How To Manage ACL In Linux

UNDERSTANDING THE SUBJECT MATTER

What Is ACL In Linux?

ACL (Access Control List) is an advanced permission mechanism in Linux.

Unlike the basic and regular way of giving permissions to one user that is the owner of a file and one group that is the group owner of a file using the “chmod” command, if you have to give additional permissions to another user or another group on a file without making the user a member of the group, you will have to use ACL to do it.

With ACL, you can give permissions to two or more users and groups that are not owners of the file.

When permission is set on a file or directory using ACL, it displays a “+” sign when a list command is used.

For example, from the screen-shot below, a list command is used on a file that the permission has been set using ACL.

You can see the “+” sign, which indicates that ACL is used on the file.

Using ACL requires that the file-system where permissions will be set is mounted with ACL mount option. File-systems like the ext2, ext3, ext4, Brtfs, etc, are mounted with ACL mount option by default.

However, some file-systems are not mounted with ACL mount option by default. In this case, you will have to remount the file system with ACL mount option before ACL can be used.


How To Verify If a File-System Is Mounted With ACL Default Option

To verify if a file-system is mounted witl ACL mount option, use the command,

tune2fs -l <device> |grep "Default mount options:"

For example, to verify the file-system on /dev/sdb1, use the command,

[root@lab02 ~]# tune2fs -l /dev/sdb1 |grep "Default mount options:"

Default mount options:    user_xattr acl

Going forward, you should know that some old Linux kernel does not support ACL.

When you verify the file system and it is not mounted with ACL option, it can also be a good idea to verify if the kernel supports ACL before mounting the file system with ACL option.


How To Verify If A Linux Kernel Supports ACL

To verify if a Linux kernel is supported with ACL, use the command,

[root@lab02 statistics]# cat /boot/config* |grep -i acl

CONFIG_EXT4_FS_POSIX_ACL=y
CONFIG_XFS_POSIX_ACL=y
CONFIG_FS_POSIX_ACL=y
CONFIG_TMPFS_POSIX_ACL=y
CONFIG_NFS_V3_ACL=y
CONFIG_NFSD_V2_ACL=y
CONFIG_NFSD_V3_ACL=y
CONFIG_NFS_ACL_SUPPORT=m

The field “=y” means yes. i.e, the kernel is ACL supported but if you see “n”, then it is not ACL supported.

Having confirmed that a kernel is ACL supported, one can go ahead to mount the file system with ACL mount option if it is not mounted.

However, ACL utilities may not be installed on the system which you will have to before you can mount the file system with ACL option.


How To Install ACL Utilities In Linux

For Red Hat or CentOS systems, use the command,

[root@lab02 ~]# yum install nfs4-acl-tools acl libacl

For Debian, Ubuntu and its likes, use the command,

[root@lab02 ~]# apt-get install nfs4-acl-tools acl libacl

How To Mount A File System With The ACL Mount Option

you can set the default mount option of a file-system by using the command,

tune2fs -o acl <device>

OR

 mount -t <file-system-type> -o acl <device> <mount-point>

For example, to set the default mount option for the partition, /dev/sdb1, use the command,

[root@lab02 ~]# tune2fs -o acl /dev/sdb1

tune2fs 1.44.6 (5-Mar-2019)

OR

[root@lab02 ~]# mount -t ext2 -o acl /dev/sdb1 /data

However, this is will not be persistent after reboot. To make it persistent, you will need to add the option in the fstab.

To add it to the fstab, for example, /dev/sdb1, you will need to include the line below in the fstab file,

/dev/sdb1   /data    ext4    acl,defaults    1 2

You may need to remount the file system in some cases after mounting with ACL mount option.

For example, to remount /dev/sdb1, use the command,

 # mount -o remount,acl /dev/sdb1

ACL In Linux

Moving forward, there are two commands used In managing ACL, they are the getfacl and setfacl

What is getfacl In Linux?

The getfacl is the tool that is used to get an overview of an access control list on a file.

Let’s look at an example of using getfacl command on the file, january

[root@lab02 statistics]# getfacl january

# file: january
# owner: root
# group: root
user::rw-
group::r--
other::r--

From the screen-shot above, you can see that it is also possible to view the permission on a file by using the “getfacl” command, just as when you use the “ls -l” command.

The getfacl command will display the file permissions set with chmod and the file permissions set with ACL


What Is setfacl In Linux?

The setfacl is the tool that is used to set or change the access control list on a file. ACL’s in Linux are of two types. The access ACL and the default ACL.

The default ACL can only be effective on a directory.

It is advisable that you set all the permissions you want to set on a file first using the chmod command, before setting permissions using ACL.

