paulgorman.org/technical

Linux ACL’s (access control lists)

(2019)

See acl(5).

POSIX access control lists define more fine-grained permissions than are possible with traditional Unix file permissions.

Are ACL’s enabled on this filesystem?

🐚 $ sudo /sbin/tune2fs -l /dev/vda1 | grep acl
Default mount options:    user_xattr acl

Show the ACL of a file with getfacl(1).

🐚 $ getfacl /var/repo
getfacl: Removing leading '/' from absolute path names
# file: var/repo
# owner: root
# group: developers
# flags: -s-
user::rwx
group::rwx
other::r-x

Use setfacl(1) to modify ACL’s.

🐚 $ sudo setfacl -d -R -m g:developers:rw /var/repo
🐚 $ getfacl /var/repo
getfacl: Removing leading '/' from absolute path names
# file: var/repo
# owner: root
# group: developers
# flags: -s-
user::rwx
group::rwx
other::r-x
default:user::rwx
default:group::rwx
default:group:developers:rw-
default:mask::rwx
default:other::r-x

🐚 $ touch /var/repo/foo.bar
🐚 $ getfacl /var/repo/foo.bar
getfacl: Removing leading '/' from absolute path names
# file: var/repo/foo.bar
# owner: paulgorman
# group: developers
user::rw-
group::rwx          #effective:rw-
group:developers:rw-
mask::rw-
other::r--

🐚 $ ls -l /var/repo/foo.bar
-rw-rw-r--+ 1 paulgorman developers 0 Jan 13 12:24 /var/repo/foo.bar

The + after the mode bits in ls -l output indicates that the file carries an ACL beyond the basic owner/group/other entries.
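The `#effective:rw-` annotation above is the mask rule at work: named-user, named-group and owning-group entries are ANDed with `mask::`, while `user::` and `other::` are not. The helper below is an added example for this page (not part of the acl tools, and the function names `acl_effective` and `acl_reduced` are my own); it applies that rule to saved getfacl(1) text, so a dump taken during an audit can be checked offline for entries whose real rights are narrower (or wider) than they look, including `default:` entries with their own mask.

```shell
# Reads getfacl(1) text on stdin; prints "entry:stated:effective" per ACL entry.
# Assumes POSIX sh and awk; the mask semantics follow acl(5).
acl_effective() {
    awk '
        /^#/ || /^$/ { next }                     # skip "# file:" header and blanks
        {
            line = $0; sub(/[ \t]*#effective:.*$/, "", line)  # drop getfacl annotation
            scope = ""; if (sub(/^default:/, "", line)) scope = "default:"
            split(line, f, ":")
            n++; sc[n] = scope; tag[n] = f[1]; qual[n] = f[2]; perm[n] = f[3]
            if (tag[n] == "mask") mask[scope] = f[3]  # access and default masks differ
        }
        END {
            for (i = 1; i <= n; i++) {
                eff = perm[i]; m = mask[sc[i]]
                masked = (tag[i] == "group") || (tag[i] == "user" && qual[i] != "")
                if (m != "" && masked) {
                    eff = ""
                    for (j = 1; j <= 3; j++) {
                        c = substr(perm[i], j, 1)
                        if (substr(m, j, 1) == "-") c = "-"   # mask bit clear => right dropped
                        eff = eff c
                    }
                }
                printf "%s%s:%s:%s:%s\n", sc[i], tag[i], qual[i], perm[i], eff
            }
        }'
}
# Lists only entries whose effective rights are narrower than stated, which is
# what to look for after a chmod has silently tightened the mask.
acl_reduced() {
    acl_effective | awk -F: '
        $NF != $(NF - 1) {
            id = $1; for (i = 2; i <= NF - 2; i++) id = id ":" $i
            print id " stated=" $(NF - 1) " effective=" $NF
        }'
}
# Constructed sample: the getfacl output for /var/repo/foo.bar shown above.
SAMPLE_ACL='# file: var/repo/foo.bar
# owner: paulgorman
# group: developers
user::rw-
group::rwx          #effective:rw-
group:developers:rw-
mask::rw-
other::r--'
printf '%s\n' "$SAMPLE_ACL" | acl_reduced   # prints: group: stated=rwx effective=rw-
```

Pipe a live `getfacl -R /path` into `acl_reduced` to find every file whose group grants are being cut down by its mask.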

Always check the options of utilities like cp and tar to see whether they preserve ACL's; a copy or archive can silently drop them.