- Access Control Lists
- Installation
- Enable ACL
- Usage
- Set ACL
- Show ACL
- Examples
- Output of ls command
- Execution permissions for private files
- See also
- FilePermissionsACLs
- Enabling ACLs in the Filesystem
- ACL Entries
- Listing ACLs
- Adding a Group to an ACL
- Removing a Group from an ACL
- Transfer of ACL attributes from a specification file
- Copying ACLs from one file or directory to another
- Copying an ACL into the Default ACL
- References
Access Control Lists
An access control list (ACL) is an additional, more flexible permission mechanism for file systems. It supplements rather than replaces the traditional UNIX owner/group/other permissions: an ACL lets you grant permissions on a file or directory to any number of named users and groups.
Installation
The acl package is a dependency of systemd, so it should already be installed.
Enable ACL
To enable ACL, the filesystem must be mounted with the acl option. You can use fstab entries to make it permanent on your system.
The acl option may already be active as one of the filesystem's default mount options. This is the case for Btrfs and for ext2/3/4 filesystems created with the usual mke2fs defaults. Use the following command to check ext2/3/4 formatted partitions for the option:
# tune2fs -l /dev/sdXY | grep "Default mount options:"
Default mount options: user_xattr acl
Also check that the default mount options are not overridden; in that case you will see noacl in the relevant line of /proc/mounts.
You can set the default mount options of a filesystem using the tune2fs -o option partition command, for example:
# tune2fs -o acl /dev/sdXY
Using the default mount options instead of an entry in /etc/fstab is very useful for external drives: such a partition is mounted with the acl option on other Linux machines as well, with no need to edit /etc/fstab on every machine.
- acl is specified as a default mount option when creating an ext2/3/4 filesystem. This is configured in /etc/mke2fs.conf .
- The default mount options are not listed in /proc/mounts .
Usage
Set ACL
The ACL can be modified using the setfacl command.
- To list the permission changes that would be made without applying them (a dry run), append the --test flag.
- To apply operations to all files and directories recursively, append the -R / --recursive option.
To set permissions for a user (user is either the user name or ID):
# setfacl -m "u:user:permissions" file
To set permissions for a group (group is either the group name or ID):
# setfacl -m "g:group:permissions" file
To set permissions for others:
# setfacl -m "other:permissions" file
To allow all files or directories created inside a directory to inherit entries from it, set the corresponding default entries. Default entries apply only to objects created in that directory afterwards: they do not change the ACL of anything that already exists, and a file moved in from elsewhere keeps its own ACL. Note also that when a directory has a default ACL the umask is ignored for objects created in it; the mode requested by the creating call is combined with the default entries instead.
# setfacl -dm "u:user:permissions" directory
To remove a specific entry:
# setfacl -x "u:user" file
To remove the default entries:
# setfacl -k directory
To remove all extended entries (the entries of the owner, group and others are retained):
# setfacl -b file
Note: By default setfacl recalculates the ACL mask entry after every change, unless a mask entry is given explicitly (m::permissions) or the -n / --no-mask option is used. The mask is the upper bound on the permissions of all named users, the owning group and all named groups; the owner (user::) and other:: entries are not subject to it. When recalculated, the mask becomes the union of the owning group entry and all named user and group entries, so adding u:johnny:rwx to a file whose group has r-- also raises the mask to rwx, as the examples below show. The mask only restricts when it is set below an entry, for example by an explicit m::r-x, by -n, or by chmod: on a file with an extended ACL the group bits of the mode are the mask, so chmod g-w lowers the mask, and a user:johnny:rwx entry then takes effect as r-x (getfacl marks this with #effective). This is what keeps the traditional mode bits meaningful for ACL-unaware tools: tightening the group bits bounds every extended entry at once.
Show ACL
The ACL of a file or directory is displayed with the getfacl command:
# getfacl file
Examples
Set all permissions for user johnny on the file abc:
# setfacl -m "u:johnny:rwx" abc
# getfacl abc
# file: abc
# owner: someone
# group: someone
user::rw-
user:johnny:rwx
group::r--
mask::rwx
other::r--
The mask was recalculated to rwx, the union of group::r-- and user:johnny:rwx.
Change permissions for user johnny:
# setfacl -m "u:johnny:r-x" abc
# getfacl abc
# file: abc
# owner: someone
# group: someone
user::rw-
user:johnny:r-x
group::r--
mask::r-x
other::r--
Remove the entry for user johnny:
# setfacl -x "u:johnny" abc
# getfacl abc
# file: abc
# owner: someone
# group: someone
user::rw-
group::r--
other::r--
With no named entries left, the mask entry is dropped as well and the ACL is equivalent to the plain mode bits.
Output of ls command
A file or directory with an extended ACL shows a + (plus sign) after its Unix permissions in the output of ls -l. Be aware that on such an object the group column of ls -l shows the mask entry, not the owning group's entry, so the mode bits are only an upper bound for what named users and groups can do; use getfacl to see the actual entries.
crw-rw----+ 1 root audio 14, 4 Nov 9 12:49 /dev/audio
# getfacl /dev/audio
getfacl: Removing leading '/' from absolute path names
# file: dev/audio
# owner: root
# group: audio
user::rw-
user:solstice:rw-
group::rw-
mask::rw-
other::---
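The mask rule in the note above, the three getfacl listings under Examples and the ls -l caveat can be checked against a small model of the entry semantics. The following Python is an added example written for this page, not code from the Arch wiki or the acl package; the getfacl text it parses is constructed from the listings on the page, and the entry ordering and mask-recalculation rules it encodes are the ones documented in setfacl(1).

```python
"""Model of the ACL entries getfacl shows and of setfacl's mask handling.
Added example for this page, not code from the Arch wiki or the acl package;
the getfacl text it is run on is constructed from the listings on the page."""

R, W, X = 4, 2, 1
ORDER = {"user": 0, "group": 2, "mask": 4, "other": 5}  # named entries follow their class entry


def perm_bits(s):
    """'r-x' -> 5"""
    return (R if "r" in s else 0) | (W if "w" in s else 0) | (X if "x" in s else 0)


def perm_str(b):
    return ("r" if b & R else "-") + ("w" if b & W else "-") + ("x" if b & X else "-")


def parse_getfacl(text):
    """getfacl output -> (owner, group, access_entries, default_entries).
    An entry is (tag, qualifier, bits); the qualifier is '' for the owner,
    owning-group, mask and other entries. The '#effective:...' hint that
    getfacl appends to masked entries is dropped; effective() re-applies the mask."""
    owner = group = None
    access, default = [], []
    for line in text.splitlines():
        line = line.split("#effective")[0].strip()
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif not line or line.startswith(("#", "getfacl:")):
            continue  # '# file:' / '# flags:' headers and the leading-slash warning
        else:
            target = access
            if line.startswith("default:"):
                target, line = default, line[len("default:"):]
            tag, qual, perms = line.split(":")
            target.append((tag, qual, perm_bits(perms)))
    return owner, group, access, default


def sort_entries(entries):
    return sorted(entries, key=lambda e: (ORDER[e[0]] + (1 if e[1] else 0), e[1]))


def recalc_mask(entries):
    """setfacl's default: mask := union of the owning group entry and every named
    user/group entry, i.e. exactly the entries the mask restricts. A minimal ACL
    (no named entries) carries no mask, as the page's setfacl -x listing shows."""
    out = [e for e in entries if e[0] != "mask"]
    if not any(q for _, q, _ in out):
        return sort_entries(out)
    union = 0
    for tag, qual, bits in out:
        if tag == "group" or qual:
            union |= bits
    return sort_entries(out + [("mask", "", union)])


def setfacl_modify(entries, entry, no_mask=False):
    """setfacl -m tag:qual:perms; no_mask=True models -n / --no-mask.
    An explicit m::perms entry is stored as given and not recalculated."""
    tag, qual, _ = entry
    out = [e for e in entries if (e[0], e[1]) != (tag, qual)] + [entry]
    return sort_entries(out) if no_mask or tag == "mask" else recalc_mask(out)


def setfacl_remove(entries, tag, qual):
    """setfacl -x tag:qual; the mask is recalculated afterwards."""
    return recalc_mask([e for e in entries if (e[0], e[1]) != (tag, qual)])


def effective(entries):
    """Apply the mask to the entries it governs: what a process actually gets."""
    mask = next((b for t, q, b in entries if t == "mask"), 7)
    return [(t, q, b & mask if (t == "group" or q) else b) for t, q, b in entries]


def ls_mode(entries):
    """The permission string ls -l prints. With a mask present the group column
    shows the MASK, not the owning group's entry; '+' flags an extended ACL."""
    mask = next((b for t, q, b in entries if t == "mask"), None)
    owner = next(b for t, q, b in entries if t == "user" and not q)
    grp = next(b for t, q, b in entries if t == "group" and not q)
    other = next(b for t, q, b in entries if t == "other")
    plus = "+" if mask is not None or any(q for _, q, _ in entries) else ""
    return perm_str(owner) + perm_str(grp if mask is None else mask) + perm_str(other) + plus


if __name__ == "__main__":
    _, _, acl, _ = parse_getfacl("user::rw-\ngroup::r--\nother::r--\n")  # constructed: plain 0644 file
    acl = setfacl_modify(acl, ("user", "johnny", perm_bits("rwx")))
    print(ls_mode(acl), [(t, q, perm_str(b)) for t, q, b in acl])
    acl = setfacl_modify(acl, ("user", "johnny", perm_bits("r-x")))          # mask drops to r-x
    acl = setfacl_modify(acl, ("user", "johnny", perm_bits("rwx")), no_mask=True)  # -n: mask stays r-x
    print("johnny with -n:", [perm_str(b) for t, q, b in effective(acl) if q == "johnny"])
```

Running it prints rw-rwxr--+ for the file right after u:johnny:rwx is added: ls -l shows the mask in the group column although the owning group still has r--, which is why getfacl, not ls, is the tool for auditing extended permissions. The second line shows the -n case: the rwx entry is stored, but the r-x mask caps what johnny actually gets.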
Execution permissions for private files
The following technique shows how a process such as a web server can be granted access to files in a user's home directory without opening the directory to every local user.
In the following we assume that the web server runs as the user http and grant it access to geoffrey ‘s home directory /home/geoffrey .
The first step is granting execution permissions for the user http :
# setfacl -m "u:http:--x" /home/geoffrey
Note: Execute (search) permission on a directory is what lets a process traverse it, that is, open entries inside it by name. Listing the directory's contents additionally requires read permission, which http does not get here: the web server can reach files whose paths it knows, but cannot enumerate the home directory.
Since the user http can now traverse /home/geoffrey, others no longer need access:
# chmod o-rwx /home/geoffrey
Use getfacl to verify the changes:
# getfacl /home/geoffrey
getfacl: Removing leading '/' from absolute path names
# file: home/geoffrey
# owner: geoffrey
# group: geoffrey
user::rwx
user:http:--x
group::r-x
mask::r-x
other::---
As the output shows, others no longer have any permissions on the directory, while the user http can still traverse it. The exposure is reduced from every local user to one service account. Note that traversal is all this grants: every file below the directory is still checked against its own permissions, so http can only open files that are readable by it (for example world-readable ones), and the directory's mask r-x caps whatever any named entry on the directory could grant.
If you need to give the user http write access on specific directories and/or files, grant it on those objects only. Note that -d sets the default ACL, which is applied to objects created inside the directory later; to grant write access on the directory itself, set its access ACL as well:
# setfacl -m "u:http:rwx" /home/geoffrey/project1/cache
# setfacl -dm "u:http:rwx" /home/geoffrey/project1/cache
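To see exactly what the steps above buy, here is the acl(5) access-check algorithm applied to the resulting entries. This is an added example written for this page, not code from the Arch wiki; the /home/geoffrey entries are taken from the getfacl output above, while the index.html and secret files, the user mallory and the group users are assumptions made for the demonstration.

```python
"""acl(5) access-check algorithm applied to the web-server example above.
Added example for this page, not code from the Arch wiki; the /home/geoffrey
entries are the page's, the files and users below it are assumed."""

R, W, X = 4, 2, 1


def perm_bits(s):
    """'r-x' -> 5"""
    return (R if "r" in s else 0) | (W if "w" in s else 0) | (X if "x" in s else 0)


def entries(*spec):
    """('user:http:--x', ...) -> [('user', 'http', 1), ...]"""
    return [(t, q, perm_bits(p)) for t, q, p in (s.split(":") for s in spec)]


def check_access(acl, owner, group, uid, gids, wanted):
    """Decide one object the way acl(5) 'ACCESS CHECK ALGORITHM' does:
    1. owner -> user:: entry (never masked);
    2. named user entry for uid -> entry AND mask;
    3. owning-group / named-group entries matching gids -> granted if ANY of
       them (AND mask) holds every wanted bit, denied otherwise;
    4. nothing matched -> other:: entry (never masked)."""
    mask = next((b for t, q, b in acl if t == "mask"), 7)  # no mask entry: no restriction
    if uid == owner:
        return wanted & next(b for t, q, b in acl if t == "user" and not q) == wanted
    for t, q, b in acl:
        if t == "user" and q == uid:
            return wanted & b & mask == wanted
    matching = [b for t, q, b in acl
                if t == "group" and ((not q and group in gids) or (q and q in gids))]
    if matching:
        return any(wanted & b & mask == wanted for b in matching)
    return wanted & next(b for t, q, b in acl if t == "other") == wanted


def can_reach(path, uid, gids, wanted):
    """Walk a path: every directory on the way needs search (x) permission;
    only the final object needs `wanted`. path = [(owner, group, acl), ...]."""
    for owner, group, acl in path[:-1]:
        if not check_access(acl, owner, group, uid, gids, X):
            return False
    owner, group, acl = path[-1]
    return check_access(acl, owner, group, uid, gids, wanted)


# From the page's getfacl output for /home/geoffrey after setfacl and chmod.
HOME = ("geoffrey", "geoffrey",
        entries("user::rwx", "user:http:--x", "group::r-x", "mask::r-x", "other::---"))
# Assumed: a 0644 file below it with no extended ACL, e.g. public_html/index.html.
INDEX = ("geoffrey", "geoffrey", entries("user::rw-", "group::r--", "other::r--"))
# Assumed: a private 0600 file in the same home directory.
SECRET = ("geoffrey", "geoffrey", entries("user::rw-", "group::---", "other::---"))


def web_server_view():
    """What the http user can and cannot do after the page's setfacl/chmod steps."""
    http = ("http", ["http"])
    return {
        "list_home": check_access(HOME[2], *HOME[:2], *http, R),  # ls needs r on the dir
        "traverse_home": check_access(HOME[2], *HOME[:2], *http, X),
        "read_index": can_reach([HOME, INDEX], *http, R),
        "read_secret": can_reach([HOME, SECRET], *http, R),  # the file's own bits deny
        "other_user_reads_index": can_reach([HOME, INDEX], "mallory", ["users"], R),
    }


if __name__ == "__main__":
    for what, ok in web_server_view().items():
        print(f"{what:24} {'allowed' if ok else 'denied'}")
```

The result shows the shape of the grant: http can traverse the home directory and read a world-readable file inside it by path, but cannot list the directory or read a 0600 file, and an unrelated local user is stopped at the directory itself. The per-file permissions still decide; the --x entry only opens the path.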
See also
FilePermissionsACLs
POSIX Access Control Lists (ACLs) provide finer-grained access rights for files and directories than the owner/group/other bits alone. An ACL consists of entries that specify access permissions on the associated object. Entries can be set per user, per group, and through the effective rights mask.
These permissions apply to an individual user or a group and use the same rwx bits as regular permissions.
For an explanation of rwx, see FilePermissions
Enabling ACLs in the Filesystem
Before beginning to work with ACLs the file system must be mounted with ACLs turned on. This can be done in /etc/fstab for the changes to be permanent.
0) It may be necessary to install the acl utilities from the repositories. On Server Edition this is required; on the desktop editions acl is installed by default:
$ sudo apt-get install acl
1) Add the option acl to the partition(s) on which you want to enable ACLs in /etc/fstab. For example:
UUID=07aebd28-24e3-cf19-e37d-1af9a23a45d4 /home ext4 defaults,acl 0 2
As of Ubuntu 14.04, and for ext4 in general, this step is not required because acl is already one of the filesystem's default mount options:
$ sudo tune2fs -l /dev/sdaX | grep acl
Default mount options: user_xattr acl
2) If necessary, remount the partition(s) on which ACLs were enabled for the change to take effect. For example:
$ sudo mount -o remount /home
3) Verify that ACLs are enabled on the partition(s). An option set in /etc/fstab shows up in the mount output:
$ mount | grep acl
A filesystem default mount option does not appear there. In either case the definitive check is to set an entry with setfacl on a file in that partition: it fails with "Operation not supported" when ACLs are not enabled.
ACL Entries
ACL entries consist of user (u), group (g), other (o) and effective rights mask (m) entries. The effective rights mask is an upper bound: named users, the owning group and named groups never get more than the mask allows, whatever their own entry says; the owner and other entries are not subject to it. setfacl sets the permissions for a given file or directory; getfacl shows them.
Default entries can be defined for a directory; they are inherited by the files and directories created inside it.
ACLs can be applied to users or groups but it is easier to manage groups. Groups scale better than continuously adding or subtracting users.
Listing ACLs
The utility getfacl lists the ACLs for a given file or directory.
$ getfacl /var/www
getfacl: Removing leading '/' from absolute path names
# file: var/www
# owner: root
# group: root
user::rwx
group::r-x
group:green:rwx
mask::rwx
other::r-x
This following ACL also has defaults set:
$ getfacl /var/www
getfacl: Removing leading '/' from absolute path names
# file: var/www
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::r-x
default:group:green:rwx
default:mask::rwx
default:other::r-x
Adding a Group to an ACL
The utility setfacl is used to add the groups blue and green to the ACL for the directory /var/www.
$ sudo setfacl -m g:green:rwx /var/www/
$ sudo setfacl -m g:blue:rwx /var/www/
$ sudo getfacl /var/www/
getfacl: Removing leading '/' from absolute path names
# file: var/www/
# owner: root
# group: root
user::rwx
group::r-x
group:green:rwx
group:blue:rwx
mask::rwx
other::r-x
Removing a Group from an ACL
The option -x removes a user or group entry from a given ACL (the mask is recalculated afterwards). Below, the group green is removed from the directory /var/www.
$ sudo setfacl -x g:green /var/www/
Transfer of ACL attributes from a specification file
Transferring ACL attributes from a specification file takes two steps. In this example, the specification file is called acl.
First, create a file containing the entries to be set, one per line, in the same syntax that setfacl -m accepts (for example g:green:rwx). Output from getfacl is also accepted as a specification file.
Then, read the file into setfacl with -M to set the ACL of the directory /path/to/dir:
$ sudo setfacl -M acl /path/to/dir
Copying ACLs from one file or directory to another
Copying an ACL from dir1 to dir2 uses the -M option; output from getfacl is accepted as input for setfacl when using -M.
getfacl dir1 | setfacl -b -n -M - dir2
-b first clears the existing ACL of dir2, -n keeps the mask entry as read instead of recalculating it (so the copy is exact), and - reads the entries from standard input.
Or it can be done like this:
getfacl file1 | setfacl --set-file=- file2
Copying an ACL into the Default ACL
Once the access ACL is the way it needs to be, it can be copied into the default ACL. Default entries are inherited: a new subdirectory receives the parent's default ACL as both its own access ACL and its default ACL, and a new file receives it as its access ACL; objects that already exist are not changed.
getfacl -a /path/to/dir | setfacl -d -M- /path/to/dir
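Inheritance is more subtle than copying: the kernel ANDs parts of the default ACL with the mode the creating call passes. The following Python models that rule for the /var/www default ACL shown above; it is an added example written for this page, not code from the Ubuntu wiki or the acl package, and the 0666/0777 creation modes and the umask values are assumptions typical of open() and mkdir() callers.

```python
"""How a directory's default ACL becomes the ACL of objects created inside it,
following the Linux rule (fs/posix_acl.c, posix_acl_create_masq).
Added example for this page, not code from the Ubuntu wiki or the acl package.
The default ACL is the one the page shows for /var/www; the 0666/0777 creation
modes and the umask values are assumptions typical of open()/mkdir() callers."""

R, W, X = 4, 2, 1


def perm_bits(s):
    return (R if "r" in s else 0) | (W if "w" in s else 0) | (X if "x" in s else 0)


def perm_str(b):
    return ("r" if b & R else "-") + ("w" if b & W else "-") + ("x" if b & X else "-")


def entries(*spec):
    """('group:green:rwx', ...) -> [('group', 'green', 7), ...]"""
    return [(t, q, perm_bits(p)) for t, q, p in (s.split(":") for s in spec)]


def create_under(default_acl, mode, is_dir, umask=0o022):
    """Return (access_acl, default_acl) of a new object created with `mode`.
    No default ACL on the parent: classic rule, mode & ~umask and no ACL.
    With a default ACL the umask is ignored: the default entries are copied,
    and only the owner, other and mask entries (the owning group entry when
    there is no mask) are ANDed with the matching bits of `mode`; named
    user/group entries are copied unchanged. A new directory also inherits
    the default ACL itself; a new file gets no default ACL."""
    if not default_acl:
        m = mode & ~umask
        return [("user", "", (m >> 6) & 7), ("group", "", (m >> 3) & 7), ("other", "", m & 7)], []
    has_mask = any(t == "mask" for t, q, b in default_acl)
    access = []
    for tag, qual, bits in default_acl:
        if tag == "user" and not qual:
            bits &= (mode >> 6) & 7
        elif tag == "other":
            bits &= mode & 7
        elif tag == "mask" or (tag == "group" and not qual and not has_mask):
            bits &= (mode >> 3) & 7
        access.append((tag, qual, bits))
    return access, (list(default_acl) if is_dir else [])


def effective(acl):
    """Permissions after the mask, keyed by (tag, qualifier): getfacl's #effective."""
    mask = next((b for t, q, b in acl if t == "mask"), 7)
    return {(t, q): (b & mask if (t == "group" or q) else b) for t, q, b in acl}


# The default ACL the page shows on /var/www.
WWW_DEFAULT = entries("user::rwx", "group::r-x", "group:green:rwx", "mask::rwx", "other::r-x")


def new_file_under_www():
    """A file created in /var/www by open(..., O_CREAT, 0666): returns (access ACL, effective)."""
    access, _ = create_under(WWW_DEFAULT, 0o666, is_dir=False)
    return access, effective(access)


def new_dir_under_www():
    """A directory created in /var/www by mkdir(..., 0777): returns (access ACL, default ACL)."""
    return create_under(WWW_DEFAULT, 0o777, is_dir=True)


if __name__ == "__main__":
    access, eff = new_file_under_www()
    for t, q, b in access:  # same layout as getfacl, including the #effective hint
        hint = f"\t#effective:{perm_str(eff[(t, q)])}" if eff[(t, q)] != b else ""
        print(f"{t}:{q}:{perm_str(b)}{hint}")
    strict = create_under(WWW_DEFAULT, 0o666, False, umask=0o077)[0]
    print("umask 077 changed nothing:", strict == access)
```

Two consequences matter for least privilege. A default:group:green:rwx entry gives new files only rw-, because the 0666 creation mode lowers the file's mask to rw- and the named entry is capped by it (new directories, created with 0777, keep rwx). And the umask is ignored entirely once a default ACL exists, so a restrictive umask no longer protects files created in such a directory; the default ACL's other:: entry decides instead.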
FilePermissionsACLs (last edited by user proxy 2015-08-21 06:32:36)