Linux 101: Access Control Lists (ACL) - getfacl, setfacl

Access control lists:

Access control lists (ACL) can be viewed as an extension to the
conventional Linux discretionary access control (DAC).

When displaying the ACL attributes of a file, we get for example
the below output:

We can see from the above results that the ACL is not set for the
file "file".

Depending on the system, ACL is either set by default or not.

ACL-enabled partitions:

We can check whether ACL is set on a partition, "sda1" for example, using the below command and then checking the mount options in the output:

We can set ACL on a partition using:

-o: introduces the mount options for the partition.

"/etc/fstab" and ACL:

We can set the ACL option in the "/etc/fstab" file as below:

For the changes to take effect, we use the below command to remount the partition with ACL enabled:

An example of ACL:

We can see that the user "debian" has "read" and "write" rights.
Members of the group "debian-group" can only read the file.

The owner "debian" can, for example, give "Albert" the rights to "read", "write" and "execute" the file "file_acl" using the below command:

-m: means 'm'odify

We can check the changes using the below command:

We would also need to set the right access permissions for Albert on the directory containing the "file_acl" file so that he can see "file_acl" in the "debian" directory:

To apply the same rights for a user across a whole directory, we use
the "-R" option as below:

Removing ACL rights:

We could use the below command to remove ACL rights:

The above command deletes the "read" rights of the user Albert on the "file_acl".

We could remove all rights from user Albert using the
below command:

Or we could use the below command to remove all ACL of the file "file_acl" for the user Albert:

Groups and rights:

We could also give "read" and "write" rights to the members of the group "debian-group" for the file "/home/debian/file_acl" for example using the below command:

Setting up rights for "others":

We can give "others" the "read" and "write" permissions using the below command:

Setting up reading rights for a directory:

To be able to list the contents of a directory, we can give the
user "Albert" the below rights:

The "ls" command and ACLs:

We know that a file has an ACL set when we see a "+" sign appended to the (DAC) rights in the output of the "ls" command, as below:

ACL masks:

ACL masks limit the rights that could be given to files or directories. 


The only permissions that could be given using the setfacl
command are "read" or "write" permission.
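As an added example (not part of the original page), the shell filter below applies the mask rule to getfacl-style output and shows which entries the mask actually limits. The function name `acl_effective`, the sample ACL and the `rw-` mask value are assumptions made for illustration.

```shell
#!/bin/sh
# acl_effective: read getfacl-style output on stdin and print each access
# entry with its effective permissions after the ACL mask is applied.
# Hypothetical helper written for this example.
acl_effective() {
  awk -F: '
    /^#/ || NF < 3 || $1 == "default" { next }   # skip headers, blanks, default ACLs
    {
      sub(/[ \t]*#.*$/, "", $3)                  # drop a trailing "#effective:" note
      tag[++n] = $1; who[n] = $2; perm[n] = $3
      if ($1 == "mask") mask = $3
    }
    END {
      for (i = 1; i <= n; i++) {
        if (tag[i] == "mask") continue
        eff = perm[i]
        # The mask caps named users, the owning group and named groups.
        # The file owner (user::) and other:: are never masked.
        masked = (mask != "" && (tag[i] == "group" || (tag[i] == "user" && who[i] != "")))
        if (masked) {
          eff = ""
          for (k = 1; k <= 3; k++) {
            p = substr(perm[i], k, 1)
            c = (p == substr(mask, k, 1)) ? p : "-"
            eff = eff c
          }
        }
        note = (eff != perm[i]) ? " LIMITED" : ""
        printf "%s:%s:%s%s\n", tag[i], who[i], eff, note
      }
    }'
}

# Constructed sample (assumption): getfacl-style output for "file_acl" after
# Albert was granted rwx and the mask was then set to rw-.
SAMPLE_ACL='# file: file_acl
# owner: debian
# group: debian-group
user::rw-
user:Albert:rwx
group::r--
mask::rw-
other::---'

printf '%s\n' "$SAMPLE_ACL" | acl_effective
```

On a real system the same filter can be fed directly, for example `getfacl file_acl | acl_effective`; an entry marked LIMITED grants less than its ACL line suggests.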

We can also display the "mask" using the below command:


