Access control lists (ACLs) on Linux let us grant or deny access to files and directories for specific users and groups, beyond what the standard owner/group/other permission bits (User, Group, Other) allow.
To begin using FACLs you first need to verify that the filesystem is mounted with the 'acl' option. On older systems the usual way is to edit /etc/fstab and add "acl" to the options column, as in the example below. Most current distributions enable ACLs by default on ext4 and XFS (for ext4 you can confirm this with tune2fs -l on the device and look for 'acl' under 'Default mount options'), in which case no fstab change is needed.
/dev/sda1 / ext3 defaults,acl 0 1
After adding the acl option to your fstab you will need to remount the filesystem, either by rebooting or by issuing the following command (if the mount point is root): mount -o remount /
Two commands let you view and alter the FACLs on a file or directory: 'getfacl' displays the current FACLs and 'setfacl' adds, modifies or removes them.
Let's begin by setting a basic FACL on a file which grants the 'apache' user read and write access, in addition to the permissions already set by the normal Linux mode bits.
$ setfacl -m 'u:apache:rw' file1
The -m flag modifies the current ACL entries of the file(s). The second argument is the ACL entry itself, which consists of three fields separated by ':'. The first field is the entry type: u (a user), g (a group), o (other) or m (the mask). The second field is the user name or group name (or numeric ID) when the type is u or g; it is left empty for o and m, and also when you mean the file's owner or owning group (for example u::rw). The third field is the permissions, any combination of r, w and x (or - for none); a capital X grants execute only on directories and on files that already have an execute bit, which is useful when applying an entry recursively. Note that the permissions of named users, named groups and the owning group are limited by the mask entry, so the effective permission is the entry ANDed with the mask; setfacl recalculates the mask automatically when you modify an entry unless you pass -n.
After a FACL is set we may later want to check what permissions were applied, but suppose we have forgotten which file carries the FACL. The easiest way to spot files with a FACL is to run ls -l and look for a '+' at the end of the permission string (see example below).
-rw-rw-r--+ 1 root root 0 Aug 15 10:34 file1
Once we know which file to check, the 'getfacl' command shows the FACL entries set on it (see example below).
$ getfacl file1
# file: file1
# owner: root
# group: root
user::rw-
user:apache:rw-
group::r--
mask::rw-
other::r--
FACLs are handy in day to day administration, but suppose you want a FACL that applies to an entire directory and also to new files created in that directory. The answer is a 'Default FACL' set on the directory. A Default FACL is set on the directory explicitly, and new files and subdirectories created inside it inherit the directory's Default FACL as their own access FACL automatically. Let's test this by setting a Default FACL below.
$ setfacl -dm "u:apache:rwx" dir1/
$ getfacl dir1/
# file: dir1
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:apache:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
$ cd dir1/
$ touch file1
$ getfacl file1
# file: file1
# owner: root
# group: root
user::rw-
user:apache:rwx #effective:rw-
group::r-x #effective:r--
mask::rw-
other::r--
As we can see above, the new file named 'file1' receives the default FACL from the dir1 directory without anything needing to be done on our end. Note the #effective annotations: apache was granted rwx by the default entry, but the new file's mask is only rw-, because touch creates files with mode 0666 and the mask inherited from a default ACL is limited to that mode's group bits (the umask is not applied when a default ACL exists). The effective access for apache is therefore rw-, and the owning group drops to r-- for the same reason.
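To make the mask arithmetic behind the '#effective:' annotations explicit, and to show how the entry syntax from the setfacl discussion maps to what getfacl prints, here is an added Python example (my own code, not from the original post). It parses getfacl output, recomputes the effective permission of each entry under the mask, predicts the access ACL a new file inherits from a directory's default ACL, and lists the files a given named user can write to, which is the question a reviewer of a web server's file permissions usually wants answered. The sample text is the dir1/file1 listing above, embedded as a constant; the function names and the create_mode parameter are my own choices.

```python
"""Model of the POSIX ACL semantics shown by getfacl: parse its output,
compute effective permissions under the mask, and predict the access ACL a
new file inherits from a directory's default ACL.

Added example, not code from the original page.  SAMPLE is copied from the
page's getfacl listing for dir1 and dir1/file1 (constructed input)."""

# Constructed sample input: getfacl output for dir1 (carrying a default ACL)
# and for file1 created inside it, as printed on the page.
SAMPLE = """\
# file: dir1
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:apache:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

# file: dir1/file1
# owner: root
# group: root
user::rw-
user:apache:rwx    #effective:rw-
group::r-x         #effective:r--
mask::rw-
other::r--
"""


def parse_getfacl(text):
    """Return {filename: {"access": [...], "default": [...]}}, each entry a
    (tag, qualifier, perms) tuple such as ("user", "apache", "rwx").
    '#effective:' annotations are discarded; effective_perms() recomputes them."""
    acls = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#effective:")[0].strip()
        if not line:
            continue
        if line.startswith("# file:"):
            current = line.split(":", 1)[1].strip()
            acls[current] = {"access": [], "default": []}
            continue
        if line.startswith("#"):          # owner/group/flags comment lines
            continue
        if current is None:
            raise ValueError("ACL entry before any '# file:' header")
        kind = "access"
        if line.startswith("default:"):
            kind = "default"
            line = line[len("default:"):]
        tag, qualifier, perms = line.split(":")
        acls[current][kind].append((tag, qualifier, perms))
    return acls


def perm_and(a, b):
    """Intersect two 'rwx'-style permission strings, keeping r/w/x order."""
    return "".join(c if c in a and c in b else "-" for c in "rwx")


def effective_perms(entries):
    """Effective permission per entry: named users, named groups and the owning
    group are limited by the mask; owner, mask and other are not.  Keys look
    like 'user:apache', 'user:' (owner), 'group:' (owning group), 'other:'."""
    mask = next((p for t, q, p in entries if t == "mask"), None)
    out = {}
    for tag, qual, perms in entries:
        key = f"{tag}:{qual}"
        masked = mask is not None and (qual != "" or tag == "group")
        out[key] = perm_and(perms, mask) if masked else perms
    return out


def mode_triplet(mode, who):
    """'rwx'-style string for the owner/group/other bits of a numeric mode."""
    bits = (mode >> {"user": 6, "group": 3, "other": 0}[who]) & 0o7
    return "".join(c if bits & b else "-" for c, b in (("r", 4), ("w", 2), ("x", 1)))


def inherit_from_default(default_entries, create_mode=0o666):
    """Predict the access ACL of a new file created under a directory with this
    default ACL (the acl(5) rule): the default ACL is copied, and the user::,
    mask:: (or group:: when no mask exists) and other:: entries are intersected
    with the creation mode's owner/group/other bits.  The umask is not applied
    when a default ACL exists; touch/open use 0666, mkdir 0777."""
    has_mask = any(t == "mask" for t, q, p in default_entries)
    access = []
    for tag, qual, perms in default_entries:
        if tag == "user" and qual == "":
            perms = perm_and(perms, mode_triplet(create_mode, "user"))
        elif tag == "mask" or (tag == "group" and qual == "" and not has_mask):
            perms = perm_and(perms, mode_triplet(create_mode, "group"))
        elif tag == "other":
            perms = perm_and(perms, mode_triplet(create_mode, "other"))
        access.append((tag, qual, perms))
    return access


def writable_by(acls, user):
    """Files whose access ACL gives the named user effective write permission."""
    hits = []
    for name, acl in acls.items():
        eff = effective_perms(acl["access"]).get(f"user:{user}", "---")
        if "w" in eff:
            hits.append(name)
    return hits


if __name__ == "__main__":
    acls = parse_getfacl(SAMPLE)
    predicted = inherit_from_default(acls["dir1"]["default"])
    print("predicted access ACL for a new file in dir1:", predicted)
    print("matches what getfacl showed for dir1/file1:",
          predicted == acls["dir1/file1"]["access"])
    print("effective permissions on dir1/file1:",
          effective_perms(acls["dir1/file1"]["access"]))
    print("files apache can write:", writable_by(acls, "apache"))
```

Feeding it a real dump (getfacl -R /var/www, for instance) instead of SAMPLE turns writable_by() into a quick audit of everything a service account can modify, with the mask taken into account rather than the raw entry, which is the number that matters.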
Next I will go over setting FACLs recursively. One thing to note when using the recursive flag (-R) together with the default flag (-d): the default entries are applied to all directories below and the files are not touched, since only directories can carry a Default FACL. So if we wish to set up Default FACLs and also add the FACL to existing files we need to run two commands, one with -d and one without: the first sets the Default FACL on the directories, the second sets the access FACL on the existing files. As we will see below, the directory 'dir1' contains 3 files which do not yet have FACLs.
$ setfacl -Rm "u:apache:rwx" dir1/
$ getfacl dir1/*
# file: dir1/file1
# owner: root
# group: root
user::rw-
user:apache:rwx
group::r--
mask::rwx
other::r--
# file: dir1/file2
# owner: root
# group: root
user::rw-
user:apache:rwx
group::r--
mask::rwx
other::r--
# file: dir1/file3
# owner: root
# group: root
user::rw-
user:apache:rwx
group::r--
mask::rwx
other::r--
And lastly, to remove the FACLs from a file we can use the -b flag, which removes all extended ACL entries (including the mask) and leaves only the owner, group and other entries. To remove a single entry instead, use -x with the entry type and qualifier (for example u:apache), and to drop only a directory's Default FACL use -k.
$ getfacl file1
# file: file1
# owner: root
# group: root
user::rw-
user:apache:rwx
group::r--
mask::rwx
other::r--
$ setfacl -b file1
$ getfacl file1
# file: file1
# owner: root
# group: root
user::rw-
group::r--
other::r--
As you can see above, the FACLs set on this file have been removed.
Say you have a directory which houses multiple subdirectories and files, and you want new files created anywhere in it to be writable by Apache, as well as the existing files. You can use the two setfacl commands below to achieve this.
$ setfacl -dRm 'u:apache:rwx' dir1
$ setfacl -Rm 'u:apache:rwx' dir1
The first setfacl adds the Default FACL to dir1 and every directory below it; the second adds the same entry as an access FACL to every existing file below dir1, including dir1 itself (in Linux directories are files too, so -R covers both). Granting a web server rwx on every existing file is broader than it needs to be: writing the permissions as rwX instead, with a capital X, gives execute only on directories and on files that are already executable, so Apache can traverse and write but does not gain execute on plain data files.
Date: 2010-03-22 12:53:17 CDT
HTML generated by org-mode 6.21b in emacs 23