How to configure ACL (Access Control Lists) in Linux

Traditional Linux access permissions for files and directories consist of a combination of read, write, and execute permissions for the “owner”, “group”, and “others” of the file or directory.

These permissions are set with the ‘chmod’ command. However, this model has its limitations: it cannot grant a specific user or group its own set of permissions.

By default, Linux assigns the following access permissions to files and directories:

  • Files -> 644 -> -rw-r--r-- (the owner has read and write access; group and others have read-only access)
  • Folders -> 755 -> drwxr-xr-x (the owner has read, write and execute access; group and others have read and execute access)

For example, by default users can read and edit the files in their own home directory, and can also access files belonging to the groups they are members of.

Now assume that you want to allow only one person from the group to write to a file. This cannot be expressed with the standard Linux permission bits. For such scenarios, ACLs extend the traditional file permission model.

What is ACL?

ACL stands for Access Control List. It provides an additional and more flexible permission mechanism for file systems, designed to complement the UNIX file permissions. It allows you to grant permissions to individual users or groups even when they are not the owner or the owning group of the file. ACLs are managed with the setfacl and getfacl commands.

What is setfacl?

setfacl stands for ‘set file access control lists’. It is used to set Access Control Lists (ACLs) for files and directories.

What is getfacl?

getfacl stands for ‘get file access control lists’ and is used to view the Access Control Lists (ACLs) of files and directories. It displays the file name, the owner and group of the file, and the ACL entries (user, group, mask, other and default).

Checking if ACL is enabled in Linux

Run tune2fs command to check whether ACL is enabled or not for a specific partition in Linux:

# tune2fs -l /dev/sdb1 | grep options
Default mount options:    (none)

The above output shows that ACL is not enabled for the /dev/sdb1 partition.

Configuring ACL on a file system

ACL can be enabled in two ways for a specific partition in Linux:

  • Enable acl in the /etc/fstab file.
  • Enable acl using ‘tune2fs’ command.

01) Add acl as a mount option for the partition in the ‘/etc/fstab’ file. In the example below, we have added the acl option for the ‘/app’ partition:

# more /etc/fstab

UUID=f304277d-1063-40a2-b9dc-8bcf30466a03 /     ext4    defaults        1 1
/dev/sdb1                                 /app  ext4    defaults,acl    1 1

02) Alternatively, the option can be stored in the filesystem superblock with the ‘tune2fs’ command, as shown below:

# tune2fs -o +acl /dev/sdb1

To apply the option to the running system without unmounting the filesystem, remount it:

# mount -o remount,acl /app

Run the tune2fs command again to confirm that the acl option is now enabled:

# tune2fs -l /dev/sdb1 | grep options
Default mount options:    acl

The acl option is now listed for the /dev/sdb1 partition.

How to check default ACL values?

To check the current ACL of a file or directory, run the getfacl command followed by ‘/path/to/file’ or ‘/path/to/folder’. Note that on a file or directory without an ACL, getfacl shows no additional user entries and no mask entry, only the owner, group and other entries:

# getfacl /etc/apache2/apache2.conf

# file: etc/apache2/apache2.conf
# owner: root
# group: root
user::rw-
group::r--
other::r--

Configuring ACL on files

Example scenario: the user magi needs to modify the apache2.conf file, which is owned by root. We will configure an Access Control List (ACL) so that he can access the file.

Run the ‘setfacl’ command in the format below to set an ACL on a file. In this example we grant the user ‘magi’ rwx access to the ‘/etc/apache2/apache2.conf’ file:

# setfacl -m u:magi:rwx /etc/apache2/apache2.conf

Details:

  • setfacl: the command
  • -m: modify the current ACL(s) of file(s)
  • u: Indicates a user
  • magi: Name of the user
  • rwx: Permissions which you want to set
  • /etc/apache2/apache2.conf: Name of the file

Now, run the getfacl command to view the new ACL values as shown below. For each file, getfacl displays the file name, owner, the group, and the Access Control List (ACL).

# getfacl /etc/apache2/apache2.conf

# file: etc/apache2/apache2.conf
# owner: root
# group: root
user::rw-
user:magi:rwx
group::r--
mask::rwx
other::r--

Note: files or directories that carry an ACL show a plus sign (+) after the permission bits, as shown below:

# ls -lh /etc/apache2/apache2.conf
-rw-rwxr--+ 1 root root 7.1K Sep 19 14:58 /etc/apache2/apache2.conf

Configuring ACL on folders

Run the setfacl command in the format below to set an ACL on a folder recursively. In this example we grant the user magi rwx access to the folder ‘/etc/apache2/sites-available/’:

# setfacl -Rm u:magi:rwx /etc/apache2/sites-available/

Details:

  • -R: recurse into subdirectories

Now, run the getfacl command to view the new ACL values for the below directory:

# getfacl /etc/apache2/sites-available/

# file: etc/apache2/sites-available/
# owner: root
# group: root
user::rwx
user:magi:rwx
group::r-x
mask::rwx
other::r-x

All files under the ‘/etc/apache2/sites-available/’ directory now carry ACL entries:

# ls -lh /etc/apache2/sites-available/
total 20K
-rw-rwxr--+ 1 root root 1.4K Sep 19 14:56 000-default.conf
-rw-rwxr--+ 1 root root 6.2K Sep 19 14:56 default-ssl.conf
-rw-rwxr--+ 1 root root 1.4K Dec  8 02:57 mywebpage.com.conf
-rw-rwxr--+ 1 root root 1.4K Dec  7 19:07 testpage.com.conf

Configuring Default ACLs

A default ACL can only be set on a directory. To set one, prefix the rule with 'd:' and specify a directory instead of a file name. In the example below, the default entry grants others rwx, so every file created in the directory will be readable and writable by everyone:

# setfacl -m d:o:rwx /etc/apache2/sites-available/

Configuring ACL for group

Run the setfacl command in the format below to set an ACL for a group on a file. In this example we grant the appdev group rwx access to the ‘/etc/apache2/apache2.conf’ file:

# setfacl -m g:appdev:rwx /etc/apache2/apache2.conf

Details:

  • g: indicates a group

For multiple users and groups, separate the entries with commas, as shown below:

# setfacl -m u:magi:rwx,g:appdev:rwx /etc/apache2/apache2.conf

How to remove ACL

Run the setfacl command with the '-x' option to remove the ACL entry for a given user from a file, as shown below. This removes only that user's entry; the mask entry remains, now with read-only permissions.

# setfacl -x u:magi /etc/apache2/apache2.conf

Details:

  • -x: remove entries from the ACL(s) of file(s)

Now run the getfacl command to check whether the ACL entry for user ‘magi’ has been removed.

As the output below shows, the entry is gone and the mask entry remains with read-only permissions:

# getfacl /etc/apache2/apache2.conf

# file: etc/apache2/apache2.conf
# owner: root
# group: root
user::rw-
group::r--
mask::r--
other::r--
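The mask entries above (rwx after adding magi, r-- after removing him) and the '+' in the ls -l output follow from two rules of POSIX ACLs: the mask caps the permissions of named users, named groups and the owning group, and ls -l prints the mask, not the group entry, in the group position whenever an ACL is present. The following added Python example (not part of the original article) parses getfacl output, applies the mask and rebuilds what ls -l would show; the sample ACL text is constructed from the article's apache2.conf output.

```python
# Constructed getfacl output, modelled on the article's apache2.conf example after `setfacl -m u:magi:rwx`.
ACL_AFTER_SETFACL = """\
# file: etc/apache2/apache2.conf
# owner: root
user::rw-
user:magi:rwx
group::r--
mask::rwx
other::r--
"""

def parse_acl(text):
    """Map 'tag:qualifier' (e.g. 'user:magi', 'group:') to a set of rwx bits; skips headers, #effective notes and default: entries."""
    acl = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("default:"):
            continue
        tag, qualifier, perms = line.split(":", 2)
        acl[f"{tag}:{qualifier}"] = set(perms) - {"-"}
    return acl

def fmt(perms):
    return "".join(c if c in perms else "-" for c in "rwx")

def effective(acl):
    """Permissions actually granted: named users and all group entries are capped by the mask; user:: and other:: are not."""
    mask = acl.get("mask:")
    result = {}
    for key, perms in acl.items():
        tag, qualifier = key.split(":", 1)
        capped = mask is not None and (tag == "group" or (tag == "user" and qualifier))
        result[key] = fmt(perms & mask if capped else perms)
    return result

def ls_mode(acl):
    """The rwx string ls -l prints: owner, then the mask (not the group entry) when present, then other, plus '+' for an extended ACL."""
    extended = "mask:" in acl
    middle = acl["mask:"] if extended else acl["group:"]
    return fmt(acl["user:"]) + fmt(middle) + fmt(acl["other:"]) + ("+" if extended else "")

def narrow_mask(acl, perms):
    """Copy of acl with the mask set to perms, as `setfacl -m m::<perms>` would; the user:magi entry itself is untouched."""
    narrowed = dict(acl)
    narrowed["mask:"] = set(perms) - {"-"}
    return narrowed

if __name__ == "__main__":
    acl = parse_acl(ACL_AFTER_SETFACL)
    print(ls_mode(acl), effective(narrow_mask(acl, "r--"))["user:magi"])  # rw-rwxr--+ r--
```

Narrowing the mask is how an administrator can temporarily cut every named entry down without editing them one by one; getfacl marks such capped entries with a #effective: annotation.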

Use the -b option to remove all ACL entries from a file, as shown below:

# setfacl -b /etc/apache2/apache2.conf

Details:

  • -b: remove all extended ACL entries

Now run the getfacl command once again to check that all ACL entries have been removed.

As the output below shows, only the base owner, group and other entries remain:

# getfacl /etc/apache2/apache2.conf

# file: etc/apache2/apache2.conf
# owner: root
# group: root
user::rw-
group::r--
other::r--

How to backup and restore ACL?

Use the following commands to back up and restore ACL values. To take a backup, change into the directory in question first, because getfacl records the file names as given on the command line.

In this example we back up the ACLs of the sites-available folder:

# cd /etc/apache2/sites-available/
# getfacl -R * > acl_backup_for_folder

To restore it, run the following command from the same directory, since the backup stores the relative file names:

# setfacl --restore=/etc/apache2/sites-available/acl_backup_for_folder

Conclusion

In this tutorial we’ve shown you how to configure Access Control Lists (ACLs) in Linux with several examples. Now, we hope you can configure ACL on your Linux system for various administrative tasks.

Feel free to leave a comment below, and we will respond to you as soon as possible.
