In Linux we have several kinds of permission for managing user-level access, so that different users can work on the same files and directories in different ways. One of them is the ACL (access control list), which grants permissions to users other than the owner or the group members of a file or directory. In this post we will be talking about Linux file-system ACLs.

These permissions come into play when our requirement cannot be met with the owner, group and others classes alone.

File-system permissions cover executing, writing or editing, reading and copying files, and changing their permissions. On directories the same permissions work at a different level: changing, deleting, creating sub-directories, copying, and changing the permissions of directories. We have also covered basic Linux permissions in another post.

We can see Linux file permissions in the output of ls -l, like below.

[root@srv1 etc]# ls -l | tail
-rw-r--r--   1 root root   1982 Jul  9 12:00 virc
-rw-r--r--   1 root root   3008 Jul 23  2015 warnquota.conf
-rw-r--r--   1 root root   4479 Mar 22  2017 wgetrc
drwxr-xr-x.  5 root root   4096 May  4 12:29 X11
drwxr-xr-x.  3 root root   4096 Feb  2  2018 xdg
drwxr-xr-x.  2 root root   4096 Jan  3  2019 xinetd.d
drwxr-xr-x   2 root root   4096 Feb 18  2019 xml
drwxr-xr-x.  5 root root   4096 Jan  3  2019 yum
-rw-r--r--   1 root root    969 Feb  2  2019 yum.conf
drwxr-xr-x.  3 root root   4096 May  5 20:57 yum.repos.d

Here we can only grant permission to the owner, the group and others, but what if we need to grant permission to some other user who is neither the owner nor a group member? For such cases we need an access control list (ACL), with which we can grant access to any single user. Let’s see an example.

[u1@srv1 data]$ ll
total 0
-rw------- 1 root root 18 Sep 23 01:35 f1
[u1@srv1 data]$ cat f1
cat: f1: Permission denied
[u1@srv1 data]$ 

Access Control List (ACL)

Above we have a file that has read and write permission for its owner only, and the owner is root; because of this, any other user who tries to read the file gets a permission denied error. We can fix that through an access control list (ACL), like below.

ACL Syntax

setfacl [-R] -m|-x u|g:user-name-or-group-name:permission file-name-or-directory-name

In the syntax above we modify (-m) or remove (-x) an access entry, optionally recursively (-R), for a user (u) or a group (g) with the given user-name or group-name and permissions, on the named file or directory. The permission can be written as letters (for example rw) or as a single octal digit (for example 6), as in the next example.

To add an ACL entry on the file mentioned above, we use the setfacl command in the following way (as root, since only the owner or root can change a file's ACL):

[root@srv1 data]# setfacl -m u:u1:6 f1

[root@srv1 data]# ls -l
total 4
-rw-rw----+ 1 root root 18 Sep 23 01:42 f1

Apply ACL

In the commands above we can see setfacl used to manage the ACL on the file f1, and the plus (+) sign at the end of the mode in the ls output, which marks a file carrying an extended ACL and makes such files easy to spot. Let’s see the effect in the present scenario.

[u1@srv1 data]$ ls -l 
total 4
-rw-rw----+ 1 root root 18 Sep 23 01:42 f1
[u1@srv1 data]$ cat f1
Test file for ACL

View ACL

In the above case we can see that user u1 is now able to read the file f1 because of the ACL entry we added. We can check it with the getfacl command.

[u1@srv1 data]$ getfacl f1
# file: f1
# owner: root
# group: root
user::rw-
user:u1:rw-
group::---
mask::rw-
other::---

In the output above we can see the access control list of the file through the getfacl command. We can use the same command on a directory and for a group, like below.

[root@srv1 data]# setfacl -R -m g:sysadm:rw scripts
[root@srv1 data]# setfacl -R -m g:devops:rw scripts

[root@srv1 data]# getfacl scripts/
# file: scripts/
# owner: root
# group: root
user::rwx
group::r-x
group:sysadm:rw-
group:devops:rw-
mask::rwx
other::r-x

In the commands above we grant recursive access on the directory to the groups; with -R the same rw entries are applied to every file and sub-directory inside scripts, not only to the directory itself. Note also the mask entry: setfacl recalculates it as the union of the owning group (r-x) and the named group entries (rw-), giving rwx, and the mask caps the effective permissions of every named user and group entry, so a mask lower than an entry silently reduces what that entry grants.

Revoking ACL

So, now we know how to grant permission on a file or directory through the setfacl command, but what if we need to remove these ACL entries? For that we use the setfacl command again, in the following way:

[root@srv1 data]# getfacl f1
# file: f1
# owner: root
# group: root
user::rw-
user:u1:rw-
group::---
mask::rw-
other::---

[root@srv1 data]# setfacl -x u:u1 f1

[root@srv1 data]# getfacl f1
# file: f1
# owner: root
# group: root
user::rw-
group::---
mask::---
other::---

In the output above we can see that the ACL entry we had on the file f1 for user u1 has been removed through the same setfacl command, this time with -x. Note that the mask entry remains and is recalculated (to ---, since no group or named entries remain); to strip every extended entry from a file in one go, use setfacl -b file-name.
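To make the View ACL and Revoking ACL sections concrete, here is an added example (not code from the original post) that simulates how Linux evaluates a POSIX ACL: it parses getfacl output, applies the mask the way the kernel does, answers whether a given user can read, write or execute, and mimics setfacl -m / -x including the automatic mask recalculation that produced the mask values in the listings above. The sample inputs are the f1 and scripts/ listings from the post; function names and the dictionary layout are my own assumptions.

```python
# Added example, not from the post: a small simulator of how Linux evaluates a POSIX
# ACL. It parses getfacl output, applies the mask the way the kernel does, answers
# "can this user do that?", and mimics setfacl -m / -x including the automatic mask
# recalculation that produces the mask values shown in the listings above.
PERM_BITS = {"r": 4, "w": 2, "x": 1}

# Constructed sample inputs: the f1 and scripts/ getfacl listings from the post.
F1_ACL = """# file: f1
# owner: root
# group: root
user::rw-
user:u1:rw-
group::---
mask::rw-
other::---
"""
SCRIPTS_ACL = """# file: scripts/
# owner: root
# group: root
user::rwx
group::r-x
group:sysadm:rw-
group:devops:rw-
mask::rwx
other::r-x
"""

def perm_to_bits(perm):
    """'rw-' -> 6; also accepts the octal digit form setfacl allows ('6' -> 6)."""
    return int(perm) & 7 if perm.isdigit() else sum(PERM_BITS[c] for c in perm if c in PERM_BITS)

def bits_to_perm(bits):
    return "".join(c if bits & b else "-" for c, b in PERM_BITS.items())

def parse_getfacl(text):
    """Turn getfacl output into a dict; named entries live under 'users' / 'groups'."""
    acl = {"users": {}, "groups": {}, "mask": None}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):  # header comments: file, owner, group
            key, _, val = line.lstrip("# ").partition(":")
            acl[key] = val.strip()
            continue
        line = line.split("#", 1)[0].strip()  # drop a trailing "#effective:" note
        if not line:
            continue
        tag, name, perm = line.split(":")
        if tag in ("user", "group") and name:
            acl[tag + "s"][name] = perm_to_bits(perm)
        else:  # user::, group::, mask::, other::
            acl["group_obj" if tag == "group" else tag] = perm_to_bits(perm)
    return acl

def effective(acl):
    """Effective rights per entry: the mask caps named users, named groups and the owning
    group, never the owner (user::) or other:: (what getfacl's '#effective:' notes show)."""
    mask = 7 if acl["mask"] is None else acl["mask"]
    eff = {"user::": acl["user"], "group::": acl["group_obj"] & mask, "other::": acl["other"]}
    eff.update(("user:%s:" % n, b & mask) for n, b in acl["users"].items())
    eff.update(("group:%s:" % n, b & mask) for n, b in acl["groups"].items())
    return {k: bits_to_perm(v) for k, v in eff.items()}

def can(acl, user, groups, want):
    """Kernel-style check: owner, else named user, else matching group entries, else other.
    A matching group entry must grant every requested bit by itself; bits from different
    group entries are never combined."""
    w, mask = perm_to_bits(want), (7 if acl["mask"] is None else acl["mask"])
    if user == acl["owner"]:
        return (acl["user"] & w) == w
    if user in acl["users"]:
        return (acl["users"][user] & mask & w) == w
    matching = [acl["group_obj"]] if acl["group"] in groups else []
    matching += [b for n, b in acl["groups"].items() if n in groups]
    if matching:
        return any((b & mask & w) == w for b in matching)
    return (acl["other"] & w) == w

def recalc_mask(acl):
    """setfacl's default: mask = union of group::, every named user and every named group."""
    acl["mask"] = acl["group_obj"]
    for b in list(acl["users"].values()) + list(acl["groups"].values()):
        acl["mask"] |= b
    return acl

def modify(acl, spec):
    """One `setfacl -m` entry: 'u:NAME:PERM', 'g:NAME:PERM', or 'm::PERM' (explicit mask)."""
    tag, name, perm = spec.split(":")
    if tag == "m":
        acl["mask"] = perm_to_bits(perm)  # an explicit mask is taken as-is
        return acl
    acl["users" if tag == "u" else "groups"][name] = perm_to_bits(perm)
    return recalc_mask(acl)

def remove(acl, spec):
    """One `setfacl -x` entry such as 'u:u1'; an existing mask entry stays and is recomputed."""
    tag, name = spec.split(":")
    acl["users" if tag == "u" else "groups"].pop(name, None)
    return recalc_mask(acl) if acl["mask"] is not None else acl
```

Two things this shows that the listings alone do not: lowering the mask (modify(acl, "m::r"), the equivalent of setfacl -m m::r) silently cuts u1's rw- entry down to r-- without touching the entry itself, which is why getfacl's "#effective:" comments are worth reading during a review; and when a user matches several group entries, the kernel requires one entry to grant all requested bits, so a user in a group with r-- and another with -w- still cannot open the file read-write.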