Access Control Lists – ACL
Access Control Lists (ACL) are available on Pegasus and Triton file systems. They allow file owners to grant permissions to specific users and groups. When combining standard Linux permissions and ACL permissions, effective permissions are the intersection (or overlap) of the two. cp (copy) and mv (move/rename) will include any ACLs associated with files and directories.
Getting ACL information
ACL permissions start the same as the standard Linux permissions shown by ls -l output.
Get ACL information with getfacl:
[username@pegasus ~]$ getfacl mydir
# file: mydir
# owner: username
# group: mygroup
user::rwx
group::rw-
other::--x
Initial ACL permissions on mydir match the standard permissions shown by ls -ld:
[username@pegasus ~]$ ls -ld mydir
drwxrw---x 2 username mygroup mydir
Setting ACL information
Once an ACL has been set for a file or directory, a + symbol will show at the end of standard Linux permissions.
Set ACL with setfacl -m (modify):
Set for user mycollaborator permissions rwx on mydir, directory only:
[username@pegasus ~]$ setfacl -m user:mycollaborator:rwx mydir
This will set an ACL for only the directory, not any files in the directory.
[username@pegasus ~]$ ls -ld mydir
drwxrw---x+ 2 username mygroup mydir
[username@pegasus ~]$ getfacl mydir
# file: mydir
# owner: username
# group: mygroup
user::rwx
user:mycollaborator:rwx
group::rw-
mask::rwx
other::r--
Note the + symbol at the end of standard permissions, which indicates an ACL has been set. Also note the line user:mycollaborator:rwx in the getfacl mydir output.
Files within mydir remain unchanged (no ACL has been set). getfacl on these files returns standard Linux permissions:
[username@pegasus ~]$ ls -l mydir
total 0
-rwxrw-r-- 1 username mygroup myfile2.txt
-rwxrw-r-- 1 username mygroup myfile.txt
[username@pegasus ~]$ getfacl mydir/myfile.txt
# file: mydir/myfile.txt
# owner: username
# group: mygroup
user::rwx
group::rw-
other::r--
Set for user mycollaborator permissions rwX on mydir, recursively (all contents):
[username@pegasus ~]$ setfacl -Rm user:mycollaborator:rwX mydir
This will set an ACL for the directory and all files in the directory. Permissions for setfacl:
- r read
- w write
- X (capital) execute/search only if the file is a directory, or already has execute permission
[username@pegasus ~]$ ls -l mydir
total 0
-rwxrw-r--+ 1 username mygroup myfile2.txt
-rwxrw-r--+ 1 username mygroup myfile.txt
Note the + symbol after file permissions, indicating an ACL has been set. getfacl on these files returns ACL permissions:
[username@pegasus ~]$ getfacl mydir/myfile.txt
# file: mydir/myfile.txt
# owner: username
# group: mygroup
user::rwx
user:mycollaborator:rwx
group::rw-
mask::rwx
other::r--
Note the line user:mycollaborator:rwx for myfile.txt.
Recall that when combining standard Linux permissions and ACL permissions, effective permissions are the intersection of the two. If user (u) permissions are changed to rw-, the effective permissions for user:mycollaborator are rw- (the intersection of rwx and rw- is rw-).
[username@pegasus ~]$ chmod u=rw mydir/myfile.txt
[username@pegasus ~]$ getfacl mydir/myfile.txt
# file: myfile.txt
# owner: username
# group: mygroup
user::rw-
user:mycollaborator:rwx
group::rw-
mask::rwx
other::r--
Note the line user::rw-, indicating that the file owner (the user:: entry) no longer has permission to execute this file.
Removing ACL information
Use setfacl to remove ACL permissions with flags -x (individual ACL permissions) or -b (all ACL rules).
Remove ACL permissions with setfacl -x:
This flag removes individual entries (and can remove all of them), but does not remove the ACL itself.
Remove permissions for user mycollaborator on mydir, directory only:
[username@pegasus ~]$ setfacl -x user:mycollaborator mydir
[username@pegasus ~]$ getfacl mydir
# file: mydir
# owner: username
# group: mygroup
user::rwx
group::rw-
mask::rwx
other::--x
[username@pegasus ~]$ ls -ld mydir
drwxrwx--x+ 2 username mygroup mydir
Note user:mycollaborator:rwx has been removed, but mask::rwx remains in the getfacl output. In ls -ld output, the + symbol remains because the ACL has not been removed.
Remove all ACL rules with setfacl -b:
This flag removes the entire ACL, leaving permissions governed only by standard Linux file permissions.
Remove all ACL rules for mydir, directory only:
[username@pegasus ~]$ setfacl -b mydir
[username@pegasus ~]$ ls -ld mydir
drwxrwx--x 2 username mygroup mydir
[username@pegasus ~]$ getfacl mydir
# file: mydir
# owner: username
# group: mygroup
user::rwx
group::rwx
other::--x
Note the + symbol is gone from ls -ld output, indicating only standard Linux permissions apply (no ACL). The mask line is gone from getfacl output.
Remove all ACL rules for mydir, recursively (all contents):
[username@pegasus ~]$ setfacl -Rb mydir
[username@pegasus ~]$ ls -l mydir
total 0
-rwxrwxr-- 1 username mygroup myfile2.txt
-rwxrwxr-- 1 username mygroup myfile.txt
Note the + symbols are gone for the contents of mydir, indicating only standard Linux permissions apply (no ACLs).
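The whole walkthrough above (directory-only -m, recursive -Rm with X, -x leaving the mask and the + behind, -Rb clearing everything) can be replayed on a scratch directory and checked programmatically. The script below is an added example, not part of the Pegasus documentation; it assumes the acl package (setfacl/getfacl) and an ACL-capable filesystem, and uses the nobody account in place of mycollaborator because that account exists on virtually every Linux host. The helper names (has_acl_flag, collab_entry, mask_lines, make_tree, acl_lifecycle) are this example's own.

```shell
#!/bin/sh
# Added example: replay the ACL lifecycle from the walkthrough on a scratch
# directory and report each state. Assumes setfacl/getfacl and an ACL-capable
# filesystem. COLLAB stands in for "mycollaborator".
COLLAB="${COLLAB:-nobody}"

# "yes" if ls -ld shows the trailing '+' that marks an extended ACL, else "no".
has_acl_flag() {
  case "$(ls -ld "$1" | awk '{print $1}')" in
    *+) echo yes ;;
    *)  echo no ;;
  esac
}

# Permissions granted to $COLLAB by a named-user entry, or "none".
# getfacl -c drops the comment header; -p silences the "Removing leading /" message.
collab_entry() {
  getfacl -c -p "$1" | awk -F: -v u="$COLLAB" \
    '$1 == "user" && $2 == u { p = $3; sub(/[ \t].*/, "", p); print p; found = 1 }
     END { if (!found) print "none" }'
}

# Number of mask entries in the access ACL (0 once setfacl -b has run).
mask_lines() {
  getfacl -c -p "$1" | grep -c '^mask::'
}

# Build the scratch tree: a 0751 directory holding a non-executable file and a subdirectory.
make_tree() {
  mkdir -p "$1/sub" && : > "$1/myfile.txt" \
    && chmod 751 "$1" && chmod 644 "$1/myfile.txt" && chmod 750 "$1/sub"
}

acl_lifecycle() {
  d="$1"
  make_tree "$d" || return 1

  setfacl -m "user:$COLLAB:rwx" "$d"        # directory only, contents untouched
  echo "after -m      : dir flag=$(has_acl_flag "$d") file flag=$(has_acl_flag "$d/myfile.txt")"

  setfacl -Rm "user:$COLLAB:rwX" "$d"       # recursive; X gives x only to dirs and already-executable files
  echo "after -Rm rwX : file entry=$(collab_entry "$d/myfile.txt") subdir entry=$(collab_entry "$d/sub")"

  setfacl -x "user:$COLLAB" "$d"            # drop the entry; the mask and the '+' stay
  echo "after -x      : dir entry=$(collab_entry "$d") flag=$(has_acl_flag "$d") mask entries=$(mask_lines "$d")"

  setfacl -Rb "$d"                          # strip the ACLs entirely
  echo "after -Rb     : dir flag=$(has_acl_flag "$d") file flag=$(has_acl_flag "$d/myfile.txt") mask entries=$(mask_lines "$d")"
}

main() {
  command -v setfacl >/dev/null 2>&1 || { echo "setfacl not installed; nothing to demonstrate"; return 0; }
  scratch=$(mktemp -d) || return 1
  acl_lifecycle "$scratch/mydir"
  rm -rf "$scratch"
}

main "$@"
```

The rwX step is the one worth watching: myfile.txt (mode 0644) ends up with user:nobody:rw-, while the subdirectory gets rwx, which is exactly why X rather than x is the safe choice for a recursive grant. After -x the directory still reports a mask entry and ls still shows the +, confirming the note above that only -b returns a file to plain mode bits.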
For more information, see the manual pages for getfacl and setfacl: man getfacl and man setfacl.
© Copyright 2023 Revision cebb4199 .
Access Control Lists
Access control list (ACL) provides an additional, more flexible permission mechanism for file systems. It is designed to assist with UNIX file permissions. ACL allows you to give permissions for any user or group to any disk resource.
Installation
The acl package is a dependency of systemd, so it should already be installed.
Enable ACL
To enable ACL, the filesystem must be mounted with the acl option. You can use fstab entries to make it permanent on your system.
There is a possibility that the acl option is already active as one of the default mount options on the filesystem. Btrfs and Ext2/3/4 filesystems are affected by this. Use the following command to check ext2/3/4 formatted partitions for the option:
# tune2fs -l /dev/sdXY | grep "Default mount options:"
Default mount options: user_xattr acl
Also check that the default mount options are not overridden; in that case you will see noacl on the relevant line of /proc/mounts.
You can set the default mount options of a filesystem using the tune2fs -o option partition command, for example:
# tune2fs -o acl /dev/sdXY
Using the default mount options instead of an entry in /etc/fstab is very useful for external drives: such a partition will be mounted with the acl option on other Linux machines as well, with no need to edit /etc/fstab on every machine.
- acl is specified as a default mount option when creating an ext2/3/4 filesystem. This is configured in /etc/mke2fs.conf.
- The default mount options are not listed in /proc/mounts .
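Because defaults written with tune2fs -o never appear in /proc/mounts, the only conclusive thing the mount table can tell you is whether ACLs were explicitly switched off (noacl) or explicitly switched on (acl). The script below is an added example, not from the Arch wiki: acl_mount_status reads a mount table in /proc/mounts format and classifies one mount point, and demo_mounts supplies constructed sample lines so it runs offline. Both names are this example's own.

```shell
#!/bin/sh
# Added example: classify ACL support for a mount point from /proc/mounts-style
# lines. "default" means neither acl nor noacl was given on the mount, so the
# filesystem defaults (tune2fs -l for ext2/3/4) decide.

# acl_mount_status MOUNTPOINT [MOUNTS_FILE]
# Prints "disabled" (noacl present), "enabled" (acl present),
# "default" (neither) or "unmounted" (mount point not in the table).
# If a mount point appears more than once, the last line wins, as it does for the kernel.
acl_mount_status() {
  awk -v mp="$1" '
    $2 == mp {
      found = 1
      status = "default"
      n = split($4, opt, ",")
      for (i = 1; i <= n; i++) {
        if (opt[i] == "noacl") { status = "disabled"; break }
        if (opt[i] == "acl") status = "enabled"
      }
    }
    END { print (found ? status : "unmounted") }' "${2:-/proc/mounts}"
}

# Constructed sample mount table for the demo (not a real system).
demo_mounts() {
  cat <<'EOF'
/dev/sda2 / ext4 rw,relatime 0 0
/dev/sdb1 /mnt/archive ext4 rw,relatime,noacl 0 0
/dev/sdd1 /srv/data ext4 rw,relatime,acl 0 0
EOF
}

main() {
  sample=$(mktemp) || return 1
  demo_mounts > "$sample"
  for mp in / /mnt/archive /srv/data /mnt/nothing; do
    echo "$mp: $(acl_mount_status "$mp" "$sample")"
  done
  rm -f "$sample"
}

main "$@"
```

Run without the second argument to query the live system, e.g. acl_mount_status /home. When the answer is "default" on an ext filesystem, follow up with the tune2fs -l check shown above; when you do want an explicit setting, an /etc/fstab line of the form UUID=<your-uuid> /srv/data ext4 defaults,acl 0 2 (placeholder UUID) makes it persistent.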
Usage
Set ACL
The ACL can be modified using the setfacl command.
- You can list file/directory permission changes without modifying the permissions (i.e. dry-run) by appending the --test flag.
- To apply operations to all files and directories recursively, append the -R / --recursive argument.
To set permissions for a user (user is either the user name or ID):
# setfacl -m "u:user:permissions"
To set permissions for a group (group is either the group name or ID):
# setfacl -m "g:group:permissions"
To set permissions for others:
# setfacl -m "other:permissions"
To allow all newly created files or directories to inherit entries from the parent directory (this will not affect files which will be copied into the directory):
To remove a specific entry:
To remove the default entries:
To remove all entries (entries of the owner, group and others are retained):
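The default entries mentioned above are the part of setfacl most often misunderstood, so here is an added example (not from the Arch wiki) that exercises them end to end: a --test dry run, setting a default entry with -d -m, creating a file to show the entry being inherited, and -k removing the default entries while leaving the already-created file alone. It assumes setfacl/getfacl and an ACL-capable filesystem; the nobody account stands in for whichever user you would actually name, and dry_run_default, access_entry, default_entry, inherit_check and inheritance_walkthrough are this example's own helper names.

```shell
#!/bin/sh
# Added example: default (inherited) ACL entries, the --test dry run and -k.
GRANTEE="${GRANTEE:-nobody}"

# Show what setfacl would produce without changing anything: --test prints the
# resulting ACL and leaves the directory untouched.
dry_run_default() {
  setfacl --test -d -m "u:$GRANTEE:rwx" "$1"
}

# Named-user entry for $GRANTEE in a path's access ACL, or "none".
# A trailing "#effective:" annotation from getfacl is stripped off.
access_entry() {
  getfacl -c -p "$1" | awk -F: -v u="$GRANTEE" \
    '$1 == "user" && $2 == u { p = $3; sub(/[ \t].*/, "", p); print p; f = 1 }
     END { if (!f) print "none" }'
}

# Named-user entry for $GRANTEE in a directory's default ACL, or "none".
# getfacl prints default entries with a "default:" prefix, so fields shift by one.
default_entry() {
  getfacl -c -p "$1" | awk -F: -v u="$GRANTEE" \
    '$1 == "default" && $2 == "user" && $3 == u { p = $4; sub(/[ \t].*/, "", p); print p; f = 1 }
     END { if (!f) print "none" }'
}

# Create a file inside the directory and report the entry it inherited.
inherit_check() {
  : > "$1/$2" && access_entry "$1/$2"
}

inheritance_walkthrough() {
  d="$1"
  mkdir -p "$d" || return 1
  echo "--- dry run (nothing applied):"; dry_run_default "$d"
  echo "default entry now: $(default_entry "$d")"                  # none
  setfacl -d -m "u:$GRANTEE:rwx" "$d"
  echo "default entry after -d -m: $(default_entry "$d")"          # rwx
  echo "access entry on the directory itself: $(access_entry "$d")" # none: -d touches only the default ACL
  echo "new file inherits: $(inherit_check "$d" new.txt)"          # rwx, capped by the mask derived from the create mode
  getfacl -c -p -e "$d/new.txt"                                    # -e shows the effective rights per entry
  setfacl -k "$d"                                                  # remove default entries only
  echo "default entry after -k: $(default_entry "$d"); file still has: $(access_entry "$d/new.txt")"
}

main() {
  command -v setfacl >/dev/null 2>&1 || { echo "setfacl not installed; nothing to demonstrate"; return 0; }
  scratch=$(mktemp -d) || return 1
  inheritance_walkthrough "$scratch/shared"
  rm -rf "$scratch"
}

main "$@"
```

Two things the output makes visible: -d -m changes only what future files will get, not the directory's own access ACL (grant that separately with a plain -m if the user must enter the directory now), and the inherited rwx entry is reported with an #effective cap because the new file's mask comes from its creation mode, not from the default mask.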
The factual accuracy of this article or section is disputed.
Reason: The original note about the --mask option (which was taken from setfacl(1)) was determined to be inaccurate, but the new note does not seem correct either. See the talk page for details. (Discuss in Talk:Access Control Lists#ACL mask entry)
Note: The default behavior of setfacl is to recalculate the ACL mask entry, unless a --mask entry was explicitly given. The mask entry indicates the maximum permissions allowed for users (other than the owner) and for groups. Unless explicitly set, this will match the permissions of the default group. To clarify what this means, suppose the group owning a directory has r-x permissions. If you add an ACL user or group with rwx permissions, the effective permissions of this user or group will be r-x. The reason for this is so that there are no surprises when a file from a system which does not support ACLs is made available on a system which does.
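The rule the note above and the Pegasus "intersection" remark both describe is mechanical: the mask entry is ANDed with every named-user, named-group and owning-group entry, while the owner (user::) and other entries are never masked. getfacl -e prints the result as #effective annotations; the script below, an added example that belongs to neither document, recomputes it from getfacl-style text so the arithmetic is explicit. The two input samples are constructed from outputs shown on this page (the mydir/myfile.txt listing, and the note's r-x group with an rwx grant), and effective_perms / effective_for are this example's own names. A practical corollary worth remembering: once an ACL exists, chmod's group bits move the mask, so chmod g=r on such a file silently caps every named entry at r--.

```shell
#!/bin/sh
# Added example: compute effective ACL permissions (entry AND mask) from
# getfacl output on stdin. Default entries (prefix "default:") carry their own
# mask and are skipped here; run getfacl -d separately for those.
effective_perms() {
  awk -F: '
    /^#/ || NF < 3 { next }                     # comment header, blank and message lines
    /^default:/ { next }                        # default ACL not handled here
    {
      p = $3; sub(/[ \t].*/, "", p)             # drop a trailing #effective annotation
      key = $1 ":" $2; order[n++] = key; perms[key] = p
      if ($1 == "mask") mask = p
    }
    END {
      for (i = 0; i < n; i++) {
        key = order[i]; p = perms[key]
        if (mask == "" || key == "user:" || key == "other:" || key == "mask:") {
          eff = p                               # owner, other and the mask itself are unmasked
        } else {
          eff = ""
          for (j = 1; j <= 3; j++) {            # AND, one permission character at a time
            c = substr(p, j, 1); m = substr(mask, j, 1)
            eff = eff ((c == m && c != "-") ? c : "-")
          }
        }
        printf "%-24s granted=%s effective=%s\n", key, p, eff
      }
    }'
}

# Print only the effective permission of one entry key (e.g. user:johnny, group:, user:).
effective_for() {
  printf '%s\n' "$1" | effective_perms | awk -v k="$2" '$1 == k { sub(/.*effective=/, ""); print }'
}

# Constructed sample 1: mask rwx, so no entry is cut (the Pegasus myfile.txt listing).
sample_unmasked='user::rw-
user:mycollaborator:rwx
group::rw-
mask::rwx
other::r--'

# Constructed sample 2: owning group r-x, mask r-x, named user granted rwx.
sample_masked='user::rwx
user:johnny:rwx
group::r-x
mask::r-x
other::---'

printf '%s\n' "$sample_unmasked" | effective_perms
echo
printf '%s\n' "$sample_masked" | effective_perms
```

Pipe real output through it with getfacl -c somefile | effective_perms. In sample 2, user:johnny is granted rwx but gets r-x, which is exactly the situation the note describes; the owner's rwx passes through untouched because the mask never applies to user::.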
Show ACL
Examples
Set all permissions for user johnny on the file named abc:
# file: abc
# owner: someone
# group: someone
user::rw-
user:johnny:rwx
group::r--
mask::rwx
other::r--
Change permissions for user johnny:
# file: abc
# owner: someone
# group: someone
user::rw-
user:johnny:r-x
group::r--
mask::r-x
other::r--
# file: abc
# owner: someone
# group: someone
user::rw-
group::r--
other::r--
Output of ls command
You will notice that there is an ACL for a given file because it will exhibit a + (plus sign) after its Unix permissions in the output of ls -l .
crw-rw----+ 1 root audio 14, 4 nov. 9 12:49 /dev/audio
getfacl: Removing leading '/' from absolute path names
# file: dev/audio
# owner: root
# group: audio
user::rw-
user:solstice:rw-
group::rw-
mask::rw-
other::---
Execution permissions for private files
The following technique describes how a process like a web server can be granted access to files that reside in a user’s home directory, without compromising security by giving the whole world access.
In the following we assume that the web server runs as the user http and grant it access to geoffrey's home directory /home/geoffrey.
The first step is granting execution permissions for the user http :
# setfacl -m "u:http:--x" /home/geoffrey
Note: Execution permissions to a directory are necessary for a process to list the directory’s content.
Since the user http is now able to access files in /home/geoffrey, others no longer need access:
Use getfacl to verify the changes:
getfacl: Removing leading '/' from absolute path names
# file: home/geoffrey
# owner: geoffrey
# group: geoffrey
user::rwx
user:http:--x
group::r-x
mask::r-x
other::---
As the above output shows, others no longer have any permissions, but the user http is still able to access the files, so security might be considered increased.
If you need to give write access for the user http on specific directories and/or files, run:
# setfacl -dm "u:http:rwx" /home/geoffrey/project1/cache
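The three steps of this technique (traverse-only entry on the home directory, closing it to others, write access confined to one subdirectory) are easy to apply and just as easy to leave half-done, so an added example follows that performs them on a scratch tree and then audits the result. It is not from the Arch wiki; it assumes setfacl/getfacl and an ACL-capable filesystem, uses the nobody account in place of http, and names its helpers svc_access, svc_default, other_perms, grant_service_access and audit_service_access. One design choice differs from the last command above: because -d alone writes only the default ACL (what future files get) and not the directory's own access ACL, the grant function sets both on the writable subdirectory, so the service user can create files there immediately. The --x entry on the home lets the process pass through to paths it already knows, which is all a web server serving a known document root needs.

```shell
#!/bin/sh
# Added example: apply the private-home layout to a scratch tree and audit it.
# SVC is the service account; "nobody" stands in for http.
SVC="${SVC:-nobody}"

# Named-user entry for $SVC in a path's access ACL, or "none" (#effective annotation stripped).
svc_access() {
  getfacl -c -p "$1" | awk -F: -v u="$SVC" \
    '$1 == "user" && $2 == u { p = $3; sub(/[ \t].*/, "", p); print p; f = 1 }
     END { if (!f) print "none" }'
}

# Named-user entry for $SVC in a directory's default ACL, or "none".
svc_default() {
  getfacl -c -p "$1" | awk -F: -v u="$SVC" \
    '$1 == "default" && $2 == "user" && $3 == u { p = $4; sub(/[ \t].*/, "", p); print p; f = 1 }
     END { if (!f) print "none" }'
}

# The "other" permissions of a path's access ACL (default:other lines do not match $1).
other_perms() {
  getfacl -c -p "$1" | awk -F: '$1 == "other" { print $3 }'
}

# Apply the layout: traverse-only on the home, nothing for others, full access
# (now and inherited) on the designated writable subdirectory only.
grant_service_access() {
  home="$1"; writable="$2"
  setfacl -m "u:$SVC:--x" "$home"
  chmod o= "$home"
  setfacl -m "u:$SVC:rwx" "$writable"        # the directory itself
  setfacl -d -m "u:$SVC:rwx" "$writable"     # and whatever is created inside it later
}

# Audit: succeed only if the home is closed to others, the service user can do
# no more than traverse it, and inherited write access exists on the subdirectory.
audit_service_access() {
  home="$1"; writable="$2"
  [ "$(other_perms "$home")" = "---" ] || { echo "others still have access to $home"; return 1; }
  [ "$(svc_access "$home")" = "--x" ] || { echo "$SVC has more than traverse on $home"; return 1; }
  [ "$(svc_default "$writable")" = "rwx" ] || { echo "no inherited write access on $writable"; return 1; }
  echo ok
}

main() {
  command -v setfacl >/dev/null 2>&1 || { echo "setfacl not installed; nothing to demonstrate"; return 0; }
  scratch=$(mktemp -d) || return 1
  home="$scratch/geoffrey"; cache="$home/project1/cache"   # scratch stand-ins for /home/geoffrey/...
  mkdir -p "$cache" && chmod 755 "$home" "$home/project1" "$cache"
  echo "before: $(audit_service_access "$home" "$cache")"
  grant_service_access "$home" "$cache"
  echo "after : $(audit_service_access "$home" "$cache")"
  getfacl -c -p "$home"
  rm -rf "$scratch"
}

main "$@"
```

The audit is deliberately strict about --x on the home directory: if someone later widens that entry to r-x the service can enumerate the whole home, which is the exposure this layout is meant to avoid, and the check will flag it.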