Access Control List - ACLs

The classic Linux permission scheme (ugo/rwx) can only express rights for one owner, one group and everyone else. When you need distinct permissions for additional individual users or groups on the same file or directory, you can use Access Control Lists (ACLs) on top of it.


The filesystem holding the files you want to put ACLs on must be mounted with ACL support. Check the mount options of the filesystem in question (here the root filesystem, /dev/xvda1):

mount | grep xvda1
/dev/xvda1 on / type xfs (rw,relatime,seclabel,attr2,inode64,noquota)

On XFS, POSIX ACLs are always available and there is no mount option to turn them on (attr2 only selects the on-disk format for extended attributes; it is not an ACL switch). On ext2/ext3/ext4 look for acl in the option list: if you see noacl, or no acl option at all, add acl to the filesystem's entry in /etc/fstab and remount it:

mount -o remount,acl /

This works for the root / filesystem as well; a reboot is only needed if the remount is refused. On ext4 the acl option is usually on by default because mke2fs records it in the superblock's default mount options, which you can see with tune2fs -l /dev/xvda1 | grep 'Default mount options'.

Using ACLs

Imagine that we have these two groups and five users:

  • devs: euler, colleen, eric
  • ops: rodrigo, jonas

And we have a project directory that devs have full access to:

groupadd devs
groupadd ops
useradd euler
useradd colleen
useradd eric
useradd rodrigo
useradd jonas
usermod -aG devs euler
usermod -aG devs colleen
usermod -aG devs eric
usermod -aG ops rodrigo
usermod -aG ops jonas

mkdir /var/projectX
touch /var/projectX/

chown -R euler:devs /var/projectX
chmod -R 770 /var/projectX

But what if we want to grant write access to a user who is not in the devs group? We could create a new group containing every user who needs access, but that gets messy fast.

With ACLs we can grant individual users access to files and directories. Hence, to give jonas write permission on the file, plus read and search permission on the directory so that he can actually reach it:

setfacl -m u:jonas:rw /var/projectX/
setfacl -m u:jonas:rx /var/projectX

jonas can now read and enter the /var/projectX directory and also write to

We can check the ACLs on a file or directory by running the getfacl command:

getfacl /var/projectX/

getfacl: Removing leading '/' from absolute path names
# file: var/projectX/
# owner: euler
# group: devs
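A full getfacl dump also carries a mask entry, and that entry is where ACLs surprise people: the kernel ANDs every named user and named group entry with the mask before using it. setfacl recomputes the mask when it adds an entry (unless you pass -n), but a later chmod on the same file rewrites the mask and can silently strip rights from the named entries; getfacl flags that with #effective: comments. The following script, an added example rather than code from the original page, parses constructed getfacl dumps modelled on the scenario above (the file name notes.txt and the chmod 640 that follows are hypothetical) and evaluates them with the access-check order from acl(5): owner, named user, owning/named groups, other.

```python
"""Evaluate getfacl(1) dumps the way the kernel does (acl(5), section
"ACCESS CHECK ALGORITHM"), mask entry included.  Added example; the parsing
and check logic are my own and the dumps below are constructed, not captured
from a real host."""

# 1. The tutorial's directory right after `setfacl -m u:jonas:rx /var/projectX`.
PROJECT_DIR_ACL = """\
# file: var/projectX
# owner: euler
# group: devs
user::rwx
user:jonas:r-x
group::rwx
mask::rwx
other::---
"""

# 2. A hypothetical file that got `setfacl -m u:jonas:rw` and was then
#    `chmod 640`-ed.  chmod rewrites the mask, not the named entries, so
#    getfacl annotates the entries whose real rights shrank.
NOTES_FILE_ACL = """\
# file: var/projectX/notes.txt
# owner: euler
# group: devs
user::rw-
user:jonas:rw-          #effective:r--
group::rwx              #effective:r--
mask::r--
other::---
"""

# 3. A file with no extended ACL at all: plain ugo/rwx, hence no mask entry.
PLAIN_ACL = """\
# file: etc/hostname
# owner: root
# group: root
user::rw-
group::r--
other::r--
"""

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def perm_bits(perms):
    """'r-x' -> 5; the '-' placeholders getfacl prints are ignored."""
    return sum(PERM_BITS[c] for c in perms if c in PERM_BITS)


def parse_getfacl(text):
    """Parse one getfacl dump.  user[''] / group[''] hold the owner and
    owning-group entries; any other key is a named user or named group.
    mask stays None when the dump has no mask entry."""
    acl = {"owner": None, "owning_group": None, "user": {}, "group": {},
           "mask": None, "other": 0}
    for raw in text.splitlines():
        if raw.startswith("# owner:"):
            acl["owner"] = raw.split(":", 1)[1].strip()
        elif raw.startswith("# group:"):
            acl["owning_group"] = raw.split(":", 1)[1].strip()
        elif raw.startswith("#") or not raw.strip():
            continue  # "# file:" / "# flags:" headers or blank lines
        else:
            entry = raw.split("#", 1)[0].strip()  # drop "#effective:..." notes
            tag, qualifier, perms = entry.split(":")
            if tag in ("user", "group"):
                acl[tag][qualifier] = perm_bits(perms)
            elif tag in ("mask", "other"):
                acl[tag] = perm_bits(perms)
    return acl


def access_granted(acl, user, groups, want):
    """True if `user` (a member of the set `groups`) may open the object
    with the rights in `want`, e.g. 'rw'.  Only the first matching class is
    consulted, in kernel order; for groups, any single matching entry that
    covers all requested bits (after masking) is enough."""
    need = perm_bits(want)
    mask = 7 if acl["mask"] is None else acl["mask"]  # no mask => no limit

    # 1. owner: the user:: entry, never limited by the mask
    if user == acl["owner"]:
        return (acl["user"][""] & need) == need
    # 2. named user entry, limited by the mask
    if user in acl["user"]:
        return (acl["user"][user] & mask & need) == need
    # 3. owning group and any named groups the user belongs to
    candidates = []
    if acl["owning_group"] in groups:
        candidates.append(acl["group"][""])
    candidates += [bits for name, bits in acl["group"].items()
                   if name and name in groups]
    if candidates:
        return any((bits & mask & need) == need for bits in candidates)
    # 4. everybody else
    return (acl["other"] & need) == need


if __name__ == "__main__":
    dir_acl = parse_getfacl(PROJECT_DIR_ACL)
    file_acl = parse_getfacl(NOTES_FILE_ACL)
    for who, groups in (("euler", {"devs"}), ("colleen", {"devs"}),
                        ("jonas", {"ops"}), ("rodrigo", {"ops"})):
        print(f"{who:8} enter dir: {access_granted(dir_acl, who, groups, 'x')!s:5} "
              f"write file: {access_granted(file_acl, who, groups, 'w')}")
```

Running it shows jonas entering the directory but failing to write the file even though his own entry says rw-, and colleen (devs, group rwx) failing for the same reason: the mask is r--. The fix on a real system is setfacl -m m::rw file, or simply re-running the setfacl -m u:jonas:rw, which recomputes the mask.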

An entry added with -m only covers the object it was applied to; files created later inside /var/projectX will not carry it unless the directory also has a default ACL (setfacl -d -m u:jonas:rwx /var/projectX), which new entries inherit. To remove a single entry, replace -m with -x and name the entry without permission bits (setfacl -x u:jonas /var/projectX); -b removes all ACL entries from a file or directory:

setfacl -b /var/projectX

I hope you've learned a little bit about Linux ACLs; you can learn more at Setting Access ACLs.
