Access Control List

An access control list (ACL) provides an additional, more flexible permission mechanism for the Linux file system. Standard Linux file permissions (the rwx mode bits) can only express rights for a single owning user, a single owning group, and everyone else.

ACLs let you manage user permissions effectively at a granular level. Let's understand standard Linux file permissions first.

Let's say we have a Linux server on which we created a group called developers, and this group has the following users assigned to it:

  • sandip
  • john
  • brad

User sandip logs into the Linux server and creates a file called test.txt. Looking at the file's current permissions (mode rwxrwxrwx, i.e. 777), every user on the system can read, write and execute it.

Imagine that brad, a member of the developers group, is a bad actor and we want to prevent him from accessing this file at all: this one specific user should have no permissions whatsoever. How do we do this?

With chmod you cannot set permissions per user, nor exclude one specific user (or a subset of users) within a group, and this is where ACLs come into play.

Using ACLs you can define granular permissions: you can grant (or deny) permissions to multiple users and groups, identified by user name, group name, UID or GID.

What is the getfacl command in Linux?

To manage ACLs, the first command you need to learn is getfacl, which shows the ACL of a given file or directory.

In our example, let's look at the ACL info for the test.txt file created by sandip (getfacl test.txt).

getfacl gives you the following crucial information about a file or directory:

  • the name of the file
  • the name of the file owner
  • the name of the owning group
  • the user, group and other entries (plus any named user, named group and mask entries once extended ACL entries exist)

What is the setfacl command in Linux?

setfacl is used to set ACLs on the Linux file system. Before using it, ACL support has to be available on the file system, otherwise you will get an "Operation not supported" error. ext4, XFS and Btrfs have ACLs enabled by default on current kernels; on older systems the file system may need to be mounted with the acl option. The getfacl and setfacl binaries come from the acl package, which may need to be installed.

In our example all users currently have access to test.txt; we want to prevent brad, from the developers group, from having any access to this file.

Using setfacl we will remove all access to test.txt from user brad:

# remove all permissions for brad user for test.txt file
setfacl -m u:brad:- test.txt

A dash in the permissions field is ignored by setfacl, so u:brad:- sets an entry with no permissions (u:brad:--- or u:brad:0 mean the same). Once you have issued the above command, check the file info again with getfacl test.txt:

Now you can see that a new entry, user:brad:---, has been added to the existing output, which indicates that the file now has an ACL entry for user brad.

--- means no permissions at all, so user brad will not be able to read, write or execute this file. Two side effects are worth noting: setfacl also inserted a mask::rwx entry, and ls -l now shows a + after the mode bits to flag that the file carries extended ACL entries.

Is brad really locked out now? Yes. A common misreading of the new column that appeared in the output, the mask entry, is that it overrides brad's entry:

mask::rwx

It does not. The mask is an upper bound, not a grant: the effective permissions of a named user entry are the entry's bits ANDed with the mask's bits, and --- ANDed with rwx is still ---. Access is decided by the first matching entry, in the order owner, named user, owning group and named groups, other. Because brad matches the named user entry, the rwx of the other:: entry is never consulted for him.

The mask associated with an ACL limits the set of permissions that can be granted to named users, named groups and the owning group, but has no effect on the permissions of the file owner or of the other class. setfacl recomputes the mask automatically whenever you add or change an entry (unless you pass -n), and whenever a mask exists, ls -l shows the mask, not the owning group's entry, in the group position of the mode.

The mask therefore caps, but never extends, the permissions of named users, named groups and the owning group. To actually grant or deny access, edit the corresponding entry; to narrow everyone in the group class at once, narrow the mask.
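To make the evaluation order and the mask arithmetic concrete, here is an added example (written for this article; it is not code from the original page or from the acl tools) that parses a constructed getfacl listing matching the scenario above and evaluates access the way the kernel's POSIX ACL check does. The listing, the additional users john and alice, and their group memberships are assumptions made for illustration; narrow_mask() mimics what setfacl -m m::r-x would do to the mask.

```python
"""Evaluate POSIX ACL access from getfacl output, kernel-style.

Added example for this article (not code from the page or from the acl tools).
The getfacl listing is constructed to match the article's scenario: test.txt
owned by sandip, group developers, mode rwxrwxrwx, after
`setfacl -m u:brad:- test.txt`. The users john and alice and the group
memberships below are assumptions made for illustration.
"""
import re

# Constructed getfacl output (what `getfacl test.txt` prints for the scenario above).
GETFACL_OUTPUT = """\
# file: test.txt
# owner: sandip
# group: developers
user::rwx
user:brad:---
group::rwx
mask::rwx
other::rwx
"""

# Assumed group memberships (assumption for illustration).
GROUPS = {
    "sandip": {"developers"},
    "john": {"developers"},
    "brad": {"developers"},
    "alice": {"staff"},
}

# One ACL entry line; getfacl may append "#effective:..." when the mask narrows an entry.
ENTRY_RE = re.compile(r"^(user|group|mask|other):([^:]*):([rwx-]{3})(?:\s+#effective:[rwx-]{3})?$")


def parse_getfacl(text):
    """Parse long-form getfacl output into a dict (permissions kept as rwx strings)."""
    acl = {"users": {}, "groups": {}, "mask": None}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):                       # header lines: file / owner / group
            key, _, value = line[1:].partition(":")
            if key.strip() in ("file", "owner", "group"):
                acl[key.strip()] = value.strip()
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ACL line: {line!r}")
        tag, qualifier, perms = m.groups()
        if tag == "user" and qualifier == "":
            acl["user_obj"] = perms                    # the owner's entry
        elif tag == "user":
            acl["users"][qualifier] = perms            # named user entry
        elif tag == "group" and qualifier == "":
            acl["group_obj"] = perms                   # the owning group's entry
        elif tag == "group":
            acl["groups"][qualifier] = perms           # named group entry
        elif tag == "mask":
            acl["mask"] = perms
        else:
            acl["other"] = perms
    return acl


def masked(perms, mask):
    """Apply the mask: a bit survives only if it is set in both the entry and the mask."""
    if mask is None:
        return perms
    return "".join(p if p in mask else "-" for p in perms)


def grants(perms, want):
    """True if every requested bit (e.g. "rw") is present in perms."""
    return all(bit in perms for bit in want)


def check_access(acl, user, groups, want):
    """Decide access like the kernel: the first matching class decides.

    Order: owner, named user, (owning group + named groups), other.
    The mask caps named users, named groups and the owning group, never the
    owner or the other class.
    """
    if user == acl["owner"]:
        return grants(acl["user_obj"], want)
    if user in acl["users"]:
        return grants(masked(acl["users"][user], acl["mask"]), want)
    matched_group = False
    candidates = [(acl["group"], acl["group_obj"])] + list(acl["groups"].items())
    for gname, perms in candidates:
        if gname in groups:
            matched_group = True
            if grants(masked(perms, acl["mask"]), want):
                return True
    if matched_group:
        return False     # a group entry matched but none granted: no fall-through to other
    return grants(acl["other"], want)


def effective_perms(acl, user, groups):
    """rwx string of what `user` can do, checked bit by bit."""
    return "".join(bit if check_access(acl, user, groups, bit) else "-" for bit in "rwx")


def narrow_mask(acl, mask):
    """Return a copy of the ACL with a new mask, as `setfacl -m m::<mask>` would set."""
    return dict(acl, mask=mask)


if __name__ == "__main__":
    acl = parse_getfacl(GETFACL_OUTPUT)
    print("with mask::rwx (as setfacl computed it):")
    for name, groups in GROUPS.items():
        print(f"  {name:<7} {effective_perms(acl, name, groups)}")
    print("after `setfacl -m m::r-x test.txt`:")
    for name, groups in GROUPS.items():
        print(f"  {name:<7} {effective_perms(narrow_mask(acl, 'r-x'), name, groups)}")
```

Running it shows brad at --- under both masks (the mask never adds bits), john dropping from rwx to r-x once the mask is narrowed (the owning group's entry is capped), and sandip and alice unchanged (owner and other are outside the mask's reach).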

The following are some important commands for setting ACLs for groups and users:

Command                                          Summary
setfacl -m "u:user:permissions" /path/to/file    Add an ACL entry for a user
setfacl -m "g:group:permissions" /path/to/file   Add an ACL entry for a group
setfacl -b /path/to/file                         Remove all ACL entries from the file
setfacl -m u:patel:r file                        Grant user patel read access to file
setfacl -m m::rx file                            Set the mask to rx, revoking write access from all groups and all named users
setfacl -x g:staff file                          Remove the named group entry for group staff
getfacl file1 | setfacl --set-file=- file2       Copy the ACL of file1 to file2
setfacl -k /path/to/dir                          Remove the default ACL (default ACLs exist only on directories and are inherited by new entries created inside them)