Linux ACLs

22 Oct 2007

Linux ACLs (Access Control Lists) can be a bit difficult at first – here’s my understanding of how they work:


  • There are only two commands needed: getfacl and setfacl, which display and change ACLs respectively


When you do a getfacl on a file, you’ll get this sort of entry:

    $ ls -al index.html
    -rw-rw-r--+ 1 root siteadm 0 Nov 30 2005 index.html
    $ getfacl --all-effective index.html
    # file: index.html
    # owner: root
    # group: siteadm
    user::rw-
    user:apache:rw-        #effective:rw-
    group::r--             #effective:r--
    mask::rw-
    other::r--

  • Notice the + at the end of the ls -al entry, indicating that the file carries an ACL beyond the classic three entries, and the use of the --all-effective option with getfacl, which annotates each masked entry with the permissions it actually grants.

  • The first and last entries always correspond to the normal owner and other permission bits, e.g. the owner has read/write and other has read. Neither of them is affected by the mask:

        user::rw-    -> rw- (first triplet of the mode, for the owner)
        other::r--   -> r-- (last triplet of the mode, for other)

  • The kernel enforces the middle group of entries for every process, whether or not the program knows ACLs exist: each named user, named group and the owning group entry is ANDed with the mask entry, so the user apache gets rw- and the owning group (siteadm in this case) gets r--:

        user:apache:rw-
        group::r--
        mask::rw-

  • What differs for programs that don’t understand ACLs (ls, stat, chmod and so on) is what they see: the group bits of the classic mode are the mask entry, not group::, so the mode shows the upper bound on what any group-class entry can grant and chmod and stat keep working in their old terms. Notice how the ls -al output displays the mask entry in the group area:

        -rw-rw-r--+ 1 root siteadm 0 Nov 30 2005 index.html
        mask::rw-

    The flip side is that chmod on the group bits rewrites the mask: chmod g-w on this file silently takes write away from apache, and chmod g+w hands it back to every masked entry whose own permissions include w. Tools that copy or archive files also drop ACLs unless told to keep them (GNU cp -p or --preserve=all, rsync -A, tar --acls), after which only the mode bits survive.
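The rules in the three points above, as an added example that is not part of the original post: a Python model of how the kernel evaluates a POSIX ACL (the order used by posix_acl_permission()) and of the mode bits that ACL-unaware tools see. It works on a constructed copy of the index.html listing above; the user and group names, the `chmod g=r` step and the callers in the `__main__` section are assumptions for illustration, and the code touches no real filesystem.

```python
# Added example (not from the original post): a small Python model of how the
# Linux kernel evaluates a POSIX ACL.  LISTING is constructed to match the
# index.html example in the post; the evaluation order follows the kernel's
# posix_acl_permission() and the mode-bit mapping follows acl(5).

R, W, X = 4, 2, 1

LISTING = """\
# file: index.html
# owner: root
# group: siteadm
user::rw-
user:apache:rw-        #effective:rw-
group::r--             #effective:r--
mask::rw-
other::r--
"""


def parse_perms(s):
    """'rw-' -> 6 (R|W)."""
    return (R if s[0] == "r" else 0) | (W if s[1] == "w" else 0) | (X if s[2] == "x" else 0)


def fmt_perms(p):
    """6 -> 'rw-'."""
    return ("r" if p & R else "-") + ("w" if p & W else "-") + ("x" if p & X else "-")


def parse_getfacl(text):
    """Turn the entry lines of a getfacl listing into (tag, qualifier, perms) tuples.
    Text after '#' (the file/owner/group header and the #effective notes) is dropped."""
    acl = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            tag, qual, perms = line.split(":")
            acl.append((tag, qual, parse_perms(perms)))
    return acl


def entry(acl, tag, qual=""):
    """Permission bits of one entry, or None if it is absent."""
    return next((p for t, q, p in acl if t == tag and q == qual), None)


def check_access(acl, owner, group, user, groups, want):
    """True if `user` (a member of the names in `groups`) is granted the `want` bits.
    Kernel order: owner entry (unmasked) -> named user (masked) -> owning group and
    named groups (masked; the first group entry whose raw bits cover `want` decides,
    even if the mask then denies, and any matching group entry means other:: is
    never consulted) -> other:: (unmasked)."""
    mask = entry(acl, "mask")
    masked = (lambda p: p) if mask is None else (lambda p: p & mask)
    group_matched = False
    for tag, qual, perms in acl:
        if tag == "user" and qual == "":
            if user == owner:
                return (perms & want) == want
        elif tag == "user":
            if qual == user:
                return (masked(perms) & want) == want
        elif tag == "group":
            if (group if qual == "" else qual) in groups:
                group_matched = True
                if (perms & want) == want:
                    return (masked(perms) & want) == want
        elif tag == "other":
            return False if group_matched else (perms & want) == want
    return False


def mode_string(acl, is_dir=False):
    """The classic mode ls/stat show for an ACL'd file: user:: in the owner position,
    the mask (not group::) in the group position, other:: last, and '+' when the ACL
    has more than the three classic entries."""
    mask = entry(acl, "mask")
    group_bits = entry(acl, "group") if mask is None else mask
    return (("d" if is_dir else "-") + fmt_perms(entry(acl, "user")) + fmt_perms(group_bits)
            + fmt_perms(entry(acl, "other")) + ("+" if len(acl) > 3 else ""))


def chmod_group(acl, perms):
    """What `chmod g=<perms>` does to an ACL'd file: it rewrites the mask entry,
    not group::, so every masked entry is re-masked at once."""
    target = "group" if entry(acl, "mask") is None else "mask"
    return [(t, q, perms if (t == target and q == "") else p) for t, q, p in acl]


def effective(acl):
    """Per-entry effective permissions, as getfacl --all-effective annotates them."""
    mask = entry(acl, "mask")
    out = {}
    for t, q, p in acl:
        if t == "mask":
            continue
        is_masked = mask is not None and (t == "group" or q != "")
        out[(t, q)] = fmt_perms(p & mask if is_masked else p)
    return out


if __name__ == "__main__":
    acl = parse_getfacl(LISTING)
    print(mode_string(acl))                                                   # -rw-rw-r--+
    print(check_access(acl, "root", "siteadm", "apache", ["apache"], R | W))  # True
    print(check_access(acl, "root", "siteadm", "jan", ["siteadm"], W))        # False
    tighter = chmod_group(acl, R)       # an ACL-unaware `chmod g=r index.html`
    print(mode_string(tighter))                                               # -rw-r--r--+
    print(effective(tighter)[("user", "apache")])                             # r--
    print(check_access(tighter, "root", "siteadm", "apache", ["apache"], W))  # False
```

The last three lines are the practitioner's caveat in code: a plain `chmod g=r` never touched the `user:apache` entry, yet apache lost write because the mask is what chmod rewrote.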

To change ACLs you use the setfacl command, which is pretty straightforward. For example:

    $ setfacl -m u:apache:rw- foo.txt
    $ setfacl -m user:jan:rwx,group:mysql:rwx bar.txt

-m adds or modifies entries, -x removes one, and -b strips the whole ACL back to the classic three entries. Unless you pass -n, setfacl recalculates the mask after each change so that the entries you just added are not silently masked out; check the result with getfacl --all-effective.

ACLs need to be considered for directories themselves (e.g. can user fred delete a particular directory?) and for the objects created underneath a directory.

  • for directories themselves, setting and getting ACLs is just the same as for files
  • for objects created underneath a directory, you have to consider the default ACL: a special kind of ACL, held only by directories, that defines the access ACL given to new objects created under the directory. Note: it doesn’t affect existing objects! (setfacl -R applies an access ACL to the tree that already exists, which is a separate step.)
  • setfacl uses the -d flag to create default ACL entries; getfacl lists them with a default: prefix
  • the same rules apply to default entries as to normal entries once they have been inherited: the first and last (user:: and other::) entries are used directly, the middle group interacts with the mask, etc. One caveat: when a directory has a default ACL, the umask is not applied to objects created in it; the default ACL's permissions, ANDed with the mode the creating program asked for, take its place.
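Default ACL inheritance, as an added example that is not part of the original post: a Python model of the access ACL a new file or directory receives from its parent's default ACL, following acl(5) and the kernel's posix_acl_create(). The default ACL is constructed (as if set with `setfacl -d -m u:apache:rwx,g:siteadm:rwx` on a hypothetical /srv/www/site); the creation modes 0o666 and 0o777 are what open(2) and mkdir(2) are conventionally called with, and 0o600 stands in for a program that deliberately creates a private file. No filesystem is touched.

```python
# Added example (not from the original post): a Python model of how a new object
# inherits its access ACL from the parent directory's default ACL.  The rules
# follow acl(5) and the kernel's posix_acl_create(); DEFAULT_ACL is constructed,
# as if set with  setfacl -d -m u:apache:rwx,g:siteadm:rwx /srv/www/site
# (hypothetical path).  getfacl would print each of these with a "default:" prefix.

R, W, X = 4, 2, 1


def fmt_perms(p):
    """6 -> 'rw-'."""
    return ("r" if p & R else "-") + ("w" if p & W else "-") + ("x" if p & X else "-")


DEFAULT_ACL = [
    ("user", "", R | W | X),
    ("user", "apache", R | W | X),
    ("group", "", R | X),
    ("group", "siteadm", R | W | X),
    ("mask", "", R | W | X),
    ("other", "", R | X),
]


def inherit(default_acl, mode):
    """Access ACL of a new object created with creation mode `mode` under a directory
    carrying `default_acl`.  `mode` is what the creating call passes: typically 0o666
    from open(2)/creat(2) for a file, 0o777 from mkdir(2) for a directory.  The
    default entries are copied; user:: is ANDed with the owner bits, other:: with the
    other bits, and mask:: (or group:: when there is no mask) with the group bits.
    Named user/group entries are copied as-is.  The process umask is not consulted
    when a default ACL exists; the default ACL's permissions take its place."""
    u_bits, g_bits, o_bits = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
    has_mask = any(t == "mask" for t, _, _ in default_acl)
    out = []
    for tag, qual, perms in default_acl:
        if tag == "user" and qual == "":
            perms &= u_bits
        elif tag == "other":
            perms &= o_bits
        elif tag == "mask" or (tag == "group" and qual == "" and not has_mask):
            perms &= g_bits
        out.append((tag, qual, perms))
    return out


def inherit_dir(default_acl):
    """A new directory gets the inherited access ACL (mkdir passes 0o777) and, in
    addition, a verbatim copy of the default ACL as its own default ACL, so the
    inheritance continues down the tree.  Returns (access_acl, default_acl)."""
    return inherit(default_acl, 0o777), list(default_acl)


def render(acl):
    """One string per entry, annotated the way getfacl --all-effective does it:
    named entries and group:: show what they grant after the mask is applied."""
    mask = next((p for t, q, p in acl if t == "mask"), None)
    lines = []
    for t, q, p in acl:
        line = f"{t}:{q}:{fmt_perms(p)}"
        if mask is not None and t != "mask" and (t == "group" or q != ""):
            line += f"\t#effective:{fmt_perms(p & mask)}"
        lines.append(line)
    return lines


if __name__ == "__main__":
    print("new file, open(2) with 0o666 (umask ignored):")
    print("\n".join(render(inherit(DEFAULT_ACL, 0o666))))
    print("new file, program asked for 0o600 (the default ACL cannot widen it):")
    print("\n".join(render(inherit(DEFAULT_ACL, 0o600))))
    access, default = inherit_dir(DEFAULT_ACL)
    print("new directory, mkdir(2) with 0o777:")
    print("\n".join(render(access)))
    print("plus its own default ACL, copied verbatim:", len(default), "entries")
```

Two things the output makes visible that the bullets only state: the default ACL never widens what the creating program asked for (a 0o600 file ends up with `mask::---`, so apache's `rwx` entry is effectively `---`), and the usual 0o666 file creation gives every named entry an effective `rw-` regardless of the umask the user happened to have.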