ACLs are used for more finegrained permissions than standard unix permissions, which limits you to read, write and execute for user, group and others. with acl you can specify a unlimited number of permissions, giving some users readonly access, some groups read/write access or whatever you desire, which is pretty cool, another feature which posix acls bring is the ability to set default acl’s, which will then be applied to all new files or directories created within the directory having the default acl scheme

Getting ACL Enabled

First, to be able to use acl, there are a few system requirements that must be satisfied:

You must use a filsystem which supports posix acl
Your filsystem must be mounted with the acl options
Coreutils must be compiled with acl support
You need to have the acl package installed

Managing ACLs

To use acl’s we need the two commands from the acl package, ‘getfacl’ and especially ‘setfacl’. getfacl lets you see the ACLs present on a directory/file, and setfacl enables you to add acl entries

Editing ACLs

The setfacl command can be run with a large variety of options, here is a list of the ones worth mentioning, which this howto will explain

Option	Description	Example	Result
-b	Removes all acl entries	setfacl -b <file/dir>	All acl entries removed from <file/dir>
-k	Removes the default acl entries	setfacl -k <dir>	All default acl entries removed from <dir>
-n	Dont recalculate the effective rights mask	setfacl -n -m -u:root:rw- <file>	<file> gets a acl with root able to read/write, mask aint calculated
-d	Does the actions to the default acl	setfacl -d -m -u:root:rwX <dir>	<dir> gets a default acl entry saying new files get user:root, rw, dirs get user:root, rwx
-R	Do stuff recursively	setfacl -R -m -g:users:r-x <dir>	All subdirs of <dir> gets a entry saying group users gets read/execute
-x	Remove entry	setfacl -x -m -g:admin <file>	The group entry admin gets removed from <file>

Listing ACLs

The getfacl command can be run without any parameters, but i find it nice to run with –omit-headers.

Backup/Restore

It is possible to use getfacl to backup the acl’s for a file/dir, or recursively through a dir, and then use setfacl to restore it.

Backup acl for a file: getfacl <file> > backup.acl
Backup acl recursively for a dir: getfacl -R <dir> > backup.acl
Restore acl backup via the restore feature: setfacl –restore=backup.acl

Example

This is an example of applying normal acls, default acls, and using getfacl to observe acls, plus backing up and restoring

redeeman@redeeman /mnt/ACLTest $ mkdir testdir
redeeman@redeeman /mnt/ACLTest $ setfacl -m u:guest:rw,g:vfat:r-x testdir
redeeman@redeeman /mnt/ACLTest $ setfacl -d -m g:vfat:rw- testdir
redeeman@redeeman /mnt/ACLTest $ echo "test" > testdir/testfile
redeeman@redeeman /mnt/ACLTest $ getfacl -R testdir > backup.acl
redeeman@redeeman /mnt/ACLTest $ rm -fr testdir ; mkdir testdir ; echo "test" > testdir/testfile
redeeman@redeeman /mnt/ACLTest $ setfacl --restore=backup.acl
redeeman@redeeman /mnt/ACLTest $ getfacl --omit-header testdir
user::rwx
user:guest:rw-
group::r-x
group:vfat:r-x
mask::rwx
other::r-x
default:user::rwx
default:group::r-x
default:group:vfat:rw-
default:mask::rwx
default:other::r-x
redeeman@redeeman /mnt/ACLTest $ getfacl --omit-header testdir/testfile
user::rw-
group::r-x                      #effective:r--
group:vfat:rw-
mask::rw-
other::r--

A few notes

When creating a dir/file inside a dir with a default acl scheme, the file/dir’s standard unix permissions are not affected, the default acl’s will simply be applied
When copying something to a dir which has a default acl scheme, if existing, all previous acl entries will be erased, and the default acl will be applied
The mask entry in the acl controls what permissions acl are allowed to set, as standard it is generated from the range the group entries contains
When Adding entries, one needs to specify permissions(rwx), when removing, one must not specify permissions
One can manipulate more than one acl entry with one setfacl command, they are seperated with ‘,’

Access Control Lists

What can ACLs be used for?