Having set the permissions using ACL first, and going back to set the permissions using chmod may cause a disorder of permission settings on a file. Though, it can be corrected, especially when you have to, but why waste precious time and effort if you can avoid it?

Furthermore, setting permission on a directory using ACL most times requires that you use the recursive and the default option.

The current items (files and directories) will inherit the permission that is set when the recursive option is used while the new items (files and directories) that will later be added in a directory will inherit the permission that is set when the default option is used.

For example, if I am to set a read and write permission for “finance” group using ACL on the “tekneed” directory, I will run the two commands below.

  • setfacl -R -m g:finance:rw tekneed
  • setfacl -m d:g:finance:rw tekneed

How To Set Permission For User, Group And Others On A File / Directory Using ACL

To set permission for a user using ACL, you will have to specify the username or the user id as well as the lists of permission

Also, to set permission for a group, you will have to specify the group name or the group-id as well as the lists of permission

Permission can be rwx , rw, rx, wx, r, x, w, -, etc.

To set permission for a user using ACL, you use the command,

  setfacl -m u:<user-name>:<permission> <file/directory> 

Please see “ACTION TIME” for examples

To set Permission for a group using ACL, you use the command,

 setfacl -m g:<group-name>:<permission> <file/directory> 

Please see “ACTION TIME” for examples

To Set Permission For Others Using ACL, use the command,

setfacl -m other:<permission> <file/directory>

Please see “ACTION TIME” for examples

To set Permission on a directory recursively for a group or user using ACL

For a group, use the command,

 setfacl -R -m g:<group-name>:<permission> <directory> 

For a user, use the command,

setfacl -R -m u:<group-name>:<permission> <directory> 

Please see “ACTION TIME” for examples

To set permission for a group or user on a directory using ACL default option.

For a group, use the command,

 setfacl -m d:g:<group>:<permission> <directory> 

For a user, use the command,

setfacl -m d:u:<user>:<permission> <directory> 

Please see “ACTION TIME” for examples

To remove ACL from a specific user or group,

For a user, use the command,

setfacl -x u:<user> <file/directory>

For a group, use the command,

setfacl -x g:<group> <file/directory>

Please see “ACTION TIME” for examples

To remove ACL default entries, use the command,

setfacl -k <file/directory>

Please see “ACTION TIME” for examples

To remove all ACL entries on a file or directory, you use the command,

setfacl -b <file/directory>

Please see “ACTION TIME” for examples

To copy the ACL of one file to another, use the command,

getfacl <file1> | setfacl --set-file=-<file2>

Please see “ACTION TIME” for examples


ACTION TIME

EXAMPLES

How To Set Permission For A user On A File / Directory Using ACL

To give the user tekneed, read and execute permission on the “february_sales” file, do the following steps.

1. verify the current permission on the file,

[root@lab02 statistics]# ls -l february_sales

-rw-r--r--. 1 root HR 54 Feb  5 18:31 february_sales
[root@lab02 statistics]# getfacl february_sales

# file: february_sales
# owner: root
# group: HR
user::rw-
group::r--
other::r--

2. set the permission

[root@lab02 statistics]# setfacl -m u:tekneed:rx february_sales

3. verify the permission has been set

[root@lab02 statistics]# getfacl february_sales

# file: february_sales
# owner: root
# group: HR
user::rw-
user:tekneed:r-x
group::r--
mask::r-x
other::r--


How To Set Permission For A Group On A File / Directory Using ACL

To give the finance group, read and write permission on the “february_sales” file, do the following steps.

1 verify the current permission on the file,

[root@lab02 statistics]# ls -l february_sales

-rw-r--r--. 1 root HR 54 Feb  5 18:31 february_sales
[root@lab02 statistics]#
[root@lab02 statistics]# getfacl february_sales

# file: february_sales
# owner: root
# group: HR
user::rw-
group::r--
other::r--

2. set the permission,

[root@lab02 statistics]# setfacl -m g:finance:rw february_sales

[root@lab02 statistics]#

3. Verify the permission has been set

[root@lab02 statistics]# getfacl february_sales

# file: february_sales
# owner: root
# group: HR
user::rw-
group::r--
group:finance:rw-
mask::rw-
other::r--

[root@lab02 statistics]#
[harry@lab02 statistics]$ ls -l february_sales

-rw-rw-r--+ 1 root HR 26 Feb  5 17:35 february_sales

[harry@lab02 statistics]$


How To Set Permission For Others On A File / Directory Using ACL

To give others, read and write permission on the “february_sales” file, use the command,

[root@lab02 statistics]# setfacl -m other:rw february_sales

  • Verify the permission has been set.
[root@lab02 statistics]# getfacl february_sales

