Traditional Linux access permissions for files and directories consists of setting a combination of read, write, and execute permissions for the “owner”, “group”, and “others” of the file or directory.
These permissions can be set using the ‘chmod‘ command. However, this has its limitations and does not allow you to set flexible permissions for users.
By default Linux has following access permissions for files & directories.
Files
-> 644 -> -rw-r–r– (User has Read & Write access, Group & Others have Read only access)Folders
-> 755 -> drwxr-xr-x (User has Read, Write & Execute access, Group & Others have Read & Execute access)
For example: By default users can access & edit their own home directory files, and also can access associated group files.
Let’s, assume that you wanted to allow only one person from the group to be able to write to that file. This can’t be implemented with the standard Linux access permission. However, for more complex scenarios ACLs can be used as an extension to the traditional file permission concept.
What is ACL?
ACL stands for Access Control List (ACL) which provides an additional and more flexible permissions mechanism for file systems. It is designed to assist with UNIX file permissions. It allows you to set permissions to individual users or groups even if these do not correspond to the original owner or the owning group. ACL can be easily managed by setfacl & getfacl commands.
What is setfacl?
setfacl stands for ‘set file access control lists’. It is used to set Access Control Lists (ACLs) for files and directories.
What is getfacl?
getfacl stands for ‘get file access control lists’, which is used to view Access Control Lists (ACLs) for files and directories. It displays, the file name, owner & group of the file, and ACL permissions (user, group, other & default).
Checking if ACL is enabled in Linux
Run tune2fs
command to check whether ACL is enabled or not for a specific partition in Linux:
# tune2fs -l /dev/sdb1 | grep options Default mount options: (none)
The above output clearly shows that ACL is not enabled for /dev/sdb1
partition.
Configuring ACL on a file system
ACL can be enabled in two ways for a specific partition in Linux:
- Enable acl in the /etc/fstab file.
- Enable acl using ‘tune2fs’ command.
01) Add ACL as a mount option to the partition where you want to enable ACL through the ‘/etc/fstab’ file. In the below example, we have added acl option for ‘/app
‘ partition:
# more /etc/fstab UUID=f304277d-1063-40a2-b9dc-8bcf30466a03 / ext4 defaults 1 1 /dev/sdb1 /app ext4 defaults,acl 1 1
02) Alternatively, It can be added to the filesystem superblock by using the ‘tune2fs’ command as shown below:
# tune2fs -o +acl /dev/sdb1
Now, change the option in the current run-time without interruption by running the following command:
# mount -o remount,acl /app
Run the tune2fs command again to see if acl option enabled:
# tune2fs -l /dev/sdb1 | grep options Default mount options: acl
We can now see the ACL option on /dev/sdb1
partition.
How to check default ACL values?
To check the default ACL values for a file or directory, use the getfacl
command followed by ‘/path/to/file’ or ‘/path/to/folder’. Make a note, when you run getfacl command on non ACL file’s or folder’s, it wont show additional user and it masks the parameter values.
# getfacl /etc/apache2/apache2.conf # file: etc/apache2/apache2.conf # owner: root # group: root user::rw- group::r-- other::r--
Configuring ACL on files
Example scenario: We have user magi
and he wants to modify the apache2.conf
file, which is owned by root user. Thus, we will configure Access Control Lists (ACLs) for him to gain access to the file.
Run the ‘setfacl’ command with below format to set ACL on the given file. In the below example we are going to give a rwx
access to ‘magi’ user to the ‘/etc/apache2/apache2.conf’ file:
# setfacl -m u:magi:rwx /etc/apache2/apache2.conf
Details :
- setfacl: Command
- -m: modify the current ACL(s) of file(s)
- u: Indicates a user
- magi: Name of the user
- rwx: Permissions which you want to set
- /etc/apache2/apache2.conf: Name of the file
Now, run the getfacl command to view the new ACL values as shown below. For each file, getfacl displays the file name, owner, the group, and the Access Control List (ACL).
