Linux Security 101 : Access Control Lists - ACLs -

Access control lists - ACLs - give us more options in terms of controlling access to files.

For example, using ACLs, if we want to give access 
to a file - file1 - for a user -Albert - , we wouldn't have to add the Albert to a group where access to the file file1 and to other files is permitted, or create a new group that has access to file1 and add the user Albert to it.

But using the "classical" method, we would have to create a new group that gives access to that file1 and add Albert to it.

Using ACLs:

To be able to use ACL, we would need to mount the partition - /dev/sda1 - with the acl option enabled as we see below - we have a choice between using mount or tune2fs -:

We check that using the below command:

ACL types:
  • Access ACL: give access to files and directories
  • Default ACL: could only be used with directories, it decides the access right for all the objects under a directory - each object inherits the ACL of its parent directory -.
Managing ACLs - setfacl - :

To create or modify ACLs, we use the command - setfacl - as below:

The below command modifies the ACLs of the file  file_name for the user Albert giving him - read, write, and  exec rights over the file filename:

To give permission - read and write -for a whole group - marketing - we use the below command:

To give "others" - not members of the file's group - read rights, we use the below command:

To restrict permissions, we use the effective mask which works like the "umask" that is applied for the regular permissions:

The above mask prevents the users of the file_name from operations other the - read and write -.
The mask represents the "maximum" permission allowed for a file.


The ACL to which the mask has been applied are called "effective".

Default ACLs:

If we want all the files in a directory to be readable and executable by the members of the marketing group for example, we use the below command - the "d" parameter is used for the default ACLs -:

Modifying, deleting and removing ACLs:

To modify the ACLs - read and write - recursively in a directory for the marketing group, we use the below command:

Deleting the ACL rules of the file_name for the user Albert:

Removing ACLs from the file file_name:

To display the ACLs of the file file1, we use the below command:

We could see if a file uses ACLs if we see a "+" sign next to the traditional permissions:


Leave as a comment: