The traditional owner/group/other permission bits sometimes fall short. POSIX ACLs extend them with per-user and per-group entries, giving more granular control over access to each file.
The requirements for using ACLs on this (Gentoo) system are:
- e2fsprogs >= 1.28 (check the installed version with eix e2fsprogs)
- Kernel support: File systems -> Extended attributes and POSIX Access Control Lists for the filesystem in use (for ext4, CONFIG_EXT4_FS_POSIX_ACL)
- Packages sys-apps/attr (extended attribute tools) and sys-apps/acl, which provides getfacl and setfacl: emerge -av sys-apps/attr sys-apps/acl
- The filesystem mounted with the acl and user_xattr options in /etc/fstab. Recent mke2fs already records acl,user_xattr as default mount options in the superblock (tune2fs -l <device> | grep 'Default mount options' shows them); if setfacl fails with "Operation not supported", the filesystem was mounted without them.
With that in place we can start defining ACLs. The tools for this are:
- getfacl: Query the ACLs of a given file
- setfacl: Modify the ACLs of a given file
Let's take a concrete case where everything is easier to see. Suppose we have a directory where one group of users must have read and execute access and another group must have read, write and execute access, and nobody else should get the write access.
The classic permission system cannot express this: there is only one group field, so the second group would have to be granted through "other", which would grant everyone. To solve it we create ACLs:
mkdir prueba
useradd -s /bin/bash user1
useradd -s /bin/bash user2
useradd -s /bin/bash user3
useradd -s /bin/bash user4
groupadd group_1
groupadd group_2
gpasswd -a user1 group_1
gpasswd -a user2 group_1
gpasswd -a user3 group_2
gpasswd -a user4 group_2
setfacl -m g:group_1:r-x prueba
setfacl -m g:group_2:rwx prueba
Querying the directory with getfacl prueba now shows:
# file: prueba
# owner: root
# group: root
user::rwx
group::r-x
group:group_1:r-x
group:group_2:rwx
mask::rwx
other::r-x
The entries without a qualifier (user::, group:: and other::) are the classic owner, group and other permission bits. The mask:: entry is the upper bound for every named user entry, every named group entry and the owning group entry; setfacl recalculates it whenever entries are modified, and chmod on the group bits changes the mask rather than group::.
Now, if we do an ls -la, we see a + after the mode, indicating that the directory has extended ACLs. Note that the group column shows the mask (rwx), not the owning group's r-x:
drwxrwxr-x+ 2 root root 4096 sep 7 17:22 prueba
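Because the mask and the entry order decide what a process really gets, it helps to model the check the kernel performs. The following is an added example written for this page, not code from the original article or from the acl package: it parses the long-form getfacl listing shown above (embedded as constructed sample input, with a second constructed variant representing the same directory after chmod g-w) and applies the access-check order from acl(5): owner, then a named user entry, then the owning group and named group entries (all limited by the mask), then other. The user and group names are the ones created above; user5, used to stand for an unrelated account, is an assumption.

```python
"""Model of how the kernel evaluates a POSIX ACL, driven by getfacl output.

Added illustration, not part of the original page: it parses the long-form
getfacl listing and applies the access-check order from acl(5):
owner -> named user -> owning group / named groups -> other, with the mask
limiting every entry except user:: and other::.
"""

# Constructed sample: the getfacl listing for prueba after the two setfacl calls.
SAMPLE_ACL = """\
# file: prueba
# owner: root
# group: root
user::rwx
group::r-x
group:group_1:r-x
group:group_2:rwx
mask::rwx
other::r-x
"""

# Constructed variant: the same directory after `chmod g-w prueba`, which rewrites
# the mask (not group::). getfacl then annotates entries the mask cuts down.
SAMPLE_AFTER_CHMOD = SAMPLE_ACL.replace("mask::rwx", "mask::r-x").replace(
    "group:group_2:rwx", "group:group_2:rwx\t\t#effective:r-x")


def parse_getfacl(text):
    """Turn getfacl's long output into a dict of ACL entries."""
    acl = {"owner": None, "group": None, "user_obj": "---", "users": {},
           "group_obj": "---", "groups": {}, "mask": None, "other": "---"}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("default:"):  # default ACLs are out of scope here
            continue
        if line.startswith("#"):  # header comments: file, owner, group, flags
            key, _, value = line[1:].partition(":")
            if key.strip() in ("owner", "group"):
                acl[key.strip()] = value.strip()
            continue
        tag, qualifier, rest = line.split(":", 2)
        perms = rest[:3]  # drops a trailing "#effective:..." annotation
        if tag == "user":
            if qualifier:
                acl["users"][qualifier] = perms
            else:
                acl["user_obj"] = perms
        elif tag == "group":
            if qualifier:
                acl["groups"][qualifier] = perms
            else:
                acl["group_obj"] = perms
        elif tag == "mask":
            acl["mask"] = perms
        elif tag == "other":
            acl["other"] = perms
        else:
            raise ValueError("unknown ACL entry: " + line)
    return acl


def _masked(perms, mask):
    """Apply the mask: a bit survives only if the mask also has it."""
    if mask is None:
        return perms
    return "".join(p if p in mask else "-" for p in perms)


def _grants(perms, requested):
    return all(bit in perms for bit in requested)


def can_access(acl, user, groups, requested):
    """True if `user` (member of `groups`) may do `requested` (subset of "rwx").

    Follows acl(5): the first matching class decides; a named user entry that
    denies is not overridden by a group entry that would grant.
    """
    if user == acl["owner"]:
        return _grants(acl["user_obj"], requested)
    if user in acl["users"]:
        return _grants(_masked(acl["users"][user], acl["mask"]), requested)
    candidates = []
    if acl["group"] in groups:
        candidates.append(_masked(acl["group_obj"], acl["mask"]))
    candidates += [_masked(p, acl["mask"]) for g, p in acl["groups"].items() if g in groups]
    if candidates:  # any single matching group entry granting the whole request suffices
        return any(_grants(c, requested) for c in candidates)
    return _grants(acl["other"], requested)


def effective_perms(acl, user, groups):
    """The rwx string a process would actually get, bit by bit."""
    return "".join(bit if can_access(acl, user, groups, bit) else "-" for bit in "rwx")


def ls_group_column(acl):
    """What ls -l prints in the group column: the mask, if one exists."""
    return acl["mask"] if acl["mask"] is not None else acl["group_obj"]


if __name__ == "__main__":
    for label, text in (("after setfacl", SAMPLE_ACL), ("after chmod g-w", SAMPLE_AFTER_CHMOD)):
        acl = parse_getfacl(text)
        print(f"{label}: ls group column shows {ls_group_column(acl)}")
        for user, groups in (("root", set()), ("user1", {"group_1"}),
                             ("user3", {"group_2"}), ("user5", set())):
            print(f"  {user:6} -> {effective_perms(acl, user, groups)}")
```

Running it shows user3 (group_2) dropping from rwx to r-x after the chmod even though its group:group_2:rwx entry is untouched, which is exactly the situation where a quick glance at getfacl misleads. The model deliberately checks a multi-bit request against each matching group entry separately, as the kernel does, so two groups with r-- and -w- do not add up to rw-.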
To delete a single ACL entry, use -x with the same qualifier (setfacl -b strips every extended entry, mask included, in one go):
setfacl -x g:group_2 prueba
The listing below was taken on a directory whose base permissions were 700 and whose only named entry was group_2. In the example above, group:group_1:r-x would remain and the mask would be recalculated to r-x. Note that -x does not drop the mask entry itself, so ls keeps showing the +:
# file: prueba
# owner: root
# group: root
user::rwx
group::---
mask::---
other::---
Extended ACLs for individual users are applied the same way, replacing the g: qualifier with u: (for example u:user1:r-x). On the same 700 directory, getfacl prueba then shows a named user entry and a mask recalculated from it:
# file: prueba
# owner: root
# group: root
user::rwx
user:user1:r-x
group::---
mask::r-x
other::---