ObjectiveIntroduction to the management of ACLs ( Access Control List ) on Linux
Operating System and Software Versions
- Operating System: - Linux distribution agnostic
- Root access on a working Linux installation
- Knowledge of Discretionary permission system
- A filesystem which supports ACLs (e.g xfs, ext2, ext3, ext4), mounted with the ‘acl’ option
- Having the ‘acl’ package installed
- # - requires given linux commands to be executed with root privileges either directly as a root user or by use of
- $ - requires given linux commands to be executed as a regular non-privileged user
IntroductionIn this tutorial we will see what ACLs are, and how to do the basic manipulation of this kind of permissions on a Linux platform. The below instructions will work on any Linux distribution. I‘m assuming you know and are comfortable using standard Linux discretionary ugo/rwx permissions.
So, what are ACLs ?ACLs are a second level of discretionary permissions, that may override the standard ugo/rwx ones. When used correctly they can grant you a better granularity in setting access to a file or a directory, for example by giving or denying access to a specific user that is neither the file owner, nor in the group owner.
Getting startedThe first thing you have to do, if you want to take advantage of ACLs is to make sure that the filesystem you want to use them on, has been mounted with the ‘acl’ option. To verify the latter you can run the ‘tune2fs -l’ command, passing the partition as argument. As you can see running (output truncated):
# tune2fs -l /dev/sda3
gives the following result on my system, showing that the filesystem on /dev/sda3 has, among the default mount options, also ‘acl’.
If your filesystem has not been mounted with the ‘acl’ option, you can re-mount it giving the needed option:
# mount -o remount -o acl /dev/sda1However, notice that the mount options set this way, will not be persistent, and will not survive a reboot. If you want to obtain persistence, you have to modify the filesystem mount options in /etc/fstab, assigning the ‘acl’ option statically.
Another thing we need, is to install the
aclpackage. This package contains various ACLs utilities like the
A test caseLet’s see what ACLs can do for us. First we will create a file named text.cfg and we will give it as an argument to the
getfaclcommand. Let’s see what the output of this command shows:
$ touch text.cfg && getfacl text.cfg
As you can see, since we didn’t set any ACL permission on the file, the command just displays the standard permissions values, plus the file owner and the group owner, both having read and write permissions. Now let’s imagine we want to give a specific user (I will create this user on purpose and call him
dummy), a specific set of privileges on the file. We will just have to run:
$ setfacl -m u:dummy:rw text.cfgLet’s analyze the command: first we have, of course, the name of the program
setfacl, which is pretty self-explanatory, than we passed the
-moption (short for
--modify) which allows us to change the ACLs of a file, than the permission descriptions
We have three ‘sections’ divided by colons: in the first one, the
ustands for user, specifying that we want to set the ACLs for a specific user. It could have been a
gfor group, or an
others. In the second section we have the name of the user whom we want to set the permissions for, and in the third, the permissions to assign.
Finally, the name of the file on which we want to apply the permissions.
If we now try to run the ‘getfacl’ command, we can see that its output reflects the changes we made:
$ getfacl text.cfg
An entry has been added for the
dummyuser, showing the permissions we assigned to him. Other than that, if you notice, also an entry for
maskhas appeared. What does it stand for ? The mask associated with an ACL limits the set of permissions that can be assigned on the file for the the named groups and users and for the group owner, but has no effect on the permissions for the file owner and the
In this case, only reading and writing permissions could be assigned with setfacl command. Of course we can change this option, using
$ setfacl -m mask:r text.cfgWith the command above, we set the mask to allow only reading permissions. Let’s check the output of
$ getfacl text.cfg
As you can see, not only the changes we made to the mask is now reported, but also the effective permissions for the group owner and the named user
dummyare showed. Although the group owner and the
dummyuser have reading and writing permissions on the file, by changing the mask, we have effectively limited their permissions to read only. As the output of the command shows, they now are only allowed to read the file.
Other than explicitly changed with the command above, the ACLs mask also gets automatically re-calculated when we assign or change permissions with setfacl (unless the -n option is specified). Let’s demonstrate that: we will change the permissions of the
rwxand then check the getfacl output:
$ setfacl -m u:dummy:rwx text.cfg && getfacl text.cfg
As you can see the mask got re-calculated and it now reflects the maximum permissions present for the named user
dummy. Obviously, since now no previously set permissions are higher than the mask, there is no need for showing the
You can also use ACL to completely deny access to a file for a specific named user or group. For example, by running:
$ setfacl -m u:dummy:- text.cfgwe effectively deny all privileges to the
dummyuser on the text.cfg file.
defaultACL is a specific type of permission assigned to a directory, that doesn’t change the permissions of the directory itself, but makes so that specified ACLs are set by default on all the files created inside of it. Let’s demonstrate it: first we are going to create a directory and assign
defaultACL to it by using the
$ mkdir test && setfacl -d -m u:dummy:rw testnow, we can examine the output of the getfacl for that directory:
$ getfacl test
defaultpermissions has been assigned correctly. Now we can verify them by creating a file inside of the test directory and checking its permissions by running getfacl:
$ touch test/file.cfg && getfacl test/file.cfg
As expected, the file has been created automatically receiving the ACLs permissions specified above.
When you want to erase all the ACLs set, you can always run the setfacl with the
This tutorial covers the main aspects of ACLs, and of course there is a lot more about them to know, so I suggest, as always, to read the manual for a more in-deep knowledge. By now just remember that if you want to remove all the ACLs permissions assigned to a file, you just have to run