ACL Mask Value in Linux: Explained with Examples (Access Control Lists Mask)

ACL provides much more flexibility in setting up accessibility to a file or directory. Before you go through this article, it is assumed that you have basic knowledge on Linux ACL.

What is Masks in ACL

Masks are the highest/maximum permission allowed for a user/group. It overrides the permission setup by normal acl entries for a file/directories.

  • When we do getfacl, we will seeing the mask and the effective permission caused by the mask.
  • From the below code snippet, it can be seen that even though the group docker have r-x permission to the file check_file, but because of the mask rw-, the effective permission will be reduced to r--
[root@linux-acl art]# touch check_file
[root@linux-acl art]# getfacl check_file
# file: check_file
# owner: root
# group: root
user::rw-
user:abhi:rw-
group::r-x #effective:r--
group:docker:r-x #effective:r--
mask::rw-
other::r--
  • When an acl is set to a file or directory, a mask will get assigned automatically to the directory/file

How mask get its permission ?

  • mask takes the union of the permission given to users and groups. See below two example to get more insights

Example 1

  • Directory abhi is having read permisison (r- - r - - - - - ) for user and group
  • Assigning an acl for user abhi with read and write permission (rw-)
  • Mask will be read and write(rw),  the union of (r - -,r - -)&(rw-)
[root@linux-acl tmp]# mkdir abhi
#assigning r-- r--
[root@linux-acl tmp]# chmod 440 abhi
#assigning rw- via acl for user
[root@linux-acl tmp]# setfacl -m u:abhi:rw- abhi
# union of r--,r-- & rw- is rw-; so mask will rw-
[root@linux-acl tmp]# getfacl abhi
# file: abhi
# owner: root
# group: root
user::r--
user:abhi:rw-
group::r--
mask::rw-
other::---

Example 2

  • Directory axe is having read and execute permisison (r-xr-x- - -) for user and group
  • Assigning an acl for group docker with read and write permission (rw-)
  • Mask will be read, write and execute (rwx), the union of (r-x,r-x)&(rw-)
[root@linux-acl tmp]# mkdir axe
[root@linux-acl tmp]# ls -dl axe
drwxr-xr-x. 2 root root 4096 Jul 16 21:35 axe
#assigning r-x,r-x
[root@linux-acl tmp]# chmod 550 axe
#assigning rw- via acl for group
[root@linux-acl tmp]# setfacl -m g:docker:rw- axe
#union of r-x,r-x & rw- is rwx; so mask will be rwx
[root@linux-acl tmp]# getfacl axe
# file: axe
# owner: root
# group: root
user::r-x
group::r-x
group:docker:rw-
mask::rwx
other::---

Example 3

  • Directory key is having read  permisison for user and read write for group (r- -,rw- - - -)
  • Assigning an acl for user abhi with read  (r- -)
  • Mask will be read, write (rw-), the union of (r--,rw-)&(r-)
[root@Linux-Data-Hub tmp]# mkdir key
#assigning r--,rw-
[root@Linux-Data-Hub tmp]# chmod 460 key
#assigning r-- via acl for user
[root@Linux-Data-Hub tmp]# setfacl -m u:abhi:r key
#union of r--,rw- & r-- is rw-; so mask will be rw-
[root@Linux-Data-Hub tmp]# getfacl key
# file: key
# owner: root
# group: root
user::r--
user:abhi:r--
group::rw-
mask::rw-
other::---

Mask during default acl

  • Default acl is applied to directory, so that new directories and files created in the directory will automatically get an acl applied to it.
  • In case of directory the default acl will be applied to both default and access acl
  • Mask also will be same as the mask in the default acl of the parent directory
  • In case of file, the default acl of the parent directory will be applied as access acl of the file. But as we have seen in acl behavior, if the default acl is having execute access for user. It will not be transferred to the newly created file. Same is the case for mask also
  • Below example shows all these behavior

Example:

