The standard Linux permissions are suitable for most situations but they have their own limitations. The standard permissions limit access to file owner, group owner and others. But, what-if we want to grant specific permission to another named user, other than the user-owner or another named group other than the group-owner. Access Control List (ACL) allows us to set these fine grained permissions.
Consider an example:
For the file data.txt
user-owner is baljit, having permissions rwx
group-owner is Linux having permissions rw-
others have permission r–
Now, can we grant a named-user Ricky, rw- permissions on this file (without making him the user-owner)?
Can we grant another named-group Guest, rwx permissions on this file while keeping the group-owner same?
To achieve these, we have to use Access Control List and learn the use of setfacl and getfacl commands.
The ls -l command shows minimal ACL settings. A ‘+’ sign at the end of the permissions means that ACL is set on the file or directory.
So, the best way to view ACL settings is to use the getfacl command
#file : name of file/directory (practice)
#owner: name of user-owner (Rohit)
#group: name of group-owner (Linux)
user: User-owner permissions (rw- for Rohit)
user:Virat: permissions for named-user Virat (none)
group:Group-owner permissions (r– for members of Linux group)
group:project1: permissions for members of named-group project1 (rw-)
mask: maximum effective permissions for group-owner, named-group and named-user (rw-)
other: permissions for others (r–)
The setfacl command is used to add, modify or delete standard ACL permissions on files and directories.
$setfacl -m u:name:permissions file
If the name is kept empty, the permissions are applied to file-owner. The name can be username or UID.
Note: ACL user-owner and standard user-owner settings are equivalent. So, using chmod and setfacl to change user-owner permissions will have the same effect.
$setfacl -m g:name:permissions file
If the name is kept empty, the permissions are applied to group-owner. The name can be group-name or GID.
Note: chmod has no effect on any group permissions if ACL is set on the file or directory. chmod will update the ACL mask. So, to change group permissions if ACL is set use the setfacl comamnd only.
$setfacl -m o::permissions file
Note: ACL other and standard other settings are equivalent. So, using chmod and setfacl to change other permissions will have the same effect.
Recurring ACL are used when you want to change the ACL settings for all the files and sub-directories along with those of the directory itself.
Before setting Recursive ACL
After setting Recursive ACL
It is clear from the output that ACl is set on the directory D_set as well on the files and sub-directories within it. Another point to note here is the use of ‘X’ while setting ACL. Using ‘X’ will give execute permission on all sub-directories but not on regular-files (unless if already exists)
Recursive ACL works on on existing files and directories. For setting default ACL settings for future files and sub-directories that you want to create use
$setfacl -m d:u:name:permission directory $setfacl -m d:g:name:permission directory
Note: While setting default ACL on a directory, ensure that the users get execute permission on the new directories otherwise they will not be able to access the directory content. So, use ‘X’ as a permission
Example: In the below example, default ACL is set on D_set directory which allows Virat user read and execute permission. The same is verified by creating a new file and viewing its ACL settings
An explicit mask can be defined for named-users, group-owner and named-groups. Mask will restrict any permission that exceed the mask i.e., even if a named-group has higher permission than the mask it will not be able to use those. For example,
The mask set is r– on D_set directory. Now, even though the named-group project1 is having rwx permissions but the members of project1 will only be able to read the contents. That’s why the #effective:r– comment is written in front of named-user, group-owner and named-group.
To delete a particular ACL setting use the -x option
$setfacl -x u:name file
$setfacl -x g:name file
To delete all ACLs at once use -b option
$setfacl -b file
Consider a directory Linux. Only, members of Section group have access to this directory. Now, assign full permission to Class group also. Manoj, a member of the Class group, has misbehaved and it has been decided that he be denied access to the directory.
Your task is to assign the appropriate ACLs to Linux and its contents, so that members of Class group have full access except Manoj who is denied any access. Also, ensure that future files and sub-directories inside Linux get appropriate ACLs applied.