Using ACLs to Control File Access
What are ACLs (sometimes known as facls)?
For many tasks, controlling access to files and directories using standard Unix file permissions is cumbersome: the standard chmod and chgrp commands only allow the user to specify file permissions for a single group, and they require a System Administrator to create or modify the appropriate group.
ACLs (Access Control Lists) are a feature of many Unix Operating Systems that allows for a greater degree of control over specifying which users and groups can access files and directories. Using ACLs, users can set file permissions for arbitrary users and groups without the assistance of a System Administrator.
The School has a number of file servers supporting a number of types of ACLs. At present Unix ACLs, via setfacl and getfacl, are only available on the following filesystems:
For the moment, ACLs on other filesystems can only be set under Windows; these will, however, be honoured when the files are accessed via Unix.
Viewing ACL Permissions
Files or directories that have permissions set with ACLs can be identified from a long directory listing (the ls -l command). A '+' symbol after the file permissions indicates that the file has an ACL:

ls -l secret-file.txt
-rwxr-----+ 1 abc staff 12 Sep 11 12:53 secret-file.txt
getfacl displays the ACL of a file. For example, the command getfacl secret-file.txt will display the ACL for the file secret-file.txt. The format of the output of getfacl is explained in the table below.
Entry in getfacl output          Meaning
# file: / # owner: / # group:    Standard Unix file attributes (file name, owner and group)
user::perms                      Permissions for the owner
user:user1:perms                 Permissions for named users (user1, user2, etc.)
group::perms                     Permissions for the file's group
group:group1:perms               Permissions for named groups (group1, group2, etc.)
mask:perms                       Maximum permissions granted for any user or group with an ACL entry other than the owner
other:perms                      Permissions for all other users
default:<entry>                  Default ACL permissions (for directories only)
- The mask entry specifies the maximum permissions granted for any user other than the owner. The mask value overrides user or group entries that grant greater permissions than the value of the mask. For example, if the mask grants only read permission and a user entry grants read/write permission, the user's effective permissions are read only.
- Changing the value of the mask entry is a good way to quickly change the permissions to restrict access for all users.
- getfacl will indicate where the mask is overriding a user or group permission by displaying the effective permissions.
- Default ACL entries are only applicable to directories. These ACL entries specify the maximum permissions granted to any new files created within the directory. The effective permissions on the new file are calculated by comparing the default ACL against the requested permissions.
An example of the output from getfacl is explained below:

getfacl secret-file.txt
# file: secret-file.txt
# owner: abc
# group: staff
user::rwx
user:test:r--           #effective:r--
group::r--              #effective:r--
group:pg:rw-            #effective:r--
mask:r--
other:---

- The owner has full control
- The group staff has read permissions
- The user test has read permissions
- The group pg has a read/write entry but the mask restricts access to read only
- The mask is read only
- Other users have no permissions to access the file
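The following script is an added example, not part of the original page: it reproduces the mask calculation that getfacl performs when it prints the #effective: column, so you can see why group pg ends up with read-only access in the listing above. The ACL text embedded in the script is constructed to match the secret-file.txt example; the function names (perm_and, annotate_effective) are this example's own and not part of any Unix tool.

```shell
#!/bin/sh
# Added example (not from the original page): reproduce the "#effective:"
# calculation that getfacl performs when a mask entry restricts named user,
# owning-group and named-group entries. The ACL text below is constructed
# to match the secret-file.txt example discussed above.

ACL_SAMPLE='# file: secret-file.txt
# owner: abc
# group: staff
user::rwx
user:test:r--
group::r--
group:pg:rw-
mask:r--
other:---'

# perm_and A B: bitwise AND of two rwx triples, e.g. "rw-" "r--" -> "r--".
# A permission survives only if both the entry and the mask grant it.
perm_and() {
    p1=$1; p2=$2; out=""
    for i in 1 2 3; do
        c1=$(printf '%s' "$p1" | cut -c"$i")
        c2=$(printf '%s' "$p2" | cut -c"$i")
        if [ -n "$c1" ] && [ "$c1" = "$c2" ] && [ "$c1" != "-" ]; then
            out="$out$c1"
        else
            out="$out-"
        fi
    done
    printf '%s' "$out"
}

# annotate_effective ACL-TEXT: print the ACL again, appending "#effective:"
# to every entry the mask applies to (named users, the owning group and
# named groups). The owner (user::) and other entries are never masked, so
# they are printed unchanged, as are the "# file:" style header lines.
annotate_effective() {
    acl=$1
    mask=$(printf '%s\n' "$acl" | sed -n 's/^mask:\(...\)$/\1/p')
    # An ACL without a mask entry restricts nothing.
    [ -n "$mask" ] || mask=rwx
    printf '%s\n' "$acl" | while IFS= read -r line; do
        case $line in
            user::*|other:*|mask:*|'#'*|'')
                printf '%s\n' "$line" ;;
            user:*|group:*)
                perms=${line##*:}
                printf '%s\t#effective:%s\n' "$line" "$(perm_and "$perms" "$mask")" ;;
            *)  printf '%s\n' "$line" ;;
        esac
    done
}

annotate_effective "$ACL_SAMPLE"
```

Running the script prints the same listing as the getfacl example, with group:pg:rw- reduced to an effective r-- because the mask is r--. Tightening the mask to --- would reduce every named user and group entry to no access in one step, which is the quick lock-down the text describes.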
Setting ACL permissions
ACL permissions are set using the setfacl command. The command can be used in one of four ways:

setfacl -s acl-entry-list filename
    Set the ACL permissions specified in the list acl-entry-list for the file filename, replacing any existing ACL entries.

setfacl -m acl-entry-list filename
    Modify the ACL for the file filename, replacing only the ACL entries specified in the list.

setfacl -f acl-entry-file filename
    As for the -s option, except that the ACL entries are read from the file acl-entry-file rather than the command line.

setfacl -d acl-entry-list filename
    Delete the ACL entries on the file filename specified by the list.
- The format of the ACL entries is the same as displayed by the getfacl command. The entry types default, user, group, mask and other can be abbreviated to d, u, g, m and o respectively.
- The ACL entries are comma separated when entered on the command line, or separated by new lines when entered from a file.
- Anything after a '#' symbol in an ACL file is read as a comment.
- The ACL entries don't have to be in any specific order.
- The ACL entries should not include permissions when specifying entries to delete with the -d option.
- ACL entries can be read from STDIN by specifying the input file as '-' when using the -f option. ACL entries can therefore be piped from an existing file (using getfacl) to set the permissions on another file.
- When setting ACLs with the -f option, the following must be specified:
  - Permissions for the owner, group and others.
  - A mask entry if additional user/group ACL entries have been specified.
- It is recommended to set ACLs using files and/or shell scripts. Using files and scripts maintains a record of the original permissions set on the file and makes it easier to restore the permissions if they ever need to be reset to their original values.
Examples of setting ACLs with setfacl:

setfacl -s user::rwx,group::r--,other:---,mask:rw-,user:abc:rw- secret-file.txt
- Give full control to the owner
- Group has read only permissions
- Others have no access
- The mask is read/write (maximum permissions)
- User abc has read/write permissions

setfacl -m user:abc:r-- secret-file.txt
- Modifies the permissions for user abc to only allow read access

setfacl -d user:abc: secret-file.txt
- Deletes the ACL entry for user abc

setfacl -f acl-file secret-file.txt
- Read ACL entries from the file acl-file

getfacl secret.orig | setfacl -f - secret-file.txt
- Read ACL entries from the file secret.orig and apply them to the file secret-file.txt
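Since the page recommends keeping ACLs in files and scripts, the following added example (not part of the original page) lints such a file before it is handed to setfacl -f: it applies the rules listed above, expanding the d/u/g/m/o abbreviations, accepting comma- or newline-separated entries, dropping '#' comments, and checking that the owner, group and other entries are present together with a mask whenever named user or group entries appear. It also builds the permission-free list that setfacl -d expects. The ACL file text is constructed for illustration, and the function names (normalize_acl_entries, check_acl_for_setfacl, delete_list_for) are this example's own; setfacl itself is only mentioned in the printed hint, not run.

```shell
#!/bin/sh
# Added example (not from the original page): lint an ACL entry list before
# passing it to "setfacl -f". Handles the d/u/g/m/o abbreviations, comma- or
# newline-separated entries and "#" comments, and checks that owner, group and
# other entries are present, plus a mask whenever named user or group entries
# appear. The ACL file text below is constructed for illustration.

ACL_FILE='# constructed ACL for secret-file.txt
u::rwx
g::r--
o:---
m:rw-
user:abc:rw-    # named user entry
g:pg:r--        # named group entry'

# normalize_acl_entries TEXT: strip comments, split comma-separated entries,
# expand the one-letter tags, and print one canonical entry per line.
normalize_acl_entries() {
    printf '%s\n' "$1" | sed 's/#.*$//' | tr ',' '\n' |
    sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -v '^$' |
    while IFS= read -r entry; do
        prefix=""
        case $entry in
            d:*|default:*) prefix="default:"; entry=${entry#*:} ;;
        esac
        tag=${entry%%:*}; rest=${entry#*:}
        case $tag in
            u) tag=user ;; g) tag=group ;; m) tag=mask ;; o) tag=other ;;
        esac
        printf '%s%s:%s\n' "$prefix" "$tag" "$rest"
    done
}

# check_acl_for_setfacl TEXT: succeed (exit 0) only when the access ACL
# contains owner, owning-group and other entries, and a mask entry if any
# named user or group entry is present. Default entries are normalised but
# not checked here.
check_acl_for_setfacl() {
    has_owner=0; has_group=0; has_other=0; has_mask=0; has_named=0
    for e in $(normalize_acl_entries "$1"); do
        case $e in
            user::*)        has_owner=1 ;;
            group::*)       has_group=1 ;;
            other:*)        has_other=1 ;;
            mask:*)         has_mask=1 ;;
            user:*|group:*) has_named=1 ;;
        esac
    done
    [ "$has_owner" -eq 1 ] && [ "$has_group" -eq 1 ] && [ "$has_other" -eq 1 ] || return 1
    [ "$has_named" -eq 0 ] || [ "$has_mask" -eq 1 ]
}

# delete_list_for TEXT: the comma-separated list "setfacl -d" expects for the
# named entries in TEXT, i.e. with the permission field removed
# (user:abc:rw- becomes user:abc:).
delete_list_for() {
    normalize_acl_entries "$1" | grep -E '^(user|group):[^:]+:' |
    sed 's/[^:]*$//' | paste -s -d ',' -
}

if check_acl_for_setfacl "$ACL_FILE"; then
    echo "ACL file is complete; apply with: setfacl -f acl-file secret-file.txt"
    echo "to remove its named entries later: setfacl -d $(delete_list_for "$ACL_FILE") secret-file.txt"
else
    echo "ACL file is incomplete for setfacl -f" >&2
fi
```

A file that omits the mask while still naming user abc fails the check, which is exactly the case setfacl -f rejects; catching it in a script keeps the recorded ACL file and the permissions actually applied in step.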
More detailed information about ACLs can be found by reading the
There is a GUI on the Solaris machines for editing access control lists that you can run with the command:
jfacl <file or dir name>
See the jfacl homepage.