The file access control lists (FACLs) or simply ACLs are the list of additional user/groups and their permission to the file. Although the default file permissions does their jobs perfectly, it does not allow you to give permissions to more than one user or one group on the same file.
How to know when a file has ACL attached to it
ls -l command would produce a output as show below. Note the + sign at the end of the permissions. This confirms that the file has an ACL attached to it.
# ls -l -rw-r--r-+ 1 root root 0 Sep 19 14:41 file
To display details ACL information of a file use the getfacl command. If you see carefully, the users sam and john have some extra permissions (shown highlighted). The default user/group permissions are specified using “user::permission” and “group::
# getfacl /tmp/test # file: test # owner: root # group: root user::rw- user:john:rw- user:sam:rwx group::r-- mask::rwx other:---
In contrast, if you check the ACLs on a a file with “no ACLs” the additional “user:” lines and “mask” line will not be shown and standard file permissions will be shown. :
# getfacl test # file: test # owner: root # group: root user::rw- group::r-- other::r--
Creating and Managing FACLs
The setfacl command is used to set ACL on the given file. To give a rw access to user john on the file /tmp/test :
# setfacl -m u:john:rw /tmp/test
The -m option tells setfacl to modify ACLs on the file(s) mentioned in command line. Instead of user john we can have a group to have a specific permission on the file :
# setfacl -m g:accounts:rw /tmp/test
FACLs for multiple user and groups can also be set with single command :
# setfacl -m u:john:rw,g:accounts:rwx /tmp/test
By setting a default ACL, you’ll determine the permissions that will be set for all new items that are created in the directory. But the permissions of existing files and subdirectories remains same.
To create a default FACL on a directory :
# setfacl -m default:u:john:rw /accounts
Notice the default permissions in the getfacl command :
# getfacl accounts/ # file: accounts/ # owner: root # group: root user::rwx group::r-x other::r-x default:user::rwx default:user:john:rw- default:group::r-x default:mask::rwx default:other::r-x
To remove ACLs, use the setfacl command with -x option :
# setfacl -x u:john /tmp/test
The above command removes the ACL for the user john on the file /tmp/test. The ACLs for other user/groups if any remains unaffected. To remove all ACLs associated to a file use the -b option with setfacl :
# setfacl -b /tmp/test