Access Control List

From LQWiki

Access Control Lists, or ACLs, are a feature that allows more granular control of file permissions than is available with read, write and execute alone. Access Control Lists allow permissions to be set for individual groups and users and not just the owning user, owning group, and all other users (also known as "world"). In Linux, they are an add-on to the base OS. The Windows implementation is built in and is substantially more robust than what is available in Unix/Linux. However, misconfiguring them in Windows is easy to do because documentation is tightly controlled and requires an additional out-of-pocket expenditure.

Prerequisites

In order to use ACLs, you need to have the acl package installed, as this contains the getfacl and setfacl commands needed to view and manipulate ACLs. If you are using a mainstream distribution, there is a good chance this package is already installed on your system. If you are unsure, just check with your package manager.

Mount options

You must mount the filesystem with the acl mount option in order to use ACLs on that filesystem. This may already be the default mount option on your system; you can check the /etc/mke2fs.conf file to see which default mount options you have. The relevant line will look similar to the following:

default_mntopts = acl,user_xattr

You can check by running the following command:

tune2fs -l /dev/XXX | grep "Default mount options:"

You'll have to replace XXX with the correct device node for the drive or partition that contains the filesystem in question.

If the relevant filesystem has been mounted with the acl mount option, you should see something like the following:

Default mount options:    user_xattr acl

Usage

To check and set ACLs, we use the getfacl and the setfacl commands respectively, as shown below.

Checking current ACLs

For example, assume that "somefile" has an owning user called "joe", the owning user group is "accounting", and no ACLs are currently set. Run the command:

getfacl somefile

You'll get an output like this:

# file: somefile
# owner: joe
# group: accounting
user::rw-
group::r--
other::r--

If "somedir" is a directory, running getfacl somedir gives output like this:

# file: somedir
# owner: joe
# group: accounting
user::rwx
group::r-x
other::r-x

We can also look at the respective UNIX permissions line with ls -la to see that no ACLs are present:

-rw-r--r-- 1 joe accounting 0 Mar  3 00:36 somefile
drwxr-xr-x  2 joe  accounting 4096 Mar  3 00:36 somedir

In both cases, no ACLs have been set on either the file "somefile" or the directory "somedir". We know this because there is no plus sign (+) after the last permission bit.

Setting ACLs

In the following examples we will use the setfacl command to set ACLs.

Let's say we have a company with several departments, for example accounting, legal and management. Let's assume that each department has its own user group, and that no permissions are granted to everyone else (also known as "world"). For the sake of example we'll also assume that we have three users: joe, who is in accounting; jan, who is in legal; and steve, who is in management. Joe owns a file in accounting, and both Jan and Steve need access to this accounting file. Because neither of them is in the accounting user group, under normal UNIX permissions and without ACLs they don't have permission to even read this file.

With ACLs, we can give them both permission to read this file, which we'll call "budget". We can grant that permission via their user IDs, their primary group, or in fact any user group that they happen to be members of.

In the following example we will give Jan read permission to the "budget" file via an ACL:

setfacl -m "u:jan:r" budget

In the following example we will give Steve read permission to the "budget" file via an ACL:

setfacl -m "u:steve:r" budget 

If we then run getfacl budget, we should get output similar to this:

# file: budget
# owner: joe
# group: accounting
user::rw-
user:jan:r--
user:steve:r--
group::r--
mask::r--
other::r--

In the following example, we will give the "legal" user group permission to the "budget" file owned by Joe in accounting via an ACL:

setfacl -m "g:legal:r" budget

In the following example, we will give the "management" user group permission to the "budget" file owned by Joe in accounting via an ACL:

setfacl -m "g:management:r" budget 

If we then run getfacl budget, we should get output similar to this:

# file: budget
# owner: joe
# group: accounting
user::rw-
user:jan:r--
user:steve:r--
group::r--
group:legal:r--
group:management:r--
mask::r--
other::r--

If we run ls -la budget, we should get output similar to the following:

-rw-r--r--+ 1 joe  accounting    0 Mar  1 00:29 budget

Notice the plus sign (+) at the end of the permissions line; this indicates that an ACL entry has been set on the file called "budget".
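
The mask:: line in the getfacl output above caps what named users, named groups and the owning group actually receive, so an entry can list more than it effectively grants. The following is an added example, not part of the original page: it reads getfacl output and reports each named entry with its effective permissions. The function names and the sample input (where jan was given rw- under a mask of r--) are constructed for illustration.

```sh
# Added example (not from the original page): list every named-user and
# named-group ACL entry with its effective permissions (entry limited by mask).
acl_extra_grants() {
    awk -F: '
    function emit(   i, k, c, eff) {
        for (i = 1; i <= n; i++) {
            eff = ""
            for (k = 1; k <= 3; k++) {
                c = substr(perm[i], k, 1)
                # A bit missing from the mask is not granted to this entry.
                if (mask != "" && substr(mask, k, 1) == "-") c = "-"
                eff = eff c
            }
            print kind[i] ":" name[i], eff, file
        }
        n = 0; mask = ""
    }
    /^# file: /  { emit(); file = substr($0, 9); next }
    /^#/ || /^$/ { next }                      # owner/group headers, blank lines
                 { sub(/[ \t]*#.*$/, "") }     # drop trailing "#effective:" notes
    $1 == "mask" { mask = $3; next }
    ($1 == "user" || $1 == "group") && $2 != "" {   # named entries only
        n++; kind[n] = $1; name[n] = $2; perm[n] = $3
    }
    END { emit() }
    '
}

# Constructed sample input modelled on the "budget" and "somefile" examples.
sample_getfacl() {
    cat <<'EOF'
# file: budget
# owner: joe
# group: accounting
user::rw-
user:jan:rw-        #effective:r--
user:steve:r--
group::r--
group:legal:r--
mask::r--
other::r--

# file: somefile
user::rw-
group::r--
other::r--
EOF
}
sample_getfacl | acl_extra_grants
```

On a live system, pipe real output into the function instead, for example getfacl -R somedir | acl_extra_grants; files without named entries, such as "somefile" here, produce no lines.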

Removing ACLs

To remove all ACLs from a file or directory, run the following command:

setfacl -b <filename/directory_name> 

Replace <filename/directory_name> with the actual name of the file or directory you wish to remove all ACL permissions from. Note: this does not affect the normal UNIX permissions that were already set on the file or directory.

You can also just remove a specific ACL entry with the following command:

setfacl -x "entry" <filename/directory_name>

Replace "entry" with the ACL entry you wish to remove and <filename/directory_name> with the actual name of the file or directory.
