Linux Permissions 101 — Part III

Harsha Nanayakkara
4 min read · Mar 11, 2023

Controlling access to files with Access Control Lists (ACLs)

Today we will have a look at ACL permissions. This is the final article of the Linux Permissions 101 series. Please read the previous articles for more details on permissions.

Why ACLs?

Linux Access Control Lists (ACLs) provide a more granular level of access control to files and directories than the traditional Unix-style file permissions. Standard file permissions on Linux systems allow the owner, group, and others to be granted read, write, or execute access to a file or directory. However, these permissions can only be set for the owner, group, and others, and cannot be further customized to grant access to specific users or groups.

In contrast, Linux ACLs allow administrators to set more fine-grained permissions for individual users or groups, beyond the owner, group, and others. For example, an administrator could grant read access to a file to a specific user (who is not the owner or doesn’t belong to the group), while denying that access to all others.

However, it’s important to note that Linux ACLs are not a replacement for standard file permissions. Rather, they provide additional control over access to files and directories. Standard file permissions should still be used to set basic access permissions, and ACLs should be used to grant more specific access rights to individual users or groups.

View ACL Permissions — getfacl command

The following command (getfacl) shows the current permissions and ACLs for the test.txt file:

[student@ ~]$ getfacl test.txt
# file: test.txt
# owner: student
# group: controller
user::rw-
user:thomas:rwx
user:james:---
group::r--
group:sodor:rw-
mask::rwx
other::r--

The first three lines are comments that identify the file name, the owner (student) and the group owner (controller). If additional flags have been set (such as setuid or setgid), a fourth comment line appears showing those flags as well.

user::rw- denotes the file owner's (student) permissions. user:thomas:rwx and user:james:--- are named user permissions. Similarly, group::r-- denotes the group owner's (controller) permissions, and group:sodor:rw- is a named group permission. mask::rwx shows the maximum permissions possible for all named users, the group owner and named groups. other::r-- denotes the permissions for everyone else.

The above example shows how to view file ACL permissions. The same method is used to view directory ACL permissions as well.

How to Manage ACL Permissions — setfacl command

  • Assign / modify ACL permissions for a u[ser] named Michael:
    setfacl -m u:michael:rwx /home/examprep/answers
  • Assign / modify ACL permissions for a g[roup] named teachers:
    setfacl -m g:teachers:r /home/examprep/answers
  • Apply ACLs to all the files in a directory recursively for the user named Michael:
    setfacl -R -m u:michael:rx /home/examprep
  • Remove a specific ACL entry. This deletes the previously set rwx permissions from user Michael:
    setfacl -x u:michael /home/examprep/answers
  • Similar to the above command, we can use the following to remove all permissions from user Michael:
    setfacl -x u:michael:- /home/examprep/answers
  • Remove all ACL entries on a file:
    setfacl -b /home/examprep/answers

Default ACLs

On directories, one or more default ACLs can be configured. The concept of a default ACL is similar to a regular ACL entry, with the difference that a default ACL has no effect on the current directory permissions; instead, it is inherited by the files created within the directory.

Example: if we want all new files and directories in /home/examprep/ to inherit an ACL that grants read and execute permissions to user Michael, it can be achieved through the following command (the -d flag selects the default ACL):

setfacl -d -m u:michael:rx /home/examprep

ACLs and Masks

The ACL mask is different from the file creation mask (umask). It is associated with an ACL to limit the permissions available on a file for named users and groups, and for the group owner. The maximum mask value is rwx, which means there are no limits. We can set the mask using the following command:

setfacl -m m:rw /home/examprep/answers

The ACL mask is updated every time you run a setfacl command, unless you pass the -n flag to tell setfacl not to update the mask:

setfacl -n -m u:michael:rwx /home/examprep/answers

[student@ ~]$ getfacl test.txt
# file: test.txt
# owner: student
# group: controller
user::rw-
user:thomas:rwx #effective:rw-
user:james:---
group::r--
group:sodor:rw-
mask::rw-
other::r--

The ACL mask caps the effective permissions: any named user, named group or group owner entry whose permissions exceed the ACL mask is limited to what the mask allows.

Although user Thomas has been given rwx permissions, because of the mask value his effective permissions are rw-.
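To make the mask rule concrete, the following shell script (an added example, not from the original article) reimplements the logic behind getfacl's #effective annotation: it intersects each named user, named group and group owner entry with the mask and flags the entries the mask cuts down. The listing it parses is a constructed copy of the getfacl output above, so it runs without setfacl or an ACL-enabled filesystem.

```sh
#!/bin/sh
# Constructed sample listing, same entries as the getfacl output above (mask rw-)
SAMPLE_ACL='# file: test.txt
# owner: student
# group: controller
user::rw-
user:thomas:rwx
user:james:---
group::r--
group:sodor:rw-
mask::rw-
other::r--'

# effective_perms PERMS MASK -> PERMS with every bit not present in MASK cleared
# e.g. effective_perms rwx rw- prints rw-
effective_perms() {
  p=$1; m=$2; out=""; i=1
  while [ "$i" -le 3 ]; do
    pc=$(printf '%s' "$p" | cut -c"$i")
    mc=$(printf '%s' "$m" | cut -c"$i")
    # a bit survives only if both the entry and the mask grant it
    if [ "$pc" = "$mc" ] && [ "$pc" != "-" ]; then out="$out$pc"; else out="$out-"; fi
    i=$((i + 1))
  done
  printf '%s\n' "$out"
}

# annotate_acl LISTING -> the listing with "#effective:" appended to every
# entry that the mask restricts (the same entries getfacl annotates)
annotate_acl() {
  acl=$1
  mask=$(printf '%s\n' "$acl" | sed -n 's/^mask::\(...\)$/\1/p')
  printf '%s\n' "$acl" | while IFS= read -r line; do
    case $line in
      # named users, named groups and the group owner are subject to the mask;
      # the owner (user::), mask:: and other:: entries are not
      user:?*:*|group:?*:*|group::*)
        perms=${line##*:}
        eff=$(effective_perms "$perms" "$mask")
        if [ "$eff" != "$perms" ]; then
          printf '%s\t\t#effective:%s\n' "$line" "$eff"
        else
          printf '%s\n' "$line"
        fi ;;
      *) printf '%s\n' "$line" ;;
    esac
  done
}

annotate_acl "$SAMPLE_ACL"
```

Only user:thomas:rwx is annotated, because the other masked entries (james, the group owner and sodor) already fit within rw-.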

Conclusion

We have covered the Access Control Lists (ACLs) in Linux. This concludes the article series on permissions. I sincerely hope this article will be helpful. I highly value your feedback and support!

Thank you for reading and stay safe!
