ACLs
8:45 AM, by Rajashekar Reddy BusiReddy
Access Control Lists (ACLs)
Files and directories have permission sets for the owner of the file, the group associated with the file, and all other users on the system. However, these permission sets have limitations. For example, different permissions cannot be configured for different users. Thus, Access Control Lists (ACLs) were implemented.
Mounting File Systems
Before using ACLs for a file or directory, the partition for the file or directory must be mounted with ACL support. If it is a local ext4 file system, it can be mounted with the following command:
mount -t ext4 -o acl <device-name> <mount-point>
For example:
Alternatively, if the partition is listed in the /etc/fstab file, the entry for the partition can include the acl option:
/dev/Student/IT /student ext4 defaults,acl 0 0
Setting Access ACLs
There are two types of ACLs: access ACLs and default ACLs. An access ACL is the access control list for a specific file or directory. A default ACL can only be associated with a directory; if a file within the directory does not have an access ACL, it uses the rules of the default ACL for the directory. Default ACLs are optional.
ACLs can be configured:
1. Per user
2. Per group
3. Via the effective rights mask
4. For users not in the user group for the file
Configuring ACLs
The setfacl utility sets ACLs for files and directories. Use the -m option to add or modify the ACL of a file or directory:
setfacl -m <rules> <files>
Rules (<rules>) must be specified in the following formats. Multiple rules can be specified in the same command if they are separated by commas.
u:<uid or username>:<permissions>
Sets the access ACL for a user. The user name or UID may be specified. The user may be any valid user on the system.
g:<gid or groupname>:<permissions>
Sets the access ACL for a group. The group name or GID may be specified. The group may be any valid group on the system.
m:<permissions>
Sets the effective rights mask. The mask is the union of all permissions of the owning group and all of the user and group entries.
o:<permissions>
Sets the access ACL for users other than the ones in the group for the file.
White space is ignored. Permissions must be a combination of the characters r, w, and x for read, write, and execute.
If a file or directory already has an ACL, and the setfacl command is used, the additional rules are added to the existing ACL or the existing rule is modified.
For example, to give read and write permissions to user raju:
setfacl -m u:raju:rw /file1
To remove all the permissions for a user, group, or others, use the -x option and do not specify any permissions:
setfacl -x <rules> <files>
For example, to remove all permissions from the user with UID 500:
setfacl -x u:500 /file1
Setting Default ACLs
To set a default ACL, add d: before the rule and specify a directory instead of a file name.
For example, to set the default ACL for the /share/ directory to read and execute for users not in the user group (an access ACL for an individual file can override it):
setfacl -m d:o:rx /share
Retrieving ACLs
To determine the existing ACLs for a file or directory, use the getfacl command:
getfacl <filename>
It returns output similar to the following:
# file: file
# owner: raju
# group: student
user::rw-
user:koti:r--
group::r--
mask::r--
other::r--
If a directory is specified, and it has a default ACL, the default ACL is also displayed, such as:
# file: file
# owner: raju
# group: student
user::rw-
user:koti:r--
group::r--
mask::r--
other::r--
default:user::rwx
default:user:raju:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
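The effective rights mask described under Configuring ACLs is easy to misread: a named user may be listed with rw- yet only get r-- if the mask is r--. The following parser, added here as an example and not part of the original post, reads a getfacl listing (the sample is constructed to resemble the one above) and reports what each entry actually grants once the mask for its scope (access or default) is applied.

```python
# Added example: parse getfacl output and apply the effective rights mask.
# The mask limits named users, named groups and the owning group; the file
# owner ("user::") and "other::" entries are never masked.
from typing import Dict, List, Tuple

# Constructed sample modelled on the listing above (not real system output).
SAMPLE = """\
# file: share
# owner: raju
# group: student
user::rw-
user:koti:rw-
group::r--
group:staff:rwx
mask::r--
other::r--
default:user::rwx
default:user:raju:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
"""

Entry = Tuple[str, str, str, str]  # (scope, tag, qualifier, perms)


def parse_getfacl(text: str) -> List[Entry]:
    """Return one (scope, tag, qualifier, perms) tuple per ACL entry."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop header and #effective notes
        if not line:
            continue
        scope = "access"
        if line.startswith("default:"):
            scope, line = "default", line[len("default:"):]
        tag, qualifier, perms = line.split(":", 2)
        if len(perms) != 3 or any(c not in "rwx-" for c in perms):
            raise ValueError(f"bad permission field: {perms!r}")
        entries.append((scope, tag, qualifier, perms))
    return entries


def effective_perms(entries: List[Entry]) -> Dict[str, str]:
    """Map 'scope:tag:qualifier' to the permissions granted after masking."""
    masks = {s: p for s, t, q, p in entries if t == "mask"}
    result: Dict[str, str] = {}
    for scope, tag, qualifier, perms in entries:
        # Owning group, named groups and named users are subject to the mask.
        masked = tag == "group" or (tag == "user" and qualifier != "")
        if masked and scope in masks:
            perms = "".join(p if p == m else "-" for p, m in zip(perms, masks[scope]))
        result[f"{scope}:{tag}:{qualifier}"] = perms
    return result
```

Run it against the output of `getfacl` on a real directory to see which named entries are silently reduced by the mask; getfacl itself marks such entries with an `#effective:` comment.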