Access control list (ACL) provides an additional, more flexible permission mechanism for file systems. It is designed to assist with UNIX file permissions. ACL allows you to give permissions for any user or group to any disc resource.
There are two types of ACLs:
1- Access ACL
2- Default ACL
What is Access ACL?
Access ACL used for a specific file or a directory.
What is Default Access Control List?
Default ACL can only be applied to a directory. If files/folders placed under that directory, do not have a ACL set, they inherit the default ACL of their parent directory.
ACLs can be configured per user, per group, or per user not in the owning group of a file and also can be configured using UMASK.
Permissions must be defined in characters r,w and x in ACLs.
ACLs are set and removed using setfacl, with either the -m or -x options, respectively.
1- Configure Access ACL:
Set acl on a folder for users.
First of all create two users “ali” and “ahmed”
Then, create a test directory which will use for ACL.
Then, set Access ACL on that directory
setfacl -R -m u:ali:rwx testdir
setfacl -R -m u:ahmed:r-x testdir
Setfacl Command to set ACL
-R Recursively for directory.
-m To add or modify acl.
u Used for user.
rwx Permissions read, write and execute.
Next, run the following command:
Now we will see a plus (+) sign along with permissions section of testdir folder. It identifies that ACL is set on that file/folder.
List configured ACL
Command to see configured ACLs is getfacl
Now user ali has full permissions on testdir he can create, modify files/folder in testdir.
But user Ahmed has limited permissions on testdir he cannot create files/folder in testdir.
Set ACL on a folder for a group
First create a group “hr” then, create new directory.
So, set ACL on created directory.
setfacl -R -m g:hr:rwx newdir
g It is used to set ACL on group
Now all the member of “hr” group will have rwx permissions on newdir folder.
Set ACL on a folder for a group and a user
Always remember users have high priority then groups in ACL.
So, create a group “account“
Then, create two users and assign them “account” group
useradd amir -g account
useradd ihsan -g account
Now, create a test folder, set ACL for “account” group and “ihsan” user
setfacl -R -m g:account:rwx test
setfacl -R -m u:ihsan:r-x test
In above scenario both users amir and ihsan are member of account group. but user ihsan is also have separate acl for it. (It means user ihsan acl has high priority over group acl)
amir has full access on test folder, e.g. he can make files/folders in that folder.
But ihsan cannot create files/folders in test folder because he do not has full w(write) permission.
Set ACL for others
we will set it on test folder
let say a user obaid is other user. It means he is not the owner nor the member of that “test” folder’s group.
setfacl -R -m o:r-x test
Now user obaid has read and execute permissions on test folder. It means it can read all files folders under test folder.
Assign full permissions to user “obaid”
setfacl -R -m o:rwx test
Now user obaid has full permissions on test folder. It means it can read, write, modify files folders under test folder.
Remove all Permission from user “obaid”
setfacl -R -m o:--- test
Now user obaid has no permissions on test folder. It means it cannot go to test folder.
Remove single/desired ACL from a file/folder
Now, we will remove ACL of user ali from testdir folder
setfacl -R -x u:ali test
x it is used to remove ACL
Remove all the ACLs from a file/folder
Then, we will remove ACLS from test folder
setfacl -R -b test
The –b option is used to remove all ACLs
2- Configure Default ACL
The default ACL is a specific type of permissions assigned to a directory, default ACL does not change the permissions of the directory itself, but specified permission in that ACL will set by default on all the folders which will be created inside of it for the specified user, group and other users. We can say the default ACL permissions on parent directory inherit by sub-directories.
So, we will set default ACL for user ahmed
setfacl -m d:u:ahmed:rx testdir1
The d it is used to set default ACL
Now each directory created under test directory will have default permission of rx for user ahmed.
Now we will set default ACL for group hr
setfacl -m d:g:hr:rwx testdir1
We will set default ACL for other
setfacl -m d:o:--- testdir1
That’ it, now you have briefly learned about Linux ACLs.
So, share this post and join our Telegram Channel.