Access Control List - ACLs
To improve the well known Linux permission schema
rwx, allowing us to set distinct permission for different individual users or groups we can leverage the Access Control List - ACL.
The filesystem where the files you want to set ACL are stored must be mounted with ACL support. You can check that by running:
mount /dev/xvda1 | grep attr /dev/xvda1 on / type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
We can see the
attr2 which indicates that this filesystem supports extended attributes - ACLs. If you don't see that option for your filesystem or if you see the
noacl, you can fix it in
/etc/fstab adding or removing the appropriated options, and remounting the filesystem:
mount /dev/xvda1 -o remount
You can't remount the root
/filesystem. You have to reboot your machine to get new options enabled.
Imagine that we have these two groups and 5 users:
And we have a project folder that
devs have full acess to it:
groupadd dev groupadd ops useradd euler useradd colleen useradd rodrigo useradd jonas usermod -aG devs euler usermod -aG devs colleen usermod -aG devs eric usermod -aG ops rodrigo usermod -aG ops jonas mkdir /var/projectX touch /var/projectX/main.py chown -R euler.devs /var/projectX chmod -R 770 /var/projectX
But what if we want to grant write access to a user that is not in
We could create a new group that includes all necessary users, but it would get messy fast.
With ACLs we can grant individual users access to files and directories. Hence, to add write permission for jonas to
setfacl -m u:jonas:rw /var/projectX/main.py setfacl -m u:jonas:rx /var/projectX
jonas now has access to read and to enter in
/var/projectX folder and also to write to
We can check for ACLs on a file by running
getfacl /var/projectX/main.py getfacl: Removing leading '/' from absolute path names # file: var/projectX/main.py # owner: euler # group: dev user::rwx user:jonas:rw- group::rwx mask::rwx other::---
We can remove the above ACLs replacing
-x, or using
-b to remove all ACLs from a file or directory:
setfacl -b /var/projectX
I hope you've learned a litte bit about Linux ACLs, you can learn more at Setting Access ACLs.