34.2 C
Muhammad Nabeel
Network and System Administrator

How to Use Access Control List (ACL) in Linux

Access control list (ACL) provides an additional, more flexible permission mechanism for file systems. It is designed to assist with UNIX file permissions. ACL allows you to give permissions for any user or group to any disc resource.

There are two types of ACLs:
1- Access ACL
2- Default ACL

What is Access ACL?

Access ACL used for a specific file or a directory.

What is Default Access Control List?

Default ACL can only be applied to a directory. If files/folders placed under that directory, do not have a ACL set, they inherit the default ACL of their parent directory.

- Advertisement -

ACLs can be configured per user, per group, or per user not in the owning group of a file and also can be configured using UMASK.

Permissions must be defined in characters r,w and x in ACLs.
ACLs are set and removed using setfacl, with either the -m or -x options, respectively.

1- Configure Access ACL:

Set acl on a folder for users.

First of all create two users “ali” and “ahmed”

useradd ali
useradd ahmed

Then, create a test directory which will use for ACL.

mkdir testdir
ls -lh

Then, set Access ACL on that directory

setfacl -R  -m u:ali:rwx    testdir
setfacl -R -m u:ahmed:r-x testdir

Setfacl Command to set ACL
-R Recursively for directory.
-m To add or modify acl.
u Used for user.
rwx Permissions read, write and execute.

Next, run the following command:

ls -lh

Now we will see a plus (+) sign along with permissions section of testdir folder. It identifies that ACL is set on that file/folder.

List configured ACL

Command to see configured ACLs is getfacl

getfacl testdir

Now user ali has full permissions on testdir he can create, modify files/folder in testdir.
But user Ahmed has limited permissions on testdir he cannot create files/folder in testdir.

Set ACL on a folder for a group

First create a group “hr” then, create new directory.

groupadd hr
mkdir newdir
ls -lh

So, set ACL on created directory.

setfacl -R  -m g:hr:rwx   newdir

g It is used to set ACL on group

Now all the member of “hr” group will have rwx permissions on newdir folder.

getfacl newdir

Set ACL on a folder for a group and a user

Always remember users have high priority then groups in ACL.

So, create a group “account

groupadd account

Then, create two users and assign them “account” group

useradd amir -g account
useradd ihsan -g account

Now, create a test folder, set ACL for “account” group and “ihsan” user

mkdir test
ls -lh
setfacl -R -m g:account:rwx test
setfacl -R -m u:ihsan:r-x test
getfacl test

In above scenario both users amir and ihsan are member of account group. but user ihsan is also have separate acl for it. (It means user ihsan acl has high priority over group acl)
amir has full access on test folder, e.g. he can make files/folders in that folder.
But ihsan cannot create files/folders in test folder because he do not has full w(write) permission.

Set ACL for others

we will set it on test folder
let say a user obaid is other user. It means he is not the owner nor the member of that “test” folder’s group.

useradd obaid
setfacl -R -m o:r-x test
getfacl test

Now user obaid has read and execute permissions on test folder. It means it can read all files folders under test folder.

Assign full permissions to user “obaid”

setfacl -R  -m o:rwx   test
getfacl test

Now user obaid has full permissions on test folder. It means it can read, write, modify files folders under test folder.

Remove all Permission from user “obaid”

setfacl -R  -m o:---   test
getfacl test

Now user obaid has no permissions on test folder. It means it cannot go to test folder.

Remove single/desired ACL from a file/folder

Now, we will remove ACL of user ali from testdir folder

setfacl -R  -x u:ali   test
getfacl test

x it is used to remove ACL

Remove all the ACLs from a file/folder

Then, we will remove ACLS from test folder

setfacl -R  -b   test
getfacl test

The –b option is used to remove all ACLs

2- Configure Default ACL

The default ACL is a specific type of permissions assigned to a directory, default ACL does not change the permissions of the directory itself, but specified permission in that ACL will set by default on all the folders which will be created inside of it for the specified user, group and other users. We can say the default ACL permissions on parent directory inherit by sub-directories.

So, we will set default ACL for user ahmed

useradd ahmed
mkdir testdir1
setfacl -m d:u:ahmed:rx testdir1
getfacl testdir1

The d it is used to set default ACL

Now each directory created under test directory will have default permission of rx for user ahmed.

Now we will set default ACL for group hr

setfacl -m   d:g:hr:rwx    testdir1
getfacl testdir

We will set default ACL for other

setfacl -m   d:o:---    testdir1
getfacl testdir1

That’ it, now you have briefly learned about Linux ACLs.

So, share this post and join our Telegram Channel.

- Advertisement -
Everything Linux, A.I, IT News, DataOps, Open Source and more delivered right to you.
"The best Linux newsletter on the web"


Please enter your comment!
Please enter your name here

Latest article