Access Control Lists

This is a document telling how to use acl’s under linux.

ACLs are used for more finegrained permissions than standard unix permissions, which limits you to read, write and execute for user, group and others. with acl you can specify a unlimited number of permissions, giving some users readonly access, some groups read/write access or whatever you desire, which is pretty cool, another feature which posix acls bring is the ability to set default acl’s, which will then be applied to all new files or directories created within the directory having the default acl scheme

First, to be able to use acl, there are a few system requirements that must be satisfied:

• You must use a filsystem which supports posix acl
• Your filsystem must be mounted with the acl options
• Coreutils must be compiled with acl support
• You need to have the acl package installed

To use acl’s we need the two commands from the acl package, ‘getfacl’ and especially ‘setfacl’. getfacl lets you see the ACLs present on a directory/file, and setfacl enables you to add acl entries

The setfacl command can be run with a large variety of options, here is a list of the ones worth mentioning, which this howto will explain

The getfacl command can be run without any parameters, but i find it nice to run with –omit-headers.

It is possible to use getfacl to backup the acl’s for a file/dir, or recursively through a dir, and then use setfacl to restore it.

• Backup acl for a file: getfacl <file> > backup.acl
• Backup acl recursively for a dir: getfacl -R <dir> > backup.acl
• Restore acl backup via the restore feature: setfacl –restore=backup.acl

This is an example of applying normal acls, default acls, and using getfacl to observe acls, plus backing up and restoring

redeeman@redeeman /mnt/ACLTest $ mkdir testdir
redeeman@redeeman /mnt/ACLTest $ setfacl -m u:guest:rw,g:vfat:r-x testdir
redeeman@redeeman /mnt/ACLTest $ setfacl -d -m g:vfat:rw- testdir
redeeman@redeeman /mnt/ACLTest $ echo "test" > testdir/testfile
redeeman@redeeman /mnt/ACLTest $ getfacl -R testdir > backup.acl
redeeman@redeeman /mnt/ACLTest $ rm -fr testdir ; mkdir testdir ; echo "test" > testdir/testfile
redeeman@redeeman /mnt/ACLTest $ setfacl --restore=backup.acl
redeeman@redeeman /mnt/ACLTest $ getfacl --omit-header testdir
user::rwx
user:guest:rw-
group::r-x
group:vfat:r-x
mask::rwx
other::r-x
default:user::rwx
default:group::r-x
default:group:vfat:rw-
default:mask::rwx
default:other::r-x
redeeman@redeeman /mnt/ACLTest $ getfacl --omit-header testdir/testfile
user::rw-
group::r-x                      #effective:r--
group:vfat:rw-
mask::rw-
other::r--

• When creating a dir/file inside a dir with a default acl scheme, the file/dir’s standard unix permissions are not affected, the default acl’s will simply be applied
• When copying something to a dir which has a default acl scheme, if existing, all previous acl entries will be erased, and the default acl will be applied
• The mask entry in the acl controls what permissions acl are allowed to set, as standard it is generated from the range the group entries contains
• When Adding entries, one needs to specify permissions(rwx), when removing, one must not specify permissions
• One can manipulate more than one acl entry with one setfacl command, they are seperated with ‘,’

Andreas Grünbacher's paper on Access Control Lists