# file: february_sales
# owner: root
# group: HR
user::rw-
user:tekneed:---
group::r--
mask::r--
other::rw-


How To Completely Deny Acess For A User Or Group On A File / Directory Using ACL

To completely remove the read, write and execute permission on the “february_sales” file for the user, tekneed, use the command,

[root@lab02 statistics]# setfacl -m u:tekneed:- february_sales

  • verify
[root@lab02 statistics]# getfacl february_sales

# file: february_sales
# owner: root
# group: HR
user::rw-
user:tekneed:---
group::r--
mask::r--
other::r--

How To Remove ACL From A Specific Group or User

  • To remove all ACL entries from a user, tekneed, use the command,
[root@lab02 statistics]# setfacl -x u:tekneed february_sales

  • To remove all ACL entries from a group, tekneed, use the command,
[root@lab02 statistics]# setfacl -x g:tekneed february_sales


How To Remove ACL Default Entries From A File Or Directory

To remove the ACL default entries from the statistics file or directory, use the command,

[root@lab02 /]# setfacl -k statistics


How To Remove All ACL Entries On A File / Directory

To remove all ACL entries from the “february_sales” file, use the command,

[root@lab02 statistics]#  setfacl -b february_sales
[root@lab02 statistics]# getfacl february_sales

# file: february_sales
# owner: root
# group: HR
user::rw-
group::r--
other::r--
[root@lab02 statistics]# ls -l february_sales

-rw-r--r--. 1 root HR 26 Feb  5 17:35 february_sales

How To Set Permission For A USer On A Directory Recursively Using ACL

To give the user, tekneed read and write permission on the “statistics” directory recursively, do the following steps. .

1. verify the current permission on the file

[root@lab02 /]# ls -ld statistics/

drwxrw-r-x. 2 root HR 4096 Feb 5 08:39 statistics/
[root@lab02 /]#

2. set the permission

[root@lab02 /]# setfacl -R -m u:tekneed:rw statistics

[root@lab02 /]#

3. verify the permission has been set by using the “getfacl” command or ls -l


How To Set Permission For A Group On A Directory Recursively Using ACL

To give the finance group read and write permission on the “statistics” directory recursively, do the following steps.

1. verify the current permission on the directory

[root@lab02 /]# ls -ld statistics/

drwxrw-r-x. 2 root HR 4096 Feb  5 08:39 statistics/
[root@lab02 /]#
[root@lab02 /]# ls -l statistics/

total 4
-rwxrw----. 1 root HR      54 Feb  5 18:31 february_sales
-rw-r--r--. 1 root finance  0 Feb  4 21:00 january_sales

2. set the permission

[root@lab02 /]# setfacl -R -m g:finance:rw statistics

[root@lab02 /]#

3. Verify the permission has been set

[root@lab02 /]# ls -ld statistics/

drwxrw-r-x+ 2 root HR 4096 Feb  5 08:39 statistics/
[root@lab02 /]#
[root@lab02 /]# ls -l statistics

total 12
-rwxrw----+ 1 root HR      54 Feb  5 18:31 february_sales
-rw-rw-r--+ 1 root finance  0 Feb  4 21:00 january_sales

you can see from the command above that it is applied recursively.

[root@lab02 /]# getfacl statistics/

# file: statistics/
# owner: root
# group: HR
user::rwx
group::rw-
group:finance:rw-
mask::rw-
other::r-x


How To Set Permission For A Group On A Directory Using ACL Default Option

The default option on a directory will allow the ACL permissions set to take effect on new contents (files and directories) that will later be created. In other words, the new contents that will be created will inherit the permission. The default option is not used recursively.

To give the finance group, read and write permission on the “statistics” directory using the default option, use the command,

[root@lab02 /]# setfacl -m d:g:finance:rw statistics

verify the set permission

[root@lab02 /]# getfacl statistics

# file: statistics/
# owner: root
# group: HR
user::rwx
group::rw-
other::r-x
default:user::rwx
default:group::rw-
default:group:finance:rw-
default:mask::rw-
default:other::r-x

NOTE: The default option will not affect the files that will later be copied in to the directory.


How To Remove All ACL Entries On A Directory Recursively

To remove all ACL entries from the “statistics” directory recursively, use the command,

[root@lab02 /]# setfacl -b -R statistics

Verify

[root@lab02 /]# ls -l statistics/

total 4
-rwxrw----. 1 root HR      54 Feb  5 18:31 february_sales
-rw-r--r--. 1 root finance  0 Feb  4 21:00 january_sales
[root@lab02 /]# getfacl statistics

How To Copy ACL Of One File To Another

To copy the ACL of february_sales file to january_sales file, use the command,

[root@lab02 statistics]# getfacl february_sales | setfacl - -set-file=- january_sales

Your feedback is welcomed. If you love others, you will share with others

Be the first to comment

Leave a Reply

Your email address will not be published.


*