Linux permissions: Access Control List (ACL)
Linux has several kinds of permission that control which users can reach a file or directory and what they can do with it. One of them is the access control list (ACL), which grants permissions to users and groups other than the owner and the owning group of a file or directory. This post covers the Linux file-system ACL.
ACLs come into play when a requirement cannot be expressed with the owner, group and others fields alone.
On files the classic permissions cover reading, writing (editing), executing, copying and changing the mode. On directories the same bits mean something different: read lets a user list the entries, write lets a user create, rename and delete entries (including sub-directories), and execute lets a user enter the directory and reach the files inside it. The basic Linux permission model is covered in another post.
Linux file permissions show in the output of ls -l, for example:
[root@srv1 etc]# ls -l | tail
-rw-r--r-- 1 root root 1982 Jul 9 12:00 virc
-rw-r--r-- 1 root root 3008 Jul 23 2015 warnquota.conf
-rw-r--r-- 1 root root 4479 Mar 22 2017 wgetrc
drwxr-xr-x. 5 root root 4096 May 4 12:29 X11
drwxr-xr-x. 3 root root 4096 Feb 2 2018 xdg
drwxr-xr-x. 2 root root 4096 Jan 3 2019 xinetd.d
drwxr-xr-x 2 root root 4096 Feb 18 2019 xml
drwxr-xr-x. 5 root root 4096 Jan 3 2019 yum
-rw-r--r-- 1 root root 969 Feb 2 2019 yum.conf
drwxr-xr-x. 3 root root 4096 May 5 20:57 yum.repos.d
These three columns only describe the owner, the owning group and everyone else. If a particular user who is neither the owner nor a member of the group needs access, the mode bits cannot express it; an access control list (ACL) can, because it attaches permissions to an arbitrary single user or group. Let's look at an example.
[u1@srv1 data]$ ll
total 0
-rw------- 1 root root 18 Sep 23 01:35 f1
[u1@srv1 data]$ cat f1
cat: f1: Permission denied
[u1@srv1 data]$
Access Control List (ACL)
Above, the file f1 grants read and write to its owner only, and the owner is root, so any other user who tries to read it gets "Permission denied". We can fix this with an access control list (ACL). The general syntax is:
setfacl [-R] -m {u|g}:name:perms file-or-directory
setfacl [-R] -x {u|g}:name file-or-directory
Here -m modifies (adds or changes) an entry and -x removes one; -R applies the change recursively to a directory and everything under it; u: or g: selects a user or a group entry; name is the user or group name (a numeric UID or GID also works); and perms is the permission to grant, written either as rwx letters or as a single octal digit.
To grant u1 access to the file above, run setfacl as follows:
[root@srv1 data]# setfacl -m u:u1:6 f1
[root@srv1 data]# ls -l
total 4
-rw-rw----+ 1 root root 18 Sep 23 01:42 f1
The setfacl command added an ACL entry on f1, and ls -l now prints a plus sign (+) after the mode bits, which marks a file that carries an ACL. Note that the middle rw- in the mode is no longer the owning group's permission: once an ACL is present, that column shows the ACL mask (the upper bound for every named user, named group and group entry), so ls alone can mislead and getfacl is needed to see who really has access. Let's check the effect for u1.
[u1@srv1 data]$ ls -l
total 4
-rw-rw----+ 1 root root 18 Sep 23 01:42 f1
[u1@srv1 data]$ cat f1
Test file for ACL
User u1 can now read f1 because of the ACL entry we added. The full list can be inspected with getfacl.
[u1@srv1 data]$ getfacl f1
# file: f1
# owner: root
# group: root
user::rw-
user:u1:rw-
group::---
mask::rw-
other::---
getfacl prints the owner, the owning group and every ACL entry: user:: and group:: are the classic owner and group bits, user:u1:rw- is the entry we added, and mask::rw- caps the effective permission of every named entry. Keep in mind that chmod on a file with an ACL rewrites the mask rather than the group entry, so a later chmod 640 f1 would silently reduce u1 to read-only. The same command works on a directory, here for two groups:
[root@srv1 data]# setfacl -R -m g:sysadm:rw scripts
[root@srv1 data]# setfacl -R -m g:devops:rw scripts
[root@srv1 data]# getfacl scripts/
# file: scripts/
# owner: root
# group: root
user::rwx
group::r-x
group:sysadm:rw-
group:devops:rw-
mask::rwx
other::r-x
Here the ACL entry is applied recursively to the scripts directory and everything under it, once per group. Two caveats: -R writes the same rw to the directory itself and to every file below it, which gives those groups read and write on the files but no execute (x) on the directory, so members can list scripts but cannot enter it or open the files inside. setfacl's capital X permission sets execute only on directories and on files that are already executable, so setfacl -R -m g:sysadm:rwX scripts is usually what is wanted. Also, getfacl without -R shows only the directory's own entries; use getfacl -R scripts to verify the files underneath.
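The mask entry that getfacl prints above is what decides whether the u1 entry and the group entries actually work, and it is also what ls -l shows in the group column once the + marker is present. As an added example that is not part of the original post, the following POSIX shell script parses a constructed getfacl dump and reports the effective permission (entry AND mask) of every named entry; it also flags named entries on a directory that lack execute, since those members cannot enter the directory. The f1 block is written as it would look after a later chmod 640 f1 recomputed the mask to r--, which is an assumption for illustration, and treating a trailing slash in the "# file:" line as the directory marker is an assumption taken from the output shown above.

```shell
#!/bin/sh
# Added example, not from the original post: parse a getfacl dump and show
# what each named user/group entry really grants after the mask is applied.

# Constructed getfacl output (assumed, not captured): f1 after a later
# "chmod 640 f1" rewrote its mask to r--, and scripts/ as left by
# "setfacl -R -m g:...:rw scripts". A trailing "/" marks a directory here.
sample_getfacl() {
cat <<'EOF'
# file: f1
# owner: root
# group: root
user::rw-
user:u1:rw-
group::---
mask::r--
other::---

# file: scripts/
# owner: root
# group: root
user::rwx
group::r-x
group:sysadm:rw-
group:devops:rw-
mask::rwx
other::r-x
EOF
}

# Effective permission = entry AND mask, one rwx position at a time.
effective_perms() {
  entry=$1; mask=$2; out=""; i=1
  while [ "$i" -le 3 ]; do
    ec=$(printf '%s' "$entry" | cut -c"$i")
    mc=$(printf '%s' "$mask" | cut -c"$i")
    if [ "$ec" = "$mc" ] && [ "$ec" != "-" ]; then out="$out$ec"; else out="$out-"; fi
    i=$((i + 1))
  done
  printf '%s\n' "$out"
}

# Print one line per named entry of a block, flagging entries the mask cuts
# down (MASKED) and directory entries without execute (NO-TRAVERSE).
report_block() {
  file=$1; mask=$2; entries=$3
  printf '%s\n' "$entries" | while IFS= read -r line; do
    [ -n "$line" ] || continue
    kind=${line%%:*}; rest=${line#*:}
    name=${rest%%:*}; perms=${rest#*:}
    eff=$(effective_perms "$perms" "$mask")
    flag=""
    [ "$eff" = "$perms" ] || flag=" MASKED"
    case $file in
      */) case $eff in *x) ;; *) flag="$flag NO-TRAVERSE" ;; esac ;;
    esac
    printf '%s %s:%s requested=%s effective=%s%s\n' \
      "$file" "$kind" "$name" "$perms" "$eff" "$flag"
  done
}

# getfacl prints the mask after the named entries, so each block is buffered
# and reported when its blank separator (or the appended final newline) arrives.
audit_acl() {
  file=""; mask="---"; entries=""
  { sample_getfacl; echo; } | while IFS= read -r line; do
    case $line in
      "# file: "*) file=${line#"# file: "}; mask="---"; entries="" ;;
      "#"*) ;;
      "") if [ -n "$file" ]; then report_block "$file" "$mask" "$entries"; fi; file="" ;;
      mask::*) mask=${line#mask::} ;;
      user:?*:*|group:?*:*) entries="$entries$line
" ;;
    esac
  done
}

audit_acl
```

Run against real systems by replacing sample_getfacl with getfacl -R on the tree of interest; the MASKED lines are the entries a chmod has quietly narrowed, and the NO-TRAVERSE lines are directory grants that look generous in getfacl but do not let the group in.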
Now we know how to grant permissions on files and directories with setfacl. To remove an ACL entry again, use setfacl with -x:
[root@srv1 data]# getfacl f1
# file: f1
# owner: root
# group: root
user::rw-
user:u1:rw-
group::---
mask::rw-
other::---
[root@srv1 data]# setfacl -x u:u1 f1
[root@srv1 data]# getfacl f1
# file: f1
# owner: root
# group: root
user::rw-
group::---
mask::---
other::---
The u1 entry on f1 is gone, removed by the same setfacl command. Note that the mask entry stays behind, recalculated to --- now that no named entry remains, so ls -l still shows the + marker; to strip every extended entry together with the mask in one go, use setfacl -b f1.