Access Control Lists (ACL) in Linux Explained with Examples: setfacl, getfacl

Why do we need Access Control Lists (ACL)?

In Linux, access to a file or directory is controlled by the permission bits and the ownership assigned to it. Let's say a user named abhi, who is an admin user and a member of the admin group, owns a directory (doc) and the files inside it (/opt/abhi/doc).

[abhi@linux-acl abhi]$ ll
total 4
drwxr-x---. 2 abhi admin 4096 Jul 16 16:39 doc
[abhi@linux-acl doc]$ ls -l doc
total 0
-rw-rw----. 1 abhi admin 0 Jul 16 16:43 credentials
-rw-rw----. 1 abhi admin 0 Jul 16 16:42 installation_manual

In the directory "doc" we have two files named installation_manual and credentials, on which only abhi has read and write access and the admin group also has read and write access. Now suppose we want another user (Subna), a document writer in the company, to have read and write access to the file "installation_manual". The easy way is to add subna to the admin group, but the drawback of this approach is that Subna, now a member of the admin group, also gets access to the credentials file, which she does not need. To achieve the same without granting unnecessary privileges on the other file, we can make use of Access Control Lists (ACL) in Linux.

Access Control Lists (ACL) in Linux: setfacl & getfacl

Now that we understand the need for Access Control Lists (ACL), let's see how to set an ACL and what types of ACL exist. To set an ACL we use setfacl and to view an ACL we use getfacl. ACLs can be applied to both files and directories in Linux.

setfacl <options> <file/dir>
getfacl <options> <file/dir>

Types of ACL

  • Access ACL: an Access ACL provides/controls access to a file or a directory.
  • Default ACL: a Default ACL is only applicable to directories. If a directory is created inside a directory that has a Default ACL, the newly created directory gets the ACL rules applied to it by default; the same holds for files created there.

Access ACL: setfacl & getfacl

Command: setfacl

  • From the scenario explained above, user Subna needs access to installation_manual for editing, so:
    • User Subna should have read and execute access to the directory doc, to reach the file installation_manual
    • For editing installation_manual, user Subna should have read and write access to the file
  • The setfacl command can be used; the syntax is shown below:

setfacl -m u:<username>:<access>,g:<groupname>:<access>,o:<access>  <file/direc>

  • For our use case, since we need to give read and write access to the file and read and execute access to the directory, only to the user subna, we use the commands below:
i]# setfacl -m u:subna:r-x /opt/abhi/doc
i]# setfacl -m u:subna:rw- /opt/abhi/doc/installation_manual
  • Now from the snippet below it can be seen that user subna is able to access installation_manual, whereas she is not able to access credentials:
[subna@linux-acl doc]$ ls -ld /opt/abhi/doc/
drwxr-x---+ 2 abhi admin 4096 Jul 16 16:43 /opt/abhi/doc/
[subna@linux-acl doc]$ ls -l /opt/abhi/doc/installation_manual 
-rw-rw----+ 1 abhi admin 4 Jul 16 18:07 /opt/abhi/doc/installation_manual
[subna@linux-acl doc]$ ls -l /opt/abhi/doc/credentials 
-rw-r-----. 1 abhi admin 0 Jul 16 16:43 /opt/abhi/doc/credentials
[subna@linux-acl doc]$ cat /opt/abhi/doc/installation_manual
acc
[subna@linux-acl doc]$ cat /opt/abhi/doc/credentials 
cat: /opt/abhi/doc/credentials: Permission denied
[subna@linux-acl doc]$

Command: getfacl

  • The getfacl command is used for checking the ACLs applied to a directory or file:
[root@linux-acl ~]# getfacl /opt/abhi/doc/installation_manual 
getfacl: Removing leading '/' from absolute path names
# file: opt/abhi/doc/installation_manual
# owner: abhi
# group: admin
user::rw-
user:subna:rw-
group::r--
mask::rw-
other::---
  • From the snippet above, it can be seen that the original owner and group of the file are abhi and admin, but user subna also has read and write access to the file; we also see an entry named mask, which is explained in detail later in this article
  • If no ACL is applied to a file or directory, only the standard permissions and ownership are shown, and no mask entry appears:
[root@linux-acl ~]# ls -ld /opt
drwxr-xr-x. 5 root root 4096 Jul 16 13:15 /opt
[root@linux-acl ~]# getfacl /opt
getfacl: Removing leading '/' from absolute path names
# file: opt
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
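The permission check that produces the session above can be modelled in a few lines. The following Python is an added example written for this article, not part of the original page or of the acl tools; it implements the evaluation order from acl(5) (owner, then named user, then owning group and named groups, then other, with the mask capping the middle classes) and encodes the ACLs of doc, installation_manual and credentials as shown by getfacl and ls above. The entries, the user dev and the group memberships are constructed for the example.

```python
# Added model of the POSIX ACL access check described in acl(5), applied to the
# abhi/subna scenario on this page. Constructed example, not the kernel's code.
from typing import Dict, FrozenSet, Optional, Set


def perms(s: str) -> FrozenSet[str]:
    """'rw-' -> {'r', 'w'}; getfacl spelling, '-' marks an absent bit."""
    return frozenset(c for c in s if c != "-")


class Acl:
    """Access ACL of one file or directory, in getfacl's terms.

    user_obj/group_obj/other are the user::, group:: and other:: entries;
    named_users/named_groups are the user:NAME: and group:NAME: entries;
    mask is None when the object carries no extended ACL (mode bits only).
    """

    def __init__(self, owner: str, group: str, user_obj: str, group_obj: str,
                 other: str, named_users: Optional[Dict[str, str]] = None,
                 named_groups: Optional[Dict[str, str]] = None,
                 mask: Optional[str] = None) -> None:
        self.owner, self.group = owner, group
        self.user_obj, self.group_obj = perms(user_obj), perms(group_obj)
        self.other = perms(other)
        self.named_users = {u: perms(p) for u, p in (named_users or {}).items()}
        self.named_groups = {g: perms(p) for g, p in (named_groups or {}).items()}
        self.mask = None if mask is None else perms(mask)

    def effective(self, p: FrozenSet[str]) -> FrozenSet[str]:
        """The mask caps named users, named groups and the owning group."""
        return p if self.mask is None else p & self.mask


def check_access(acl: Acl, user: str, groups: Set[str], requested: str) -> bool:
    """acl(5) algorithm: the first matching class decides; later ones are not consulted."""
    req = perms(requested)
    if user == acl.owner:                      # 1. owner: user:: entry, never masked
        return req <= acl.user_obj
    if user in acl.named_users:                # 2. named user entry, masked
        return req <= acl.effective(acl.named_users[user])
    matched = False                            # 3. owning group / named groups, masked
    if acl.group in groups:
        matched = True
        if req <= acl.effective(acl.group_obj):
            return True
    for g, p in acl.named_groups.items():
        if g in groups:
            matched = True
            if req <= acl.effective(p):
                return True
    if matched:                                # group class matched but granted nothing
        return False
    return req <= acl.other                    # 4. everyone else: other:: entry


# Constructed from the getfacl/ls output above (after the two setfacl -m commands).
DOC_DIR = Acl("abhi", "admin", "rwx", "r-x", "---",
              named_users={"subna": "r-x"}, mask="r-x")
INSTALLATION_MANUAL = Acl("abhi", "admin", "rw-", "r--", "---",
                          named_users={"subna": "rw-"}, mask="rw-")
CREDENTIALS = Acl("abhi", "admin", "rw-", "r--", "---")   # no ACL: mode bits only


def scenario() -> Dict[str, bool]:
    """Who can do what; compare with the cat / Permission denied session above."""
    subna = {"subna"}
    subna_in_admin = {"subna", "admin"}        # the rejected alternative: add her to admin
    return {
        "subna traverses doc":        check_access(DOC_DIR, "subna", subna, "--x"),
        "subna reads manual":         check_access(INSTALLATION_MANUAL, "subna", subna, "r--"),
        "subna writes manual":        check_access(INSTALLATION_MANUAL, "subna", subna, "-w-"),
        "subna reads credentials":    check_access(CREDENTIALS, "subna", subna, "r--"),
        "admin member reads creds":   check_access(CREDENTIALS, "dev", {"admin"}, "r--"),
        "subna-in-admin reads creds": check_access(CREDENTIALS, "subna", subna_in_admin, "r--"),
        "abhi writes credentials":    check_access(CREDENTIALS, "abhi", {"admin"}, "-w-"),
    }


if __name__ == "__main__":
    for what, ok in scenario().items():
        print(f"{what:28s} {'allowed' if ok else 'denied'}")
```

The check stops at the first matching class: a named user entry is decisive even if that user is also a member of a group with more permissions. The "subna-in-admin" result shows the drawback the article describes: membership in admin would grant her read access to credentials through the group:: entry, which the per-file ACL entry avoids.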

Default ACL

  • Default ACL is only applicable to directories
  • Default ACL is very similar to Access ACL, but with two key differences:
    • With a Default ACL set on a directory, the directories and files created inside it inherit the ACL by default.
    • The command used for setting a default ACL (setfacl) expects each entry to be prefixed with 'd:'
  • When a new directory is created inside a directory that has a default ACL applied, the newly created directory (new) gets both its access and its default ACL from the default ACL of its parent directory (art), which can be seen in the snippets below

Step 1: Set a default ACL on the directory (user and group access)

setfacl -m d:u:<username>:<access>,d:g:<groupname>:<access>,d:o:<access>  <file/direc>

setfacl -m d:u:abhi:rw-,d:g:docker:r-x art

Step 2: View the ACL applied to the directory

[root@linux-acl abhi]# ls -ld art
drwxr-xr-x+ 2 root root 4096 Jul 16 20:10 art
[root@linux-acl abhi]# getfacl art
# file: art
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:abhi:rw-
default:group::r-x
default:group:docker:r-x
default:mask::rwx
default:other::r-x

Step 3: Create a directory inside the directory that has the default ACL and view the ACL of the newly created directory

[root@linux-acl abhi]# cd art
[root@linux-acl art]# mkdir new
[root@linux-acl art]# getfacl new
# file: new
# owner: root
# group: root
user::rwx
user:abhi:rw-
group::r-x
group:docker:r-x
mask::rwx
other::r-x
default:user::rwx
default:user:abhi:rw-
default:group::r-x
default:group:docker:r-x
default:mask::rwx
default:other::r-x
  • It can be seen that the default ACL of the parent directory got applied to both the Access and the Default ACL of the newly created directory

Step 4: Create a file inside the parent directory (art)

[root@linux-acl art]# touch check_file
[root@linux-acl art]# getfacl check_file
# file: check_file
# owner: root
# group: root
user::rw-
user:abhi:rw-
group::r-x #effective:r--
group:docker:r-x #effective:r--
mask::rw-
other::r--

Observation:

  • In the case of the newly created file, as mentioned, the access ACL is obtained from the default ACL of the parent directory
  • The default ACL for the user on the directory is rwx and the mask is rwx, but when transferred to the file's access ACL only rw- is transferred. This is the default, expected behavior of ACLs in Linux
  • The term effective shows the effective permission of a group or user after the mask is applied; the mask is the highest privilege a user or group can get for accessing the mentioned file or directory
  • It can be seen that the group had r-x, but since the mask only has rw-, the execute permission became ineffective for the group

What is Mask in ACL?

The mask is the maximum permission allowed for the named users, named groups and the owning group of a file or directory. It caps the permissions set for those users and groups in the ACL; the entries above show the permission as set and, after the mask is applied, the effective one.
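The rwx-to-rw- reduction seen in Step 4 and the #effective annotations both follow from the object-creation rules in acl(5): the default ACL is copied to become the new object's access ACL, and only the user::, mask:: (or group:: when no mask exists) and other:: entries are ANDed with the mode requested by the creating call (0666 for touch, 0777 for mkdir); named user and group entries are copied unchanged, and the umask is not applied when a default ACL is present. The Python below is an added example for this article, not the kernel's or the acl package's code; it reproduces both Step 3 and Step 4 from the default ACL of art shown above. The renderer prints a space before #effective for readability where getfacl prints a tab.

```python
# Added model of how a directory's default ACL becomes the access ACL of a new
# file or subdirectory (object-creation rules in acl(5)), using the art/ values
# above. Constructed example, not the kernel's implementation.
from typing import List, Tuple

Entry = Tuple[str, str, str]   # (tag, qualifier, perm), e.g. ("user", "abhi", "rw-")

FILE_CREATE_MODE = 0o666   # what touch / open(2) asks for
DIR_CREATE_MODE = 0o777    # what mkdir(2) asks for


def bits_to_perm(bits: int) -> str:
    return ("r" if bits & 4 else "-") + ("w" if bits & 2 else "-") + ("x" if bits & 1 else "-")


def and_perm(a: str, b: str) -> str:
    """Bitwise AND of two rwx strings: 'rwx' & 'rw-' -> 'rw-'."""
    return "".join(x if x == y else "-" for x, y in zip(a, b))


def inherit(default_acl: List[Entry], mode: int, is_dir: bool) -> Tuple[List[Entry], List[Entry]]:
    """Return (access ACL, default ACL) of the newly created object.

    Only the entries that correspond to mode bits (user::, mask:: or group::
    when there is no mask, other::) are reduced by the requested creation
    mode. Named user/group entries are copied as-is. The umask plays no role.
    A directory additionally inherits the default ACL itself; a file cannot.
    """
    owner_bits = bits_to_perm((mode >> 6) & 7)
    group_bits = bits_to_perm((mode >> 3) & 7)
    other_bits = bits_to_perm(mode & 7)
    has_mask = any(tag == "mask" for tag, _, _ in default_acl)
    access: List[Entry] = []
    for tag, qual, perm in default_acl:
        if tag == "user" and qual == "":
            perm = and_perm(perm, owner_bits)
        elif tag == "mask" or (tag == "group" and qual == "" and not has_mask):
            perm = and_perm(perm, group_bits)
        elif tag == "other":
            perm = and_perm(perm, other_bits)
        access.append((tag, qual, perm))
    return access, (list(default_acl) if is_dir else [])


def render(access: List[Entry], default: List[Entry]) -> List[str]:
    """getfacl-style lines, with '#effective:' where the mask cuts an entry down."""
    def lines(entries: List[Entry], prefix: str) -> List[str]:
        mask = next((p for t, _, p in entries if t == "mask"), None)
        out = []
        for tag, qual, perm in entries:
            line = f"{prefix}{tag}:{qual}:{perm}"
            # the mask applies to named users, named groups and the owning group
            subject_to_mask = mask is not None and (qual != "" or tag == "group")
            if subject_to_mask and and_perm(perm, mask) != perm:
                line += f" #effective:{and_perm(perm, mask)}"
            out.append(line)
        return out
    return lines(access, "") + lines(default, "default:")


# Constructed from 'getfacl art' above (Step 2).
ART_DEFAULT: List[Entry] = [
    ("user", "", "rwx"), ("user", "abhi", "rw-"), ("group", "", "r-x"),
    ("group", "docker", "r-x"), ("mask", "", "rwx"), ("other", "", "r-x"),
]


def new_file_in_art() -> List[str]:
    """Step 4: touch check_file inside art."""
    return render(*inherit(ART_DEFAULT, FILE_CREATE_MODE, is_dir=False))


def new_dir_in_art() -> List[str]:
    """Step 3: mkdir new inside art."""
    return render(*inherit(ART_DEFAULT, DIR_CREATE_MODE, is_dir=True))


if __name__ == "__main__":
    print("touch check_file ->")
    print("\n".join(new_file_in_art()))
    print("mkdir new ->")
    print("\n".join(new_dir_in_art()))
```

One point worth remembering when auditing such directories: on an object that carries an ACL, the group bits shown by ls -l are the mask, not the owning group's entry, so a plain chmod on the group bits rewrites the mask and silently reduces the effective rights of every named user and named group at once.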


Remove ACL from file/directory

  • Remove all ACLs (access + default) from a file/directory

setfacl -b <file/dir>

  • Remove a particular user/group entry from the ACL of a file or directory (access & default)

setfacl -x user:<username>,group:<groupname> <file/dir>
setfacl -x d:user:<username>,d:group:<groupname> <dir>

setfacl -x user:abhi sample_file
setfacl -x d:group:docker asci_dir

  • Remove only the default ACL from a directory (the access ACL remains unchanged)

setfacl -k <dir>

setfacl -k asci_dir
