Access Control List

Access Control Lists, or ACLs, are a feature that allows more granular control of files than is available with the read, write and execute permissions alone. Access Control Lists allow permissions to be set for individual groups and users, not just the owning user, the owning group, and all other users (also known as "world"). In Linux, they are an add-on to the base OS. The Windows implementation is built in and is substantially more robust than what is available in Unix/Linux. However, misconfiguring them in Windows is easy to do because the documentation is tightly controlled and requires an additional out-of-pocket expenditure.

Prerequisites
In order to use ACLs, you need to have the acl package installed, as this contains the getfacl and setfacl commands needed to view and manipulate ACLs. If you are using a mainstream distribution, there is a good chance this package is already installed on your system. If you are unsure, check with your package manager.

Mount options
You must mount the filesystem with the acl mount option in order to use ACLs on that filesystem. This may already be a default mount option on your system; you can check which default mount options your filesystem has. The relevant line will look similar to the following:

default_mntopts = acl,user_xattr

You can check by running the following command:

tune2fs -l /dev/XXX | grep "Default mount options:"

You'll have to replace /dev/XXX with the correct device node for the drive or partition that contains the filesystem in question.

If the relevant filesystem has the acl mount option set as a default, you should see something like the following:

Default mount options:    user_xattr acl

Usage
To check and set ACLs, we use the getfacl and setfacl commands respectively, as shown below.

Checking current ACLs
For example, assuming that "somefile" has an owning user called "joe" and an owning group called "accounting", and no ACLs are currently set, running the command:

getfacl somefile

you'll get output like this:

# file: somefile
# owner: joe
# group: accounting
user::rw-
group::r--
other::r--

If "somedir" is a directory, running getfacl somedir you'll get output like this:

# file: somedir
# owner: joe
# group: accounting
user::rwx
group::r-x
other::r-x

We can also look at the ordinary UNIX permissions line in a long directory listing to see that no ACLs are present:

-rw-r--r-- 1 joe accounting    0 Mar  3 00:36 somefile
drwxr-xr-x 2 joe accounting 4096 Mar  3 00:36 somedir

We can see that in both cases no ACLs have been set on either the file "somefile" or the directory "somedir". We know that because there is no plus sign (+) after the last permission bit.

Setting ACLs
In the following examples we will use the setfacl command to set ACLs.

Let's say we have a company, and that company has several departments, for example accounting, legal, management, etc. Let's assume that each department has its own user group, and that no permissions are granted to everyone else (also known as "world"). For the sake of example we'll also assume that we have three users: joe, who is in accounting; jan, who is in legal; and steve, who is in management. Joe owns a file in accounting, and both Jan and Steve need access to this accounting file. Because neither of them is in the accounting user group, under normal UNIX permissions and without ACLs they don't have permission to even read this file.

With ACLs, we can give them both permission to read this file, which we'll call "budget". We can grant that permission via their user IDs, via their primary group, or in fact via any user group that they happen to be members of.

In the following example we will give Jan read permission to the "budget" file via an ACL:

setfacl -m "u:jan:r" budget

In the following example we will give Steve read permission to the "budget" file via an ACL:

setfacl -m "u:steve:r" budget

If we then run getfacl budget, we should get output similar to this:

# file: budget
# owner: joe
# group: accounting
user::rw-
user:jan:r--
user:steve:r--
group::r--
mask::r--
other::r--

In the following example, we will give the "legal" user group read permission to the "budget" file owned by Joe in accounting via an ACL:

setfacl -m "g:legal:r" budget

In the following example, we will give the "management" user group read permission to the "budget" file owned by Joe in accounting via an ACL:

setfacl -m "g:management:r" budget

If we then run getfacl budget again, we should get output similar to this:

# file: budget
# owner: joe
# group: accounting
user::rw-
user:jan:r--
user:steve:r--
group::r--
group:legal:r--
group:management:r--
mask::r--
other::r--

If we look at the UNIX permissions line again, we should see output similar to the following:

-rw-r--r--+ 1 joe accounting    0 Mar  1 00:29 budget

Notice the plus sign (+) at the end of the permission bits; this indicates that an ACL entry has been set on the file called "budget".
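The getfacl listings above also carry a mask:: entry that the text does not discuss. As an added example (not code from the original page), the following Python script parses getfacl output of exactly that shape and works out the permissions that actually apply to each principal, which goes slightly beyond the text: under POSIX ACLs the mask caps the owning group and every named user or group, while the owning user and "other" are never masked. The SAMPLE listing is constructed to match the "budget" file after the four setfacl -m calls; the RESTRICTED variant assumes the mask was left at r-- (which is what the real setfacl -n option does, since it skips the usual mask recalculation), in which case getfacl annotates jan's rw- entry with an #effective: comment.

```python
"""Parse getfacl(1) output and work out each principal's effective permissions.

Added example: this is not code from the original page.  The sample listings
below are constructed to match the "budget" file from the text.
"""

# Constructed sample: what getfacl prints for "budget" after the four
# setfacl -m calls in the text.
SAMPLE = """\
# file: budget
# owner: joe
# group: accounting
user::rw-
user:jan:r--
user:steve:r--
group::r--
group:legal:r--
group:management:r--
mask::r--
other::r--
"""

# Constructed variant: jan was granted rw- but the mask was left at r--
# (as happens with "setfacl -n", which skips mask recalculation), so getfacl
# annotates the entry with the permissions that actually apply.
RESTRICTED = SAMPLE.replace("user:jan:r--", "user:jan:rw-\t\t#effective:r--")


def parse_getfacl(text):
    """Return (header, entries).

    header maps the '# file:' / '# owner:' / '# group:' lines to their values;
    entries is a list of (scope, tag, qualifier, perms) tuples, where scope is
    "access" or "default" (directory default entries are prefixed 'default:').
    """
    header, entries = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].strip().partition(":")
            header[key.strip()] = value.strip()
            continue
        # Drop a trailing "#effective:..." comment; we recompute that ourselves.
        line = line.split("#", 1)[0].strip()
        parts = line.split(":")
        scope = "access"
        if parts[0] == "default":
            scope, parts = "default", parts[1:]
        tag, qualifier, perms = parts
        entries.append((scope, tag, qualifier, perms))
    return header, entries


def perm_bits(perms):
    """'rw-' -> {'r', 'w'}"""
    return {c for c in perms if c in "rwx"}


def fmt_bits(bits):
    """{'r'} -> 'r--'"""
    return "".join(c if c in bits else "-" for c in "rwx")


def effective_permissions(text):
    """Map 'tag:qualifier' (e.g. 'user:jan') to the rwx string that applies.

    POSIX ACL rule: when a mask entry exists it caps the owning group, every
    named user and every named group; the owning user and 'other' are never
    masked.  Access and default entries each have their own mask.
    """
    _, entries = parse_getfacl(text)
    masks = {scope: perm_bits(p) for scope, tag, _, p in entries if tag == "mask"}
    result = {}
    for scope, tag, qualifier, perms in entries:
        if tag == "mask":
            continue
        bits = perm_bits(perms)
        mask = masks.get(scope)
        unmasked = qualifier == "" and tag in ("user", "other")
        if mask is not None and not unmasked:
            bits &= mask
        prefix = "default:" if scope == "default" else ""
        result[f"{prefix}{tag}:{qualifier}"] = fmt_bits(bits)
    return result


def named_entries(text):
    """Principals granted access beyond owner/group/other; these are the
    entries whose presence makes the permissions line show a trailing '+'."""
    _, entries = parse_getfacl(text)
    return [f"{tag}:{q}" for _, tag, q, _ in entries if q and tag in ("user", "group")]


if __name__ == "__main__":
    for label, listing in (("budget", SAMPLE), ("budget (mask left at r--)", RESTRICTED)):
        print(label)
        for who, perms in effective_permissions(listing).items():
            print(f"  {who:<20} {perms}")
        print("  extra principals:", ", ".join(named_entries(listing)))
```

Running the script with the real output of getfacl piped in is a quick way to audit a file: named_entries() lists every principal that gained access through an ACL rather than the ordinary permission bits, and effective_permissions() shows what each of them can really do once the mask is applied.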

Removing ACLs
To remove all ACLs from a file or directory, run the following command:

setfacl -b <file>

Replace <file> with the actual name of the file or directory you wish to remove all ACL permissions from. Note: this does not affect the normal UNIX permissions that were already set on the file or directory.

You can also remove just a specific ACL entry with the following command:

setfacl -x "entry" <file>

Replace "entry" and <file> with the ACL entry you wish to remove and the actual name of the file or directory respectively.

See Also
 * Users, Groups, Ownership and Permissions
 * lsattr
 * chattr