
Further control of Linux files with ACL December 31, 2010

Posted by Tournas Dimitrios in Linux.

If you have read my article “chmod Tutorial for Linux newbies”, you know that it’s possible, out of the box, to control who can access a file and what they can do with it. This helps to make Linux a fairly secure system. But did you know you can take even further control of that system with the help of Access Control Lists? Access Control Lists allow you to provide different levels of access to files and folders. Say, for instance, user user1 creates a file but doesn’t want anyone to be able to do anything with it except himself and another user, user2 (even though there are other users that belong to the group user1). ACL can handle this task.

In this article you will learn how to install and use ACL to further enhance your file permissions on a Linux system.

Installation :

This command-line utility is installed by default on CentOS 5.x, but in case it is not, just run:

sudo yum install acl

Type your user password and hit the Enter key; the installation will begin and end fairly quickly. You are now ready to start with ACL.

Using ACL :

Before you use the commands for ACL you actually have to mount your partition such that ACL is available. By default this is not the case. In order to set this you have to edit your /etc/fstab file. Open that file up and look for the line that mounts your data partition. In my case, this line is:

UUID=c7812a34-3ec1-4451-aace-02d122b6c454 / ext4 errors=remount-ro 0 1

You need to edit this line to look something like:

UUID=c7812a34-3ec1-4451-aace-02d122b6c454 / ext4 errors=remount-ro,acl 0 1

After you make this edit, save the file and then either issue the command:

sudo mount -o remount,acl /

or reboot your machine.

We invoked the sudo command just to elevate our permissions. I suppose you are not running continuously as root, or do you?

There are two commands you will use for ACL:

* setfacl – Set file access control list.
* getfacl – Get file access control list.

You can probably guess that the first command sets the ACL and the second lists the ACL for the file.

Using ACL :

So let’s say you have the file test and you want only two users on your system to be able to read that file, user1 and user2. You want to exclude all users in the group user1 as well. What you want to do is use the setfacl command like so (as the user user1):

setfacl -m u:user2:rw- test

Now when you run the command:

getfacl test

you will see something like:

# file: test
# owner: user1
# group: user1

As you can see both users user1 and user2 can read and write to the file test, whereas all others can only read the file.

You can verify that a file has had ACL modifications done to it by using the ls command like so:

ls -l test

which should produce results like:

-rw-rw-r--+ user1  user1

What gives this away is the “+” character.
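The goal stated above was that only user1 and user2 can read test, while the result described still lets all others read it. The following is an added example, not part of the original article: it parses getfacl output, applies the mask, and lists every entry besides the owner and the allowed users that keeps effective read access. The sample ACL text is constructed (its group:: line is an assumption) and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample: getfacl-style output matching the article's description
# (user1 and user2 read/write, everyone else read-only). The group:: line is
# an assumption.
sample_acl() {
    cat <<'EOF'
# file: test
# owner: user1
# group: user1
user::rw-
user:user2:rw-
group::r--
mask::rw-
other::r--
EOF
}

# Hypothetical helper: read getfacl output on stdin, print "tag:name" for each
# access entry with effective read permission. Named users, the owning group
# and named groups are limited by mask::; the owner and other:: are not.
effective_readers() {
    awk -F: '
        /^#/ || /^default:/ || NF < 3 { next }   # headers, default ACLs, blanks
        { sub(/[ \t]*#.*/, "", $3)               # drop "#effective:" notes
          tag[++n] = $1; who[n] = $2; perm[n] = $3
          if ($1 == "mask") mask = $3 }
        END {
            for (i = 1; i <= n; i++) {
                if (tag[i] == "mask") continue
                r = (substr(perm[i], 1, 1) == "r")
                masked = !(tag[i] == "other" || (tag[i] == "user" && who[i] == ""))
                if (masked && mask != "" && substr(mask, 1, 1) != "r") r = 0
                if (r) print tag[i] ":" who[i]
            }
        }'
}

# Hypothetical helper: list readers other than the owner and the user names
# passed as arguments. Empty output means the ACL meets the goal.
unexpected_readers() {
    allowed=" $* "
    effective_readers | while IFS=: read -r tag who; do
        if [ "$tag" = user ] && [ -z "$who" ]; then continue; fi
        if [ "$tag" = user ]; then
            case "$allowed" in *" $who "*) continue ;; esac
        fi
        echo "$tag:$who"
    done
}

sample_acl | unexpected_readers user2
```

On a live system the same check is `getfacl test | unexpected_readers user2`; after `setfacl -m g::---,o::--- test` it should print nothing.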

