ACLs: Access Control Lists


Access Control Lists (ACLs) provide finer-grained control over which users can access specific directories and files than traditional Linux permissions do (page 180). Using ACLs you can specify, for each of several users and groups, how that user or group can access a directory or file. Because ACL lookups add some overhead, do not enable them on filesystems that hold only system files, where the traditional Linux permissions are sufficient. Also be careful when moving, copying, or archiving files: not all utilities preserve ACLs, and you cannot copy ACLs to a filesystem that does not support them.

Caution: Most utilities do not preserve ACLs

When used with the -p (preserve) or -a (archive) option, cp preserves ACLs when it copies files. Another utility supplied with Red Hat Linux that preserves ACLs is mv. When cp -p or cp -a is unable to copy ACLs, or mv is unable to preserve them, the utility still performs the operation but issues an error message:

$ mv report /tmp
mv: preserving permissions for '/tmp/report': Operation not supported


Other utilities, such as cpio and dump, do not support ACLs, and neither do older versions of tar (current GNU tar can store and restore them with its --acls option, as rsync can with -A). You can use cp -a to copy directory hierarchies, including ACLs. Whatever tool you use, run getfacl on the copy afterward to confirm the rules survived; a silently dropped ACL is a common way for an intentionally restricted file to end up readable by more users than intended.

You can never copy ACLs to a filesystem that does not support ACLs or to a filesystem that does not have ACL support turned on.


An ACL comprises a set of rules (the documentation calls them entries). A rule specifies how a specific user or group can access the file the ACL is associated with. There are two kinds of rules: access rules and default rules. (The documentation refers to access ACLs and default ACLs, although there is only one kind of list; it is the rules in the list that come in two kinds.)

An access rule specifies access information for a single file or directory. A default rule pertains to a directory only: default rules are copied into the ACL of each file or subdirectory created in that directory (a subdirectory also inherits them as its own default rules), so they determine the initial ACL of objects that are not explicitly given one.

Enabling ACLs

Red Hat Linux officially supports ACLs on ext2 and ext3 filesystems only, although informal support for ACLs is available on other filesystems. To use ACLs on an ext2 or ext3 filesystem, you must mount the device with the acl option (noacl is the default). On current systems ext4 enables acl as a superblock default mount option (tune2fs -l device lists it under "Default mount options") and XFS always supports ACLs, so the explicit option matters mainly for older ext2/ext3 filesystems. For example, if you want to mount the device represented by /home so that you can use ACLs on files in /home, you can add acl to its options list in /etc/fstab:

$ grep home /etc/fstab
LABEL=/home            /home        ext3         defaults,acl     1 2


After changing fstab, you must remount /home before you can use ACLs. If no one else is using the system, you can (working with root privileges) unmount it and mount it again, as long as your working directory is not in the /home hierarchy. Alternatively, use the remount option of mount to remount /home while the device is in use:

# mount -v -o remount /home
/dev/hda3 on /home type ext3 (rw,acl)


See page 469 for information on fstab and page 466 for information on mount.

Working with Access Rules

The setfacl utility modifies a file's ACL and the getfacl utility displays a file's ACL. When you use getfacl to obtain information about a file that does not have an ACL, it displays the same information as an ls -l command, albeit in a different format:

$ ls -l report
-rw-r--r--  1 max max 9537 Jan 12 23:17 report
$ getfacl report
# file: report
# owner: max
# group: max
user::rw-
group::r--
other::r--


The first three lines of the getfacl output are called the header; they specify the name of the file, the owner of the file, and the group the file is associated with. For more information refer to "ls -l: Displays Permissions" on page 181. The --omit-header (or just --omit) option causes getfacl not to display the header:

$ getfacl --omit-header report
user::rw-
group::r--
other::r--


In the line that starts with user, the two colons (::) with no name between them indicate that the line specifies the permissions for the owner of the file. Similarly, the two colons in the group line indicate that the line specifies permissions for the group the file is associated with. The two colons following other are there for consistency: No name can be associated with other.

The setfacl --modify (or -m) option adds or modifies one or more rules in a file's ACL using the following format:


setfacl --modify ugo:name:permissions file-list

where ugo can be u, g, or o to indicate that the command sets permissions for a user, a group, or all other users, respectively; name is the name (or numeric ID) of the user or group that permissions are being set for; permissions is the permissions in either symbolic or absolute format; and file-list is the list of files that the permissions are to be applied to. You must omit name when you specify permissions for other users (o). If you omit name with u or g (for example, u::rw-), the rule applies to the owner of the file or to the group the file is associated with, the user:: and group:: lines in getfacl output. Symbolic permissions use letters to represent file permissions (rwx, r-x, and so on), whereas absolute permissions use a single octal digit. While chmod uses three sets of permissions or three octal digits (one each for the owner, group, and other users), setfacl uses a single set of permissions or a single octal digit to represent the permissions being granted to the user or group represented by ugo and name.

For example, both of the following commands add a rule to the ACL for the report file that gives Sam read and write permission to that file:

$ setfacl --modify u:sam:rw- report


or

$ setfacl --modify u:sam:6 report
$ getfacl report
# file: report
# owner: max
# group: max
user::rw-
user:sam:rw-
group::r--
mask::rw-
other::r--


The line containing user:sam:rw- shows that the user named sam has read and write access (rw-) to the file. See page 181 for an explanation of how to read symbolic access permissions. See the following optional section for a description of the line that starts with mask, which setfacl added automatically.

When a file has an extended ACL (any rule beyond the three traditional ones, a leftover mask rule included), ls -l displays a plus sign (+) following the permissions:

$ ls -l report
-rw-rw-r--+ 1 max max 9537 Jan 12 23:17 report


Optional: Effective Rights Mask

The line that starts with mask specifies the effective rights mask. This mask limits the effective permissions granted to named users, named groups, and the group the file is associated with (together called the group class); it does not affect the owner of the file or other users. Once a mask exists, ls -l shows the mask rather than the owning group's rule in the group position, and chmod on the group bits changes the mask, not the group rule. Because setfacl recalculates the mask to the union of all group-class rules each time it modifies an ACL (unless you give it the -n or --no-mask option), the mask has no effect unless you set it explicitly after you set up the ACL for the file. You can set the mask by specifying mask in place of ugo and not specifying a name in a setfacl command.

The following example sets the effective rights mask to read for the report file:

$ setfacl -m mask::r-- report


The mask line in the following getfacl output shows the effective rights mask set to read (r). The line that displays Sam's file access permissions shows them still set to read and write. However, the comment at the right end of the line shows that his effective permission is read.

$ getfacl report
# file: report
# owner: max
# group: max
user::rw-
user:sam:rw-              #effective:r--
group::r--
mask::r--
other::r--



As the next example shows, setfacl can modify ACL rules and can set more than one ACL rule at a time:

$ setfacl -m u:sam:r--,u:zach:rw- report
$ getfacl --omit-header report
user::rw-
user:sam:r--
user:zach:rw-
group::r--
mask::rw-
other::r--


The -x (--remove) option removes ACL rules for a user or a group. It has no effect on permissions for the owner of the file or the group that the file is associated with. The next example shows setfacl removing the rule that gives Sam permission to access the file:

$ setfacl -x u:sam report
$ getfacl --omit-header report
user::rw-
user:zach:rw-
group::r--
mask::rw-
other::r--


You must not specify permissions when you use the -x option. Instead, specify only the ugo and name. The -b (--remove-all) option, followed by a filename only, removes all extended rules (the mask included) from the file or directory you specify, leaving only the traditional permissions, so the + disappears from ls -l output.

Both setfacl and getfacl have many options. Use the --help option to display brief lists of options or refer to the man pages for details.

Setting Default Rules for a Directory

The following example shows that the dir directory initially has no ACL. The setfacl command uses the -d (--default) option to add two default rules to the ACL for dir. These rules are copied into the ACL of every file and subdirectory subsequently created in dir. The rules give members of the pubs group read and execute permissions and give members of the admin group read, write, and execute permissions.

$ ls -ld dir
drwx------ 2 max max 4096 Feb 12 23:15 dir
$ getfacl dir
# file: dir
# owner: max
# group: max
user::rwx
group::---
other::---
$ setfacl -d -m g:pubs:r-x,g:admin:rwx dir


The following ls command shows that the dir directory now has an ACL, as indicated by the + to the right of the permissions. Each of the default rules that getfacl displays starts with default:. The first two default rules and the last default rule specify the permissions for the owner of the file, the group that the file is associated with, and all other users. These three rules mirror the traditional Linux permissions; when a process is checked against an ACL, the owner rule is tried first, then named-user rules, then the owning-group and named-group rules, and the other rule applies only when none of the earlier ones match. The third and fourth rules specify the permissions for the pubs and admin groups. Next is the default effective rights mask, which setfacl added automatically.

$ ls -ld dir
drwx------+ 2 max max 4096 Feb 12 23:15 dir
$ getfacl dir
# file: dir
# owner: max
# group: max
user::rwx
group::---
other::---
default:user::rwx
default:group::---
default:group:pubs:r-x
default:group:admin:rwx
default:mask::rwx
default:other::---


Remember that the default rules pertain to files created in the directory after the rules are set; they are not applied retroactively to files that already exist there, and you can change any file's ACL afterward. You can also specify access rules for the directory itself.

When you create a file within a directory that has default rules in its ACL, the effective rights mask for that file comes from the permissions the creating program requests, not from the umask. In some cases the mask may override default ACL rules.

In the next example, touch creates a file named new in the dir directory. The ls command shows that this file has an ACL. Because dir has a default ACL, the umask (page 420) is not applied; instead each class of the mode that touch requests (0666) is ANDed with the corresponding default rule. The owner therefore gets read and write permission, the effective rights mask becomes read and write, and other users get nothing. The owning-group rule (---) and the pubs and admin rules are copied unchanged, and the mask limits their effective permissions to read for pubs and read and write for admin. Neither group has execute permission.

$ cd dir
$ touch new
$ ls -l new
-rw-rw----+ 1 max max 0 Feb 13 00:39 new
$ getfacl --omit new
user::rw-
group::---
group:pubs:r-x                #effective:r--
group:admin:rwx               #effective:rw-
mask::rw-
other::---


If you change the file's traditional permissions to read, write, and execute for the owner and the group (chmod 770), the group bits set the effective rights mask to read, write, and execute, and the groups specified by the default rules gain execute access to the file.

$ chmod 770 new
$ ls -l new
-rwxrwx---+ 1 max max 0 Feb 13 00:39 new
$ getfacl --omit new
user::rwx
group::---
group:pubs:r-x
group:admin:rwx
mask::rwx
other::---
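The following script is an added example, not part of the book, that models in plain sh the two rules illustrated above so they can be checked on a machine without an ACL-enabled filesystem: the effective rights mask (the #effective: annotation from the "Optional: Effective Rights Mask" section) and the way a new file inherits a directory's default rules (the touch new listing), following the object-creation rule in acl(5). The getfacl listings it works on are constructed to match the report and dir examples; the function names perm_and, octal_to_sym, effective_rights and new_object_acl are chosen here and are not part of any tool.

```shell
#!/bin/sh
# Added example (not from the book): a pure-shell model of two ACL rules.
#   effective_rights: what getfacl's "#effective:" comment reports, i.e. each
#     named user, named group and owning-group entry ANDed with mask::.
#   new_object_acl: the acl(5) rule for objects created in a directory with a
#     default ACL: the umask is ignored; the creating call's mode masks the
#     default user::, mask:: (group:: if no mask exists) and other:: entries,
#     and every other default entry is copied verbatim.

# perm_and A B: bitwise AND of two symbolic rwx strings, e.g. rwx & rw- = rw-
perm_and() {
    _r=""; _i=1
    while [ "$_i" -le 3 ]; do
        _a=$(printf '%s' "$1" | cut -c"$_i")
        _b=$(printf '%s' "$2" | cut -c"$_i")
        if [ "$_a" = "$_b" ]; then _r="$_r$_a"; else _r="$_r-"; fi
        _i=$((_i + 1))
    done
    printf '%s' "$_r"
}

# octal_to_sym D: one octal digit -> rwx string (6 -> rw-, 7 -> rwx, 0 -> ---)
octal_to_sym() {
    _s=""
    if [ $(($1 & 4)) -ne 0 ]; then _s="${_s}r"; else _s="${_s}-"; fi
    if [ $(($1 & 2)) -ne 0 ]; then _s="${_s}w"; else _s="${_s}-"; fi
    if [ $(($1 & 1)) -ne 0 ]; then _s="${_s}x"; else _s="${_s}-"; fi
    printf '%s' "$_s"
}

# effective_rights LISTING: echo the ACL (no header), appending "#effective:"
# to group-class entries whose permissions exceed the mask.
effective_rights() {
    _mask=$(printf '%s\n' "$1" | sed -n 's/^mask::\(...\)$/\1/p')
    printf '%s\n' "$1" | while IFS= read -r _l; do
        case "$_l" in
            user:?*:*|group:*)   # named user, named group, or owning group
                _p=${_l##*:}
                if [ -n "$_mask" ] && [ "$(perm_and "$_p" "$_mask")" != "$_p" ]; then
                    printf '%-30s#effective:%s\n' "$_l" "$(perm_and "$_p" "$_mask")"
                    continue
                fi ;;
        esac
        printf '%s\n' "$_l"
    done
}

# new_object_acl MODE DEFAULT_ENTRIES: MODE is the octal mode the creating
# call passes (touch/open use 666, mkdir 777); DEFAULT_ENTRIES are the
# directory's default rules with the "default:" prefix stripped.
new_object_acl() {
    _u=$(octal_to_sym "$(printf '%s' "$1" | cut -c1)")
    _g=$(octal_to_sym "$(printf '%s' "$1" | cut -c2)")
    _o=$(octal_to_sym "$(printf '%s' "$1" | cut -c3)")
    # The mode's group bits apply to the mask if the default ACL has one,
    # otherwise to the owning-group entry.
    if printf '%s\n' "$2" | grep -q '^mask::'; then _gk=mask; else _gk=group; fi
    printf '%s\n' "$2" | while IFS= read -r _l; do
        [ -n "$_l" ] || continue
        _p=${_l##*:}; _k=${_l%:*}
        case "$_l" in
            user::*)   printf '%s:%s\n' "$_k" "$(perm_and "$_p" "$_u")" ;;
            "$_gk"::*) printf '%s:%s\n' "$_k" "$(perm_and "$_p" "$_g")" ;;
            other::*)  printf '%s:%s\n' "$_k" "$(perm_and "$_p" "$_o")" ;;
            *)         printf '%s\n' "$_l" ;;
        esac
    done
}

# Constructed listing of report after "setfacl -m mask::r-- report"
REPORT_ACL='user::rw-
user:sam:rw-
group::r--
mask::r--
other::r--'

# Constructed default rules of dir, as set by "setfacl -d -m ... dir"
DIR_DEFAULTS='user::rwx
group::---
group:pubs:r-x
group:admin:rwx
mask::rwx
other::---'

effective_rights "$REPORT_ACL"        # user:sam:rw- gets #effective:r--
echo
NEW_ACL=$(new_object_acl 666 "$DIR_DEFAULTS")   # what "touch new" produces
effective_rights "$NEW_ACL"           # pubs -> r--, admin -> rw-, mask rw-
```

Running it reproduces the two annotated listings from the text. Feeding new_object_acl a mode of 777 (what mkdir requests) shows why subdirectories created under dir keep the full r-x and rwx for pubs and admin while plain files lose execute: the mask is cut down by the requesting mode, not by the umask.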





Source: A Practical Guide to Red Hat® Linux®: Fedora™ Core and Red Hat Enterprise Linux (3rd Edition), ISBN 0132280272, 2006.