Using ACLs to Control File Access

What are ACLs (sometimes known as facls)?

For many tasks, controlling access to files and directories with standard Unix file permissions is cumbersome and restrictive. The chmod and chgrp commands only let the user specify permissions for a single group, and a System Administrator has to create or modify that group.

ACLs (Access Control Lists) are a feature of many Unix operating systems that allows a finer degree of control over which users and groups can access files and directories. Using ACLs, users can set permissions for arbitrary users and groups without the assistance of a System Administrator.

The School has a number of file servers, supporting several types of ACL. At present Unix ACLs, via setfacl and getfacl, are only available on the following filesystems:

  • /home/admin
  • /home/archive
  • /home/scratch-*

For the moment, ACLs on other filesystems can only be set under Windows; they will, however, be honoured when the files are accessed via Unix.

Viewing ACL Permissions

Files or directories that have permissions set with ACLs can be identified from a long directory listing (ls -l). A '+' symbol after the file permissions indicates that the file has an ACL. Note that for such a file the group position of the mode bits shows the mask rather than the group entry, so ls -l alone does not tell you who can access the file; use getfacl.

	ls -l secret-file.txt

	-rwxr-----+  1 abc      staff         12 Sep 11 12:53 secret-file.txt
	

The getfacl command displays the ACL of a file. For example, getfacl secret-file.txt displays the ACL for the file secret-file.txt.

The format of the output to getfacl is explained in the table below.

Command Output               Explanation
# file: filename             Standard Unix file attributes: file name, owner
# owner: username            and owning group
# group: group-name
user::perm                   Permissions for the owner
user:user1:perm              Permissions for named users (user1, user2, etc.)
user:user2:perm
group::perm                  Permissions for the file's group
group:group1:perm            Permissions for named groups (group1, group2, etc.)
group:group2:perm
mask:perm                    Maximum permissions granted to any user or group
                             with an ACL entry, other than the owner and other
other:perm                   Permissions for all other users
default:user::perm           Default ACL entries (directories only): the ACL
default:user:user1:perm      given to files and subdirectories created in the
default:group::perm          directory
default:group:group1:perm
default:mask:perm
default:other:perm

Notes:

  • The mask entry specifies the maximum permissions granted to named users, to the file's group and to named groups. It does not limit the owner entry or the other entry. Any user or group entry that grants more than the mask is cut back to the mask. For example, if the mask grants only read permission and a user entry grants read/write, that user's effective permissions are read only.
  • Changing the mask entry is a quick way to restrict access for every user and group covered by the mask at once, without editing the individual entries.
  • getfacl indicates where the mask overrides a user or group entry by displaying the effective permissions next to that entry.
  • Default ACL entries are only applicable to directories. They are copied to any new file or subdirectory created within the directory (a subdirectory also inherits them as its own default ACL). The permissions of the new file are calculated by comparing the default ACL against the permissions requested by the program creating the file: the default entries are an upper bound, so the new file never gets more than the default ACL allows.

An example of the output from getfacl is explained below:

	getfacl secret-file.txt

	# file: secret-file.txt
	# owner: abc
	# group: staff
	user::rwx
	user:test:r--           #effective:r--
	group::r--              #effective:r--
	group:pg:rw-            #effective:r--
	mask:r--
	other:---
	
  • The owner has full control
  • The group staff has read permissions
  • The user test has read permissions
  • The group pg has a read/write entry but the mask restricts access to read only
  • The mask is read only
  • Other users have no permissions to access the file
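The mask rule and the order in which ACL entries are consulted, worked through in an added shell script that is not part of the original page or of Solaris. It parses a Solaris-style getfacl listing (the sample above, embedded as constructed input) with awk, prints the listing with the effective permissions the mask leaves, and then answers the general question the listing is meant to settle: may a given user, with given group memberships, read, write or execute the file? The evaluation order implemented is owner entry, then a matching named user entry, then the owning group and any matching named group entries, then other, with the mask applied to the middle two classes and a missing mask treated as rwx. The function names and the example users pat and guest with their group lists are assumptions for illustration; nothing here calls setfacl or getfacl, so it runs on any system with sh and awk.

```shell
#!/bin/sh
# Added example (not from the original page): evaluate a getfacl listing offline.
# Constructed sample input: the listing of secret-file.txt shown in the text.
SAMPLE_ACL='# file: secret-file.txt
# owner: abc
# group: staff
user::rwx
user:test:r--
group::r--
group:pg:rw-
mask:r--
other:---'

# effective_acl: read an ACL listing on stdin, print it with #effective: notes.
effective_acl() {
    awk -F: '
        # and_perm("rw-", "r--") == "r--": keep a bit only if both strings have it
        function and_perm(a, b,    i, c, out) {
            out = ""
            for (i = 1; i <= 3; i++) {
                c = substr(a, i, 1)
                out = out ((c != "-" && c == substr(b, i, 1)) ? c : "-")
            }
            return out
        }
        /^#/ || NF == 0 { print; next }        # pass the comment header through
        { line[++n] = $0 }                     # buffer: mask comes after the entries
        $1 == "mask" { mask = $2 }
        END {
            for (i = 1; i <= n; i++) {
                split(line[i], f, ":")
                # named users, the owning group and named groups are masked;
                # the owner (user::) and other are not
                masked = (f[1] == "user" && f[2] != "") || f[1] == "group"
                if (masked && mask != "")
                    printf "%-24s#effective:%s\n", line[i], and_perm(f[3], mask)
                else
                    print line[i]
            }
        }'
}

# acl_allows USER "GROUP ..." PERM   (PERM is one of r, w, x); listing on stdin.
# Prints allow or deny; returns 0 for allow, 1 for deny.
acl_allows() {
    awk -F: -v who="$1" -v groups=" $2 " -v want="$3" '
        function has(perm, p) { return index(perm, p) > 0 }
        /^# owner:/ { owner = $2; sub(/^ */, "", owner) }
        /^# group:/ { ogroup = $2; sub(/^ */, "", ogroup) }
        /^#/ || NF == 0 { next }
        $1 == "user"  && $2 == "" { uperm = $3 }
        $1 == "user"  && $2 != "" { nuser[$2] = $3 }
        $1 == "group" && $2 == "" { gperm = $3 }
        $1 == "group" && $2 != "" { ngroup[$2] = $3 }
        $1 == "mask"  { mask = $2 }
        $1 == "other" { operm = $2 }
        END {
            if (mask == "") mask = "rwx"       # trivial ACL: no mask entry at all
            if (who == owner) {
                ok = has(uperm, want)          # owner entry, mask not applied
            } else if (who in nuser) {
                ok = has(nuser[who], want) && has(mask, want)
            } else {
                matched = 0; ok = 0            # owning group and named groups
                if (index(groups, " " ogroup " ")) { matched = 1; if (has(gperm, want)) ok = 1 }
                for (g in ngroup)
                    if (index(groups, " " g " ")) { matched = 1; if (has(ngroup[g], want)) ok = 1 }
                if (matched) ok = ok && has(mask, want)
                else ok = has(operm, want)     # no entry matched: other
            }
            print (ok ? "allow" : "deny")
            exit (ok ? 0 : 1)
        }'
}

printf '%s\n' "$SAMPLE_ACL" | effective_acl
# Hypothetical users pat (in group pg) and guest (in no listed group).
for q in "abc staff w" "test staff w" "pat pg w" "pat pg r" "guest other r"; do
    set -- $q
    printf '%-6s in %-6s %s: ' "$1" "$2" "$3"
    printf '%s\n' "$SAMPLE_ACL" | acl_allows "$1" "$2" "$3" || true
done
```

The pg case is the one to remember: group:pg:rw- looks like write access until the mask:r-- line is applied, and a reviewer reading only the entries, or only ls -l, would get it wrong.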

Setting ACL permissions

ACL permissions are set using the setfacl command. The command can be used in one of four ways:

setfacl -s acl-entry-list filename

Set the ACL permissions specified in the list acl-entry-list for the file filename replacing any existing ACL entries.

setfacl -m acl-entry-list filename

Modify the ACL for the file filename: entries in acl-entry-list that already exist are replaced, entries that do not exist are added, and all other entries are left unchanged.

setfacl -f acl-entry-file filename

As for the -s option except that the ACL entries are read from the file acl-entry-file rather than the command line.

setfacl -d acl-entry-list filename

Delete ACL entries on the file filename specified by the list acl-entry-list.

Notes:

  • The format of the ACL entries is the same as displayed by the getfacl command.
  • default, user, group, mask and other can be abbreviated to d, u, g, m and o.
  • The ACL entries are comma separated when entered on the command line, or one per line when read from a file.
  • Anything after a '#' symbol in an ACL file is read as a comment.
  • The ACL entries do not have to be in any specific order.
  • The ACL entries must not include permissions when specifying entries to delete with the -d option.
  • ACL entries can be read from STDIN by specifying the input file as '-' with the -f option. ACL entries can therefore be piped from an existing file (using getfacl) to set the permissions on another file.
  • When setting ACLs with the -s or -f options, the following must be specified:
    • Permissions for the owner, group and others.
    • A mask entry, if additional user/group ACL entries have been specified.
  • These are the Solaris setfacl options. On Linux the same command has different meanings for the same letters (-d there selects the default ACL and entries are removed with -x, while -s is spelt --set), so do not run these examples unchanged on a Linux host.
  • It is recommended to set ACLs using files and/or shell scripts. Using files and scripts maintains a record of the original permissions set on the file and makes it easier to restore the permissions if they ever need to be reset to their original values.

Examples of setting ACLs with setfacl

setfacl -s user::rwx,group::r--,other:---,mask:rw-,user:abc:rw- secret-file.txt

  • Give full control to owner
  • Group has read only permissions
  • Others have no access
  • The mask is read/write (maximum permissions)
  • User abc has read/write permissions

setfacl -m user:abc:r-- secret-file.txt

  • Modifies the permissions for user abc to only allow read access

setfacl -d user:abc: secret-file.txt

  • Deletes the ACL entry for user abc

setfacl -f acl-file secret-file.txt

  • Read ACL entries from file acl-file

getfacl secret.orig | setfacl -f - secret-file.txt

  • Read ACL entries from the file secret.orig and apply them to the file secret-file.txt
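The rules for -s and -f (owner, group and other entries required, a mask required whenever named user or group entries are present), together with the recommendation to keep a record of the previous permissions, as an added example script that is not part of the original page or of Solaris. check_acl_file validates an ACL entry file offline with awk, accepting comments and the single-letter abbreviations, and reports every problem before anything is applied; set_acl_safely saves the current ACL with getfacl to a timestamped file and only then runs the Solaris setfacl -f described above. The function names, the backup file naming and the sample entry file are assumptions; only check_acl_file is exercised at top level, so the script runs on any system with sh and awk.

```shell
#!/bin/sh
# Added example (not from the original page): guard around "setfacl -f acl-file target".

# Usage: check_acl_file acl-entry-file    (exit status 0 if the file is acceptable)
check_acl_file() {
    awk -F: -v OFS=: '
        /^[ \t]*#/ || NF == 0 { next }                 # whole-line comment or blank line
        { sub(/[ \t]*(#.*)?[ \t]*$/, "") }             # strip trailing comment and spaces
        NF == 0 { next }
        # expand the single-letter abbreviations d, u, g, m, o
        $1 == "u" { $1 = "user" }
        $1 == "g" { $1 = "group" }
        $1 == "m" { $1 = "mask" }
        $1 == "o" { $1 = "other" }
        $1 == "d" { $1 = "default" }
        $1 == "default" { next }                       # directory defaults: not checked here
        $1 !~ /^(user|group|mask|other)$/ {
            print "bad entry type: " $0 > "/dev/stderr"; bad++; next
        }
        # last field must be rwx-style or a single octal digit; a delete-style
        # entry without permissions is rejected here because -s/-f need them
        $NF !~ /^([r-][w-][x-]|[0-7])$/ {
            print "bad permissions: " $0 > "/dev/stderr"; bad++; next
        }
        $1 == "user"  && $2 == "" { owner++ }
        $1 == "user"  && $2 != "" { named++ }
        $1 == "group" && $2 == "" { group++ }
        $1 == "group" && $2 != "" { named++ }
        $1 == "mask"  { mask++ }
        $1 == "other" { other++ }
        END {
            if (!owner) { print "missing user::perm (owner entry)"  > "/dev/stderr"; bad++ }
            if (!group) { print "missing group::perm (group entry)" > "/dev/stderr"; bad++ }
            if (!other) { print "missing other:perm"                > "/dev/stderr"; bad++ }
            if (named && !mask) {
                print "named user/group entries present but no mask:perm" > "/dev/stderr"; bad++
            }
            exit (bad ? 1 : 0)
        }' "$1"
}

# Usage: set_acl_safely target acl-entry-file
# Refuses bad entry files, saves the current ACL to target.acl.<timestamp>
# (assumed naming), then replaces the ACL with the Solaris "setfacl -f".
set_acl_safely() {
    target=$1
    aclfile=$2
    backup="$target.acl.$(date +%Y%m%d%H%M%S)"
    check_acl_file "$aclfile" || { echo "refusing to apply $aclfile to $target" >&2; return 1; }
    getfacl "$target" > "$backup" || return 1
    setfacl -f "$aclfile" "$target" || return 1
    echo "previous ACL of $target saved in $backup (restore with: setfacl -f $backup $target)"
}

# Stand-alone demonstration on a constructed entry file; setfacl is not run.
tmp=$(mktemp) || exit 1
cat > "$tmp" <<'EOF'
# constructed ACL entry file for secret-file.txt
user::rwx
group::r--
other:---
mask:rw-
u:abc:rw-        # project lead gets write access
EOF
if check_acl_file "$tmp"; then echo "$tmp: ok"; else echo "$tmp: rejected"; fi
rm -f "$tmp"
```

Because the saved file is plain getfacl output, restoring it is the same pipeline the page shows above: setfacl -f with the backup file as its input.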

More detailed information about ACLs can be found by reading the getfacl and setfacl man pages.

jfacl GUI

jfacl screenshot

There is a GUI on the Solaris machines for editing access control lists that you can run with the command:

	jfacl <file or dir name>
	
and you should see a window like the jfacl screenshot shown above.

See the jfacl homepage.