POSIX Access Control Lists

Access Control Lists (ACLs) allow fine-grained permissions to be allocated to a file or directory. They add a second, more flexible permission mechanism on top of the standard owner/group/other mode bits.
Standard Linux file permissions are adequate for most situations, but they can only express rights for one owner, one group and everyone else. With ACLs the file owner (or root) can grant rights to additional named users and named groups on individual files or directories. A directory can also carry a default ACL; new files and subdirectories created inside it inherit that default ACL automatically.
ACL entries use the familiar permission letters: ‘r’ for read, ‘w’ for write and ‘x’ for execute. setfacl additionally accepts ‘X’, which grants execute only if the target is a directory or already has execute permission for some user. This lets a single recursive setfacl make directories traversable without turning every regular file into an executable.

Viewing ACL permissions

The ls -l command only shows that an ACL is present, not what it contains.
The ‘+’ at the end of the permission string indicates that the file has an extended ACL. To display the ACL entries themselves, use getfacl:
getfacl file
Let’s go through the output section by section.
# file: file1.txt
# owner: sudeshna
# group: sudeshna
The first three lines are comments that identify the file name, the owner (sudeshna) and the group-owner (sudeshna).
If any additional mode flags are set, for example setuid or setgid, a fourth comment line (# flags:) shows which ones.
user::rw-
user:sudeshna:r-x
user:1005:r--
Every remaining line has the form tag:qualifier:permissions. An empty qualifier means the entry refers to the file’s own owner, group-owner or “other”; a non-empty qualifier names a specific user or group.
user::rw- is the file owner’s permissions. sudeshna has rw-.
user:sudeshna:r-x is a named user entry. There is one such entry for each named user associated with the file; here sudeshna has r-x.
user:1005:r-- is another named user entry. The qualifier is printed as a number when getfacl cannot map the UID to an account name on this system; UID 1005 has r-- only.
group::rw- is the group-owner’s permissions. Group sudeshna has rw-.
mask:: shows the maximum permissions possible for all named users, the group-owner and named groups (see the ACL mask section below).
other::r-- is the permissions for everyone else. All other UIDs and GIDs have read permission only.
Similarly, to display the ACL on a directory, use getfacl /directory. If the directory carries a default ACL, its entries are listed after the access ACL with a default: prefix, for example default:user:name:perms.

ACL mask

The ACL mask defines the maximum permissions that can be granted to named users, the group-owner and named groups: each of those entries is ANDed with the mask before it takes effect. It does not restrict the file owner or “other”. Any ACL that contains named user or named group entries has a mask entry; a minimal ACL that merely mirrors the mode bits does not need one. Two things catch people out. First, setfacl recalculates the mask (as the union of the group-owner entry and all named entries) every time -m or -x is used without an explicit mask entry. Second, once a mask exists, the group bits of the file mode, as shown by ls -l and changed by chmod, correspond to the mask entry rather than to the group-owner entry. After a chmod or a recalculated mask, check getfacl rather than trusting the mode string.
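To make the masking arithmetic concrete, here is a small Python model, added for this article (it is not part of the original post and not code from the acl package), that reads getfacl-style output, ANDs each masked entry with the mask, and reports which principals can really read, write or execute. The sample ACL is constructed for the example: it uses the file1.txt entries shown above and assumes a mask of r--, since the original screenshot is not reproduced here.

```python
"""Offline model of how getfacl reports effective permissions under the ACL mask.

Added example, not the article's own code. The mask arithmetic mirrors what
the kernel does at access-check time: masked entries are ANDed with the mask,
the owner and 'other' are not.
"""


def parse_getfacl(text):
    """Return (scope, tag, qualifier, perms) tuples from getfacl output.

    scope is 'access' or 'default'; '# file:'-style headers and any
    '#effective:' annotations are stripped before parsing.
    """
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        scope = "access"
        if line.startswith("default:"):
            scope, line = "default", line[len("default:"):]
        tag, qualifier, perms = line.split(":", 2)
        entries.append((scope, tag, qualifier, perms))
    return entries


def perm_and(a, b):
    """AND of two rwx strings: a bit survives only if both sides grant it."""
    return "".join(x if x == y else "-" for x, y in zip(a, b))


def is_masked(tag, qualifier):
    """Named users, the group-owner and named groups are subject to the mask;
    the file owner (user::) and other:: are not."""
    return tag == "group" or (tag == "user" and qualifier != "")


def effective_entries(entries):
    """Annotate each entry with the permissions it actually grants.

    Access and default ACLs carry separate masks, so each scope is ANDed with
    its own mask entry. Returns (scope, tag, qualifier, perms, effective).
    """
    masks = {scope: perms for scope, tag, _, perms in entries if tag == "mask"}
    out = []
    for scope, tag, qualifier, perms in entries:
        effective = perms
        if is_masked(tag, qualifier) and scope in masks:
            effective = perm_and(perms, masks[scope])
        out.append((scope, tag, qualifier, perms, effective))
    return out


def render(entries):
    """Re-emit the ACL the way getfacl prints it, adding an '#effective:'
    comment wherever the mask cuts an entry down."""
    lines = []
    for scope, tag, qualifier, perms, effective in effective_entries(entries):
        prefix = "default:" if scope == "default" else ""
        line = f"{prefix}{tag}:{qualifier}:{perms}"
        if effective != perms:
            line += f"\t\t#effective:{effective}"
        lines.append(line)
    return "\n".join(lines)


def who_can(entries, bit):
    """(tag, qualifier) of every access-ACL principal whose *effective*
    permissions include bit ('r', 'w' or 'x'). Auditing nominal perms
    over-reports; this is the list that matters."""
    idx = "rwx".index(bit)
    return [(tag, qualifier)
            for scope, tag, qualifier, _, effective in effective_entries(entries)
            if scope == "access" and tag != "mask" and effective[idx] != "-"]


# Constructed getfacl output modelled on the article's file1.txt after
# `setfacl -m m::r file1.txt`; the mask value r-- is an assumption.
SAMPLE = """\
# file: file1.txt
# owner: sudeshna
# group: sudeshna
user::rw-
user:sudeshna:r-x
user:1005:r--
group::rw-
mask::r--
other::r--
"""

if __name__ == "__main__":
    acl = parse_getfacl(SAMPLE)
    print(render(acl))
    print("can write:", who_can(acl, "w"))    # only the owner; group:: is masked to r--
    print("can execute:", who_can(acl, "x"))  # nobody; sudeshna's r-x is masked to r--
```

For a real audit, feed who_can the output of getfacl -R over the tree you care about: it tells you who has effective write access, which is not the same list as who nominally has a w in their entry.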

Adding or modifying an ACL

ACL entries are added or changed with setfacl -m. Each entry has the form tag:qualifier:perms, where the tag is u (user), g (group), o (other) or m (mask); prefixing d: (or default:) targets a directory’s default ACL instead. Named users and groups may be given by name or by numeric ID. For example, file2.txt below receives entries for the named user usr01 and for the named user with UID 1008:
setfacl -m u:usr01:perms file2.txt
setfacl -m u:1008:perms file2.txt
Named groups, the group-owner and “other” are changed the same way with g:name:perms, g::perms and o::perms.
Multiple entries can be set in one command by comma-separating them:
setfacl -m u::rwx,g:user:rX,o::- file2.txt
This gives the owner rwx, grants the named group user read plus conditional execute (X), and removes all permissions from everyone else. Because no mask entry was given, setfacl recalculates the mask from the group-owner and named entries.
Additionally, the output from getfacl can be used as input to setfacl, which is a convenient way to copy an ACL from one file to another (the # file: comment in the input is ignored):
getfacl file-A | setfacl --set-file=- file-B
You can try this on your own.

How to set an explicit ACL mask?

An ACL mask can be set explicitly on a file or directory to cap the effective permissions of named users, the group-owner and named groups. Entries that exceed the mask keep their nominal value but no longer take effect:
setfacl -m m::r file
getfacl then appends an #effective: comment to every entry the mask cuts down, for example user:sudeshna:r-x followed by #effective:r--. Note that the cap lasts only until the next setfacl -m or -x that does not itself set the mask, because setfacl recalculates the mask by default; pass -n (--no-mask) to prevent that.

Deleting an ACL

Individual entries are deleted with setfacl -x, giving the tag and qualifier but no permissions:
setfacl -x u:name,g:name file
This removes the named user and named group from the file’s or directory’s ACL. The owner, group-owner and other entries cannot be removed this way, and the mask is recalculated from the entries that remain. Prefix d: to remove an entry from a directory’s default ACL.
To delete ALL extended ACL entries on a file or directory (named users, named groups, the mask, and any default ACL on a directory), leaving only the base owner/group/other entries, use
setfacl -b filename
To drop only a directory’s default ACL and keep its access ACL, use setfacl -k directory.
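The following Python model, added here as an example (it is not the article’s commands and not the setfacl source), walks through the -m, explicit-mask and -x/-b steps of the last three sections on an in-memory ACL and applies the mask recalculation setfacl performs by default. The starting ACL and the names usr01, 1008 and user are constructed for the example; the -n option and setfacl’s creation of default-ACL base entries are not modelled.

```python
"""Offline model of setfacl -m, -x and -b on an in-memory ACL.

Added example: not the article's commands and not libacl/setfacl code. It
follows the documented behaviour, in particular that setfacl recomputes the
mask after -m/-x unless that same command sets the mask explicitly.
Entries are (scope, tag, qualifier, perms); scope is 'access' or 'default'.
"""

TAGS = {"u": "user", "g": "group", "o": "other", "m": "mask",
        "user": "user", "group": "group", "other": "other", "mask": "mask"}
ORDER = {"user": 0, "group": 2, "mask": 4, "other": 5}   # getfacl print order


def parse_spec(spec):
    """'u:usr01:rw', 'g:user:rX', 'o::-', 'm::r', 'd:u:usr01:rw' or (for -x)
    'u:usr01' -> (scope, tag, qualifier, perms)."""
    parts = spec.split(":")
    scope = "access"
    if parts[0] in ("d", "default"):
        scope, parts = "default", parts[1:]
    tag = TAGS[parts[0]]
    if len(parts) == 2:   # 'm:r' / 'o:-' omit the qualifier; '-x u:name' omits perms
        parts = [parts[0], "", parts[1]] if tag in ("mask", "other") else parts + [""]
    return scope, tag, parts[1], parts[2]


def norm(perms, is_dir, has_exec):
    """Expand shorthand ('r', 'rw', '-', 'rX') to rwx form. 'X' becomes 'x'
    only for a directory or a file that already has an execute bit set."""
    bits = set(perms)
    if "X" in bits and (is_dir or has_exec):
        bits.add("x")
    return "".join(c if c in bits else "-" for c in "rwx")


def union(a, b):
    """OR of two rwx strings."""
    return "".join(x if x != "-" else y for x, y in zip(a, b))


def canonical(acl):
    """Sort like getfacl: owner, named users, group-owner, named groups, mask,
    other; access entries before default entries."""
    return sorted(acl, key=lambda e: (e[0] == "default", ORDER[e[1]] + bool(e[2]), e[2]))


def recalc_masks(acl, explicit):
    """Default setfacl behaviour: in each scope that has named entries or a mask
    already, mask = union(group-owner, named users, named groups), unless this
    command set that scope's mask explicitly."""
    for scope in ("access", "default"):
        ents = [e for e in acl if e[0] == scope]
        has_named = any(q for _, t, q, _ in ents if t in ("user", "group"))
        has_mask = any(t == "mask" for _, t, _, _ in ents)
        if scope in explicit or not (has_named or has_mask):
            continue
        mask = "---"
        for _, t, q, p in ents:
            if t == "group" or (t == "user" and q):   # exactly the masked entries
                mask = union(mask, p)
        acl = [e for e in acl if (e[0], e[1]) != (scope, "mask")] + [(scope, "mask", "", mask)]
    return canonical(acl)


def modify(acl, specs, is_dir=False):
    """setfacl -m SPECS: add or replace comma-separated entries, then recalc the mask."""
    has_exec = any("x" in p for *_, p in acl)
    explicit = set()
    for spec in specs.split(","):
        scope, tag, qualifier, perms = parse_spec(spec)
        if tag == "mask":
            explicit.add(scope)
        acl = [e for e in acl if e[:3] != (scope, tag, qualifier)]
        acl.append((scope, tag, qualifier, norm(perms, is_dir, has_exec)))
    return recalc_masks(acl, explicit)


def remove(acl, specs):
    """setfacl -x SPECS: drop named entries; base entries cannot be removed."""
    for spec in specs.split(","):
        scope, tag, qualifier, _ = parse_spec(spec)
        if tag in ("user", "group", "other") and not qualifier:
            raise ValueError(f"setfacl -x cannot remove the base entry {tag}::")
        acl = [e for e in acl if e[:3] != (scope, tag, qualifier)]
    return recalc_masks(acl, set())


def strip(acl):
    """setfacl -b: remove all extended entries (named, mask, the whole default ACL)."""
    return [e for e in acl if e[0] == "access" and e[1] != "mask" and not e[2]]


def get(acl, tag, qualifier="", scope="access"):
    """Perms of one entry, or None if the entry is absent."""
    for s, t, q, p in acl:
        if (s, t, q) == (scope, tag, qualifier):
            return p
    return None


# Constructed starting point: a file with a minimal ACL (no extended entries).
START = [("access", "user", "", "rw-"),
         ("access", "group", "", "r--"),
         ("access", "other", "", "r--")]

if __name__ == "__main__":
    acl = modify(START, "u:usr01:rw,u:1008:r")   # mask computed as rw-
    acl = modify(acl, "m::r")                    # explicit cap: mask r--
    acl = modify(acl, "g:user:rX")               # cap silently recomputed to rw-
    for entry in acl:
        print(entry)
    print(strip(remove(acl, "u:usr01,u:1008,g:user")))
```

The third modify call is the one to remember: adding a harmless-looking read-only group entry after an explicit m::r widens the mask back to rw-, so usr01 regains write access without anyone having touched that entry. On a real system the same sequence shows up in getfacl as the #effective: comment disappearing.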
Thank you for reading! Hope you enjoyed it.