POSIX Access Control Lists

In this article, you will learn about POSIX access control lists.

Access Control Lists (ACLs) allow fine-grained permissions to be allocated to a file. ACL provides an additional, more flexible permission mechanism for file systems.
 
Often, standard Linux file permissions are satisfactory for most situations but they have limitations. The file owner can set ACLs on individual files or directories. New files and subdirectories can automatically inherit ACL settings from the parent directory default ACLs if they are set.
 
ACLs use the normal file system representation of permissions, ‘r’ for reading permission, ‘w’ for writing permission, and ‘x’ for executing permission. However, ‘X’ can be used to indicate that the execution permission should only be set on directories and not regular files.
 

Viewing ACL permissions

 
The ls -l command only outputs minimal ACL setting details.
 
POSIX Access Control Lists 
 
The ‘+’ at the end of permission string indicates that there are ACL settings associated with this file.
 
To display ACL settings on a file, use the getfacl file.
 
POSIX Access Control Lists 
 
Let’s start looking at each section.
 
# file: file1.txt
# owner: sudeshna
# group: sudeshna
 
The first three lines are comments that identify the file name, the owner (sudeshna), and group-owner (sudeshna).
 
Note
If there are any additional file flags, for example, setuid or setgid, then a fourth comment line will appear showing which flags are set.
 
user::rw- 1
user:sudeshna:r-x 2
user:1005:r-- 3
 
1 File owner permissions. sudeshna has rw-.
2 Named user permissions. One entry for each named user associated with this file. sudeshna has r-x permissions.
3 Named user permissions. UID 1005 has r-- only.
 
group::rw-
 
Group-owner permissions. sudeshna has rw- permissions only.
 
mask::rwx
 
Mask settings show the maximum permissions possible for all named users, the group-owner and
named groups.
 
other::r--
 
Other or world permissions. All other UIDs and GIDs have read permission only.
 
Note
Similarly, to display ACL settings on a directory, use the getfacl /directory
 

ACL mask

 
The ACL mask defines the maximum permissions that can be granted to named users, the group-owner, and named groups. It does not restrict the permissions of the file owner or other users. All files and directories that implement ACLs will have an ACL mask.
 

Adding or modifying an ACL

 
ACLs can be set via the command line using -m. setfacl -m
 
Notice the below changes to file2.txt . Changes have been made for the named user usr01, named user having 1008 UID.
 
POSIX Access Control Lists 
 
Now, notice the below changes for named groups user and others.
 
POSIX Access Control Lists 
 
We can add multiple entries via the same command, and comma-separate each of the entries,
 
setfacl -m u::rwx,g:user:rX,o::- file2.txt
 
POSIX Access Control Lists 
 
Additionally, the output from getfacl can be used as input to setfacl,
 
getfacl file-A | setfacl --set-file=- file-B
 
You can try this on your own.
 

How to set an explicit ACL mask?

 
An ACL mask can be explicitly set on a file or directory to limit the maximum effective permissions for named users, the group-owner, and named groups. This restricts any existing permissions that exceed the mask.
 
setfacl -m m::r file
 
getfacl will show an “effective” comment. See below.
 
POSIX Access Control Lists 
 

Deleting an ACL

 
ACLs can be deleted via the command line using -x.
 
setfacl -x u:name,g:name file
 
This will delete the named user or named group from the list of file/directory ACLs. See below.
 
POSIX Access Control Lists 
 
To delete ALL ACLs on a file or directory (including default ACLs on directories), use,
 
setfacl -b filename
 
Thank you for reading! Hope you enjoyed it.