The Geek Diary

How to Configure ACL(Access Control Lists) in Linux FileSystem

by

Traditional Linux access permissions for files and directories consist of setting a combination of read, write, and execute permissions for the owner of the file or directory, a member of the group the file or directory is associated with, and everyone else (other). Access control lists (ACLs) provide a finer-grained access control mechanism than these traditional Linux access permissions.

Installing ACL

Before using ACLs for a file or directory, install the acl package: 

# yum install acl

Configuring ACL on a file system

The file system containing the file or directory must also be mounted with ACL support. The following is the syntax to mount a local ext3 file system with ACL support:

# mount -t ext3 -o acl [device-name] [mount-point]

For example:

# mount -t ext3 -o acl /dev/mapper/VolGroup00-LogVol00 /data

If the partition is listed in the /etc/fstab file, include the acl option:

# vi /etc/fstab
LABEL=/data    /data    ext3    acl     0    0

ACL Rules

An ACL consists of a set of rules that specify how a user or group can access the file or directory the ACL is associated with. There are two types of ACL rules:

  1. access ACLs: Specify access information for a single file or directory
  2. default ACLs: Pertain to a directory only. It specifies default access information for any file within the directory that does not have an access ACL.

Display ACLs on files

Use the getfacl utility to display a file’s ACL. When a file does not have an ACL, it displays the same information as ‘ls –l’, although in a different format. For example, the file test does not have an ACL:

# ls –l test
-rw-rw-r-- 1 oracle oracle 25 Mar 5 10:10 test

Sample getfacl output of the test file:

# getfacl test 
# file: test
# owner: oracle 
# group: oracle 
user::rw- 
group::rw- 
other::r--

Configuring ACLs on Files

Use the setfacl utility to add or modify one or more rules in a file’s ACL. The syntax is: 

# setfacl -m [rules] [files]

The rules are in the following form:

  • u:name:permissions: Sets the access ACL for a user (username or UID)
  • g:name:permissions: Sets the access ACL for the group (group name or GID)
  • m:permissions: Sets the effective rights mask. This is the union of all permissions of the owning group and all of the user and group entries.
  • o:permissions: Sets the access ACL for everyone else (others)

The permissions are the traditional r, w, and x for read, write, and execute, respectively. The following example adds a rule to the ACL for the test file that gives the oracle user read and write permission to that file:

# setfacl -m u:oracle:rwx test

The output of getfacl includes the ACL rule:

# getfacl test 
# file: test
# owner: oracle 
# group: oracle 
user::rw- 
user:oracle:rwx 
group::rw- 
mask::rwx 
other::r--

When a file has an ACL, ‘ls –l’ displays a plus sign (+) following the permissions: 

# ls –l test
-rw-rwxr--+ 1 oracle oracle 25 Mar 5 10:10 test

Removing ACLs of Files

Use the –x option without specifying any permissions to remove rules for a user or group. 

# setfacl –x u:oracle test

To remove the ACL itself, use the -b option: 

# setfacl –b test

Setting the Default ACLs

To set a default ACL, add d: before the rule and specify a directory instead of a file name: 

# setfacl -m d:o:rx /share
UNIX/Linux : Access control lists (ACLs) basics

You May Also Like