RHCSA – Access Control List (ACL)

Overview

By the end of this article you should be able to answer the following questions:


01. Which filesystems support acl by default?

The xfs and ext4 filesystem

02. Where can you find help info for acl?

$ man acl

03. What is the command to give the user 'homer', read+write acl permissions to /tmp/testfile.txt?

$ setfacl -m user:homer:rw- /tmp/testfile.txt

04. What is the command to check that this has worked?

$ ls -l /tmp/testfile.txt
# look for “+” at the very end of the rwx string.

05. What is the command to view the special permissions for /tmp/testfile.txt?

$ getfacl /tmp/testfile.txt

06. What is the command to remove all acl permissions from /tmp/testfile.txt for the user, homer?

$ setfacl -x u:homer /tmp/testfile.txt

07. What is the command to remove all acl permissions from /tmp/testfile.txt?

$ setfacl --remove-all /tmp/testfile.txt


What is ACL

Access Control List (ACL) is a feature that adds even greater permission granularity on top of the standard ugo/rwx controls. ACL offers the following:

  • An extra level of permission control, e.g. a particular user account can be given the owner's or group's permission level, or a custom one, even though that account falls under “others”.
  • The ability to set default ugo+rwx settings for files and folders created in a specific directory. This essentially overrides the umask setting. It is handy on a shared team folder and complements SGID and the sticky bit nicely.

$ man acl

It is also good practice to enable acl on the filesystem itself using tune2fs. This means that if the disk is moved to another machine, acl stays enabled even if that machine doesn’t explicitly specify the acl option in its /etc/fstab file. For the XFS filesystem, however, the acl option is enabled by default, which is one reason why XFS is a better alternative to the ext4 filesystem.

Creating ACL rules for specific user or group

We use the getfacl and setfacl commands to manage acl settings for each file/folder:

$ whatis getfacl
getfacl (1)          - get file access control lists
$ whatis setfacl
setfacl (1)          - set file access control lists

ACL actually inherits the standard permissions (ugo/rwx) and uses them as a starting point, then lets you apply custom exceptions on top of this base. Before we go any further it is important to realise that ACL is used differently for files than for folders.

Using ACL on files

Let’s create a file and view its acl info. We’ll create this file as the root user:

$ id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Now let’s create this file:

$ touch /tmp/testfile.txt
$ ls -l /tmp/testfile.txt
-rw-r--r--. 1 root root 0 Apr 11 17:18 testfile.txt

Now let’s check this file’s acl info:

$ getfacl /tmp/testfile.txt
# file: testfile.txt
# owner: root
# group: root
user::rw-
group::r--
other::r--

As you can see, getfacl starts off by showing the standard rwx/ugo info in long format; ACL inherits the rwx/ugo settings in order to build on them. Now let’s say we want the user “homer” to have write permission to this file as well, but no one else. At the moment, homer falls under other, and hence can’t write to this file:

[homer@localhost scripts]$ echo "hello world" > /tmp/testfile.txt
-bash: testfile.txt: Permission denied

One approach to achieve this is to create a new group, add both root and homer to it, then use chown to change this file’s group to the new group. That approach is tedious and long-winded. The proper way is to use setfacl to overlay a custom permission on /tmp/testfile.txt that is specific to homer only:

[root@localhost scripts]# setfacl -m user:homer:rw-  /tmp/testfile.txt

Here we used the (m)odify option to assign homer read+write (rw-) privileges on testfile.txt. Let’s confirm that this file now has special permissions on top of the normal permissions:

$ ls -l /tmp/testfile.txt
-rw-rw-r--+ 1 root root 12 Apr 11 17:33 testfile.txt

The “ls -l” output now shows a “+” at the end of the permission string. This indicates that setfacl has been used on this file to apply special permissions.

Now let’s check what those special permissions actually are:

[root@localhost scripts]# getfacl testfile.txt
# file: testfile.txt
# owner: root
# group: root
user::rw-
user:homer:rw-
group::r--
mask::rw-
other::r--

As you can see, a new user:homer:rw- entry has been added, together with a mask entry.

Now homer has write permissions:

[homer@localhost ~]$ echo "hello world" > /tmp/testfile.txt
[homer@localhost ~]$ cat /tmp/testfile.txt
hello world
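The mask entry in the listing above caps what the named homer entry can grant. As an added example (not from the original article), this Python script parses a constructed getfacl listing of the same shape and computes a user's effective permissions, applying the mask, so you can check who can actually write to a file from a saved getfacl dump:

```python
"""Compute a user's effective permissions from getfacl(1) output (added example).
Models Linux ACL evaluation order (owner, named user, owning/named groups, other)
and applies the mask entry, which caps every named-user and group entry."""
import re

# Constructed sample: the article's listing after `setfacl -m user:homer:rw-`.
ACL_WITH_HOMER = """\
# file: testfile.txt
# owner: root
# group: root
user::rw-
user:homer:rw-
group::r--
mask::rw-
other::r--
"""

def parse_getfacl(text):
    acl = {"owner": None, "owning_group": None, "user": {}, "group": {},
           "mask": None, "other": set()}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop "#effective:" notes
        if not line:                                # header comment or blank
            if m := re.match(r"#\s*(owner|group):\s*(\S+)", raw.strip()):
                acl["owner" if m.group(1) == "owner" else "owning_group"] = m.group(2)
            continue
        if line.startswith("default:"):             # only affects new files in a dir
            continue
        tag, name, perms = line.split(":")
        bits = set(perms.replace("-", ""))
        if tag in ("user", "group"):
            acl[tag][name] = bits                   # name "" = owner / owning group
        else:
            acl[tag] = bits                         # mask or other
    return acl

def effective_perms(acl, user, groups):
    """Permissions `user` (a member of `groups`) actually gets on the file."""
    mask = acl["mask"]
    masked = (lambda p: p & mask) if mask is not None else (lambda p: p)
    if user == acl["owner"]:
        return acl["user"][""]                      # owner entry is never masked
    if user in acl["user"]:
        return masked(acl["user"][user])
    matches = [acl["group"][g] for g in groups if g in acl["group"]]
    if acl["owning_group"] in groups:
        matches.append(acl["group"][""])
    if matches:                                     # any matching group entry counts
        return masked(set().union(*matches))
    return acl["other"]
```

Lowering the mask (for example with mask::r--) silently reduces homer to read-only even though his user:homer:rw- entry is unchanged, which is why getfacl annotates such entries with #effective.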

Deleting and Undoing ACL permissions

You can remove homer’s special permissions like this:

$ setfacl -x u:homer /tmp/testfile.txt

However to delete all special permissions, you do:

$ setfacl --remove-all /tmp/testfile.txt

Running this command is equivalent to never having run setfacl on this file in the first place. You can confirm that it has worked by checking that the “+” is no longer displayed:

$ ls -l /tmp/testfile.txt
-rw-r--r--. 1 root root 12 Apr 11 17:33 testfile.txt

Also you can check like this:

$ getfacl /tmp/testfile.txt
# file: testfile.txt
# owner: root
# group: root
user::rw-
group::r--
other::r--

Using setfacl for setting basic permissions

You can use setfacl instead of chmod for setting basic ugo+rwx permissions. This is done by not specifying a group name or username. For example the following:

$ setfacl -m user::rwx /tmp/testfile.txt

Is equivalent to:

$ chmod u=rwx /tmp/testfile.txt

Copying acl special permissions from one file to another

Another thing you can do is copy the acl permissions from one file to another. This is done like this:

$ getfacl /tmp/file1 | setfacl --set-file=- /tmp/file2

The “-” in --set-file=- means read the ACL from standard input.