Access control lists (ACLs) provide more granular control over file and directory permissions than standard Linux permissions. ACLs allow administrators to define permissions not only for the file owner, group owner, and world, but also for specific users and groups. This enables more complex and targeted permission settings.
On a Linux system, each file and directory has assigned ownership and permissions. The owners may be the user who created the file or a specified user. There are three basic permission types – read, write, and execute. The standard Linux permissions model provides the ability to set permissions for the owner, the owning group, and everyone else (referred to as “world”). But sometimes administrators need more granular control over permissions than is provided by this model.
For example, consider a situation where multiple users belong to the same group but need different permissions on a particular shared file. The standard Linux permission model would only allow setting one permission setting for the entire group. In this case, access control lists (ACLs) can provide the ability to set different permissions for specific group members.
What are ACLs?
ACLs, or access control lists, are an expanded permissions capability built on top of standard Linux permissions. With ACLs, administrators can define permissions for additional users and groups other than simply the file owner, group owner, and world. This provides more granular control for managing permissions.
Some key advantages of ACLs include:
- Ability to set permissions for any user or group, not just file owner, group owner, and world.
- Fine-grained control for managing permissions on shared files and directories.
- Better security by enabling more targeted permissions.
ACLs add additional access control entries (ACEs) to the standard read, write, execute (rwx) permissions. With ACLs, it is possible to define permissions like “user John can read and write, user Jane can only read” on a shared file rather than simply setting global permissions for a group.
Types of ACLs
There are two primary types of ACLs on Linux systems – access ACLs and default ACLs.
Access ACLs
Access ACLs define permissions for specific users and groups to access a particular file or directory. They allow additional permissions to be set beyond the file owner, group owner, and world permissions. Access ACLs are defined and modified using commands like setfacl and getfacl.
Default ACLs
Default ACLs define default permissions that will automatically apply to new files and sub-directories under a directory. For example, a default ACL could make new files under /home/project readable by the additional users John and Jane. Default ACLs streamline setting permissions for hierarchies of files. They are defined and modified using commands like setfacl with the -d option.
Benefits of ACLs over Standard Linux Permissions
Using ACLs provides several benefits over relying solely on standard Linux permissions.
More Granular Control
The main benefit of ACLs is the ability to specify permissions for any individual user or group, rather than only the file owner, group owner, and world. This enables assigning permissions with precision not possible with standard Linux permissions. For example, ACLs permit allowing one user read access, another user read-write access, and other users no access on the same file.
Better Security
By enabling more granular permission assignments, ACLs improve security on a Linux system. Permissions can be applied strategically to give users and groups access only to files and directories they require for their role. Unnecessary access can be eliminated more thoroughly by setting targeted ACLs.
Permission Inheritance
Default ACLs make managing permissions easier and more scalable by enabling permissions inheritance for new files and subdirectories added under a directory with a default ACL applied. This improves consistency and reduces administrative effort as an ACL only needs to be defined once rather than reapplied for every new file.
Permission Isolation
In situations where standard group permissions are not specific enough, like shared group directories, ACLs provide isolation between group members by allowing different permissions for each user within a shared group. This eliminates granting unnecessary access to files just because users belong to the same group.
Linux ACL Examples
Here are some examples of using ACLs to provide more granular file and directory permissions than possible with standard Linux permissions:
Shared Group Directory
Say there is a /sales directory shared by a sales group with write permission. But only Sales Managers need write access while other Sales staff need read-only. Instead of granting write to the entire sales group, ACLs can enable this:
# file: /sales # owner: salesmgr # group: sales user::rwx # salesmgr has rwx permissions as owner group::r-x # sales group has r-x permissions by default user:alice:r-- # alice has read only access user:bob:r-- # bob has read only access
Department Shares
Consider files under /company/docs shared across departments. Marketing may need rw on marketing docs and Sales may need rw on sales docs. ACLs can selectively grant access:
# file: /company/docs/marketing.doc # owner: jsmith # group: docs user::rw- group::r-- mask::rw- other::--- user:jsmith:rw- group:marketing:rw- # file: /company/docs/sales.doc # owner: jsmith # group: docs user::rw- group::r-- mask::rw- other::--- user:jsmith:rw- group:sales:rw-
Default ACLs on Directory
If new files under /mnt/data should be readable by banana_app, a default ACL can be set:
# directory: /mnt/data # owner: admin # group: root user::rwx group::r-x other::r-x default:user::rwx group::r-x other::r-x user:banana_app:r--
Managing ACLs on Linux
Now that we’ve seen examples of how ACLs can provide more granular control, let’s look at how to actually implement ACLs and manage them on a Linux system using common tools.
