What is ACL?
POSIX Access Control List (ACL) is a Linux feature that allows different permissions for different users or different groups, even if they do not match the original owner or the owner group of that file or directory. Actually, with ACL we can add more granular permissions that go over the well-known ugo/rwx controls.
For example, John created a file. He does not allow anyone in the group to access the file, except for another user, called Ben (even if there are other users belonging to the John group). This means that, in addition to the permissions of that file (rwx for owner, group, others), other users and groups may have access allowed or refused by using POSIX ACL.
The command to learn more about ACL:
man acl
ACL is enabled by default on modern Linux distributions (starting with kernel 2.6), so it is no longer required to define it in the /etc/fstab file. An example of defining ACL in /etc/fstab:
/dev/root / ext4 acl,errors=remount-ro 0 1
How do we find out if the file system used has ACL enabled?
Let’s suppose that you want to convince yourself that your distribution or the file system you are working with has ACL enabled – the usual configuration is on /boot. We have 2 possibilities:
a. cat /boot/config* | grep _ACL
At the exit we will have:
CONFIG_EXT4_FS_POSIX_ACL=y
CONFIG_REISERFS_FS_POSIX_ACL =y
CONFIG_JFS_POSIX_ACL=y
CONFIG_XFS_POSIX_ACL=y
CONFIG_BTRFS_FS_POSIX_ACL=y
CONFIG_F2FS_FS_POSIX_ACL=y
CONFIG_FS_POSIX_ACL=y
CONFIG_TMPFS_POSIX_ACL=y
[…]
b. We use the tune2fs utility (usually it is preinstalled on most distributions):
# tune2fs -l /dev/sdXY | grep “Default mount options:”
Example below:
[root@mvps ~]#
[root@mvps ~]# tune2fs -l /dev/sdb1 | grep “Default mount options:”
Default mount options: user_xattr acl
[root@mvps ~]#
[root@mvps ~]#
[root@mvps ~]# tune2fs -l /dev/sda9 | grep “Default mount options:”
Default mount options: user_xattr acl
[root@mvps ~]#
Enabling ACL for a partition /file system using the tune2fs utility:
#tune2fs -o acl /dev/sdXY
Types of ACLs
There are two types of ACL: access ACL and default ACL:
• access ACL is used to assign permissions to a specific file or directory;
• default ACL is used only in directories, and if a file inside this directory does not have ACL set up, it will inherit the default ACL permissions assigned to the directory that contains it.
Commands
There are two commands that we will use: one to see the ACL settings (getfacl), and the other one to change the ACL settings of a Linux file or directory (setfacl):
# whatis getfacl
getfacl (1) – get file access control lists # whatis setfacl
setfacl (1) – set file access control lists
ACL will use the known standard permissions for user, group, others – read, write, execute (ugo/rwx) and use them as a starting point, then apply custom exceptions over them.
A good idea is to keep for the future the values in the table below, values that allow us to assign or change ACL values using the setfacl command: