POSIX Access Control Lists (ACLs) provide more fine-grained access rights for files and directories than the standard owner/group/other permissions. An ACL consists of entries specifying access permissions on an associated object. ACLs can be configured per user, per group, or via the effective rights mask. These permissions apply to an individual user or a group and use the same '''`rwx`''' notation found in regular permissions. For an explanation of '''`rwx`''', see FilePermissions.

= Enabling ACLs in the Filesystem =

Before beginning to work with ACLs, the file system must be mounted with ACLs turned on. This can be done in `/etc/fstab` for the change to be permanent.

0) It may be necessary to install the [[apt://acl|acl]] utilities from the repositories. In the Server Edition this must be done, but in the desktop editions '''acl''' is installed by default.
{{{
$ sudo apt-get install acl
}}}

1) Add the option `acl` to the partition(s) on which you want to enable ACLs in `/etc/fstab`. For example:
{{{
...
UUID=07aebd28-24e3-cf19-e37d-1af9a23a45d4 /home ext4 defaults,acl 0 2
...
}}}
As of Ubuntu 14.04 and for ext4, the above is not required because `acl` is already one of the default mount options:
{{{
$ sudo tune2fs -l /dev/sdaX | grep acl
Default mount options:    user_xattr acl
}}}

2) If necessary, remount the partition(s) on which ACLs were enabled for the change to take effect. For example:
{{{
$ sudo mount -o remount /home
}}}

3) Verify that ACLs are enabled on the partition(s):
{{{
$ mount | grep acl
}}}

= ACL Entries =

ACL entries consist of a user (u), group (g), other (o) and an effective rights mask (m). The effective rights mask defines the most restrictive level of permissions: it caps what the named user, named group and owning-group entries can grant, regardless of what those entries say. `setfacl` sets the permissions for a given file or directory. `getfacl` shows the permissions for a given file or directory. Defaults for a given object can be defined. ACLs can be applied to users or groups, but it is easier to manage groups. Groups scale better than continuously adding or subtracting users.
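As an added illustration (not part of the original page), the following Python script parses a listing in the format `getfacl` prints and applies the effective rights mask the way the kernel does, so you can see which permissions an entry really grants. The listing it works on is constructed for the example, with the mask deliberately tighter than the group entries; it also handles a default ACL, which carries its own separate mask.

```python
# Constructed getfacl-style listing (not captured from a real system): the
# owning group and the named group both claim more than the mask allows.
SAMPLE_GETFACL = """\
# file: var/www
user::rwx
user:alice:rw-
group::rwx
group:green:rwx
mask::r-x
other::r-x
default:group:green:rwx
default:mask::r--
"""

PERM_BITS = {"r": 4, "w": 2, "x": 1}

def perm_to_bits(perm):
    """'rwx' -> 7, 'r-x' -> 5, '---' -> 0."""
    return sum(PERM_BITS[c] for c in perm if c != "-")

def bits_to_perm(bits):
    return "".join(c if bits & b else "-" for c, b in PERM_BITS.items())

def parse_getfacl(text):
    """Yield (is_default, tag, qualifier, perm) for each ACL entry."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop headers and '#effective:' notes
        if not line:
            continue
        is_default = line.startswith("default:")
        if is_default:
            line = line[len("default:"):]
        tag, qualifier, perm = line.split(":")
        yield is_default, tag, qualifier, perm

def effective_permissions(text):
    """Map each entry to what it really grants.  The mask caps named users,
    named groups and the owning group, never the owner or 'other' (this is
    what getfacl's '#effective:' line reports); each ACL has its own mask."""
    entries = list(parse_getfacl(text))
    masks = {d: perm_to_bits(p) for d, t, _q, p in entries if t == "mask"}
    result = {}
    for is_default, tag, qualifier, perm in entries:
        key = ("default:" if is_default else "") + f"{tag}:{qualifier}"
        bits = perm_to_bits(perm)
        masked = tag == "group" or (tag == "user" and qualifier != "")
        if masked and is_default in masks:
            bits &= masks[is_default]
        result[key] = bits_to_perm(bits)
    return result
```

Running `effective_permissions(SAMPLE_GETFACL)` shows `group:green` and the owning group reduced to `r-x` and `user:alice` to `r--`, while the owner keeps `rwx`; this is why a `setfacl -m` that silently recalculates the mask, or a `chmod` on the group bits, can change what an ACL grants without touching the named entries.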
== Listing ACLs ==

The utility `getfacl` lists the ACLs for a given file or directory.
{{{
$ getfacl /var/www
getfacl: Removing leading '/' from absolute path names
# file: var/www
# owner: root
# group: root
user::rwx
group::r-x
group:green:rwx
mask::rwx
other::r-x
}}}
The following ACL also has defaults set:
{{{
$ getfacl /var/www
getfacl: Removing leading '/' from absolute path names
# file: var/www
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::r-x
default:group:green:rwx
default:mask::rwx
default:other::r-x
}}}

== Adding a Group to an ACL ==

The utility `setfacl` is used to add the groups '''blue''' and '''green''' to the ACL for the directory `/var/www`.
{{{
$ sudo setfacl -m g:green:rwx /var/www/
$ sudo setfacl -m g:blue:rwx /var/www/
$ sudo getfacl /var/www/
getfacl: Removing leading '/' from absolute path names
# file: var/www/
# owner: root
# group: root
user::rwx
group::r-x
group:green:rwx
group:blue:rwx
mask::rwx
other::r-x
}}}

== Removing a Group from an ACL ==

The option '''-x''' removes groups or users from a given ACL. Below, the group '''green''' is removed from the ACL of the directory `/var/www`.
{{{
$ setfacl -x g:green /var/www
}}}

== Transfer of ACL attributes from a specification file ==

Transferring ACL attributes from a specification file takes two steps. In this example, the specification file is called `acl`. First, create a file containing the ACL entries to be applied:
{{{
echo "g:green:rwx" > acl
}}}
Then read the contents of the file into `setfacl` to set the ACL for the directory `/path/to/dir`:
{{{
setfacl -M acl /path/to/dir
}}}
Output from `getfacl` is also accepted as the file contents when reading from a file with '''-M'''.

== Copying ACLs from one file or directory to another ==

Copying an ACL from ''dir1'' to ''dir2'' uses the '''-M''' option. Output from `getfacl` is accepted as input for `setfacl` when using '''-M'''.
{{{
getfacl dir1 | setfacl -b -n -M - dir2
}}}
 * '''-b''' removes all extended ACL entries from the target first (the base owner, group and other entries are kept)
 * '''-n''' does not recalculate the effective rights mask
 * '''-''' reads the entries from `stdin`
Or it can be done like this:
{{{
getfacl file1 | setfacl --set-file=- file2
}}}

== Copying an ACL into the Default ACL ==

Once the ACLs are the way they need to be, they can be set as the default. Defaults are inherited, so a new directory will inherit the defaults of the parent directory.
{{{
getfacl -a /path/to/dir | setfacl -d -M- /path/to/dir
}}}

= References =

 * [[http://brunogirin.blogspot.com/2010/03/shared-folders-in-ubuntu-with-setgid.html|Shared Folders in Ubuntu with setgid and ACL]]
 * Redeeman's Wiki. "[[http://wiki.kaspersandberg.com/doku.php?id=howtos:acl|Access Control Lists]]"
 * ''Linux Gazette''. "[[http://linuxgazette.net/152/prestia.html|Joey's Notes: Access Control Lists]]"

Relevant manual pages:
 * [[http://manpages.ubuntu.com/manpages/precise/en/man5/acl.5.html|acl(5)]]
 * [[http://manpages.ubuntu.com/manpages/precise/en/man1/setfacl.1.html|setfacl(1)]]
 * [[http://manpages.ubuntu.com/manpages/precise/en/man1/getfacl.1.html|getfacl(1)]]