Access Control Lists (ACL)

  • getfacl
  • setfacl

First, let's look at the getfacl command.

[wmason@devnull tmp]$ touch testfile
[wmason@devnull tmp]$ ls -l testfile
-rw-rw-r-- 1 wmason wmason 0 Oct 17 13:29 testfile
[wmason@devnull tmp]$ getfacl testfile
# file: testfile
# owner: wmason
# group: wmason
user::rw-
group::rw-
other::r--

This should all look familiar if you understand Unix file permissions. Next, let's grant user "hulet" read and write access to "testfile".

[wmason@devnull tmp]$ setfacl -m u:hulet:rw- testfile
[wmason@devnull tmp]$ getfacl testfile
# file: testfile
# owner: wmason
# group: wmason
user::rw-
user:hulet:rw-
group::rw-
mask::rw-
other::r--

[wmason@devnull tmp]$ ls -l testfile
-rw-rw-r--+ 1 wmason wmason 0 Oct 17 13:29 testfile

Notice that there is an extra user entry in the output from getfacl, and that there is a "+" after the mode bits in the output from ls. The "+" indicates that an ACL has been applied to the file. In addition to the new user entry, there is now a "mask" entry in the output from getfacl. This is the effective rights mask: it caps the rights actually granted to named users, named groups, and the owning group entry (group::), as the output further down shows. The owner entry (user::) and the Other entry are not affected. If the mask is more restrictive than the ACL permissions you grant, the mask takes precedence.

Next, let's grant user "ahock" and group "admin" read and write access. But first, we will remove read access from Other.

[wmason@devnull tmp]$ chmod o-r testfile 
[wmason@devnull tmp]$ ls -l testfile 
-rw-rw----+ 1 wmason wmason 0 Oct 17 13:29 testfile
[wmason@devnull tmp]$ setfacl -m u:ahock:rw-,g:admin:rw- testfile 
[wmason@devnull tmp]$ getfacl testfile 
# file: testfile
# owner: wmason
# group: wmason
user::rw-
user:hulet:rw-
user:ahock:rw-
group::rw-
group:admin:rw-
mask::rw-
other::---

Next, let's modify the "mask" entry to allow read access only.

[wmason@devnull tmp]$ setfacl -m mask::r-- testfile
[wmason@devnull tmp]$ getfacl testfile
# file: testfile
# owner: wmason
# group: wmason
user::rw-
user:hulet:rw-                  #effective:r--
user:ahock:rwx                  #effective:r--
group::rw-                      #effective:r--
group:admin:rwx                 #effective:r--
mask::r--
other::---

getfacl now annotates each masked entry with its "effective" rights. This demonstrates the precedence that "mask" takes over the ACL permissions. Next, we will use the setfacl command to change the normal User, Group, and Other permissions; this can be used instead of chmod. Note that setfacl recalculates the mask whenever it modifies entries unless you pass -n (--no-mask), so the mask changes again in the output below.

[wmason@devnull tmp]$ setfacl -m u::rwx,g::rwx,o::rwx testfile 
[wmason@devnull tmp]$ getfacl testfile
# file: testfile
# owner: wmason
# group: wmason
user::rwx
user:hulet:rw-
user:ahock:rwx
group::rwx
group:admin:rwx
mask::rwx
other::rwx
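As an added example (not part of the original page), here is a small Python parser for getfacl output that applies the mask rule described above and recomputes the "#effective:" column, plus an audit check that lists the entries the mask is silently narrowing. The sample ACL is constructed from the listing after "setfacl -m mask::r--".

```python
# Added example (not from the page): recompute getfacl's "#effective:" column.
# The mask limits named users, the owning group (group::) and named groups; user:: and other:: are exempt.
from typing import Dict, List, Tuple

# Constructed sample: the page's ACL after "setfacl -m mask::r--", with the
# "#effective:" annotations removed so the code has to derive them.
SAMPLE_ACL = """\
# file: testfile
user::rw-
user:hulet:rw-
user:ahock:rwx
group::rw-
group:admin:rwx
mask::r--
other::---
"""

def parse_acl(text: str) -> List[Tuple[str, str, str]]:
    """Return (tag, qualifier, perms) per entry; '# file:' and '#effective:' comments are dropped."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            tag, qualifier, perms = line.split(":", 2)
            entries.append((tag, qualifier, perms))
    return entries

def mask_perms(perms: str, mask: str) -> str:
    """AND two rwx strings: a right survives only if the entry and the mask both grant it."""
    return "".join(p if p != "-" and p == m else "-" for p, m in zip(perms, mask))

def effective_rights(text: str) -> Dict[str, str]:
    """Map 'tag:qualifier' -> effective perms, as getfacl prints them."""
    entries = parse_acl(text)
    mask = next((p for t, _, p in entries if t == "mask"), None)
    result = {}
    for tag, qualifier, perms in entries:
        masked = tag == "group" or (tag == "user" and qualifier != "")
        if mask is not None and masked:
            perms = mask_perms(perms, mask)
        result[f"{tag}:{qualifier}"] = perms
    return result

def narrowed_by_mask(text: str) -> List[str]:
    """Audit check: entries whose listed rights are wider than what the mask lets through."""
    effective = effective_rights(text)
    return [f"{t}:{q}" for t, q, p in parse_acl(text) if effective[f"{t}:{q}"] != p]

if __name__ == "__main__":
    print(effective_rights(SAMPLE_ACL), narrowed_by_mask(SAMPLE_ACL))
```

Feed it the output of "getfacl FILE" to see which grants on a file are really in force, or run it across a tree to find ACLs where a mask is hiding rights an administrator thinks are granted.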