Overview
ACL provides flexible permission management beyond the traditional Unix permission model (owner, group, others). It allows explicit specification of access permissions for files or directories for specific users or groups. This is useful for meeting complex permission requirements in environments shared by multiple users.
Key Features
- Fine-grained permission control
- Granting permissions to specific users/groups
- Works in conjunction with default permissions (umask)
- Ability to set default ACLs for directories
Installation
While ACL support itself is built into the Linux kernel, the `acl` package needs to be installed to use the `getfacl` and `setfacl` commands. On many Linux distributions it is not installed by default.
Debian/Ubuntu
sudo apt update && sudo apt install acl
Command to install the `acl` package on Debian or Ubuntu-based systems.
CentOS/RHEL/Fedora
sudo yum install acl
Command to install the `acl` package on CentOS, RHEL, or Fedora-based systems.
Usage Examples
ACLs are primarily managed through the `getfacl` (view ACLs) and `setfacl` (set ACLs) commands. Here are some common usage examples.
View ACL of a File
getfacl my_file.txt
Use the `getfacl` command to check the current ACL of a specific file or directory.
Grant Read/Write Permissions to a Specific User
setfacl -m u:user1:rw my_file.txt
Use the `setfacl -m` option to grant read (r) and write (w) permissions to 'user1' for 'my_file.txt'.
Grant Execute Permission to a Specific Group
setfacl -m g:dev_group:x my_script.sh
Use the `setfacl -m` option to grant execute (x) permission to the 'dev_group' for 'my_script.sh'.
Remove an ACL Entry
setfacl -x u:user1 my_file.txt
Use the `setfacl -x` option to remove the ACL entry for 'user1'.
Set Default ACL for a Directory
setfacl -m d:u:user2:rwx my_directory/
Use the `d:` prefix to set a default ACL on a directory; files and subdirectories created inside it inherit that ACL as their initial access ACL.
Remove All ACLs
setfacl -b my_file.txt
Use the `setfacl -b` option to remove all extended ACL entries from a file or directory, reverting to traditional permissions.
Tips & Considerations
When using ACLs, it's important to understand their interaction with the traditional permission system.
ACLs and Traditional Permissions
- For files/directories with ACLs set, the `ls -l` output will have a `+` symbol at the end of the permission string.
- ACLs add additional permissions on top of traditional permissions (owner, group, others). The `mask` entry limits the maximum effective permissions of ACLs.
- Setting overly complex ACLs can make permission management difficult, so use them cautiously and only when necessary.
Understanding the mask Entry
When ACLs are set, a `mask` entry may be automatically created or updated. This `mask` defines the maximum effective permissions granted to user (u:), group (g:), named user (u:name:), and named group (g:name:) entries. Permissions granted beyond what the `mask` allows are not effective, and `getfacl` flags such entries with an `#effective:` comment. You can set the `mask` explicitly with a command like `setfacl -m m::rw`.
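As an added illustration (not part of the original page), the Python script below parses `getfacl` output and computes each entry's effective permissions by ANDing it with the `mask`, reproducing the `#effective:` comments that `getfacl` prints when the mask reduces an entry. It follows acl(5): the mask caps the group-owner, named-user and named-group entries, while the owning user's `user::` entry and the `other::` entry are reported unmasked. The listing for `my_file.txt` is a constructed sample, not captured output.

```python
"""Parse getfacl(1) output and compute the effective permissions of each
entry under the mask, the way getfacl's "#effective:" comments report them.
Added example; the sample listing below is constructed, not real output."""

from dataclasses import dataclass

# Constructed sample in the format getfacl prints: a comment header, then
# one "tag:qualifier:perms" entry per line.
SAMPLE_GETFACL = """\
# file: my_file.txt
# owner: alice
# group: staff
user::rw-
user:user1:rw-
group::r--
group:dev_group:rwx
mask::r--
other::---
"""


@dataclass
class AclEntry:
    tag: str        # "user", "group", "mask" or "other"
    qualifier: str  # user/group name; "" for owner, group-owner, mask, other
    perms: str      # three-character rwx string, e.g. "rw-"


def parse_getfacl(text: str) -> list[AclEntry]:
    """Turn getfacl output into AclEntry objects, ignoring comments
    (including a trailing "#effective:" annotation on an entry line)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tag, qualifier, perms = line.split(":", 2)
        entries.append(AclEntry(tag, qualifier, perms))
    return entries


def apply_mask(perms: str, mask: str) -> str:
    """Bitwise AND of two rwx strings: a permission survives only if it is
    present in both the entry and the mask."""
    return "".join(p if p == m and p != "-" else "-" for p, m in zip(perms, mask))


def effective_permissions(entries: list[AclEntry]) -> dict[str, str]:
    """Map each entry ("tag:qualifier") to its effective permissions.
    Per acl(5) the mask caps group-owner, named-user and named-group
    entries; the owner (user::) and other:: entries are never masked."""
    mask = next((e.perms for e in entries if e.tag == "mask"), None)
    result = {}
    for e in entries:
        key = f"{e.tag}:{e.qualifier}"
        is_masked = mask is not None and (
            (e.tag == "user" and e.qualifier != "") or e.tag == "group"
        )
        result[key] = apply_mask(e.perms, mask) if is_masked else e.perms
    return result


def render_with_effective(entries: list[AclEntry]) -> list[str]:
    """Render entries like getfacl does, appending "#effective:" wherever
    the mask reduces what an entry appears to grant."""
    effective = effective_permissions(entries)
    lines = []
    for e in entries:
        key = f"{e.tag}:{e.qualifier}"
        line = f"{e.tag}:{e.qualifier}:{e.perms}"
        if effective[key] != e.perms:
            line += f"\t#effective:{effective[key]}"
        lines.append(line)
    return lines


if __name__ == "__main__":
    print("\n".join(render_with_effective(parse_getfacl(SAMPLE_GETFACL))))
```

Running it shows `user:user1:rw-` and `group:dev_group:rwx` both reported with an effective `r--` under a `mask::r--`, which is exactly the situation to look for when a user reports that an ACL grant "does not work": the entry is present, but the mask caps it, and only raising the mask (for example with `setfacl -m m::rwx`) makes the granted bits effective.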
Filesystem Support
To use ACLs, the filesystem must support them. Most modern Linux filesystems like ext2, ext3, ext4, and XFS support ACLs. You may need to ensure the `acl` option is enabled when mounting the filesystem (e.g., in `/etc/fstab`).