Access Control Lists (ACLs) provide a more flexible permission mechanism for file systems compared to traditional Unix file permissions. They allow you to set permissions for individual users or groups beyond the standard owner/group/others model. This makes ACLs particularly useful in environments where you need fine-grained access control. In this article, we’ll explore the basics of using Linux ACLs to set default and user/group rules.
What are ACLs?
ACLs are a list of permissions attached to an object (like a file or directory) that specify which users or system processes are granted access to that object, as well as what operations are allowed on the object. ACLs can specify permissions for:
- Individual users
- Individual groups
- Default permissions for new files and directories created within a directory
Prerequisites
Before you start using ACLs, ensure that your file system supports them. Most modern file systems like ext4, XFS, and Btrfs support ACLs. You can check if your mounted file system has ACL support with the following command:
mount | grep acl
If you don’t see the acl option, you can remount the file system with ACL support:
sudo mount -o remount,acl /dev/sdX /mount/point
Alternatively, add the acl option to your /etc/fstab to make it persistent across reboots.
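As an added example (not code from the original article), two checks that go further than grepping the mount output. On current kernels ext4, XFS and Btrfs enable POSIX ACLs by default, so "mount | grep acl" frequently prints nothing on a system where ACLs already work; the dependable test is to attach an entry to a scratch file and see whether the file system accepts it. The second function is a static check of the fstab entry for the persistent option. The scratch directory, the fstab path and the probe-file name are this script's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: pre-flight checks before
# relying on ACLs. The directory and fstab paths passed in are the caller's.

# acl_supported DIR
# Empirical test: create a scratch file in DIR and try to attach an ACL entry
# for the current user. Exit status: 0 = ACLs work, 1 = setfacl is missing,
# 2 = DIR is unusable or the file system rejected the ACL.
acl_supported() {
    dir=$1
    command -v setfacl >/dev/null 2>&1 || return 1
    probe=$(mktemp "$dir/.aclprobe.XXXXXX" 2>/dev/null) || return 2
    if setfacl -m "u:$(id -un):rw" "$probe" 2>/dev/null; then rc=0; else rc=2; fi
    rm -f "$probe"
    return "$rc"
}

# fstab_has_acl MOUNTPOINT [FSTAB]
# Static check: does the fstab entry for MOUNTPOINT list "acl" among its mount
# options? Comment lines are skipped; field 4 is the comma-separated option list.
fstab_has_acl() {
    awk -v mp="$1" '
        $1 !~ /^#/ && $2 == mp {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "acl") found = 1
            exit
        }
        END { exit found ? 0 : 1 }' "${2:-/etc/fstab}"
}

# Stand-alone run: report on the file system holding the temp directory.
probe_dir=${TMPDIR:-/tmp}
if acl_supported "$probe_dir"; then
    echo "ACLs work on $probe_dir ($(stat -f -c %T "$probe_dir" 2>/dev/null || echo 'unknown fs'))"
else
    case $? in
        1) echo "setfacl not installed (package 'acl' on most distributions)" >&2 ;;
        *) echo "ACL entry rejected on $probe_dir; check mount options or remount with acl" >&2 ;;
    esac
fi
```

The empirical probe is the one to trust: a file system that silently lacks ACL support makes every setfacl in the rest of this article fail, and the fstab check only tells you whether the option will survive a reboot.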
Basic ACL commands
Viewing ACLs
To view the current ACLs on a file or directory, use the getfacl command:
getfacl filename
This will show the standard permissions and any ACLs set on the file.
Setting ACLs
You can set ACLs using the setfacl command. The basic syntax is:
setfacl -m u:username:permissions filename
- -m indicates modify.
- u:username:permissions sets the permissions for the specified user.
For example, to give read and write permissions to a user named john:
setfacl -m u:john:rw filename
Removing ACLs
To remove a specific ACL entry:
setfacl -x u:username filename
To remove all ACL entries and revert to the standard permission model:
setfacl -b filename
Setting default ACLs
Default ACLs are templates for permissions that are applied to new files and directories created within a directory. This is particularly useful in collaborative environments.
To set a default ACL, use the -d flag:
setfacl -d -m u:john:rwx directoryname
This command sets the default ACL for user john with read, write, and execute permissions on directoryname.
Example: Collaborative directory
Suppose you have a directory /shared and you want all files created within it to be accessible by user alice and group developers.
- Set the ACL for user alice:
setfacl -m u:alice:rwx /shared
- Set the ACL for the group developers:
setfacl -m g:developers:rwx /shared
- Set default ACLs so new files and directories inherit these permissions:
setfacl -d -m u:alice:rwx /shared
setfacl -d -m g:developers:rwx /shared
Verifying ACLs
You can verify the ACLs with getfacl:
getfacl /shared
This command will display both the access ACL (the entries that apply to the directory itself) and the default ACL (the entries new files and subdirectories will inherit). Entries the mask cuts down are shown with an "#effective:" column; that column, not the nominal permissions, is what the kernel enforces.
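The collaborative-directory steps and the verification above, carried out as one script. This is an added example, not code from the original article: it applies the access and default entries for a user and a group, then audits the getfacl output instead of assuming the commands took effect, and it creates one file so the inherited default ACL can be seen. The names alice and developers are the article's; the stand-alone run at the bottom substitutes the current user and primary group so it runs on any host, and the scratch directory, the setgid 0770 mode and the helper names are this script's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the original article: build the /shared setup
# (alice and developers are the article's names; the stand-alone run below
# substitutes the current user and group so it works on any host) and audit
# the result from getfacl output instead of trusting that the commands ran.

# setup_shared_dir DIR USER GROUP
# Access ACL for the directory itself plus the default ACL inherited by new entries.
# setgid + 0770 is an added hardening choice (assumption): new files inherit
# GROUP and "others" get nothing; the ACL entries grant the named user and group.
setup_shared_dir() {
    dir=$1; user=$2; group=$3
    mkdir -p "$dir" && chmod 2770 "$dir" &&
    setfacl -m "u:$user:rwx" "$dir" &&
    setfacl -m "g:$group:rwx" "$dir" &&
    setfacl -d -m "u:$user:rwx" "$dir" &&
    setfacl -d -m "g:$group:rwx" "$dir"
}

# acl_entry_effective TAG PERMS ACLTEXT
# TAG is the entry up to its last colon: user:alice, group:developers, mask:,
# other:, default:user:alice. Succeeds when the entry exists in ACLTEXT
# (getfacl output) with *effective* permissions PERMS. When the mask trims an
# entry, getfacl appends "#effective:r-x"; that column is what the kernel
# enforces, so it takes precedence over the nominal permissions here.
acl_entry_effective() {
    tag=$1; want=$2; acltext=$3
    printf '%s\n' "$acltext" | awk -v tag="$tag" -v want="$want" '
        index($0, tag ":") == 1 {
            perms = substr($0, length(tag) + 2, 3)
            if (match($0, /#effective:[rwx-]+/))
                perms = substr($0, RSTART + 11, 3)
            found = (perms == want)
            exit
        }
        END { exit found ? 0 : 1 }'
}

# audit_shared_dir DIR USER GROUP
# Fails if any of the four expected entries is missing or masked down from rwx.
audit_shared_dir() {
    dir=$1; user=$2; group=$3
    acl=$(getfacl "$dir" 2>/dev/null) || return 1
    for tag in "user:$user" "group:$group" "default:user:$user" "default:group:$group"; do
        acl_entry_effective "$tag" rwx "$acl" ||
            { echo "ACL entry $tag missing or masked on $dir" >&2; return 1; }
    done
}

# Stand-alone run against a scratch directory; skipped where setfacl is absent.
if command -v setfacl >/dev/null 2>&1; then
    scratch=$(mktemp -d)
    me=$(id -un); mygroup=$(id -gn)
    if setup_shared_dir "$scratch/shared" "$me" "$mygroup" 2>/dev/null &&
       audit_shared_dir "$scratch/shared" "$me" "$mygroup"; then
        touch "$scratch/shared/new.txt"   # inherits the default ACL
        echo "entries inherited by new.txt:"
        getfacl "$scratch/shared/new.txt" 2>/dev/null | grep -E "^(user|group):($me|$mygroup):"
    else
        echo "could not apply or verify ACLs under $scratch (no ACL support?)" >&2
    fi
    rm -rf "$scratch"
fi
```

Watch the inherited entries on new.txt: the default ACL grants rwx, but a regular file created with mode 0644 or 0664 gets a mask of rw- or r--, so getfacl prints the named entries with an "#effective:" column showing less than rwx. The same thing happens to the directory itself if someone later runs chmod on its group bits, because chmod on an object with an ACL rewrites the mask, not the group entry. That is why the audit reads the effective column rather than the nominal one.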
ACLs provide a powerful way to manage permissions on a Linux system, offering flexibility beyond traditional Unix permissions. By understanding how to view, set, and manage ACLs, you can create a more secure and efficient file permission setup for your specific needs.
Whether you are setting permissions for individual users, groups, or establishing default permissions for collaborative directories, ACLs can significantly enhance your control over file system access. Start exploring ACLs on your system to see how they can improve your permission management.