Access control lists, also known as ACLs, allow finer-grained access rights on files and directories than the regular ugo/rwx permission bits. In Linux every file has one owner, one group and one set of permission bits, which gets awkward as soon as several users from different groups need different access to the same file. The file access control lists (FACLs), or simply ACLs, are a list of additional users and groups, each with their own permissions, attached to the file.
The standard ugo/rwx permissions cannot express different permissions for several individual users or groups. With ACLs this is relatively easy to do.
In this article I will show you how to set ACLs on a Linux/UNIX system.
Check That the File System Supports ACLs
First of all make sure that your file systems currently support ACLs, i.e. that they are mounted with the acl option. For ext2/ext3/ext4 file systems the tune2fs command shows the default mount options recorded in the superblock:
# tune2fs -l /dev/sda1 | grep "Default mount options:"
Default mount options:    user_xattr acl
If the output does not list acl, the file system is in most cases being mounted without ACL support because of a noacl option in /etc/fstab. In that case remove the noacl option, then unmount and mount the file system again (or reboot) so that the change to /etc/fstab takes effect.
Recent distributions enable ACL support by default (since the 2.6 kernels), so it is not mandatory to add it to /etc/fstab (or similar). A non-exhaustive list of file systems concerned: ext3, ext4, tmpfs, xfs and btrfs. ZFS on Linux is the exception: POSIX ACLs only work on a dataset whose acltype property is set to posixacl. The kernel itself must be built with CONFIG_FS_POSIX_ACL, which every mainstream distribution kernel is.
If you have an older setup you may have to recompile the kernel and/or add acl to /etc/fstab. fstab example:
/dev/root / ext4 acl,errors=remount-ro 0 1
To see which mounted file systems carry an explicit ACL mount option, use:
# mount | grep -i acl
On current systems this often prints nothing even though ACLs work, because acl is the default and no longer appears among the mount options; a noacl in the output, on the other hand, is a definite sign that ACLs are switched off for that file system.
To complete this tutorial I am going to create a group named "web" and two users named "neo" and "paul".
# groupadd web
# useradd neo
# useradd paul
Add the users to the web group.
# usermod -a -G web neo
# usermod -a -G web paul
Now, for testing purposes, create a file in the /tmp directory, hand it to the web group and give that group full access (chgrp takes the group name as its first argument):
# touch /tmp/test.txt
# chgrp web /tmp/test.txt
# chmod 770 /tmp/test.txt
With these permissions neo and paul, as members of web, can write to /tmp/test.txt, while every other non-root user gets nothing, since other is ---. For example (each > overwrites the previous contents):
# su - neo
$ echo "Neo is a hero of Matrix movie" > /tmp/test.txt
$ exit
# su - paul
$ echo "Paul is player of Taken3 game" > /tmp/test.txt
$ exit
Set ACLs in Linux
There are two types of ACLs:
1. Access ACLs, which are applied to a file or directory and decide who may access it, and
2. Default ACLs (optional), which can only be applied to a directory.
A default ACL does not grant any access to the directory itself. It is copied to every file and subdirectory created inside that directory from then on: new files receive it as their access ACL, new subdirectories receive it both as their access ACL and as their own default ACL. Files that already existed before the default ACL was set are not touched.
Now create a new user named sagar (with useradd, as above) and give that user read and write access to /tmp/test.txt. First check the current ACL settings with getfacl:
# getfacl /tmp/test.txt
# file: tmp/test.txt
# owner: root
# group: web
user::rwx
group::rwx
other::---
Next, change the ACL on the file with setfacl -m (modify). Use u: followed by the user name and :rw to indicate read/write permissions:
# setfacl -m u:sagar:rw /tmp/test.txt
Now run getfacl again to compare the result.
# getfacl /tmp/test.txt
# file: tmp/test.txt
# owner: root
# group: web
user::rwx
user:sagar:rw-
group::rwx
mask::rwx
other::---
Two things changed. The user:sagar:rw- entry is the one we asked for. The mask::rwx entry was added automatically: the mask caps the permissions that named users, the owning group and named groups actually get. Here it is rwx, so sagar's rw- is fully effective. If someone later ran chmod g-w on this file, the group bits of the mode would change the mask rather than the group entry, and getfacl would flag the affected entries with #effective:r--. So always read the mask line, not just the named entries, when judging who can do what. (ls -l shows a + after the mode bits on any file that carries such extended entries.) As you can now see, user sagar is able to write to the file:
# su - sagar
$ echo "My name is sagar" >> /tmp/test.txt
Let's set a default ACL on a directory using the d: prefix with setfacl. Create the directory (as root, with the usual umask of 022, it gets mode 755) and a file inside it before setting the default ACL:
# mkdir /tmp/test
# touch /tmp/test/test.txt
# getfacl /tmp/test
# file: tmp/test
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# setfacl -m d:o:r /tmp/test
# getfacl /tmp/test
# file: tmp/test
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::r-x
default:other::r--
The access entries are unchanged; setfacl created the default ACL by copying them and then applied our d:o:r change to the default other entry. This default ACL gives users who are neither the owner nor in the owning group read access to the future contents of /tmp/test: every file created in it from now on gets other::r-- (ANDed with the mode the creating program asks for, 0666 in the case of touch), and the creating process's umask is ignored once a directory carries a default ACL. Two consequences are worth checking for yourself: /tmp/test/test.txt, created before the default ACL, keeps the permissions it had, and a user whose umask of 077 would normally produce private files will still create world-readable ones inside this directory. Note the difference in the output of getfacl /tmp/test before and after setting the ACL.
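Two details decide what an ACL actually permits: the mask entry caps every named-user and group entry, and a default ACL is ANDed with the create mode (not the umask) when a new file appears. Both can be checked without touching a file system. The following Python script is an added example and not part of the original tutorial: it parses the text that getfacl prints, runs the POSIX.1e access check described in acl(5) over it, and computes the access ACL a new file would inherit from a directory's default ACL. The getfacl outputs embedded in it are constructed to mirror /tmp/test.txt and /tmp/test from this tutorial; the user and group names are the tutorial's.

```python
"""POSIX ACL evaluation from getfacl(1) output (added example, constructed data)."""
R, W, X = 4, 2, 1  # permission bits, the same values as octal mode digits


def perm_bits(text):
    """'rw-' -> 6 (getfacl prints exactly three characters per entry)."""
    return (R if "r" in text else 0) | (W if "w" in text else 0) | (X if "x" in text else 0)


def parse_getfacl(output):
    """Parse getfacl output (one or more '# file:' records) into dicts with keys file,
    owner, group, access, default; entries are (tag, qualifier, bits) tuples such as
    ("user", "sagar", 6). Trailing '#effective:' annotations are dropped, not trusted."""
    records, current = [], None
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):  # header comment: '# file:', '# owner:', '# group:', ...
            key, _, value = line[1:].strip().partition(":")
            if key == "file":
                current = {"file": value.strip(), "owner": None, "group": None,
                           "access": [], "default": []}
                records.append(current)
            elif key in ("owner", "group") and current is not None:
                current[key] = value.strip()
            continue
        entry = line.split("#", 1)[0].strip()
        which = "default" if entry.startswith("default:") else "access"
        tag, qualifier, perms = entry.removeprefix("default:").split(":", 2)
        current[which].append((tag, qualifier, perm_bits(perms)))
    return records


def check_access(record, user, groups, wanted):
    """acl(5) access check, tried in order: owner, named user, group class, other.
    groups holds every group name of the caller; wanted is a bit set such as R | W.
    Owner and other are never masked; named users and all group entries are ANDed
    with mask:: when that entry exists."""
    acl = record["access"]
    mask = next((b for t, q, b in acl if t == "mask"), None)
    masked = (lambda b: b) if mask is None else (lambda b: b & mask)
    granted = lambda bits: wanted & bits == wanted
    if user == record["owner"]:
        return granted(next(b for t, q, b in acl if t == "user" and q == ""))
    for t, q, b in acl:
        if t == "user" and q == user:
            return granted(masked(b))
    # group:: is the owning group, group:NAME: a named one; any match holding all bits wins
    matching = [b for t, q, b in acl if t == "group" and (q or record["group"]) in groups]
    if matching:
        return any(granted(masked(b)) for b in matching)
    return granted(next(b for t, q, b in acl if t == "other"))


def inherit_access_acl(record, mode):
    """Access ACL a new object gets under this directory's default ACL (acl(5)): the
    default ACL is copied, then the create mode (0666 for touch, 0777 for mkdir) is
    ANDed in: owner bits into user::, other bits into other::, group bits into mask::
    if present, else into group::. The umask plays no part. None if no default ACL."""
    default = record["default"]
    if not default:
        return None
    group_key = ("mask", "") if any(t == "mask" for t, _, _ in default) else ("group", "")
    clamp = {("user", ""): (mode >> 6) & 7, group_key: (mode >> 3) & 7, ("other", ""): mode & 7}
    return [(t, q, b & clamp.get((t, q), 7)) for t, q, b in default]


# Constructed getfacl output for /tmp/test.txt after 'setfacl -m u:sagar:rw'.
SAMPLE_FILE = """\
# file: tmp/test.txt
# owner: root
# group: web
user::rwx
user:sagar:rw-
group::rwx
mask::rwx
other::---
"""
# The same file after 'chmod g-w': the group bits land in mask::, and getfacl
# annotates the entries whose effective permissions shrank (sagar's shown here).
SAMPLE_FILE_MASKED = SAMPLE_FILE.replace("mask::rwx", "mask::r--").replace(
    "user:sagar:rw-", "user:sagar:rw-    #effective:r--")
# Constructed output for the directory after 'setfacl -m d:o:r /tmp/test'.
SAMPLE_DIR = """\
# file: tmp/test
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::r-x
default:other::r--
"""

if __name__ == "__main__":
    print(check_access(parse_getfacl(SAMPLE_FILE_MASKED)[0], "sagar", ["sagar"], W))  # False
    print(inherit_access_acl(parse_getfacl(SAMPLE_DIR)[0], 0o666))  # [('user', '', 6), ('group', '', 4), ('other', '', 4)]
```

Run it with python3 to see that sagar's rw- entry is worth only r-- once the mask is lowered, and that a file touched under the default ACL ends up user::rw-, group::r--, other::r--. To audit a real tree, feed the output of getfacl -R into parse_getfacl and ask check_access who can write where; this is a handy way to find entries that look generous in getfacl output but are neutralised by the mask, or the reverse.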
Now let's remove ACL entries. Named entries are removed with setfacl -x, which takes the entry without a permission field; for the sagar entry from earlier:
# setfacl -x u:sagar /tmp/test.txt
The three base entries (owner, group and other) of an ACL cannot be removed one at a time, so to get rid of the default ACL on /tmp/test drop it as a whole with -k:
# setfacl -k /tmp/test
To strip every extended entry at once (all named users and groups, the mask and the default ACL), leaving only the plain ugo/rwx bits, use -b:
# setfacl -b /tmp/test
Some backup software does not copy the extended attributes that hold the FACLs (GNU tar needs --acls and rsync needs -A to do so), so you may want to back up the FACL information separately. The ACLs of all files in a directory, including every subdirectory, can be written to a single file:
# cd /tmp/test
# getfacl -R * > test-bkp_facl
-R means recursive. Two caveats: the * glob skips dot files and the directory itself, and the paths in the dump are relative to the current directory, so the restore has to be run from the same place. getfacl -p (--absolute-names) keeps the leading / in the # file: lines if you would rather restore from anywhere.
Restore ACLs From Backup File
Use the following command to restore the ACLs from the backup file. --restore is the one setfacl mode that takes no file arguments; it reads the file names from the dump. Because the dump also carries the # owner: and # group: comments, running the restore as root puts back the owner and owning group of each file as well.
# setfacl --restore=test-bkp_facl