POSIX Access Control Lists (ACLs) are more fine-grained access rights for files and directories. An ACL consists of entries specifying access permissions on an associated object. ACLs can be configured per user, per group or via the effective rights mask.
These permissions apply to an individual user or a group, and use the same as rwx found in regular permissions.
For an explanation of rwx, see FilePermissions
Enabling ACLs in the Filesystem
Before beginning to work with ACLs the file system must be mounted with ACLs turned on. This can be done in /etc/fstab for the changes to be permanent.
0) It may be necessary to install acl utilities from the repositories. In the Server Edition, this must be done, but in the desktop editions acl is installed by default.
$ sudo apt-get install acl
1) Add the option acl to the partition(s) on which you want to enable ACL in /etc/fstab. For example:
... UUID=07aebd28-24e3-cf19-e37d-1af9a23a45d4 /home ext4 defaults,acl 0 2 ...
As of Ubuntu 14.04 and for ext4, the above is not required as acl are already default:
sudo tune2fs -l /dev/sdaX |grep acl Default mount options: user_xattr acl
2) If necessary, remount partition(s) on which ACLs were enabled for them to take effect. For example:
$ sudo mount -o remount /home
3) Verify that ACLs are enabled on the partition(s):
$ mount | grep acl
ACL Entries
ACL entries consist of a user (u), group (g), other (o) and an effective rights mask (m). An effective rights mask defines the most restrictive level of permissions. setfacl sets the permissions for a given file or directory. getfacl shows the permissions for a given file or directory.
Defaults for a given object can be defined.
ACLs can be applied to users or groups but it is easier to manage groups. Groups scale better than continuously adding or subtracting users.
Listing ACLs
The utility getfacl lists the ACLs for a given file or directory.
$ getfacl /var/www getfacl: Removing leading '/' from absolute path names # file: var/www # owner: root # group: root user::rwx group::r-x group:green:rwx mask::rwx other::r-x
This following ACL also has defaults set:
$ getfacl /var/www getfacl: Removing leading '/' from absolute path names # file: var/www # owner: root # group: root user::rwx group::r-x other::r-x default:user::rwx default:group::r-x default:group:green:rwx default:mask::rwx default:other::r-x
Adding a Group to an ACL
The utility setfacl is used to add the groups blue and green to the ACL for the directory /var/www.
$ sudo setfacl -m g:green:rwx /var/www/ $ sudo setfacl -m g:blue:rwx /var/www/ $ sudo getfacl /var/www/ getfacl: Removing leading '/' from absolute path names # file: var/www/ # owner: root # group: root user::rwx group::r-x group:green:rwx group:blue:rwx mask::rwx other::r-x
Removing a Group from an ACL
The option -x removes groups or users from a given ACL. Below, the group green is removed from the directory /var/www.
$ setfacl -x g:green /var/www
Transfer of ACL attributes from a specification file
Transfer of ACL attributes from a specification file takes two steps. In this example, the specification file is called acl.
First, create a file containing the ACL to be used.
echo "g:green:rwx" > acl
Then, read the contents of the file into setfacl to set the ACL for directory /path/to/dir
setfacl -M acl /path/to/dir
Output from getfacl is accepted, when reading from files using -M.
Copying ACLs from one file or directory to another
Copy an ACL from dir1 to dir2 uses the -M option. Output from getfacl is accepted as input for setfacl when using -M.
getfacl dir1 | setfacl -b -n -M - dir2
-b clear ACLs, -n do not recalculate effective rights mask, - read from stdin
Or it can be done like this:
getfacl file1 | setfacl --set-file=- file2
Copying an ACL into the Default ACL
Once the ACLs are the way they need to be, they can be set as the default. Defaults are inherited, so a new directory will inherit the defaults of the parent directory.
getfacl -a /path/to/dir | setfacl -d -M- /path/to/dir
References
Redeeman's Wiki. "Access Control Lists"
Linux Gazette. "Joey's Notes: Access Control Lists"
Relevant manual pages: