File system based ACL in Linux

If you require finer control over file permissions, ACLs (Access Control Lists) might be a good choice. ACLs go beyond the standard owner/group/other permission model and allow setting permissions for individual users or groups.

ACLs are a great option when you want to grant permissions without creating entire user groups. They are also great when you need to allow your non-super-users the ability to set permissions. You still have to be the main owner of a file to modify its permissions, though.

Proceed with caution!
ACLs can cause mysterious permission errors that are not immediately obvious to someone who isn’t aware of them. For this very reason, ACLs are enabled but not used by default in the latest RHEL / CentOS.

To check if your ext3 filesystem has the proper default options, use tune2fs. Look for “Default mount options:” with acl set. Let’s assume we have /dev/sdb1 mounted on /datum and we want to enable the acl option.

[root@tags ~]# tune2fs -l /dev/sdb1

To enable ACLs on a filesystem, set the filesystem's default mount options and remount:

[root@tags ~]# tune2fs -o acl /dev/sdb1
[root@tags ~]# mount -o remount,acl /datum

Use getfacl to view ACLs:

[root@tags ~]# touch /datum/foo.txt
[root@tags ~]# getfacl /datum/foo.txt
getfacl: Removing leading '/' from absolute path names
# file: datum/foo.txt
# owner: root
# group: root

Use setfacl to set ACLs, with -m to modify and -x to remove a given ACL. Give user joseph read + write + execute on this file:

[root@tags ~]# setfacl -m u:joseph:rwx /datum/foo.txt

Give group peeps read + write on a file:

[root@tags ~]# setfacl -m g:peeps:rw /datum/foo.txt

Remove joseph’s ACL permissions:

[root@tags ~]# setfacl -x u:joseph /datum/foo.txt

Set the default ACL permissions on a directory (new files created inside it inherit them):

[root@tags ~]# setfacl -m d:g:peeps:rw /datum/stuff/

Revoke write permission for all named users and groups (and the owning group) by lowering the ACL mask; the mask caps the effective permissions of those entries but does not limit the file owner or “other”:

[root@tags ~]# setfacl -m m::rx /datum/foo.txt

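Because the mask is the usual cause of the “mysterious” permission errors mentioned earlier, here is a small shell helper, added as an example here and not part of the original post, that reads getfacl output and annotates each entry with the permissions that actually apply, the way getfacl’s own #effective: comments do. The sample ACL text is constructed to match foo.txt after the commands above (joseph rwx, peeps rw-, mask r-x), not captured from a real host.

```shell
#!/bin/sh
# Constructed sample of getfacl output (not captured from a real system).
SAMPLE_ACL='# file: datum/foo.txt
# owner: root
# group: root
user::rw-
user:joseph:rwx
group::r--
group:peeps:rw-
mask::r-x
other::r--'

# Read getfacl text on stdin; print each entry, appending "#effective:"
# where the mask reduces it. The mask applies to named users, named
# groups and the owning group; user:: (owner) and other:: are never masked.
effective_perms() {
  awk -F: '
    /^#/ || /^$/ { next }                   # skip header comments / blanks
    { sub(/[ \t]+#effective:.*$/, "")       # drop any existing annotation
      entries[++n] = $0
      if ($1 == "mask") mask = $3 }
    END {
      for (i = 1; i <= n; i++) {
        split(entries[i], f, ":")
        eff = f[3]
        # masked: non-empty qualifier (named user/group) or the owning group
        if (mask != "" && (f[2] != "" || f[1] == "group")) {
          eff = ""
          for (j = 1; j <= 3; j++) {
            c = substr(f[3], j, 1); m = substr(mask, j, 1)
            eff = eff ((c != "-" && m != "-") ? c : "-")
          }
        }
        if (eff == f[3]) print entries[i]
        else print entries[i] "\t#effective:" eff
      }
    }'
}

# Usage: annotate the constructed sample (pipe real `getfacl file` output instead).
printf '%s\n' "$SAMPLE_ACL" | effective_perms
```

On the sample, joseph’s rwx and peeps’ rw- are both reported as effective r-x and r-- respectively, which is exactly the surprise a user hits when a named entry looks generous but the mask says otherwise.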
When ACLs are present, a “ls -l” will show a plus sign to notify you:

[root@tags ~]# ls -l /datum/foo.txt
-rw-rwxr--+ 1 root root 0 Dec 3 14:54 /datum/foo.txt

Note that the mv and cp -p commands will preserve ACLs. If you have defaults set on a parent directory, new files in that directory will inherit those settings.

If you want to remove all ACLs, reverting to the base Unix permissions of owner, group and other:

[root@tags ~]# setfacl --remove-all /datum/foo.txt

2 thoughts on “File system based ACL in Linux”

  1. Thank you for hosting such a useful website. Your weblog is not just informative but also very inventive. There normally are very few bloggers who are capable of creating technical content that creatively. We keep searching for content on this subject. We ourselves have looked through many websites to come across knowledge about this. We look forward to the next posts!

  2. @SEOArticles Thanks and welcome! Moreover your site has a very nice view, I like this style!
