An Introduction To Access Control Lists (ACL)

What Is Access Control List (ACL)

Access Control List (ACL) provides an additional, more flexible permission mechanism for file systems. ACLs allow you to provide different levels of access to files and folders for different users. It is designed to assist with UNIX file permissions. ACL allows you to give permissions for any user or group to any disc resource.

Prerequisites

Verify your Filesystem options

Before using ACL’s we must first verify that our filesystem has the ACL option enabled or Disable.

A common way to enable ACL support on a filesystem is to add the ACL option to a filesystems mount options in /etc/fstab. We can check if that has been done on this system by using the mount command. Now open the Terminal (Ctrl+Alt+T) and write the following command.

sudo su
mount | grep root
/dev/mapper/workstation-root on / type ext4 (rw,errors=remount-ro)

In this case the ACL option has not been added but that doesn’t mean our filesystem doesn’t have acl’s enabled. On most distributions the default filesystems have the ACL option as part of the default mount options.

Now you can check if your filesystems have ACL as part of the defaults by using the tune2fs command.

tune2fs -l /dev/mapper/workstation-root

Default mount options: user_xattr acl

As you can see on my test system the default mount options contain acl, in this case my filesystem will support acl’s even if I don’t specify it during the mount process. If your filesystem does not have acl as a default mount option, than you can add it during the mount process easily by editing the fstab file.

sudo mcedit /etc/fstab

Simply add the term acl to the mount options as shown below.

Before:

 /dev/mapper/workstation-root / ext4 errors=remount-ro 0 1

After:

 /dev/mapper/workstation-root / ext4 acl,errors=remount-ro 0 1

Once your fstab file is edited you can remount your filesystem with the mount command.

mount -o remount /
mount | grep root
/dev/mapper/workstation-root on / type ext4 (rw,acl,errors=remount-ro)

ACL Utilities

Now that your filesystem supports acl’s we must make sure that you have the acl utilities installed. My test machine is an Ubuntu server install so I will use the dpkg command.

dpkg --list | grep acl
 ii libacl1 2.2.51-5ubuntu1 Access control list shared library

Install ACL

sudo apt-get install acl

Now we check again, and it is installed.

dpkg --list | grep acl
 ii acl 2.2.51-5ubuntu1 Access control list utilities
 ii libacl1 2.2.51-5ubuntu1 Access control list shared library

Setting and Configure ACL’s with getfacl and setfacl command

Now that we have the utilities installed we can start using the setfacl and getfacl commands.

Setting ACL’s with setfacl

Now go to directory

cd /var/tmp/
ls -la | grep appdir
drwxrwxr-x 2 root appgroup 4096 May 27 10:45 appdir

To add these permissions we will use the setfacl command

setfacl -m g:testusers:r appdir/

Let’s break the command down a little bit.

-m

The -m option tells setfacl to modify the acl list for the specified directory.

g:testusers:r

This is actually the access control list that is being set. The first column is specifying g for group, the second column is the group name that I want the permissions to be set for and the last column is the permissions I want that group to have. In this case the read permission.

appdir/

This is the directory that I am setting the permissions on.

Checking the ACL list with getfacl

Once you’ve set the acl with setfacl it is common sense to check if it took effect, in order to do so you will need to use the getfacl command.

getfacl appdir/

Output

# file: appdir/
# owner: root 
# group: appgroup
user::rwx 
group::rwx
group:testusers:r--
mask::rwx
other::r-x

The output of getfacl is pretty self explanatory, you can see the rule that we added below the standard group entry.

Examples of Usages ACL

  • Removing all ACL entries from a file or directory
  • Set test users to have read access to all files in a directory
  • Set the same ACL changes recursively
  • Set the same ACL on all newly created files automatically
  • Set testuser1 to have read, write and execute access to the appuser1 directory
  • Set all users to have read, write and execute access to the shared directory
  • Remove the ACL for testuser1 on appuser1 directory

 Removing all acl entries from a file or directory

Before we start messing with ACL’s in my directory I want to clear out all of the acl’s it previously had. Doing this one by one can be a bit of a pain, its a good thing the setfacl command gives you the ability to remove all acl’s on a specified file or directory. This can be accomplished using the -b option of setfacl.

setfacl -b appdir/
getfacl appdir

Set testusers to have read access to all files in the appdir directory

This is a pretty basic acl, we want the testusers group to have read access to all files in the appdir directory.

setfacl -m g:testusers:r appdir/
getfacl appdir

Set testuser1 to have read, write and execute access to the appuser1 directory

While the user testuser1 is in the testusers group and has read access to the appuser1 directory he does not have write access. In this case we want to give him write access without giving the rest of the testusers write access. This can be done using acl’s by specifying a specific user rather than a group.

setfacl -m u:testuser1:rwx appdir/
getfacl appdir/

The user testuser1 can now create files in the appdir1 directory.

sudo -u testuser1 touch appdir/file2
ls -la appdir/file2
-rw-rw-r--+ 1 testuser1 testusers 0 May 27 12:17 appdir/file2

Set all users to have read, write and execute to the shared directory

We have now given users and groups permissions on directories and files, but what happens when we want all users to have access to a directory? Adding every users name or group could get tedious, in this case we can set the “other” or “world” permissions so that all users on a system can access this directory.

setfacl -m o::rwx shared
getfacl shared/

Another Method Setting ACL

Setting ACL With Example

To modify ACL use setfacl command. To add permissions use setfacl -m.

Add permissions to some user:

setfacl -m "u:username:permissions"

or

setfacl -m "u:uid:permissions"

Add permissions to some group:

setfacl -m "g:groupname:permissions"

or

setfacl -m "g:gid:permissions"

Remove all permissions:

setfacl -b

Remove each entry:

setfacl -x "entry"

To check permissions use:

getfacl filename

Examples

Set all permissions for user johor to file named “abc”:

setfacl -m "u:johor:rwx" abc

Check permissions

getfacl abc

Output

# file: abc
# owner: someone
# group: someone
user::rw-
user:johor:rwx
group::r-- mask::rwx
other::r--

Change permissions for user johor:

setfacl -m "u:johor:r-x" abc

Check permissions

getfacl abc

Output

# file: abc
# owner: someone
# group: someone
user::rw-
user:johor:r-x
group::r--
mask::r-x
other::r--

Remove all extended ACL entries:

setfacl -b abc

Check permissions

getfacl abc
# file: abc
# owner: someone
# group: someone
user::rw-
group::r--
other::r--

Enjoy!