Spring Ep edited this page Oct 6, 2020 · 2 revisions

ACLs allow us to grant fine-grained permissions on a file. Ordinary file permissions are limited to the file owner, membership of a single group, and others. With ACLs, in addition to the standard permissions, we can grant permission flags (r, w, x) to named users and named groups.
Just as chmod accepts a capital X, setfacl accepts the same option.

X grants execute/search permission only if the file is a directory or already has execute permission for some user.
To explain it a bit better: if the file is a directory, X sets its execute bit; if it is a regular file, X checks whether any of the existing execute bits (for user, group or other: S_IXUSR, S_IXGRP or S_IXOTH) is set to 1. If at least one of them is set, X is treated as x; if none of the execute bits is set, the execute permission is ignored.

A minimum ACL corresponds to the conventional permission bits; an extended ACL must contain a mask entry and may contain entries for named users and named groups.

Figure 1.1 How a minimum ACL corresponds to conventional permission bits

Figure 1.2 How an extended ACL corresponds to conventional permission bits

Some file systems need to be mounted with the acl option. For example, XFS has ACL support enabled by default, while ext4 might need it specified in the mount options in /etc/fstab.

How to view the ACL options

ls -l <filename> lists the file in long format, but it only shows a + sign at the end of the permission string to indicate that the file has an ACL set.

```
$ ls -l example1.txt
-rw-rwsr-T+ 1 alice jack 0 9月 30 05:47 example1.txt
```

We should interpret this 10-character permission string as follows:

  • user - shows the owner's permissions, which are the same as the standard user file settings (the owner's permissions are not changed by the mask)
  • group - if an extended ACL is set, these three bits show the current ACL mask (yep, they show the value of the mask, really, why?); if no extended ACL is set, they show the ordinary group permissions for that file. [3]
  • other - shows the ordinary permissions for others

The mask shows the maximum permissions possible for all named users, the group-owner and named groups. The mask does not affect the user-owner's permissions.
If a file has an extended ACL set, chmod g+rw only changes the mask; it does not change the group-owner permissions. To manipulate the group-owner permissions, use setfacl -m g::rwx <file-name>.
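To make the mask rule and the ls -l display above concrete, here is an added Python example (not code from this wiki) that models an ACL's effective permissions the way getfacl's #effective: comments do, rebuilds the ls -l permission field, and shows why chmod on the group only touches the mask. The ACL text, the user bob and the group sodor are constructed for the example.

```python
# Constructed getfacl-style ACL text for this example (not from a real file).
SAMPLE_ACL = """\
# file: example1.txt
user::rw-
user:bob:rwx
group::rwx
group:sodor:r-x
mask::rw-
other::r--
"""

def parse_acl(text):
    """Return (tag, qualifier, perms) tuples, skipping getfacl's # comment lines."""
    return [tuple(l.strip().split(":")) for l in text.splitlines()
            if l.strip() and not l.strip().startswith("#")]

def apply_mask(perms, mask):
    """AND two rwx strings: a flag survives only if it is set in both."""
    return "".join(p if p == m else "-" for p, m in zip(perms, mask))

def effective_acl(text):
    """Map 'tag:qualifier' -> effective perms, as getfacl's #effective: shows.
    The mask applies to named users, group-owner and named groups, never to user:: or other::."""
    entries = parse_acl(text)
    mask = next((p for t, _, p in entries if t == "mask"), None)
    result = {}
    for tag, qual, perms in entries:
        masked = tag == "group" or (tag == "user" and qual != "")
        result[f"{tag}:{qual}"] = apply_mask(perms, mask) if mask and masked else perms
    return result

def ls_mode_string(text):
    """Rebuild ls -l's permission field: with an extended ACL the middle
    triplet is the mask, not group::, and a '+' is appended."""
    e = {f"{t}:{q}": p for t, q, p in parse_acl(text)}
    if "mask:" in e:
        return e["user:"] + e["mask:"] + e["other:"] + "+"
    return e["user:"] + e["group:"] + e["other:"]

def chmod_group(text, new_perms):
    """Model 'chmod g=<perms>': if a mask entry exists it is rewritten and
    group:: is left untouched (setfacl -m g::... is needed for that)."""
    entries = parse_acl(text)
    target = "mask" if any(t == "mask" for t, _, _ in entries) else "group"
    lines = [f"{t}:{q}:{new_perms if t == target and q == '' else p}"
             for t, q, p in entries]
    return "\n".join(lines) + "\n"
```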

ACL on directories

When we apply ACLs to directories, the logic is the same as for files, but there are two additional options:

  1. you can set execute permission on a directory - when a directory has the execute bit set, its contents can be searched.

  2. you can set default permissions - default permissions are inherited by files and directories created inside the directory that has the default ACL set.
    If the default entry is default:user::rwx, the file owner will get read/write on new files and execute permission on new subdirectories.
    If the ACL contains default:group:sodor:r-x, sodor will get read-only on new files and execute on new subdirectories.

The default ACL mask entry default:mask::rwx sets the initial maximum permissions possible on new files and subdirectories for:

  • named user entries
  • the group-owner entry
  • named group entries

Sources:

  1. https://docs.oracle.com/cd/E19455-01/805-7229/6j6q8svdb/index.html
  2. https://unix.stackexchange.com/questions/147499/what-relationships-tie-acl-mask-and-standard-group-permission-on-a-file
  3. https://www.pks.mpg.de/~mueller/docs/suse10.1/suselinux-manual_en/manual/sec.acls.handle.html