Access Control List - ACLs

The well-known Linux permission scheme (ugo/rwx) only distinguishes the owner, the owning group and everyone else. To grant distinct permissions to individual users or groups on top of that, we can leverage Access Control Lists (ACLs).

Requirements

The filesystem holding the files you want to set ACLs on must be mounted with ACL support. You can check that by running:

mount | grep xvda1
/dev/xvda1 on / type xfs (rw,relatime,seclabel,attr2,inode64,noquota)

We can see the attr2 option, which indicates that this filesystem supports extended attributes, and therefore ACLs. If you don't see that option for your filesystem, or if you see noacl, fix it in /etc/fstab by adding or removing the appropriate options and then remounting the filesystem:

mount /dev/xvda1 -o remount

The root / filesystem can't be remounted this way; you have to reboot the machine for the new options to take effect.

Using ACLs

Imagine that we have these two groups and five users:

  • devs: euler, colleen, eric
  • ops: rodrigo, jonas

And we have a project folder that the devs group has full access to:

groupadd devs
groupadd ops
useradd euler
useradd colleen
useradd eric
useradd rodrigo
useradd jonas
usermod -aG devs euler
usermod -aG devs colleen
usermod -aG devs eric
usermod -aG ops rodrigo
usermod -aG ops jonas

mkdir /var/projectX
touch /var/projectX/main.py

chown -R euler:devs /var/projectX
chmod -R 770 /var/projectX

But what if we want to grant write access to a user who is not in the devs group? We could create a new group that includes all the necessary users, but that gets messy fast.

With ACLs we can grant individual users access to files and directories. So, to give jonas write permission on main.py (he also needs read and execute on the directory to reach the file):

setfacl -m u:jonas:rw /var/projectX/main.py
setfacl -m u:jonas:rx /var/projectX

Ok, jonas can now read and enter the /var/projectX folder and write to main.py.

We can check the ACLs on a file by running the getfacl command:

getfacl /var/projectX/main.py

getfacl: Removing leading '/' from absolute path names
# file: var/projectX/main.py
# owner: euler
# group: devs
user::rwx
user:jonas:rw-
group::rwx
mask::rwx
other::---
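The mask:: entry in that output is easy to overlook: it caps every named-user and group entry, and a later chmod on the file rewrites the mask rather than the group:: entry, so an ACL that looked fine can silently stop granting write access. The following Python script is an added example, not part of the original post: it parses the text getfacl prints and answers "can this user do X?" following the evaluation order from acl(5) (owner entry, then named user, then owning and named groups, then other, with the mask applied to the middle two). The getfacl output it parses is constructed for the post's project scenario, with the mask deliberately lowered to r-- (as a `chmod g=r main.py` would do) to show the effect; the `#effective:` hints are what getfacl appends when the mask restricts an entry.

```python
"""Resolve effective POSIX ACL permissions from getfacl(1) output.

Added example (not part of the original post). Parses getfacl's text and
applies the access-check order from acl(5): owner entry -> named user entry
-> owning/named group entries -> other, with the mask capping every
named-user and group entry but never the owner or other entries.
"""
from dataclasses import dataclass, field
from typing import Iterable, Optional

PERM_BITS = {"r": 4, "w": 2, "x": 1}

# Constructed getfacl output for the post's main.py after `chmod g=r main.py`:
# chmod rewrote the mask (not group::), so named entries are capped to r--.
SAMPLE_GETFACL = """\
getfacl: Removing leading '/' from absolute path names
# file: var/projectX/main.py
# owner: euler
# group: devs
user::rwx
user:jonas:rw-\t\t#effective:r--
group::rwx\t\t\t#effective:r--
mask::r--
other::---
"""


def perms_to_bits(perm: str) -> int:
    """'rw-' -> 6, 'r-x' -> 5, '---' -> 0."""
    return sum(PERM_BITS[c] for c in perm if c in PERM_BITS)


def bits_to_perms(bits: int) -> str:
    """6 -> 'rw-'."""
    return "".join(c if bits & v else "-" for c, v in PERM_BITS.items())


@dataclass
class Acl:
    owner: str = ""
    group: str = ""
    user_obj: int = 0            # user::  (file owner, never masked)
    group_obj: int = 0           # group:: (owning group, masked)
    other: int = 0               # other:: (never masked)
    mask: Optional[int] = None   # mask::  (absent when the file has no extended ACL)
    users: dict = field(default_factory=dict)   # user:NAME:perm entries
    groups: dict = field(default_factory=dict)  # group:NAME:perm entries


def parse_getfacl(text: str) -> Acl:
    """Parse one file's getfacl output exactly as printed, header comments included."""
    acl = Acl()
    for raw in text.splitlines():
        line = raw.split("#effective:")[0].strip()   # drop getfacl's effective-rights hint
        if not line or line.startswith("getfacl:"):
            continue                                 # blank line or the "Removing leading '/'" notice
        if line.startswith("#"):                     # "# owner: euler", "# group: devs", "# file: ..."
            key, _, value = line[1:].strip().partition(":")
            if key == "owner":
                acl.owner = value.strip()
            elif key == "group":
                acl.group = value.strip()
            continue
        tag, qualifier, perm = line.split(":", 2)    # "user:jonas:rw-" / "user::rwx" / "mask::r--"
        bits = perms_to_bits(perm)
        if tag == "user":
            if qualifier:
                acl.users[qualifier] = bits
            else:
                acl.user_obj = bits
        elif tag == "group":
            if qualifier:
                acl.groups[qualifier] = bits
            else:
                acl.group_obj = bits
        elif tag == "mask":
            acl.mask = bits
        elif tag == "other":
            acl.other = bits
    return acl


def effective_entries(acl: Acl) -> dict:
    """Permissions each entry really grants once the mask is applied."""
    m = 7 if acl.mask is None else acl.mask
    out = {"user::": bits_to_perms(acl.user_obj),
           "group::": bits_to_perms(acl.group_obj & m),
           "other::": bits_to_perms(acl.other)}
    for name, bits in acl.users.items():
        out[f"user:{name}:"] = bits_to_perms(bits & m)
    for name, bits in acl.groups.items():
        out[f"group:{name}:"] = bits_to_perms(bits & m)
    return out


def can_access(acl: Acl, user: str, groups: Iterable[str], want: str) -> bool:
    """Would `user` (member of `groups`) be granted `want`, e.g. 'w' or 'rx'?"""
    need = perms_to_bits(want)
    m = 7 if acl.mask is None else acl.mask
    if user == acl.owner:                          # 1. owner: user:: entry, unmasked
        return (acl.user_obj & need) == need
    if user in acl.users:                          # 2. named user entry, masked
        return (acl.users[user] & m & need) == need
    matched = False                                # 3. owning group and named groups
    for g in groups:
        if g == acl.group:
            matched = True
            if (acl.group_obj & m & need) == need:
                return True
        if g in acl.groups:
            matched = True
            if (acl.groups[g] & m & need) == need:
                return True
    if matched:
        return False                               # a group matched but none grants it
    return (acl.other & need) == need              # 4. other:: entry, unmasked


def demo() -> dict:
    """Checks against the constructed sample (user -> group memberships from the post)."""
    acl = parse_getfacl(SAMPLE_GETFACL)
    return {
        "jonas_write": can_access(acl, "jonas", ["ops"], "w"),        # mask caps rw- to r--
        "jonas_read": can_access(acl, "jonas", ["ops"], "r"),
        "euler_write": can_access(acl, "euler", ["devs"], "w"),       # owner is never masked
        "colleen_write": can_access(acl, "colleen", ["devs"], "w"),   # group:: is masked too
        "rodrigo_read": can_access(acl, "rodrigo", ["ops"], "r"),     # falls through to other::
    }


if __name__ == "__main__":
    for entry, perm in effective_entries(parse_getfacl(SAMPLE_GETFACL)).items():
        print(f"{entry:<14}{perm}")
    for check, allowed in demo().items():
        print(check, allowed)
```

Run it against real output with `getfacl /var/projectX/main.py | python3 -c '...'` style piping if you adapt `SAMPLE_GETFACL` to read stdin; the point to take from the demo is that jonas loses write access the moment the mask drops, even though his own entry still says rw-, while euler as owner is unaffected.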

We can remove the ACL entries above by replacing -m with -x, or use -b to strip all ACL entries from a file or directory:

setfacl -b /var/projectX

I hope you've learned a little bit about Linux ACLs; you can learn more at Setting Access ACLs.

jisep ibuiom

good post i like it