# getfacl /etc/apache2/apache2.conf # file: etc/apache2/apache2.conf # owner: root # group: root user::rw- user:magi:rwx group::r-- mask::rwx other::r--
Make a note: ACL configured files or directories shows a 'plus (+)'
sign after the file or folder permissions as shown below:
# ls -lh /etc/apache2/apache2.conf -rw-rwxr--+ 1 root root 7.1K Sep 19 14:58 /etc/apache2/apache2.conf
Configuring ACL on folders
Run the setfacl command with below format to set ACL on the given folder recursively. In the below example we will be going to assigen a rwx
access to magi
user to the folder ‘/etc/apache2/sites-available/’.
# setfacl -Rm u:magi:rwx /etc/apache2/sites-available/
Details :
-R:
Recurse into sub directories
Now, run the getfacl command to view the new ACL values for the below directory:
# getfacl /etc/apache2/sites-available/ # file: etc/apache2/sites-available/ # owner: root # group: root user::rwx user:magi:rwx group::r-x mask::rwx other::r-x
Now, all the files have ACL values under ‘/etc/apache2/sites-available/’ directory:
# ls -lh /etc/apache2/sites-available/ total 20K -rw-rwxr--+ 1 root root 1.4K Sep 19 14:56 000-default.conf -rw-rwxr--+ 1 root root 6.2K Sep 19 14:56 default-ssl.conf -rw-rwxr--+ 1 root root 1.4K Dec 8 02:57 mywebpage.com.conf -rw-rwxr--+ 1 root root 1.4K Dec 7 19:07 testpage.com.conf
Configuring Default ACLs
Default ACL can only be configured for a directory. To set a default ACL, add 'd:'
before the rule and specify a directory instead of a file name.
# setfacl -m d:o:rwx /etc/apache2/sites-available/
Configuring ACL for group
Run the setfacl command with below format to set ACL to the following file. In the below example, we will be going to assign a rwx
access to appdev
group to the ‘/etc/apache2/apache2.conf’ file.
# setfacl -m g:appdev:rwx /etc/apache2/apache2.conf
Details :
g:
Indicate a group
For multiple users and groups, just add comma
between the users and groups as shown below:
# setfacl -m u:magi:rwx,g:appdev:rwx /etc/apache2/apache2.conf
How to remove ACL
Run the setfacl command with '-x'
option to remove ACL for a given user to the file as shown below. This will remove only user permissions and keep mask
values as read only.
# setfacl -x u:magi /etc/apache2/apache2.conf
Details :
-x:
Remove entries from the ACL(s) of file(s)
Now, run the getfacl command to check whether the ACL value is removed for user ‘magi’.
Yes, it is successfully removed as per the below output and you can see that it keeps the mask
values as read only:
# getfacl /etc/apache2/apache2.conf # file: etc/apache2/apache2.conf # owner: root # group: root user::rw- group::r-- mask::r-- other::r--
Use -b
option to remove all ACLs associated to a file as shown below:
# setfacl -b /etc/apache2/apache2.conf
Details :
-b:
Remove all extended ACL entries
Now, run the getfacl command once again to check if all ACL values were removed.
We can see that everything is gone as per the below output:
# getfacl /etc/apache2/apache2.conf # file: etc/apache2/apache2.conf # owner: root # group: root user::rw- group::r-- other::r--
How to backup and restore ACL?
Run the following command to backup and restore ACL values. To take a backup, navigate to corresponding directory and do it.
We are going to take a backup of sites-available
folder. Use below commands to do it:
# cd /etc/apache2/sites-available/ # getfacl -R * > acl_backup_for_folder
To restore it, run the following command:
# setfacl --restore=/etc/apache2/sites-available/acl_backup_for_folder
Conclusion
In this tutorial we’ve shown you how to configure Access Control Lists (ACLs) in Linux with several examples. Now, we hope you can configure ACL on your Linux system for various administrative tasks.
Feel free to leave a comment below, and we will respond to you as soon as possible.
Hello,
Can you shared some details about Multipath and clusters
Hi Magesh ..
Would you please move the social tab bar to the right side of your web page? It blocks a lot of the text on the left ..
Thanks for letting me know Steven. I have enabled the option to “hide/show the floating buttons”.