
Access Control Lists (ACL)

Nov 2006

Introduction - Access Control Lists

Access Control Lists (ACL) are often overlooked in the Linux world. Very often the default permissions of owner, group, and other are sufficient. If you have a larger group of users, or want more control over your files, then something more flexible is needed. ACL provide that flexibility and fine-tuned control over files and directories.

Kernel Support

Before we begin using ACL, you must have support compiled into your kernel. If you are compiling the kernel manually, the following options need to be enabled.

Ext3
[*]     Ext3 POSIX Access Control Lists

ReiserFS
[*]     ReiserFS POSIX Access Control Lists

NFS also allows for ACL
[*]     Provide client support for the NFSv3 ACL protocol extension

For manually editing .config:
CONFIG_EXT3_FS_POSIX_ACL=y
CONFIG_REISERFS_FS_POSIX_ACL=y
CONFIG_FS_POSIX_ACL=y
CONFIG_NFS_V3_ACL=y
CONFIG_NFSD_V2_ACL=y
CONFIG_NFSD_V3_ACL=y
CONFIG_NFS_ACL_SUPPORT=y

Recompile and reboot with your ACL fs enabled kernel.

Mounting the Filesystem

Once the kernel has support for ACL, the file system must be mounted with ACL support. This is accomplished by adding acl to the mount options field of the file system's entry in fstab.

/dev/sda6	/home  reiserfs		user_xattr,acl  0 0

Tools

ACL extend the normal permissions on files and directories. They do not replace the normal permissions given by chown, chgrp, and chmod; they are layered on top of them. A separate set of tools is used to modify the ACL entries. These tools can be found at http://oss.sgi.com/projects/xfs/, or if you run Gentoo Linux, simply emerge sys-apps/acl.

The main tools used are:

  • chacl - Change the access control list of a file or directory
  • getfacl - Get file access control lists
  • setfacl - Set file access control lists

To start, make a directory called test.

$ mkdir test
$ ls -ld test
drwxr-xr-x 2 gwatson users 48 Nov  6 11:16 test

The owner has full access to the directory (read/write/execute); group and other have read and execute. This is the standard model for file and directory permissions. To see the extended permissions provided via ACL, use getfacl.

$ getfacl test
# file: test
# owner: gwatson
# group: users
user::rwx
group::r-x
other::r-x

As reported, only the standard permissions exist on this new directory. Using setfacl, many other entries can be added.

$ setfacl -m u:jdoe:rwx test
$ setfacl -m g:video:rwx test
$ getfacl test
# file: test
# owner: gwatson
# group: users
user::rwx
user:jdoe:rwx
group::r-x
group:video:rwx
mask::rwx
other::r-x

In the above example, we have now given user jdoe and the members of group video read, write, and execute permission on the directory test. Unlike normal file permissions, you are not limited to only three permission entries. You can also tell that the directory has extended permissions with the ls command.

drwxrwxr-x+ 2 gwatson users 48 Nov  6 11:16 test

Note the + (plus) after the normal directory permissions.

Notes and Pitfalls

There are some pitfalls with using ACL. While many programs support ACL as an option, such as vim, many critical ones like tar do not. One workaround is to dump the ACL with getfacl -R to a file and include that file in the tarball, then use setfacl --restore=aclfile to re-assign the ACL permissions after extraction. Other tools, such as star, an enhanced version of tar, support ACL directly.
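The mask::rwx line that appeared in the getfacl output above, and the getfacl -R dump that the tar workaround relies on, use the same record format. The Python below is an added example, not code from this article or from the acl package: it parses a getfacl / getfacl -R dump, computes the permission each entry actually grants once the mask is applied, and reports entries the mask narrows (the ones getfacl marks with #effective:). SAMPLE_DUMP is constructed: its first record copies the article's test directory, and its second record is invented to show a mask of r-- capping user jdoe.

```python
"""Parse getfacl output and compute effective permissions under the mask.

Added example, not code from the original article. SAMPLE_DUMP is a
constructed `getfacl -R` dump: the first record mirrors the article's
'test' directory; the second is invented to show a mask narrowing a
named-user entry (the case getfacl marks with '#effective:').
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def perm_to_bits(perm: str) -> int:
    """'rw-' -> 6; accepts only the rwx triplet getfacl prints."""
    if not re.fullmatch(r"[r-][w-][x-]", perm):
        raise ValueError(f"bad permission string {perm!r}")
    return sum(PERM_BITS[c] for c in perm if c != "-")


def bits_to_perm(bits: int) -> str:
    """6 -> 'rw-'."""
    return "".join(c if bits & b else "-" for c, b in PERM_BITS.items())


@dataclass
class FileAcl:
    path: str
    owner: str
    group: str
    entries: List[Tuple[bool, str, str, int]]  # (is_default, tag, qualifier, bits)


def parse_getfacl(dump: str) -> List[FileAcl]:
    """Parse `getfacl` / `getfacl -R` output: records separated by blank lines,
    each headed by '# file:', '# owner:', '# group:' comment lines. This is
    the same format that setfacl --restore consumes."""
    acls: List[FileAcl] = []
    current = None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            current = None          # a blank line ends the record
            continue
        if line.startswith("#"):
            m = re.match(r"#\s*(file|owner|group|flags):\s*(.*)", line)
            if m and m.group(1) == "file":
                current = FileAcl(m.group(2).strip(), "", "", [])
                acls.append(current)
            elif m and current is not None and m.group(1) == "owner":
                current.owner = m.group(2).strip()
            elif m and current is not None and m.group(1) == "group":
                current.group = m.group(2).strip()
            continue                # '# flags:' and unknown comments are ignored
        if current is None:
            raise ValueError(f"ACL entry before any '# file:' header: {raw!r}")
        # getfacl appends '\t#effective:r--' to masked entries; drop that part
        entry = line.split("#", 1)[0].strip()
        is_default = entry.startswith("default:")
        if is_default:
            entry = entry[len("default:"):]
        tag, qualifier, perm = entry.split(":", 2)
        current.entries.append((is_default, tag, qualifier, perm_to_bits(perm)))
    return acls


def effective(acl: FileAcl, default: bool = False) -> Dict[str, str]:
    """Permission actually granted per entry, keyed 'tag:qualifier'.

    POSIX ACL rule: the mask caps named users, named groups and the owning
    group; the owner (user::) and other:: are never masked. A minimal ACL
    has no mask entry and nothing is capped."""
    entries = [e for e in acl.entries if e[0] == default]
    masks = [bits for _, tag, _, bits in entries if tag == "mask"]
    mask = masks[0] if masks else 7
    result: Dict[str, str] = {}
    for _, tag, qual, bits in entries:
        capped = tag == "group" or (tag == "user" and qual != "")
        result[f"{tag}:{qual}"] = bits_to_perm(bits & mask if capped else bits)
    return result


def narrowed_entries(acl: FileAcl) -> List[Tuple[str, str, str, str]]:
    """(path, entry, requested, effective) for access entries the mask cuts
    down; these are the lines getfacl flags with '#effective:'."""
    eff = effective(acl)
    out = []
    for is_default, tag, qual, bits in acl.entries:
        name = f"{tag}:{qual}"
        if not is_default and bits_to_perm(bits) != eff[name]:
            out.append((acl.path, name, bits_to_perm(bits), eff[name]))
    return out


SAMPLE_DUMP = """\
# file: test
# owner: gwatson
# group: users
user::rwx
user:jdoe:rwx
group::r-x
group:video:rwx
mask::rwx
other::r-x

# file: test/notes.txt
# owner: gwatson
# group: users
user::rw-
user:jdoe:rw-\t\t#effective:r--
group::r--
mask::r--
other::r--
"""

if __name__ == "__main__":
    for acl in parse_getfacl(SAMPLE_DUMP):
        print(f"{acl.path} (owner {acl.owner}, group {acl.group})")
        for name, perm in effective(acl).items():
            print(f"  {name:<14} {perm}")
        for _, name, want, got in narrowed_entries(acl):
            print(f"  WARNING: {name} asks for {want} but mask allows {got}")
```

The mask is the part of the output above that is easy to misread: it appeared the moment a named entry was added, and once it exists, chmod on the group bits changes the mask rather than the owning group entry, so a later chmod g-w quietly narrows every named user and group entry. Running this check over a getfacl -R dump before packing it into a tarball, or over the restored tree afterwards, shows which entries grant less than their line suggests.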