ACL Support
First, the Linux filesystem must support ACLs. Many popular filesystems like ext4, xfs, btrfs, and ocfs2 support ACLs. To determine if a filesystem has ACL support enabled, use:
tune2fs -l /dev/sda1 | grep "Default mount options:"
The acl option indicates ACL support is enabled. For xfs, use xfs_info to check for ACLs under “features”.
Setting an ACL
Once we have a supported filesystem, we can define an ACL with the setfacl utility. Use the -m option to add new ACEs. For example:
setfacl -m user:john:rw- /shared/docs
This grants user John read-write access to the /shared/docs directory. We can verify with:
getfacl /shared/docs
Default ACLs
To define a default ACL, add the -d flag to setfacl. For example:
setfacl -d -m user:john:r-x /project
This sets a default ACL on /project to give user John read and execute permissions on new files in that directory.
Removing ACLs
To remove an ACL, use the -x flag on setfacl. For example:
setfacl -x user:john /shared/docs
This removes user John’s ACL entry from /shared/docs.
Mask Permissions
ACL mask permissions limit the effective permissions granted by all ACL entries. The mask is set to the group permissions by default. This prevents ACL entries from granting more access than the group permissions.
The mask can be modified by adding a mask entry. For example:
setfacl -m mask::r-x /project
This sets the mask on /project to read and execute, limiting access granted by other ACL entries.
ACL Use Cases
Now that we’ve looked at how to manage ACLs, let’s examine some common use cases where ACLs provide greater flexibility than standard Linux permissions.
User Home Directories
ACLs can enable admins to grant restricted access to user home directories for backup purposes or HR needs while maintaining the user’s normal ownership and permissions through standard Linux permissions.
Web Servers
On web servers, ACLs can selectively grant read access to web content without providing full group/world permissions. This enhances security over normal group permissions.
Network File Shares
ACLs allow managing network file share permissions at a granular level by providing permissions to specific remote users rather than rely on broad group and world permissions.
Application Access
ACLs can provide a lightweight permissions system for applications to control user access to application data files in a simple and flexible manner.
Compatibility Considerations
When working with ACLs, there are some compatibility considerations to keep in mind:
- NFS Shares – For ACLs to work properly on NFS shares, both server and client must have ACL support enabled.
- Windows – Samba has support for interoperability with Windows ACLs for improved cross-platform file sharing.
- RedHat/CentOS 7 – There are some ACL behavior changes between major versions that could impact scripts and tools.
- Backup/Restore – ACLs may not persist when backing up and restoring filesystems, additional steps may be needed.
So administrators and developers should be aware of these details when utilizing ACLs across different environments.
Simplified Permission Management
Overall, ACLs provide greater granularity than standard Linux permissions by enabling administrators to define custom permissions for any user or group. This helps improve security through least privilege access while also streamlining permission management.
Some key advantages of ACLs include:
- Specify permissions for individual users within a shared group
- Isolate access between departments for shared directories
- Grant limited access for backup scripts and HR purposes
- Set default inherited permissions on subdirectories
- Enhance permissions for network file shares and web servers
ACLs enable managing permissions in a more logical and simplified manner than possible with standard Unix permissions. They are a built-in access control mechanism that provides great power and flexibility without added complexity.
Conclusion
ACLs enhance Linux security and enable managing permissions at a finer grain than standard Linux permissions. They allow administrators to exercise access control based on individual users and groups. ACLs provide many advantages including:
- More granular permissions for shared files and directories
- Ability to provide permissions isolation between users in a group
- Simplified permission inheritance through default ACLs
- Flexibility in granting application and script access
- Better least privilege security through targeted permissions
ACLs enable advanced Linux permission management while transparently integrating with standard Unix permissions. Administrators can exercise fine-grained control to enhance security and access as needed through a built-in Linux capability.