  • directory black-box is having read access for user and group (r- - ,r- - )
  • ACL for user abhi with read and write access is given (rw-)
  • Default ACL for group docker with read and execute (r-x)is given
  • For access ACL , the mask will be rw-, since union of (r- -,r- -) & (rw-) is (rw-)
  • For Default ACL, the mask will be r-x, since union of (r- -,r- -) & (r-x) is (r-x)
[root@Linux-Data-Hub tmp]# mkdir black-box
#assigning r--,r--
[root@Linux-Data-Hub tmp]# chmod 440 black-box/
#assigning rw- via access acl for user
[root@Linux-Data-Hub tmp]# setfacl -m u:abhi:rw- black-box/
#assigning r-x via default acl for group 
[root@Linux-Data-Hub tmp]# setfacl -m d:g:docker:r-x black-box/
# See cmd output in line for explanation
[root@Linux-Data-Hub tmp]# getfacl black-box/
# file: black-box/
# owner: root
# group: root
user::r--
user:abhi:rw-
group::r--
#union of r--,r-- & rw- is rw-; so mask will be rw-
mask::rw-
other::---
default:user::r--
default:group::r--
default:group:docker:r-x
#union of r--,r-- & r-x is r-x; so mask will be r-x
default:mask::r-x
default:other::---

Example (Contd)

  • Create a directory inside the parent directory where default acl is present
  • It can be seen that the default acl including mask from the parent directory  will be transferred to the newly created directory (access and default)
  • Create a file inside the parent directory where default acl is present
  • It can be seen that the default acl including mask from the parent directory will be transferred to the newly created file. But the execute permission of the mask and the user will not be transferred.
  • Below example shows the same
[root@Linux-Data-Hub tmp]# getfacl black-box/
# file: black-box/
# owner: root
# group: root
user::r--
user:abhi:rw-
group::r--
mask::rw-
other::---
default:user::r--
default:group::r--
default:group:docker:r-x
default:mask::r-x
default:other::---
[root@Linux-Data-Hub tmp]# cd black-box/
[root@Linux-Data-Hub black-box]# mkdir teams
#default ACL (including mask) is transferred to the new directory
[root@Linux-Data-Hub black-box]# getfacl teams
# file: teams
# owner: root
# group: root
user::r--
group::r--
group:docker:r-x
mask::r-x
other::---
default:user::r--
default:group::r--
default:group:docker:r-x
default:mask::r-x
default:other::---

[root@Linux-Data-Hub black-box]# touch notepad
# Default ACL (including mask) is transferred. But the execute permission of the mask will not be transferred from the default acl
[root@Linux-Data-Hub black-box]# getfacl notepad
# file: notepad
# owner: root
# group: root
user::r--
group::r--
group:docker:r-x #effective:r--
mask::r--
other::---

Change ACL mask

  • ACL mask can be changed using 2 ways
    • Using chmod and setting permission to group
    • Using setfacl

Using chmod

  • When permission of the group for a file or directory is changed, it directly changes the mask .
[root@linux-acl tmp]# chmod 760 abhi
[root@linux-acl tmp]# getfacl abhi
# file: abhi
# owner: root
# group: root
user::rwx
user:abhi:rw-
group::r--
mask::rw-
other::---

[root@linux-acl tmp]# chmod 740 abhi
[root@linux-acl tmp]# getfacl abhi
# file: abhi
# owner: root
# group: root
user::rwx
user:abhi:rw- #effective:r--
group::r--
mask::r--
other::---

[root@linux-acl tmp]# chmod 700 abhi
[root@linux-acl tmp]# getfacl abhi
# file: abhi
# owner: root
# group: root
user::rwx
user:abhi:rw- #effective:---
group::r-- #effective:---
mask::---
other::---

Using setfacl

  • mask can be overridden by setfacl command

setfacl -m m::<perm> <file/dire>

[root@linux-acl tmp]# setfacl -m m::r-x abhi
[root@linux-acl tmp]# getfacl abhi
# file: abhi
# owner: root
# group: root
user::rwx
user:abhi:rw- #effective:r--
group::r--
mask::r-x
other::---

Readmore:

Search on LinuxDataHub

Leave a Comment