How to Set Permissions in Linux Using ACL – RHEL 9 & Ubuntu


Welcome back, Linux enthusiasts! Victor here. Today, we dive into the fascinating world of how to set ACL in Linux. This article is the third part of our series on setting and managing permissions in Linux. If you’re preparing for a certification exam, check the description below for practice questions.

Understanding Access Control Lists (ACLs)

So, what exactly is an Access Control List (ACL)? Simply put, an ACL is a list that controls access to a file or directory. It’s an advanced method of managing permissions in Linux, offering a granular level of control beyond traditional owner and group permissions. In essence, ACLs allow you to define permissions for multiple users and groups, beyond just the file owner and the owning group.

In previous lessons, we covered the basic attributes of a file and how to set permissions for the file owner and group owner.


For instance, John is the owner of a file with specific permissions. But what if you also want to grant Lisa or the sales group specific permissions on the same file, even though sales is not the group owner? This is where ACLs come in. In this lesson, we will look comprehensively into how to set ACL in Linux systems.

Essential Commands for Managing ACLs

There are two primary commands to know when working with ACLs in Linux:

  1. getfacl (Get File Access Control List) – This command is used to view the current ACL settings of a file or directory.
  2. setfacl (Set File Access Control List) – This command is used to set or modify ACL entries.

To learn more about ACLs, refer to the documentation linked in the description below.

Step-by-Step Guide to Setting ACLs in Linux

We’ll cover how to set ACL in Linux systems (both Red Hat Enterprise Linux and Ubuntu), as the steps are similar.

Currently, we are on a Red Hat system.

Viewing Current ACLs

To view the current ACL permissions on a file, use the getfacl command:

getfacl file1

This command will display the ACL settings for file1. If no ACLs are set, you won’t see any entries beyond the traditional owner, group, and others permissions. If an ACL has been set, ls -l also shows a plus (+) sign after the file permissions. Let us set an ACL on a file so that we can see this in practice.

Setting ACLs

To properly see how to set ACL in Linux, use the setfacl --help command. Here’s a breakdown of the options:

setfacl --help
  • -m, --modify=acl: modify the current ACL(s) of file(s)
  • -M, --modify-file=file: read ACL entries to modify from file
  • -x, --remove=acl: remove entries from the ACL(s) of file(s)
  • -X, --remove-file=file: read ACL entries to remove from file
  • -b, --remove-all: remove all extended ACL entries
  • -k, --remove-default: remove the default ACL
  • --set=acl: set the ACL of file(s), replacing the current ACL
  • --set-file=file: read ACL entries to set from file
  • --mask: do recalculate the effective rights mask
  • -n, --no-mask: don’t recalculate the effective rights mask
  • -d, --default: operations apply to the default ACL
  • -R, --recursive: recurse into subdirectories
  • -L, --logical: logical walk, follow symbolic links
  • -P, --physical: physical walk, do not follow symbolic links
  • --restore=file: restore ACLs (inverse of getfacl -R)
  • --test: test mode (ACLs are not modified)
  • -v, --version: print version and exit
  • -h, --help: this help text
man setfacl

…then /example

To give Lisa read and execute permissions on file1, use the following command:

setfacl -m u:Lisa:rx file1

After setting the ACL, you can verify it by running getfacl file1. You’ll notice a plus sign (+) at the end of the permission string in the ls -l output, indicating that ACLs are set.

Setting Group ACLs

To set ACLs for a group, simply replace the u (user) with g (group). For example, to grant the sales group read and write permissions on file1, use:

setfacl -m g:sales:rw file1

Verify the changes with getfacl file1.


Setting ACLs on Ubuntu

On Ubuntu, you might need to install the ACL tool first. To install it, enter the following command:

sudo apt install acl

Once installed, the commands getfacl and setfacl work the same way as on Red Hat.

Examples of How to Set ACL in Linux

Let’s go through a few more examples.

Granting Read, Write, and Execute Permissions

To grant Ola read, write, and execute permissions on file1, use:

setfacl -m u:Ola:rwx file1

Setting Default ACLs

Default ACLs can only be set on directories. To set default ACLs that new files created in a directory inherit, use the -d option on that directory:

setfacl -d -m u:Lisa:rx /path/to/directory

Removing ACLs

To remove a specific ACL entry, use the -x option:

setfacl -x u:Lisa file1

To remove all ACL entries:

setfacl -b file1

ACLs for Other Users and Groups

To set ACLs for users and groups other than the file owner and owning group, you need to use the appropriate options:

  • User ACL: setfacl -m u:username:permissions file
  • Group ACL: setfacl -m g:groupname:permissions file
  • Other Users: setfacl -m other:permissions file

For example, to set read and execute permissions for others:

setfacl -m other:rx file1
getfacl file1 

Practical Scenarios

ACLs provide a flexible way to manage file permissions in various scenarios:

  • Collaborative Projects: In a project involving multiple departments, ACLs allow you to set specific permissions for each department’s group without changing the file’s owner or owning group.
  • Temporary Access: Grant temporary access to users for specific tasks without altering the main permissions structure.
  • Enhanced Security: Restrict or grant access based on the principle of least privilege, ensuring users only have the permissions they need.

Troubleshooting ACLs

While working with ACLs, you might encounter some common issues. Here are a few troubleshooting tips:

ACL Not Applied as Expected

If the ACL is not applied as expected, ensure that the filesystem supports ACLs. Most modern filesystems like ext4 support ACLs by default, but older ones may not. You can enable ACL support by mounting the filesystem with the acl option:

sudo mount -o remount,acl /mountpoint

ACL Conflicts

Conflicts can occur if multiple ACL entries contradict each other. Ensure that the ACL entries are specific and do not overlap in a way that causes permission conflicts. You can review the current ACLs with getfacl to diagnose issues.

Permissions Still Not Effective

If permissions set via ACLs are still not effective, it could be due to the underlying traditional permissions. Remember, ACLs provide additional permissions but do not override the basic owner, group, and others permissions. Ensure the file has appropriate basic permissions before applying ACLs.
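
The mask entry is one place where the traditional permission bits cap what an ACL grants: on a file with an ACL, the group bits shown by ls -l are the mask, and named user, owning group and named group entries are limited by it. The following added example (not from the original article) computes the effective rights from getfacl output; the sample output and the effective_acl function name are constructed for illustration.

```bash
# Constructed sample: `getfacl file1` output after the ACLs on this page were
# set and the group bits were later tightened with chmod (assumed scenario).
SAMPLE_ACL='# file: file1
# owner: john
# group: john
user::rw-
user:Lisa:r-x
user:Ola:rwx
group::r--
group:sales:rw-
mask::r-x
other::r--'

# Read getfacl output on stdin, print "tag:qualifier:effective" per entry.
# The mask caps named users, the owning group and named groups; the file
# owner (user::) and other are not affected by it.
effective_acl() {
    awk -F: '
        /^#/ || NF < 3 || $1 == "default" { next }   # headers, blanks, defaults
        { sub(/[ \t]*#.*/, "", $3) }                 # strip "#effective:" notes
        $1 == "mask" { mask = $3; next }
        { tag[++n] = $1; who[n] = $2; perm[n] = $3 }
        END {
            for (i = 1; i <= n; i++) {
                capped = (tag[i] == "group" || (tag[i] == "user" && who[i] != ""))
                eff = ""
                for (k = 1; k <= 3; k++) {
                    c = substr(perm[i], k, 1)
                    if (capped && mask != "" && c != substr(mask, k, 1)) c = "-"
                    eff = eff c
                }
                print tag[i] ":" who[i] ":" eff
            }
        }'
}

printf '%s\n' "$SAMPLE_ACL" | effective_acl
```

On a real file, pipe the command output in directly: getfacl file1 | effective_acl.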

Advanced ACL Usage

For advanced scenarios, you can use ACLs to manage permissions on directories recursively, set default ACLs, and more.

Recursive ACLs

To apply ACLs to a directory and all its subdirectories and files, use the -R option:

setfacl -R -m u:Lisa:rx /path/to/directory

This command ensures that Lisa has read and execute permissions on the directory and all its contents.

Default ACLs

Default ACLs are inherited by new files and directories created within a directory. To set a default ACL, use the -d option:

setfacl -d -m u:Lisa:rw /path/to/directory

This command ensures that any new file or directory created within /path/to/directory inherits read and write permissions for Lisa.

Practical Examples

Let’s explore some practical examples of how to set permissions in Linux using ACL in different scenarios:

Scenario 1: Project Collaboration

In a project involving the dev and qa teams, you might want to give the dev group read and write permissions, and the qa group read-only permissions on a project directory:

setfacl -m g:dev:rw /project
setfacl -m g:qa:r /project

Scenario 2: Temporary Access

To grant a contractor named Alex temporary read and execute permissions on a directory:

setfacl -m u:Alex:rx /project

Once the project is complete, you can remove Alex’s permissions:

setfacl -x u:Alex /project

Scenario 3: Enhanced Security

For a sensitive file that should only be accessed by the security team, set the following ACL:

setfacl -m g:security:r /sensitive/file

Additionally, ensure that others have no access:

setfacl -m o::--- /sensitive/file
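
To check the result against the intent of this scenario, the following added example (not part of the original article) scans getfacl or getfacl -R output and reports every entry that grants access to anyone other than the file owner and an allowed list of groups. The acl_violations function name, the sample paths and the policy itself are assumptions made for the illustration.

```bash
# Constructed sample in `getfacl -R` format: one compliant file and one
# directory that still carries entries from the other scenarios on this page.
SAMPLE_AUDIT='# file: sensitive/file
# owner: root
# group: security
user::rw-
group::r--
mask::r--
other::---

# file: sensitive/archive
# owner: root
# group: root
user::rwx
user:Alex:r-x
group::---
group:security:r-x
group:sales:rw-
mask::rwx
other::r--
default:user::rwx
default:user:Lisa:rw-
default:group::---
default:mask::rw-
default:other::---'

# Usage: acl_violations ALLOWED_GROUP... < getfacl-output
# Assumed policy: besides the file owner, only the listed groups may hold any
# permission. Prints "path: entry" for each access or default entry breaking it.
acl_violations() {
    awk -F: -v allowed="$*" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^# file: /  { path = substr($0, 9); next }
        /^# group: / { owning = substr($0, 10); next }
        /^#/ || NF < 3 { next }
        {
            d = ""
            if ($1 == "default") { d = "default:"; sub(/^default:/, "") }
            sub(/[ \t]*#.*/, "", $3)              # judge granted, not effective, rights
            g = ($2 == "" ? owning : $2)          # group:: means the owning group
            if ($3 == "---" || $1 == "mask") next
            if ($1 == "user" && $2 == "") next    # file owner
            if ($1 == "group" && (g in ok)) next  # allowed group
            print path ": " d $1 ":" $2 ":" $3
        }
    '
}

printf '%s\n' "$SAMPLE_AUDIT" | acl_violations security
```

For a live tree, feed it the recursive listing, for example getfacl -R /sensitive | acl_violations security.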

Conclusion

Learning how to set ACL in Linux is an essential skill for system administrators and developers. It offers a more refined and flexible approach to managing file permissions compared to traditional methods. By mastering the getfacl and setfacl commands, you can ensure precise control over who can access and modify your files and directories.

For more detailed information, refer to the official documentation linked below. Don’t forget to subscribe, like, share, and comment to support our work. Stay tuned for more tutorials on Linux permissions and beyond!

Thank you for reading, and I’ll see you in the next lesson.


For more extensive documentation and further reading on how to set ACL in Linux, click here.
