
Access Control Lists (ACLs)

This section gives a brief overview of how to set Access Control Lists (ACLs) to grant others access to files in your home directory. ACLs let you grant individual users access to specific files and directories, so you can share files without opening them to everyone. ACLs are simply an extension of the standard 'rwx' permissions every file and directory already has.

Setting Up ACLs

POSIX ACLs are administered with the getfacl and setfacl commands.

To grant permissions to a user, use: setfacl <option> <ACL> <directory/file>

Where <directory/file> is the directory or file you want to set ACLs for, <option> is generally one of -m (modify) or -x (remove), and <ACL> is the ACL entry you want to set.


Listing ACLs

To list what ACLs are set on a directory or file: getfacl <directory/file>

Where <directory/file> is the directory or file whose ACL you want to see. You can run getfacl on any directory or file you own or have permission to read. You can tell that a directory or file has an ACL set because the output of ls -l shows a + after the normal permission bits, e.g. "-rwxrwx---+"

Example

For this example, a user doej99 wants smithb12 to have access to his programming assignment #2. The files are located in his home directory under ~doej99/321/pgm2/. The following tree shows the layout of doej99's home directory:

                doej99
               /      \
            271        321
             |        /   \
            ...    pgm1   pgm2


To reach anything inside the subdirectories of doej99's home directory, execute (lookup) permission is required on every directory above it. Without execute permission on the parent directories, a user cannot enter them to find any subdirectories, including ones they have been granted permission to access.

In this example, the first thing that needs to be done is to grant smithb12 lookup (execute) permission on the home directory:

setfacl -m user:smithb12:x ~/

To get into the 321 directory, execute permission must also be granted there:

setfacl -m user:smithb12:x ~/321/

Now, smithb12 needs permission to modify/create files in the pgm2 directory. We will also set the default ACL so new files will be created with the proper permissions:

setfacl -m user:smithb12:rwx ~/321/pgm2/

setfacl -m default:user:smithb12:rwx ~/321/pgm2/

After this step, smithb12 can read, write, and execute files in the pgm2 directory.

                doej99                  <-- smithb12 can list files here
               /      \
            271        321              <-- smithb12 can list files here (321)
             |        /   \
            ...    pgm1   pgm2          <-- smithb12 can read and write files here

If getfacl is used on each of these directories:

[doej99@uws00 doej99]$ getfacl ~/
# file: doej99 
# owner: 500 
# group: 500 
user::rwx
user:smithb12:--x
group::---
mask::--x
other::---

[doej99@uws00 doej99]$ getfacl ~/321/
# file: doej99/321
# owner: 500 
# group: 500 
user::rwx
user:smithb12:--x
group::rwx
mask::rwx
other::r-x

[doej99@uws00 doej99]$ getfacl ~/321/pgm2/
# file: doej99/321/pgm2
# owner: 500 
# group: 500 
user::rwx
user:smithb12:rwx
group::rwx
mask::rwx
other::r-x
default:user::rwx
default:user:smithb12:rwx
default:group::rwx
default:mask::rwx
default:other::r-x

Any files created after the default ACL has been set on the parent directory will automatically inherit the parent's default entries. In this example, if doej99 creates a new file in the pgm2 directory, it will automatically grant smithb12 the default ACL permissions - in this case, rwx. See the getfacl and setfacl man pages for more detail.
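The lookup rule and the default-ACL inheritance described above, as an added example that is not part of the original guide: a small Python script that parses getfacl output (the example's listings are embedded as constructed input, trimmed to the entries the script reads) and computes smithb12's effective rights along the path and on a file created later in pgm2. It assumes the acl(5) rules that a named user entry is capped by the mask entry, and that a new object's mask is reduced to the group bits of the mode it is created with.

```python
# Effective POSIX ACL rights from getfacl output; per acl(5), a named user entry is capped by the mask.

# Constructed sample: the example's listings, trimmed to the entries read here.
SAMPLE = """\
# file: doej99
user:smithb12:--x
mask::--x
# file: doej99/321
user:smithb12:--x
mask::rwx
# file: doej99/321/pgm2
user:smithb12:rwx
mask::rwx
default:user:smithb12:rwx
default:mask::rwx
"""

def rwx_and(a, b):
    """AND two 'rwx' strings bit by bit."""
    return "".join(x if x == y and x != "-" else "-" for x, y in zip(a, b))

def parse_getfacl(text):
    """Map each '# file:' block to {entry_key: perms}, e.g. 'user:smithb12': '--x'."""
    acls, current = {}, None
    for line in text.splitlines():
        if line.startswith("# file:"):
            current = line.split(":", 1)[1].strip()
            acls[current] = {}
        elif line and not line.startswith("#") and current is not None:
            key, _, perms = line.rpartition(":")  # 'mask::rwx' -> ('mask:', 'rwx')
            acls[current][key] = perms
    return acls

def effective(acl, user):
    """Named-user rights after applying the mask; None if the user has no entry."""
    entry = acl.get(f"user:{user}")
    return None if entry is None else rwx_and(entry, acl.get("mask:", "rwx"))

def check_path(acls, user, path, want):
    """Every ancestor needs 'x' (lookup); the final component needs all bits in `want`."""
    parts = path.strip("/").split("/")
    comps = ["/".join(parts[:i]) for i in range(1, len(parts) + 1)]
    report = {c: effective(acls.get(c, {}), user) or "---" for c in comps}
    ok = all("x" in report[c] for c in comps[:-1]) and all(b in report[comps[-1]] for b in want)
    return ok, report

def new_file_rights(dir_acl, user, mode):
    """Rights `user` gets on a file created in this directory with create mode `mode`:
    the default entries are inherited, but the mask shrinks to the mode's group bits."""
    entry = dir_acl.get(f"default:user:{user}")
    if entry is None:
        return None
    group_bits = "".join(c if mode & (0o40 >> i) else "-" for i, c in enumerate("rwx"))
    return rwx_and(entry, rwx_and(dir_acl.get("default:mask:", "rwx"), group_bits))
```

Most programs create regular files with mode 0666, so the inherited rwx entry ends up masked to rw- on such files; run getfacl on the new file to confirm the effective rights.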