16 Nov 2024

Understanding ACLs in Linux


In Linux, file permissions play a vital role in controlling access to files and directories. Traditional file permissions (read, write, execute) may not always provide the fine-grained access control you need, especially in shared environments. This is where Access Control Lists (ACLs) come in, allowing you to set more specific permissions for individual users or groups.

Two important commands for managing ACLs are setfacl and getfacl. This post outlines how to use these commands to better manage access permissions on your Linux system.



What Are ACLs?

Access Control Lists (ACLs) provide an additional, more flexible permission mechanism for file systems. Unlike standard permissions (owner, group, others), ACLs allow you to set specific permissions for multiple users or groups on a per-file or per-directory basis. This enables more granular control of file access, making ACLs especially useful in complex environments with multiple users and groups.

For example, you can grant read access to one user, write access to another, and full control to a third, all on the same file or directory.


What is setfacl?

The setfacl command is used to modify the ACLs of files and directories. With setfacl, you can add, modify, or remove permissions for specific users or groups without affecting the standard owner-group-other permission scheme.


Syntax

The basic syntax of setfacl is:

setfacl [options] ACL file


Where ACL defines the access control list entries, and file is the file or directory to which you are applying the ACL.

Common Options:

-m or --modify: Modify an ACL entry.
-x or --remove: Remove an ACL entry.
-b or --remove-all: Remove all ACL entries.
-d or --default: Set a default ACL for new files and directories within a directory.


Examples of setfacl Usage:


1. Granting Read Permission to a Specific User

If you want to give a user named jane read permission to a file called example.txt, run the following command:

setfacl -m u:jane:r example.txt

Here, u:jane:r specifies that user jane should have read (r) access to the file.


2. Granting Write Permission to a Group

To give write permissions to a group named devgroup for a file called project.txt, use the following command:

setfacl -m g:devgroup:w project.txt


3. Removing an ACL Entry

To remove the read permission for user jane from example.txt:

setfacl -x u:jane example.txt

This removes the ACL entry for user jane on example.txt.


4. Setting Default ACLs on a Directory

To set default ACLs on a directory so that all new files created within it inherit the ACL permissions, use the -d option:

setfacl -d -m u:jane:rwx /shared/directory

This will give jane read, write, and execute (rwx) permissions on all new files created inside /shared/directory.


What is getfacl?

The getfacl command is used to retrieve and display the ACLs of files and directories. It shows both the traditional owner-group-other permissions and any additional ACL entries.


Syntax

The basic syntax of getfacl is:

getfacl [options] file

Where file is the file or directory whose ACLs you want to view.


Common Options:

--omit-header: Omit the comment header from the output.
-R or --recursive: Recursively display ACLs for all files in a directory.


Examples of getfacl Usage:


1. Displaying ACLs for a File

To view the ACLs for a file called example.txt, run the following command:

getfacl example.txt


The output will look something like this:

# file: example.txt
# owner: root
# group: root
user::rw-
user:jane:r--
group::r--
mask::r--
other::r--

This shows the ACLs for the file, including the standard owner (root), group (root), and other permissions, as well as the specific ACL entry for user jane.
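The mask:: line in that output is easy to overlook: it caps what named users, named groups and the owning group can actually do, so a generous entry such as user:jane:rwx can be worth only rw- in practice (getfacl marks such entries with an "#effective:" note). The following Python, added here as an example and not part of the original post, parses getfacl output in the format shown above (including the default: entries produced by the -d option), applies the mask rule, and reports which named users and groups hold access that the plain owner/group/other bits would not reveal. The getfacl dump it works on is constructed for the example, not captured from a real system.

```python
# Constructed `getfacl -R` sample (not from a real system): the page's example.txt, plus a file
# whose mask trims jane's rwx down to rw-, which getfacl flags with a "#effective:" note.
SAMPLE_GETFACL = """\
# file: example.txt
# owner: root
# group: root
user::rw-
user:jane:r--
group::r--
mask::r--
other::r--

# file: shared/project.txt
# owner: root
# group: devgroup
user::rw-
user:jane:rwx           #effective:rw-
group::r--
group:devgroup:-w-
mask::rw-
other::---
"""

def parse_getfacl(text):
    """One dict per path: file name plus entries as (tag, qualifier, perms, is_default)."""
    files, cur = [], None
    for raw in text.splitlines():
        if raw.startswith("# file:"):
            cur = {"file": raw.split(":", 1)[1].strip(), "entries": []}
            files.append(cur)
        elif raw.strip() and not raw.startswith("#"):        # skip owner/group headers and blanks
            parts = raw.split("#", 1)[0].strip().split(":")  # drop the "#effective:" annotation
            is_default = parts[0] == "default"               # default:tag:qualifier:perms
            tag, qual, perms = parts[1:] if is_default else parts
            cur["entries"].append((tag, qual, perms, is_default))
    return files

def effective_perms(entries):
    """Mask caps named users, named groups and the owning group (never owner or other::); the access ACL and the default ACL each have their own mask."""
    masks = {d: p for t, _, p, d in entries if t == "mask"}
    def cap(tag, qual, perms, d):
        if (tag == "group" or qual) and d in masks:          # non-empty qualifier = named entry
            return "".join(a if a == b else "-" for a, b in zip(perms, masks[d]))
        return perms
    return {(t, q, d): cap(t, q, p, d) for t, q, p, d in entries if t != "mask"}

def named_grants(files):
    """Per path, the named users/groups holding non-empty effective access (access ACL only)."""
    return {f["file"]: {f"{t}:{q}": p for (t, q, d), p in effective_perms(f["entries"]).items()
                        if q and not d and p != "---"} for f in files}
```

Feed it the real output of getfacl -R over a shared tree to get a quick audit of every named grant, after masking, on each path.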


2. Displaying ACLs for a Directory Recursively

To display ACLs for all files in a directory, including subdirectories:

getfacl -R /shared/directory

This will list the ACLs for every file and subdirectory under /shared/directory.


Removing ACLs

If you no longer need ACLs on a file or directory, you can remove them entirely using setfacl with the -b option:

setfacl -b example.txt

This removes all ACLs from example.txt, leaving only the standard file permissions in place.


Conclusion:

ACLs provide fine-grained control over file and directory permissions, allowing you to grant or restrict access to specific users or groups. setfacl is used to modify ACLs, allowing you to set, modify, or remove permissions for specific users and groups. getfacl retrieves and displays the ACLs of a file or directory, providing insight into who has access and what type of access they have. Default ACLs can be set for directories to ensure that new files created inside the directory inherit predefined ACLs. By using setfacl and getfacl, you can achieve more granular and flexible control over file access in shared environments, enhancing security and collaboration on Linux systems.


📝 For more information, review the setfacl man page and the getfacl man page.