Access Control Lists
Access control list (ACL) provides an additional, more flexible permission mechanism for file systems. It is designed to assist with UNIX file permissions. ACL allows you to give permissions for any user or group to any disk resource.
The systemd, it should already be installed.package is a dependency of
To enable ACL, the filesystem must be mounted with the
acl option. You can use fstab to make it permanent on your system.
There is a possibility that the
acl option is already active as default mount option on the filesystem. Btrfs does and Ext2/3/4 filesystems do too. Use the following command to check ext* formatted partitions for the option:
# tune2fs -l /dev/sdXY | grep "Default mount options:"
Default mount options: user_xattr acl
Also check that the default mount option is not overridden, in such case you will see
/proc/mounts in the relevant line.
You can set the default mount options of a filesystem using the
tune2fs -o option partition command, for example:
# tune2fs -o acl /dev/sdXY
Using the default mount options instead of an entry in
/etc/fstab is very useful for external drives, such partition will be mounted with
acl option also on other Linux machines. There is no need to edit
/etc/fstab on every machine.
aclis specified as default mount option when creating an ext2/3/4 filesystem. This is configured in
- The default mount options are not listed in
The ACL can be modified using the setfacl command.
To set permissions for a user (
user is either the user name or ID):
# setfacl -m "u:user:permissions" <file/dir>
To set permissions for a group (
group is either the group name or ID):
# setfacl -m "g:group:permissions" <file/dir>
To set permissions for others:
# setfacl -m "other:permissions" <file/dir>
To allow all newly created files or directories to inherit entries from the parent directory (this will not affect files which will be copied into the directory):
# setfacl -dm "entry" <dir>
To remove a specific entry:
# setfacl -x "entry" <file/dir>
To remove the default entries:
# setfacl -k <file/dir>
To remove all entries (entries of the owner, group and others are retained):
# setfacl -b <file/dir>
--maskentry was explicitly given. The mask entry is set to the union of all permissions of the owning group, and all named user and group entries (These are exactly the entries affected by the mask entry).
To show permissions, use:
# getfacl <file/dir>
Set all permissions for user
johnny to file named
# setfacl -m "u:johnny:rwx" abc
# getfacl abc
# file: abc # owner: someone # group: someone user::rw- user:johnny:rwx group::r-- mask::rwx other::r--
Change permissions for user
# setfacl -m "u:johnny:r-x" abc
# getfacl abc
# file: abc # owner: someone # group: someone user::rw- user:johnny:r-x group::r-- mask::r-x other::r--
Remove all extended ACL entries:
# setfacl -b abc
# getfacl abc
# file: abc # owner: someone # group: someone user::rw- group::r-- other::r--
Output of ls command
You will notice that there is an ACL for a given file because it will exhibit a
+ (plus sign) after its Unix permissions in the output of
$ ls -l /dev/audio
crw-rw----+ 1 root audio 14, 4 nov. 9 12:49 /dev/audio
$ getfacl /dev/audio
getfacl: Removing leading '/' from absolute path names # file: dev/audio # owner: root # group: audio user::rw- user:solstice:rw- group::rw- mask::rw- other::---
Granting execution permissions for private files to a web server
The following technique describes how a process like a web server can be granted access to files that reside in a user's home directory, without compromising security by giving the whole world access.
In the following we assume that the web server runs as the user
http and grant it access to
geoffrey's home directory
The first step is granting execution permissions for the user
# setfacl -m "u:http:--x" /home/geoffrey
Since the user
http is now able to access files in
/home/geoffrey, others no longer need access:
# chmod o-rx /home/geoffrey
getfacl to verify the changes:
$ getfacl /home/geoffrey
getfacl: Removing leading '/' from absolute path names # file: home/geoffrey # owner: geoffrey # group: geoffrey user::rwx user:http:--x group::r-x mask::r-x other::---
As the above output shows,
other's no longer have any permissions, but the user
http is still able to access the files, thus security might be considered increased.
httpon specific directories and/or files:
# setfacl -dm "u:http:rwx" /home/geoffrey/project1/cache
- An old but still relevant (and thorough) guide to ACL
- How to set default file permissions for all folders/files in a directory?