How-To: Setting Up ACLs On Linux (Access Control Lists)

There comes a time in a man’s life whe… whoops, wrong talk! Ok ok, so this is about Access Control Lists. Get your mind out of the gutter. That said, you will sometimes find that setting permissions for the owner, the group, and “other” is not enough, and you need some finer control. Enter the ACL.

ACL You Say?

ACLs, Access Control Lists, are a way to fine-tune permissions and go beyond the standard permission controls on Linux. The need often does not crop up for a home user, but there are plenty of situations where you would run into it in the enterprise. I won’t go over more in-depth concepts such as SELinux and PAM, but rather describe this extra step in control.

There are two types of ACLs: access ACLs and default ACLs. An access ACL is the control list for a specific file or directory. On the flip side, a default ACL can only be applied to a directory. Where the latter comes into play is this: if a file within the directory does not have an access ACL of its own, it will use the rules of that default ACL. Think of a default ACL as “inherited permissions.” Take note that default ACLs are optional.

Why would I need this?

There are many times in the enterprise you would want to fine-tune your permissions, but what about home users? I actually came across this recently, when I wanted to allow someone to be able to write to a directory, but I did not want to add them to an existing group or make a special group just for one user. While that is doable, I said “Why not just set an ACL for the file?” So I did, and now I have fine control over how they can read, write, and modify specific files in a directory. This amount of control is actually quite nice.

So What do ACLs do?

ACLs follow the POSIX (Portable Operating System Interface) set of standards to create a powerful management model, extending beyond what most users have. Sure, we all know chmod and chown, but not many home users know of or use setfacl. setfacl is the utility that sets those control lists for any file or directory. ACLs can be configured per user, per group, via the effective rights mask, or for users who are neither the owner nor in the group of a particular file.

The Basics

Setting up an ACL is not all that hard. It may sound like a daunting task, but it is no harder than heading into the properties of a Windows file and adding users and groups. The -m option tells setfacl to add or modify the ACL of a file or directory:

setfacl -m rules files

The rules available are:

u:uid:perms     Sets the access ACL for a user. You may use the uid or the username for the second field. To find your uid, simply enter ‘id your_username‘ in your Terminal window.

g:gid:perms     Sets the access ACL for a group. Again, like uid, the gid or the actual group name can be used.

m:perms     Sets the effective rights mask. The mask is effectively the combination of the permissions of the owning group and all the named user and group entries, and it caps what those entries can grant.

o:perms     Sets the access ACL for users other than the owner and the members of the file’s group.

Setting The Permissions

To actually set the permission, let’s look at an example I did today:

setfacl -m u:btsync:rw /home/mikeyd/Documents

In this example, we gave the btsync user direct read and write access to the Documents folder under my home directory. On the other side of this, we can use the -x option instead of the -m option to remove that access. Note that -x takes only the u:uid or g:gid part of a rule (no permissions) and removes that user’s or group’s entry entirely. This comes in handy when you want to revoke someone’s access to a directory altogether, as such:

setfacl -x u:annoying_person /secret/projects

Setting The Default ACL

Setting the default ACL is quite easy, once you understand the above concepts. You simply need to prefix your rule with the letter d to denote the default ACL, which applies only to a directory:

 setfacl -m d:o:rx /my/share

Oh No!  I forgot What ACL I Set!

Have no fear, ordinary citizen! Simply make use of the ‘getfacl’ command like so:

getfacl /path/to/file/or/directory/example.png

The command will then show you the file name in question, the owner, the group, and what permissions are active on the folder or file. If by chance a directory that has a default ACL set up is queried, you will also see entries with the “default:” prefix at the end of the output.

An example illustration (the header lines of the output):

# file: /my/directory/
# owner: mike
# group: users
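As an added example that is not part of the original post, here is a small Python (3.9+) parser for getfacl’s text output that applies the mask rule described above and reports any entry whose effective rights are narrower than what setfacl granted. The sample output is constructed to resemble the Documents directory from this article after a later chmod rewrote the mask; the file path, user and group names in it are assumptions.

```python
"""Effective POSIX ACL rights from getfacl(1) text output."""
# Constructed sample: the article's Documents directory after
# `setfacl -m u:btsync:rw` and a later `chmod 750`, which reset the
# access mask to r-x and silently dropped btsync's write bit.
SAMPLE_GETFACL = """\
# file: home/mikeyd/Documents
# owner: mikeyd
# group: users
user::rwx
user:btsync:rw-
group::r-x
mask::r-x
other::---
default:user::rwx
default:user:btsync:rw-
default:group::r-x
default:mask::rwx
default:other::---
"""

def parse_getfacl(output):
    """Return (header dict, list of (is_default, tag, qualifier, perms))."""
    header, entries = {}, []
    for line in (l.strip() for l in output.splitlines() if l.strip()):
        if line.startswith("#"):                    # "# owner: mikeyd"
            key, _, value = line[1:].partition(":")
            header[key.strip()] = value.strip()
            continue
        line = line.split("#", 1)[0].strip()        # drop "#effective:" notes
        is_default = line.startswith("default:")
        tag, qualifier, perms = line.removeprefix("default:").split(":")
        entries.append((is_default, tag, qualifier, perms))
    return header, entries

def effective(entries):
    """Rows (is_default, tag, qualifier, granted, effective). Named users,
    named groups and the owning group are capped by their ACL's mask::."""
    rows = []
    for is_def in (False, True):                    # access ACL, then default ACL
        scoped = [e for e in entries if e[0] == is_def]
        mask = next((p for _, t, _, p in scoped if t == "mask"), "rwx")
        for _, tag, qual, perms in scoped:
            masked = tag == "group" or (tag == "user" and qual != "")
            eff = "".join(c if c in perms and (c in mask or not masked) else "-"
                          for c in "rwx")
            rows.append((is_def, tag, qual, perms, eff))
    return rows

def masked_entries(output):
    return [r for r in effective(parse_getfacl(output)[1]) if r[3] != r[4]]
```

Running masked_entries(SAMPLE_GETFACL) flags btsync’s access entry as rw- granted but r-- in force, which is the same thing getfacl shows with its “#effective:” annotation.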

There you have it, a basic overview of ACLs, and how to set and view them.  If you have any questions or have a correction to this information, please let me know!

About professorkaos64

Posted on 2013-11-20 in Administration, Security.
