Access Control Lists

Access control list (ACL) provides an additional, more flexible permission mechanism for file systems. It is designed to assist with UNIX file permissions. ACL allows you to give permissions for any user or group to any disk resource.

Installation

The acl package is a dependency of systemd, it should already be installed.

Enable ACL

To enable ACL, the filesystem must be mounted with the acl option. You can use fstab entries to make it permanent on your system.

There is a possibility that the acl option is already active as one of the default mount options on the filesystem. Btrfs and Ext2/3/4 filesystems are affected by this. Use the following command to check ext2/3/4 formatted partitions for the option:

# tune2fs -l /dev/sd''XY'' | grep "Default mount options:"
Default mount options:    user_xattr '''acl'''

Also check that the default mount options are not overridden, in such case you will see noacl in /proc/mounts in the relevant line.

You can set the default mount options of a filesystem using the tune2fs -o option partition command, for example:

# tune2fs -o acl /dev/sdXY

Using the default mount options instead of an entry in /etc/fstab is very useful for external drives, such partition will be mounted with acl option also on other Linux machines. There is no need to edit /etc/fstab on every machine.

Note:
  • acl is specified as a default mount option when creating an ext2/3/4 filesystem. This is configured in /etc/mke2fs.conf.
  • The default mount options are not listed in /proc/mounts.

Usage

Set ACL

The ACL can be modified using the setfacl command.

Tip:
  • You can list file/directory permission changes without modifying the permissions (i.e. dry-run) by appending the --test flag.
  • To apply operations to all files and directories recursively, append the -R/--recursive argument.

To set permissions for a user (user is either the user name or ID):

# setfacl -m "u:user:permissions" <file/dir>

To set permissions for a group (group is either the group name or ID):

# setfacl -m "g:group:permissions" <file/dir>

To set permissions for others:

# setfacl -m "other:permissions" <file/dir>

To allow all newly created files or directories to inherit entries from the parent directory (this will not affect files which will be copied into the directory):

# setfacl -dm "entry" <dir>

To remove a specific entry:

# setfacl -x "entry" <file/dir>

To remove the default entries:

# setfacl -k <file/dir>

To remove all entries (entries of the owner, group and others are retained):

# setfacl -b <file/dir>

Show ACL

To show permissions, use:

# getfacl <file/dir>

Examples

Set all permissions for user to file named :

# setfacl -m "u:johnny:rwx" abc

Check permissions:

# getfacl abc
# file: abc
# owner: someone
# group: someone
user::rw-
user:johnny:rwx
group::r--
mask::rwx
other::r--

Change permissions for user :

# setfacl -m "u:johnny:r-x" abc

Check permissions:

# getfacl abc
# file: abc
# owner: someone
# group: someone
user::rw-
user:johnny:r-x
group::r--
mask::r-x
other::r--

Remove all ACL entries:

# setfacl -b abc

Check permissions:

Output of ls command

You will notice that there is an ACL for a given file because it will exhibit a (plus sign) after its Unix permissions in the output of .

Execution permissions for private files

The following technique describes how a process like a web server can be granted access to files that reside in a user's home directory, without compromising security by giving the whole world access.

In the following we assume that the web server runs as the user and grant it access to 's home directory .

The first step is granting execution permissions for the user :

# setfacl -m "u:http:--x" /home/geoffrey

Since the user is now able to access files in , others no longer need access:

# chmod o-rx /home/geoffrey

Use getfacl to verify the changes:

As the above output shows, other's no longer have any permissions, but the user is still able to access the files, thus security might be considered increased.

If you need to give write access for the user on specific directories and/or files, run:

# setfacl -dm "u:http:rwx" /home/geoffrey/project1/cache
gollark: Anyway. Birds: often quite smart, flying and/or gliding, dm-scale size, vertebrates. Bees: invertebrates, cm-scale, superintelligent with sufficiently networked bees.
gollark: That's the *9*70.
gollark: We can track how many chunks are loaded, ish, with indirection!
gollark: No, I am not.
gollark: Then click login.

See also

This article is issued from Archlinux. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.