22 Oct 2007
Linux ACLs (Access Control Lists) can be a bit difficult at first – here’s my understanding of how they work:
Commands:
- There are only two commands needed, getfacl and setfacl, which display and change ACLs respectively.
Files:
When you do a getfacl on a file, you’ll get this sort of entry:
```text
$ ls -al index.html
-rw-rw-r--+ 1 root siteadm 0 Nov 30 2005 index.html

$ getfacl --all-effective index.html
# file: index.html
# owner: root
# group: siteadm
user::rw-
user:apache:rw-  #effective:rw-
group::r--       #effective:r--
mask::rw-
other::r--
```
Notice the `+` at the end of the ls -al entry, indicating that ACLs are present, and the use of the `--all-effective` option with getfacl.
The first and last entries always correspond to the normal user/owner and other file permissions, e.g. here user/owner has read/write and other has read:
```text
user::rw-  -> rw- (for user/owner)
other::r-- -> r-- (for other)
```
For applications that do understand ACLs, permissions are exactly as listed in the middle group of entries, masked by the mask entry, i.e. the user apache gets rw- and the owning group (siteadm in this case) gets r--:
```text
user:apache:rw-
group::r--
mask::rw-
```
For applications that don’t understand ACLs, the reported group permissions correspond to the mask, i.e. rw-, which ensures that non-ACL-aware applications keep working. Notice how the ls -al output displays the mask entry in the group position:
```text
-rw-rw-r--+ 1 root siteadm 0 Nov 30 2005 index.html
mask::rw-
```
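As an added illustration (not code from the original post), here is a small Python model of the mask rules above: it parses getfacl-style output, applies the mask to the middle entries only, and rebuilds the ls -al mode string with the mask in the group column. The sample ACL is constructed for this example; the `group:mysql` entry is added to show a permission being cut down by the mask.

```python
# Constructed sample in getfacl's output format (not captured from any real host).
SAMPLE = """\
# file: index.html
# owner: root
# group: siteadm
user::rw-
user:apache:rw-
group::r--
group:mysql:rwx
mask::rw-
other::r--
"""

def parse_acl(text):
    """Parse getfacl output into (tag, qualifier, perms) tuples, ignoring
    the '# file/owner/group' header and any '#effective:' annotations."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            tag, qual, perms = line.split(":")
            entries.append((tag, qual, perms))
    return entries

def _bits(perms):
    return {c for c in perms if c != "-"}

def _text(bits):
    return "".join(c if c in bits else "-" for c in "rwx")

def effective(entries):
    """Apply the mask as the post describes: user:: (owner) and other:: are
    used as-is; named users, the owning group and named groups are ANDed
    with mask::. Without a mask entry nothing is masked."""
    mask = next((_bits(p) for t, _, p in entries if t == "mask"), None)
    out = []
    for tag, qual, perms in entries:
        bits = _bits(perms)
        masked = tag == "group" or (tag == "user" and qual != "")
        if mask is not None and masked:
            bits &= mask
        out.append((tag, qual, _text(bits)))
    return out

def ls_mode(entries):
    """Rebuild the 'ls -l' mode string for a regular file: the group column
    shows the mask when one exists, and a trailing '+' flags an extended ACL."""
    by = {(t, q): p for t, q, p in entries}
    group_col = by.get(("mask", ""), by[("group", "")])
    extended = ("mask", "") in by or any(q for _, q, _ in entries)
    return "-" + by[("user", "")] + group_col + by[("other", "")] + ("+" if extended else "")
```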
To change ACLs you use the setfacl command, which is pretty straightforward. For example:
```text
$ setfacl -m u:apache:rw- foo.txt
$ setfacl -m user:jan:rwx,group:mysql:rwx bar.txt
```
Directories:
ACLs need to be considered for directories themselves (e.g. can user fred delete a particular directory?) and for all objects underneath a directory.
- for directories themselves, setting and getting acls is just the same as for files
- for all objects underneath a directory, you have to consider the “Default ACL”, a special kind of ACL that defines the access permissions of all new objects created under a folder. Note that it doesn’t affect existing objects!
- setfacl uses the -d flag to create default acl entries
- the same rules apply to default entries as to normal entries: the first and last (user and other) entries are used directly, the middle group of entries interacts with the mask, and so on.