If you have used Linux systems, you are likely familiar with the standard read, write and execute permissions that can be assigned to files and directories.
However, standard Linux permissions only let you assign access rights to the owner, the owning group, and everyone else.
What if you want to give your colleague John permission to read a specific file without giving everyone else the same access? This is where access control lists (ACLs) come in handy.
For example, ACLs allow you to:
Give user John read access to file.txt
Give the marketing group write permissions for the sales-data directory
Revoke execute permissions from user Marie on backup-script.sh
Listing ACLs on Files
To check if a file has an ACL set, use:
$ ls -l data.txt
A + symbol at the end of the permission string in the output indicates that an ACL has been set.
To see the ACL details, use getfacl:
$ getfacl data.txt
The getfacl output shows both the standard permissions and the ACL permissions set on the file.
Setting and Removing ACLs on Files
To give James read and write access to the file data.txt, run:
$ setfacl -m u:james:rw- data.txt
After setting the user ACL, getfacl data.txt would display:
ACLs also let you grant permissions to groups. Here is an example that gives the group "managers" read and execute permissions:
$ setfacl -m g:managers:r-x data.txt
After setting the group ACL, getfacl data.txt would display:
To remove james's ACL permission, run:
$ setfacl -x u:james data.txt
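The following is an added example, not part of the original guide: a shell function that reads getfacl output and lists every named user and group entry with its effective permissions, which is useful when auditing who has access beyond owner, group and other. It goes slightly beyond the text by applying the ACL mask, which chmod rewrites on a file that has an ACL; the function name and both sample outputs are constructed for illustration.

```shell
# Added example. Reads `getfacl` text on stdin and prints each named user or
# group entry as "type:name:effective", where effective = entry AND mask.
acl_named_entries() {
  awk -F: '
    /^#/ || NF < 3 { next }                     # skip header comments, blanks
    { sub(/[ \t]*#.*/, "", $3) }                # drop "#effective:" notes
    $1 == "mask" { mask = $3; next }
    ($1 == "user" || $1 == "group") && $2 != "" {
      kind[++n] = $1; name[n] = $2; perm[n] = $3
    }
    END {
      for (i = 1; i <= n; i++) {
        eff = ""
        for (c = 1; c <= 3; c++) {
          p = substr(perm[i], c, 1)
          # a bit survives only if the mask also grants it
          if (mask != "" && substr(mask, c, 1) == "-") p = "-"
          eff = eff p
        }
        print kind[i] ":" name[i] ":" eff
      }
    }'
}

# Constructed sample: getfacl output for data.txt after the two
# `setfacl -m` commands above (setfacl recalculates the mask to rwx).
SAMPLE_AFTER_SETFACL='# file: data.txt
user::rw-
user:james:rw-
group::r--
group:managers:r-x
mask::rwx
other::r--'

# Constructed sample: the same file after `chmod 640 data.txt`. On a file
# with an ACL, chmod changes the mask, not the owning group entry.
SAMPLE_AFTER_CHMOD='# file: data.txt
user::rw-
user:james:rw-      #effective:r--
group::r--
group:managers:r-x  #effective:r--
mask::r--
other::---'

printf '%s\n' "$SAMPLE_AFTER_SETFACL" | acl_named_entries
printf '%s\n' "$SAMPLE_AFTER_CHMOD" | acl_named_entries
```

On a real system, pipe live output into it with getfacl data.txt | acl_named_entries.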
Setting Default ACLs on Directories
Default ACLs set on directories will be inherited by new files and sub-directories created within them.
To set a default ACL, use the -d option:
$ setfacl -d -m u:james:rwx backups
Summing up
That covers the key concepts and usage of ACLs in Linux!
Thank you for making it this far. Hopefully, you will find this digest useful.