entry that it restricts with an #effective: comment.

student@linux:~/test$ setfacl --no-mask -m u:sandra:7 file33
student@linux:~/test$ getfacl file33
# file: file33
# owner: paul
# group: paul
user::rw-
user:sandra:rwx         #effective:rw-
group::r--
mask::rw-
other::r--
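To see exactly which entries the mask applies to, here is an added example (not code from the chapter) that reads a getfacl listing and prints the effective rights of every entry: named users, named groups and the owning group are ANDed with mask::, while user::, other:: and the mask itself are left alone; default: entries on a directory are matched against default:mask::. The listings are constructed from the chapter's file33 example, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the chapter: compute effective rights of acl entries
# from a getfacl listing, the way the kernel applies the mask.

# "rwx"-style triplet -> number 0..7
perm_to_num() {
  n=0
  case $1 in r??) n=$((n + 4)) ;; esac
  case $1 in ?w?) n=$((n + 2)) ;; esac
  case $1 in ??x) n=$((n + 1)) ;; esac
  echo "$n"
}

# number 0..7 -> "rwx"-style triplet
num_to_perm() {
  p=''
  if [ $(($1 & 4)) -ne 0 ]; then p="${p}r"; else p="${p}-"; fi
  if [ $(($1 & 2)) -ne 0 ]; then p="${p}w"; else p="${p}-"; fi
  if [ $(($1 & 1)) -ne 0 ]; then p="${p}x"; else p="${p}-"; fi
  echo "$p"
}

# Read a getfacl listing on stdin; print "<entry> <effective>" per entry.
effective_acl() {
  listing=$(cat)
  # A listing without a mask entry (no named entries) masks nothing.
  mask=$(printf '%s\n' "$listing" | sed -n 's/^mask::\([rwx-]*\).*/\1/p')
  dmask=$(printf '%s\n' "$listing" | sed -n 's/^default:mask::\([rwx-]*\).*/\1/p')
  [ -n "$mask" ] || mask=rwx
  [ -n "$dmask" ] || dmask=rwx
  printf '%s\n' "$listing" | while IFS= read -r line; do
    case $line in ''|'#'*) continue ;; esac     # skip the "# file:" header lines
    pre=''; m=$mask; entry=$line
    case $line in default:*) pre='default:'; m=$dmask; entry=${line#default:} ;; esac
    tag=${entry%%:*}
    rest=${entry#*:}
    qual=${rest%%:*}
    perms=$(printf '%s' "${rest#*:}" | cut -c1-3)  # drop any "#effective:" column
    case "$tag:$qual" in
      user:|other:|mask:) eff=$perms ;;            # owner, other and mask: never masked
      *) a=$(perm_to_num "$perms"); b=$(perm_to_num "$m"); eff=$(num_to_perm $((a & b))) ;;
    esac
    printf '%s%s:%s:%s %s\n' "$pre" "$tag" "$qual" "$perms" "$eff"
  done
}

# Constructed listing: file33 after a --no-mask change left mask::r-- in place.
SAMPLE_ACL='# file: file33
# owner: paul
# group: paul
user::rw-
user:sandra:rwx         #effective:r--
group::r--
group:tennis:rw-        #effective:r--
mask::r--
other::r--'

# Constructed listing of a directory with default entries for new files.
SAMPLE_DIR_ACL='# file: shared
# owner: paul
# group: paul
user::rwx
group::r-x
other::---
default:user::rwx
default:group:tennis:rwx
default:mask::r-x
default:other::---'

printf '%s\n' "$SAMPLE_ACL" | effective_acl
printf '%s\n' "$SAMPLE_DIR_ACL" | effective_acl
```

Run against real output with getfacl file33 | effective_acl. The security point the listing makes visible: a named entry such as user:sandra:rwx is only a grant if the mask allows it, and because chmod rewrites the mask, a chmod g-w on a file with an acl silently takes write access away from every named user and group, while a chmod g+w gives it back to all of them at once.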

eiciel

Desktop users might want to use eiciel to manage acls with a graphical tool.

You will need to install eiciel and nautilus-actions to have an extra tab in nautilus to manage acls.

student@linux:~$ sudo aptitude install eiciel nautilus-actions