Setting up Access Control Lists (ACL) on Linux


How to configure Access Control Lists (ACLs) on Linux
In this article, we help you understand Access Control Lists in Linux.

Why do we need ACL?

  1. The default (traditional) file permissions in Linux have some limitations.
  2. Default permissions can be set only for one owner, one group and other users, so different permissions cannot be configured for several different users and groups. Access Control Lists (ACLs) were implemented to solve this.

For example, let us assume that the owner of a file is "user1" and the group of the file is "dba". You are asked to give user2 access as well, without changing the ownership.
We cannot give full access through the "others" permission bits; that is not recommended for security reasons. The other option would be adding user2 to the dba group, but then every other member of the dba group would get the same permission.

To overcome this situation, we use Access Control Lists (ACLs) in Linux.


ACLs can be used as an extension of the traditional file permission concept. They allow permissions to be granted to individual users or groups.

Access control lists are a feature of the Linux kernel and are currently supported by the ReiserFS, Ext2, Ext3, JFS, and XFS filesystems. Older Linux kernel versions required the ACL feature to be enabled when mounting the filesystem; nowadays this is not required.

Managing or accessing ACLs in Linux

With "getfacl" and "setfacl" on the command line, we can manage the ACL in Linux. The usage of these commands is demonstrated in the following examples.

Viewing or checking the existing ACL permission:

With "getfacl", we can view the existing ACL permissions of a file or directory. The syntax of the command is
getfacl myfolder1
where myfolder1 is the directory name.
The above command gives output like the following:
# file: myfolder1
# owner: user1
# group: dba
user::rwx
group::r-x
other::---
The first three output lines display the name, owner, and owning group of the directory. The next three lines contain the three base ACL entries: owner, owning group, and other. No additional ACL entries are set here.

Setting up the Access Control Lists (ACL):

To modify an ACL, use the "setfacl" command. To add permissions, use "setfacl -m".

Add permissions to some user:
# setfacl -m "u:username:permissions"
# setfacl -m "u:uid:permissions"
setfacl -m u:user1:r-x mydata
Add permissions to some group:
# setfacl -m "g:groupname:permissions"
# setfacl -m "g:gid:permissions"
setfacl -m g:sales:r-- mydata
Remove all extended ACL permissions:
# setfacl -b myfolder
The above command will delete all extended ACL permissions and will keep only default file permissions.

Remove each entry:
# setfacl -x "entry"
setfacl -x u:user1 mydata
Let us take an example for a clearer understanding. Modify the permissions with an ACL to assign read, write, and execute permissions to an additional user "user2" and an additional group "admin".

Add permissions to user "user2" and group "admin":
# setfacl -m "u:user2:rwx,g:admin:rwx" myfolder1
Check the permissions:
getfacl myfolder1
# file: myfolder1
# owner: user1
# group: dba
user::rwx
user:user2:rwx
group::r-x
group:admin:rwx
mask::rwx
other::---
In addition to the entries for the user "user2" and the group "admin", a mask entry has been generated. The mask entry is set automatically so that all permissions are effective. setfacl automatically adapts existing mask entries to the settings modified, unless you deactivate this feature with -n.

To identify whether an ACL is set or not, use the "ls -l" command:
drwxrwx---+ ... user1 dba ... myfolder1
The first column of the output contains an additional "+" to indicate that there is an extended ACL for this item. If it is set, use the "getfacl" command to see the details.

According to the output of the ls command, the permissions for the mask entry include write access. Traditionally, such permission bits would mean that the owning group "dba" also has write access to the directory myfolder1. But with an ACL, the group-class bits shown by ls reflect the mask entry, not the owning group's own entry: the actual permission for "dba" is still "r-x", and the write bit comes from the mask covering the other group "admin".

As far as the effective permissions of the owning group in this example are concerned, nothing has changed even after the addition of the ACL entries.

The mask entry can be edited with setfacl or chmod. For example, use chmod g-w myfolder1. ls -dl myfolder1 then shows:
drwxr-x---+ ... user1 dba ... myfolder1
getfacl myfolder1 provides the following output:
# file: myfolder1
# owner: user1
# group: dba
user::rwx
user:user2:rwx          # effective: r-x
group::r-x
group:admin:rwx         # effective: r-x
mask::r-x
other::---
After executing the chmod command to remove the write permission from the group-class bits, the output of the ls command is sufficient to see that the mask bits must have changed accordingly: write permission is again limited to the owner of myfolder1. The output of getfacl confirms this. It includes a comment for every entry whose effective permission bits do not correspond to the original permissions, because they are filtered by the mask entry. The original permissions can be restored at any time with chmod g+w myfolder1.

That's all about Setting up Access Control Lists (ACL) on Linux.

December 13, 2015
