Access Control Lists( (ACLs) are a way to assign fine tuned permissions in Linux apart from using the chmod command. When the chmod command is used only one owner and one group can be assigned permissions on a file or directory. If multiple users need access to a resource we need to place them in a group and then give that group the necessary permissions. But with File ACLs in Linux we can assign fine grained permissions to each user and group on a file and even deny access to a particular user even if the file has world permissions. This tutorial on Linux File ACL will explain the usage of the commands getfacl and setfacl.
First let us understand the purpose of each permission on files and directories
r (read) – The contents of the file can be viewed
w (write) – The file can be edited and new content can be inserted
x (execute) – The file can be executed. This permission is assigned to shell scripts and CGI scripts.
r (read) – The contents of the directory can be viewed with the “ls” command
w (write) – New file can be created inside the directory and existing files can be deleted
x (execute) – The user with this permission can change directory (cd) into this directory
If you get a command not found error for getfacl and setfacl it means the acl package is not installed, so use yum or apt-get according to your operating system to install the package
yum install acl apt-get install acl
To view the access control list of a file/directory, use the getfacl command
# file: home/file1 # owner: root # group: root user::rw- user:root:rw- group::r-- mask::rw- other::r--
Before using the setfacl command, acl has to be enabled on the filesystem, else you’ll receive the following error.
setfacl: /path/to/file: Operation not supported
So the /etc/fstab file has to be edited and the word acl has to be added near the word “defaults” a sample fstab entry is shown below
/dev/sda3 / ext3 defaults,<strong>acl</strong> 0 0
To set the ACL for a file/directory use the setfacl command
setfacl -m u:username:rw /etc/fstab
In this command “u” is for user, followed by the username and “rw” for read and write permission. For giving all the permissions use “rwx” for denying all permissions use minus (-). For example, to deny all rights to user1 on /path/to/file even if the file has 777 permissions
setfacl -m:user1:- /path/to/file
To grant all permissions to a group
setfacl -m g:groupname:rwx /path/to/filename
To recursively set ACLs to all files inside a directory use the -R option
setfacl -R -m u:username:rwx /path/to/directory
To delete an entry from the access list
setfacl -x u:username /path/to/file
Sohrab Monfared says
Thanks for your tutorial
Just as a notice: It’s a good idea to remove the from /etc/fstab entry, since it will confuse the beginners and making their system stuck at mounting.