ACLs

Understanding and implementing Access Control Lists for granular file and directory permissions beyond standard Unix permissions

Access Control Lists (ACLs) extend traditional Unix file permissions by allowing more granular access control. While standard permissions only support owner, group, and others, ACLs enable setting permissions for multiple users and groups on the same file or directory.

Key Concepts

  • Extended Attributes: ACLs are stored in the system.posix_acl_access and system.posix_acl_default extended attributes, so the filesystem must support xattrs
  • Named Users/Groups: Grant permissions to specific users or groups beyond the owner and the owning group
  • Default ACLs: Set on a directory only; copied to files and subdirectories created inside it afterwards
  • Effective Permissions: What an entry actually grants once the mask has been applied to it
  • Mask: Upper bound on the permissions of named users, named groups, and the owning group; setfacl recalculates it automatically unless -n is given

Command Syntax

setfacl [options] permissions file/directory
getfacl [options] file/directory

  • setfacl - Set or modify ACL permissions
  • getfacl - View current ACL permissions

Common Options

setfacl options:

-m - Modify (add or change) ACL entries
-x - Remove specific ACL entries
-b - Remove all extended ACL entries, leaving only owner/group/other
-d - Operate on the default ACL (directories only)
-R - Apply recursively
-k - Remove the default ACL only
-n - Do not recalculate the mask after the change
--set-file=FILE - Replace the ACL with the entries read from FILE (- for stdin)

getfacl options:

-d - Display the default ACL only
-R - Show ACLs recursively
-t - Use tabular output format
-p - Keep absolute path names (no leading-slash stripping)
-s - Skip files that have only the base owner/group/other entries (useful for audits)

Practical Examples

Example 1: Grant user read/write access

setfacl -m u:alice:rw- /home/shared/file.txt
getfacl /home/shared/file.txt

Gives user ‘alice’ read and write permission on the file. setfacl recalculates the mask to cover the new entry (unless -n is given), so the entry is effective immediately; getfacl prints the full entry list to confirm.

Example 2: Grant group permissions

setfacl -m g:developers:rwx /home/projects/
ls -ld /home/projects/

Notice the ‘+’ at the end of the mode string (for example drwxrwxr-x+), which marks a file or directory carrying an extended ACL. ls -ld is needed to describe the directory itself; ls -l would list its contents instead. Once an ACL is present, the group column of ls shows the mask, not the owning group's entry.

Example 3: Set default ACLs for directory

setfacl -d -m u:bob:rx /home/shared/
setfacl -d -m g:staff:rwx /home/shared/

Files and subdirectories created in /home/shared from now on start with these entries; existing contents are not changed (use setfacl -R -m ... for those). Default ACLs can only be set on directories. The inherited entries are still subject to the mask, and a new object's mask is taken from the group bits of its creation mode (0666 for most programs creating files, 0777 for mkdir; the umask is not applied when a default ACL exists), so the rwx granted to staff above becomes rw- on regular files and stays rwx on subdirectories, which also receive the default ACL themselves.
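A runnable walk-through of the inheritance described above, added here as an example (not part of the original page). It assumes setfacl and getfacl are installed and that ${TMPDIR:-/tmp} is on an ACL-capable filesystem, and it uses the placeholder numeric IDs 1001 (a user) and 100 (a group) instead of real account names so it does not depend on any particular user or group existing:

```shell
#!/bin/sh
# Added example (not from the original page): shows what a default ACL does
# and does not do. Assumes setfacl/getfacl are installed and that
# ${TMPDIR:-/tmp} is on an ACL-capable filesystem; if either assumption
# fails it prints a SKIP line and returns 0 rather than erroring.
# The numeric IDs 1001 (user) and 100 (group) are placeholders.
demo_default_acl() {
  command -v setfacl >/dev/null 2>&1 || { echo "SKIP: setfacl not installed"; return 0; }
  dir=$(mktemp -d "${TMPDIR:-/tmp}/acl-demo.XXXXXX") || return 1

  # A default ACL is stored on the directory only; -d puts the entries in the
  # default list instead of the access list. setfacl fills in the missing
  # default:user::/group::/other:: entries from the directory's own mode.
  if ! setfacl -d -m u:1001:rx,g:100:rwx "$dir" 2>/dev/null; then
    echo "SKIP: $dir is not on an ACL-capable filesystem"
    rm -rf "$dir"
    return 0
  fi

  # Pre-existing children are never touched; only objects created after the
  # default ACL is set receive a copy of it.
  touch "$dir/file.txt"
  mkdir "$dir/subdir"

  echo "== directory: access entries plus default: entries =="
  getfacl -p "$dir"
  # A new regular file is created with mode 0666, so its mask (the group bits
  # of that mode) cannot contain x. getfacl's '#effective:' column shows the
  # inherited r-x and rwx entries actually granting r-- and rw-.
  echo "== file.txt: x dropped from every masked entry =="
  getfacl -p "$dir/file.txt"
  # A subdirectory is created with 0777, keeps x, and also inherits the
  # default ACL itself so the rule propagates down the tree.
  echo "== subdir: full rights, plus its own default: entries =="
  getfacl -p "$dir/subdir"

  rm -rf "$dir"
}

demo_default_acl
```

The part worth staring at is the file's #effective: column: the directory's default ACL says rwx for the group, yet every regular file created under it grants at most rw- to that group until someone raises the mask.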

Example 4: Multiple ACL entries at once

setfacl -m u:alice:rw-,g:admins:rwx,o::r-- file.txt

Sets a named-user entry for alice, a named-group entry for admins, and the other class in one call. The o:: entry is the ordinary ‘others’ permission, so this also changes the mode shown by ls -l; the mask is recalculated to cover alice and admins.

Example 5: Remove specific ACL entry

setfacl -x u:alice /home/shared/file.txt

Removes only alice's named entry. Other ACL entries, including the mask, stay in place, so ls -l still shows a ‘+’ if anything else remains; use setfacl -b to strip every extended entry and return to plain owner/group/other permissions.

Use Cases

  • Multi-user projects: Grant different access levels to team members
  • Shared directories: Control who can read/write/execute files
  • Service accounts: Give applications specific file access
  • Temporary access: Grant and later revoke access without editing group membership (ACLs have no expiry; the removal with setfacl -x must be done explicitly or scheduled)
  • Complex hierarchies: Different permissions for subdirectories

Related Commands

  • ls -l - Shows a ‘+’ after the mode string when an extended ACL is present; the group column then reflects the mask
  • chmod - Changes owner and other bits as usual, but on a file with an ACL the group bits it sets become the mask; it never removes named entries
  • chown - Change file ownership; named entries are unaffected
  • umask - Default permission mask; not applied to files created in a directory that has a default ACL

Tips & Troubleshooting

Common Issues:

  • Filesystem support: Ensure the filesystem supports ACLs (ext2/3/4, XFS, Btrfs and tmpfs do; FAT/exFAT do not)
  • Mount options: Current kernels enable ACLs by default on ext4, XFS and Btrfs; older ext2/3 setups and anything mounted with noacl need the acl mount option
  • Backup considerations: Plain cp and tar silently drop ACLs; use cp -a, rsync -A, or tar --acls (GNU tar built with ACL support), and verify with getfacl on the restored copy
  • Performance: ACLs add slight overhead to file operations

Best Practices:

  • Use getfacl file | setfacl --set-file=- newfile to copy ACLs from one file to another
  • Snapshot a whole tree with getfacl -R -p /dir > acls.txt and restore it with setfacl --restore=acls.txt
  • Always test ACL changes with non-critical files first
  • Document ACL policies for system maintenance
  • Regular audits of ACL permissions for security (getfacl -R -s lists only objects that carry extended entries)

Checking ACL Support:

# Check whether an ext2/3/4 filesystem has acl among its default mount options
# (XFS and Btrfs support ACLs unconditionally, so this check does not apply to them)
tune2fs -l /dev/sda1 | grep acl

# Check current mount options; on modern kernels ext4/XFS/Btrfs support ACLs
# without listing "acl" here, so an empty result is not conclusive
mount | grep acl
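A more reliable check than grepping mount output, added here as an example (not from the original page): it reports the filesystem under a path with findmnt where available and then proves the point by setting a throwaway entry on a scratch file. It assumes the path is a writable directory and uses the placeholder uid 65534 because setfacl accepts numeric IDs without a matching account:

```shell
#!/bin/sh
# Added example (not from the original page). Reports the filesystem under a
# directory, then proves whether ACLs work there by setting a throwaway entry
# on a scratch file. Assumes the directory is writable; uid 65534 is a
# placeholder chosen because setfacl accepts numeric IDs without a name lookup.
acl_probe() {
  dir=${1:-.}

  # Informational only: ext4, XFS, Btrfs and tmpfs have ACL support built in
  # on current kernels and do not list "acl" among their mount options, so an
  # empty `mount | grep acl` does not mean ACLs are unavailable.
  if command -v findmnt >/dev/null 2>&1; then
    findmnt -n -o FSTYPE,OPTIONS --target "$dir" 2>/dev/null || true
  fi

  # Authoritative: try it. setfacl fails with "Operation not supported" on
  # filesystems mounted with noacl or lacking extended attributes.
  command -v setfacl >/dev/null 2>&1 || { echo "no-tools"; return 0; }
  probe=$(mktemp "$dir/.acl-probe.XXXXXX" 2>/dev/null) || { echo "unwritable"; return 0; }
  if setfacl -m u:65534:r-- "$probe" 2>/dev/null; then
    verdict=supported
  else
    verdict=unsupported
  fi
  rm -f "$probe"
  echo "$verdict"
}

acl_probe "${TMPDIR:-/tmp}"
```

The last line of output is the verdict; the findmnt line above it is context for the case where the answer is "unsupported" (for example a noacl mount or a vfat USB stick).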

Effective Permissions:

Access checks pick exactly one entry for the calling process, in this order: the owner entry (user::) if the process owns the file; otherwise a matching named user entry; otherwise the owning-group entry or a matching named-group entry (when several groups match, any one that grants the requested access suffices); otherwise the other entry. The owner and other entries are used as-is. Every other entry is ANDed with the mask first, so:

  • A named user with rwx and a mask of r-- gets only r--
  • The owning group entry (group::) is masked too, which is why ls -l shows the mask, not group::, in the group column once an ACL exists
  • chmod g=... or the mode passed at file creation rewrites the mask, which can silently cut named entries back

getfacl prints an #effective: annotation next to any entry the mask reduces; that column, not the entry itself, is what the kernel enforces.
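To make the masking rule concrete, and to support the audit recommended under Best Practices, here is an added example (not from the original page) that parses ordinary getfacl output and prints what each entry really grants after the mask of its list (access or default:) is applied. The sample ACL, and the names alice, bob, staff and devs in it, are constructed for the demo:

```shell
#!/bin/sh
# Added example (not from the original page): parses getfacl output and prints
# what each entry actually grants once the mask is applied, so an audit can spot
# entries that look generous but are neutered, or a mask that would widen them.
# SAMPLE_ACL is constructed for the demo; alice, bob, staff and devs are placeholders.
SAMPLE_ACL='# file: srv/shared
# owner: alice
# group: staff
user::rwx
user:bob:rwx
group::r-x
group:devs:rw-
mask::r-x
other::---
default:user::rwx
default:group::r-x
default:group:devs:rwx
default:mask::r-x
default:other::---'

# Reads getfacl long-format text on stdin. Rules from acl(5): the owner (user::)
# and other:: entries apply as-is; named users, named groups and the owning
# group (group::) are ANDed with the mask of the same list (access or default:).
effective_acl() {
  awk -F: '
    /^#/ || NF < 3 { next }                       # comment header and blank lines
    {
      pfx = ""; tag = $1; qual = $2; perm = $3
      if ($1 == "default") { pfx = "default:"; tag = $2; qual = $3; perm = $4 }
      sub(/[ \t].*/, "", perm)                     # strip a trailing "#effective:" note
      if (tag == "mask") { mask[pfx] = perm; next } # one mask per list
      n++; pfxs[n] = pfx; tags[n] = tag; quals[n] = qual; perms[n] = perm
    }
    END {
      for (i = 1; i <= n; i++) {
        eff = perms[i]; m = mask[pfxs[i]]
        # owner (user::) and other:: are never masked; everything else is
        if (m != "" && (tags[i] == "group" || (tags[i] == "user" && quals[i] != ""))) {
          eff = ""
          for (j = 1; j <= 3; j++) {
            c = substr(perms[i], j, 1)
            eff = eff ((c != "-" && c == substr(m, j, 1)) ? c : "-")
          }
        }
        printf "%s%s:%s:%s effective=%s\n", pfxs[i], tags[i], quals[i], perms[i], eff
      }
    }'
}

printf '%s\n' "$SAMPLE_ACL" | effective_acl
```

Feed it real data with getfacl -R -p /srv/shared | effective_acl; the parser expects the default long format, not -t tabular output. Entries whose effective column is narrower than the entry itself (bob's rwx collapsing to r-x, devs' rw- to r--) are the ones a later mask change, for example via chmod g=rwx, would widen without anyone touching the ACL.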