Overview
By the end of this article you should be able to answer the following questions:
$ man acl
$ setfacl -m user:homer:rw- /tmp/testfile.txt
$ ls -l /tmp/testfile.txt
# look for “+” at the very end of the rwx string.
$ getfacl /tmp/testfile.txt
$ setfacl -x u:homer /tmp/testfile.txt
$ setfacl --remove-all /tmp/testfile.txt
What is an ACL
An Access Control List (ACL) adds finer-grained permission control on top of the standard ugo/rwx bits. ACLs offer the following:
- Per-user and per-group exceptions. You can grant a specific user or group its own rwx permissions on a file or directory, even though that account would otherwise be treated as “others”.
- Default ACLs on directories. Entries marked default: are inherited as the access ACL of files and subdirectories created inside that directory, and while a default ACL is present the process umask is ignored for those new objects. This is handy on a shared team folder and complements the SGID bit and the sticky bit.
$ man acl
It is also good practice to enable ACLs on the filesystem itself rather than only in /etc/fstab. For ext4 the tool is tune2fs, not tunefs: tune2fs -o acl records acl as a default mount option in the superblock, so if the disk is moved to another machine ACLs stay enabled even when that machine’s /etc/fstab does not list the acl option. Current mkfs.ext4 defaults already set this, and the ext4 driver enables ACLs by default when built with POSIX ACL support, so check the “Default mount options” line of tune2fs -l before assuming anything is missing. XFS supports ACLs unconditionally and needs no such option, one small point in its favour over ext4.
Creating ACL rules for specific user or group
We use the getfacl and setfacl commands to manage the ACL of each file or directory:
$ whatis getfacl
getfacl (1) - get file access control lists
$ whatis setfacl
setfacl (1) - set file access control lists
An ACL does not replace the standard ugo/rwx bits; they are its first three entries (user::, group:: and other::), and any extra entries are layered on top of that base. Before going further, note that ACLs behave differently on directories than on files: a directory can additionally carry a default ACL that new files created inside it inherit.
Using ACL on files
Let’s create a file and view its ACL. We’ll create it as the root user:
$ id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Now let’s create this file:
$ touch /tmp/testfile.txt
$ ls -l /tmp/testfile.txt
-rw-r--r--. 1 root root 0 Apr 11 17:18 testfile.txt
Now let’s check this file’s acl info:
$ getfacl /tmp/testfile.txt
# file: testfile.txt
# owner: root
# group: root
user::rw-
group::r--
other::r--
As you can see, getfacl starts by showing the standard ugo/rwx permissions, one entry per class: these three base entries are present in every ACL and everything else builds on them. Now let’s say we also want the user “homer” to have write permission to this file, but nobody else. At the moment homer falls under “other” and so cannot write to it:
[homer@localhost scripts]$ echo "hello world" > /tmp/testfile.txt
-bash: testfile.txt: Permission denied
One approach is to create a new group, add both root and homer to it, and change the file’s group to that new group. That is tedious and long-winded, and it adds a group for the sake of a single file. A cleaner way is to use setfacl to overlay an extra permission entry on /tmp/testfile.txt that applies to homer only:
[root@localhost scripts]# setfacl -m user:homer:rw- /tmp/testfile.txt
Here we used the -m (modify) option to give “homer” read and write (rw-) permission on testfile.txt. Let’s confirm that the file now carries permissions beyond the normal ones:
$ ls -l /tmp/testfile.txt
-rw-rw-r--+ 1 root root 12 Apr 11 17:33 testfile.txt
“ls -l” now shows a “+” at the end of the permission string. This indicates that the file has an extended ACL, that is, entries beyond the basic owner, group and other ones, such as those added with setfacl.
Now let’s check what those special permissions actually are:
[root@localhost scripts]# getfacl testfile.txt
# file: testfile.txt
# owner: root
# group: root
user::rw-
user:homer:rw-
group::r--
mask::rw-
other::r--
Two entries have been added. user:homer:rw- is the one we asked for. mask::rw- was created automatically: the mask caps the effective permissions of every named user, named group and the owning group (the owner and “other” are not affected), and setfacl recalculates it as the union of those entries whenever they change. Once a mask exists it is also what the group column of “ls -l” displays, which is why the mode string above read rw-rw-r--+ even though group:: is still r--. Conversely, chmod on the group bits now changes the mask rather than group::, and can silently cut homer back to r--; getfacl flags that case with a #effective: comment next to the affected entry.
Now homer has write permissions:
[homer@localhost ~]$ echo "hello world" > /tmp/testfile.txt
[homer@localhost ~]$ cat /tmp/testfile.txt
hello world
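To make the mask entry and the order of the access check concrete, here is an added example (not code from the original post): a small Python model of how the kernel evaluates the ACL shown above. It parses getfacl output, applies the mask, answers whether a given user may read or write, and models what chmod on the group bits does once a mask exists. The getfacl text is constructed to match this walk-through; any account names other than root and homer are assumptions.

```python
"""Evaluate a POSIX ACL the way acl(5) specifies: parse getfacl(1) text, apply
the mask entry and run the access-check algorithm for a user and their groups.
Added example, not code from the original post. The getfacl text is constructed
to match the /tmp/testfile.txt walk-through; names other than root/homer are assumed."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: what getfacl printed after `setfacl -m user:homer:rw-`
GETFACL_AFTER_SETFACL = """\
# file: testfile.txt
# owner: root
# group: root
user::rw-
user:homer:rw-
group::r--
mask::rw-
other::r--
"""

BASE_FIELD = {"user": "user_obj", "group": "group_obj", "mask": "mask", "other": "other"}

def perm_bits(rwx: str) -> int:
    """'rw-' -> 6, 'r-x' -> 5, '---' -> 0."""
    return (4 if rwx[0] == "r" else 0) | (2 if rwx[1] == "w" else 0) | (1 if rwx[2] == "x" else 0)

def perm_str(bits: int) -> str:
    return ("r" if bits & 4 else "-") + ("w" if bits & 2 else "-") + ("x" if bits & 1 else "-")

@dataclass
class Acl:
    owner: str = ""
    group: str = ""
    user_obj: int = 0    # user::  (owner), never masked
    group_obj: int = 0   # group:: (owning group), masked when a mask exists
    other: int = 0       # other::, never masked
    users: dict = field(default_factory=dict)   # user:NAME:  -> bits, masked
    groups: dict = field(default_factory=dict)  # group:NAME: -> bits, masked
    mask: Optional[int] = None                  # mask::, absent on a plain ugo/rwx file

def parse_getfacl(text: str) -> Acl:
    """Parse getfacl output; '#effective:' hints and the '# file:' header are ignored."""
    acl = Acl()
    for raw in text.splitlines():
        line = raw.split("#effective:")[0].strip()
        if line.startswith("# owner:"):
            acl.owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            acl.group = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            tag, qualifier, perms = line.split(":")
            if qualifier and tag in ("user", "group"):   # named entry, e.g. user:homer:rw-
                (acl.users if tag == "user" else acl.groups)[qualifier] = perm_bits(perms)
            elif not qualifier and tag in BASE_FIELD:
                setattr(acl, BASE_FIELD[tag], perm_bits(perms))
            else:
                raise ValueError(f"malformed ACL entry {line!r}")
    return acl

def effective(acl: Acl, bits: int) -> int:
    """Named users, named groups and the owning group are capped by the mask."""
    return bits if acl.mask is None else bits & acl.mask

def check_access(acl: Acl, user: str, groups: list, wanted: str) -> bool:
    """acl(5) access check; `wanted` is a subset of 'rwx' such as 'w' or 'rw'. Only the
    first matching class decides: no fall-through from a named user to groups, or from groups to other::."""
    want = perm_bits("".join(c if c in wanted else "-" for c in "rwx"))
    if user == acl.owner:
        return want & acl.user_obj == want
    if user in acl.users:
        return want & effective(acl, acl.users[user]) == want
    hits = [effective(acl, acl.group_obj)] if acl.group in groups else []
    hits += [effective(acl, acl.groups[g]) for g in groups if g in acl.groups]
    if hits:
        return any(want & h == want for h in hits)
    return want & acl.other == want

def chmod_group(acl: Acl, rwx: str) -> Acl:
    """Model `chmod g=<rwx>`: once a mask exists the group bits of the mode
    are the mask, so chmod rewrites mask:: and leaves group:: untouched."""
    if acl.mask is None:
        acl.group_obj = perm_bits(rwx)
    else:
        acl.mask = perm_bits(rwx)
    return acl

def ls_mode(acl: Acl) -> str:
    """Permission string as `ls -l` shows it: the group column is the mask when
    one exists, and '+' marks any entry beyond the three base ones."""
    group_col = acl.group_obj if acl.mask is None else acl.mask
    plus = "+" if acl.users or acl.groups or acl.mask is not None else ""
    return "-" + perm_str(acl.user_obj) + perm_str(group_col) + perm_str(acl.other) + plus

if __name__ == "__main__":
    acl = parse_getfacl(GETFACL_AFTER_SETFACL)
    print(ls_mode(acl), check_access(acl, "homer", ["homer"], "w"))   # -rw-rw-r--+ True
    chmod_group(acl, "r--")                                            # like `chmod g-w`
    print(ls_mode(acl), check_access(acl, "homer", ["homer"], "w"))   # -rw-r--r--+ False
```

Run as a script it prints the -rw-rw-r--+ string and True for homer, then, after the modelled chmod g-w, -rw-r--r--+ and False: the user:homer:rw- entry is untouched, but its effective permission is capped by the new mask, which is exactly the situation getfacl flags with #effective:r--. The same model shows why a user matched by a named entry never falls through to the group or other entries, and why a user who matches a group entry that lacks the permission is denied even when other:: would have allowed it.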
Deleting and Undoing ACL permissions
You can remove homer’s entry like this:
$ setfacl -x u:homer /tmp/testfile.txt
Note that -x removes only the named entry. The mask entry that was created alongside it stays behind (recalculated from the remaining group-class entries), so in practice the file still counts as having an extended ACL and “ls -l” keeps showing the “+”.
To delete all extended entries at once, use -b (--remove-all):
$ setfacl --remove-all /tmp/testfile.txt
This strips every named user and group entry, the mask and any default ACL, leaving only the three base entries, as if setfacl had never been run on the file. You can confirm this by checking that the “+” is gone:
$ ls -l /tmp/testfile.txt
-rw-r--r--. 1 root root 12 Apr 11 17:33 testfile.txt
Also you can check like this:
$ getfacl /tmp/testfile.txt
# file: testfile.txt
# owner: root
# group: root
user::rw-
group::r--
other::r--
Using setfacl for setting basic permissions
You can also use setfacl in place of chmod to set the basic ugo/rwx permissions.
This is done by leaving the user or group name empty, which addresses the base entry for the owner or the owning group. For example the following:
$ setfacl -m user::rwx /tmp/testfile.txt
is equivalent to:
$ chmod u=rwx /tmp/testfile.txt
One caveat: setfacl -m group::rwx always edits the owning-group entry, whereas chmod g=rwx on a file that already has a mask edits the mask instead.
Copying acl special permissions from one file to another
You can also copy the ACL entries from one file to another, like this:
$ getfacl /tmp/file1 | setfacl --set-file=- /tmp/file2
The “-” in --set-file=- means read the ACL from standard input, which here is the getfacl output for file1. --set-file replaces file2’s entire ACL, base entries included, with what it reads; use -M (--modify-file) instead if you only want to merge the entries in.