Access Control Lists (ACLs) in Linux


Why ACL?

Let's understand through a scenario:

A file acl.txt is created by the root user, so both its owner and its group are root.

Now let's assume a user ankita, who is part of the developer group, wants to modify acl.txt. She runs vi acl.txt and tries to edit the file, but it shows "permission denied".

Then how can she modify the file acl.txt? 🤔

One thing we can do is use the chmod command to change the permissions to read + write for the other class, so that user ankita can make her modifications to acl.txt.

Through chown we can also assign the group developer as the owner of acl.txt.

But wait 🤔

Changing the permissions to rw for others also gives access to every other user on the system, and if we assign the developer group as the owner of acl.txt, all the members of that group can access the file too.

Now the situation becomes more complex: we can't give access to the file to everybody, and we can't hand the file or directory over to a whole group. We need a solution that grants permissions specifically to user ankita of the developer group.

This is where Linux Access Control Lists (ACLs) come in.

What is ACL?

ACL stands for Access Control List. An ACL allows a more specific set of permissions to be applied to a file or directory without changing its base ownership. It lets you set permissions for individual users or groups even if they are not the file's owner or owning group.

  • Basically it was created so that regular users could share their files and directories selectively with other users and groups.

  • ACLs provide more specific access control than standard Linux file permissions.

  • With ACLs, a user can allow others to read, write, and execute files and directories without leaving those filesystem elements wide open or requiring the root user to change the user or group assigned to them.

ACLs are managed through two commands:

  • getfacl

  • setfacl

Before using the ACL commands in a terminal, we need to make sure the acl package is available on our system, because on some Linux distros it is not pre-installed. If it is missing, install it:

$ apt install acl

getfacl

getfacl displays detailed information such as the file name, the owner, the owning group, and the Access Control List (ACL) of a file or directory. If a directory has a default ACL, getfacl also displays the default ACL. Non-directories cannot have default ACLs.

$ getfacl <filename>

Here the output summarises the standard permissions for the file acl.txt. The user and group are "root"; the permissions are read + write for the owner (root), read for the owning group (root), and read for other users.

When getfacl is run on a file with no ACLs, the additional "mask" line is not shown; only the standard file permissions appear.

The mask value is the maximum allowable permissions for a user or group on a file/directory.

setfacl

Above, we saw the current permissions of the file acl.txt. Now let's say we want to add permissions for a specific user.

$ setfacl -m u:username:rwx <filename>

Here:

setfacl :- sets the permissions.

-m :- this option is used to modify permissions.

u:username:rwx :- specifies the user "username" and grants read + write + execute permissions to that user.

filename :- the file whose permissions are modified.

Now let's say we want to add permissions specifically for user ankita. Then what we can do is:

$ setfacl -m u:ankita:rwx acl.txt

To verify that the ACL entries were added or modified, run the command:

$ getfacl acl.txt

As you can see, using the setfacl command we granted the permissions (r+w+x) to user ankita. Now if ankita wants to modify acl.txt she can run vi acl.txt, and this time she is allowed to modify the file.

  • How to check if a file has an ACL?

$ ls -l <filename>

A "+" to the right of the permissions field indicates the file has an ACL.

Now the user "ankita" can also access the file acl.txt for modifications.

  • What if we want to grant permission to a different group instead of a different user?

The syntax is almost the same; only the option u is replaced by g.

$ setfacl -m g:groupname:rwx <filename>

  • What if we want to set multiple users and groups with a single command?

$ setfacl -m u:user1:rw,u:user2:rwx,g:group1:rwx <filename>


  • How to remove a user from the ACL?

$ setfacl -x u:username <filename>

  • How to remove all ACLs associated with a file?

$ setfacl -b acl.txt
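The mask described in the getfacl section caps what a named user or group entry really gets, so an entry that reads rwx can be worth less in practice. The script below is an added example, not part of the original article: it parses getfacl output and reports granted versus effective permissions. The function names and both sample outputs are constructed for illustration, and the chmod step in the second sample is an assumption that goes beyond the commands shown above.

```shell
#!/bin/sh
# Added example: parse `getfacl` text on stdin and report, for each entry the
# mask applies to, the granted permissions and the effective ones (granted AND mask).
effective_acl() {
    awk -F: '
        { sub(/[ \t]*#.*/, "") }            # drop "# file:" headers and "#effective:" notes
        $1 == "default" || NF < 3 { next }  # skip default ACLs and blank lines
        $1 == "mask" { mask = $3; have_mask = 1; next }
        # The mask limits named users, the owning group and named groups,
        # but not the owner (user::) or other.
        ($1 == "user" && $2 != "") || $1 == "group" {
            n++; tag[n] = $1; who[n] = $2; perm[n] = $3
        }
        END {
            for (i = 1; i <= n; i++) {
                eff = ""
                for (j = 1; j <= 3; j++) {
                    c = substr(perm[i], j, 1)
                    if (have_mask && substr(mask, j, 1) == "-") c = "-"
                    eff = eff c
                }
                printf "%s:%s granted=%s effective=%s\n", tag[i], who[i], perm[i], eff
            }
        }'
}

# Entries that can really write to the file once the mask is applied.
acl_writers() {
    effective_acl | awk '$3 ~ /^effective=.w/ { print $1 }'
}

# Constructed sample: acl.txt right after `setfacl -m u:ankita:rwx acl.txt`.
sample_after_setfacl() {
    printf '%s\n' '# file: acl.txt' '# owner: root' '# group: root' \
        'user::rw-' 'user:ankita:rwx' 'group::r--' 'mask::rwx' 'other::r--'
}

# Constructed sample: the same file after `chmod g=r acl.txt`, which on a file
# with an ACL rewrites the mask rather than the owning group entry.
sample_after_chmod() {
    printf '%s\n' '# file: acl.txt' '# owner: root' '# group: root' \
        'user::rw-' 'user:ankita:rwx  #effective:r--' 'group::r--' 'mask::r--' 'other::r--'
}

sample_after_setfacl | acl_writers    # ankita can write
sample_after_chmod | effective_acl    # ankita is cut down to r--
```

On a real system, pipe live output into the same functions, for example getfacl acl.txt | acl_writers, to list who can actually write to a file.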

Conclusion

We have come to the end of this article. I hope it has helped you understand access control lists on Linux and the getfacl and setfacl commands.

I hope you liked this article. Stay tuned for the next one.

Thank you. Happy learning!

And also don't forget to like and share this article. 😎
