Administration Guide Draft/ACLs

What Are ACLs And Their Purpose
Access control lists (ACLs) are a kernel-level feature of Fedora's default ext3 file system. ACLs provide an important level of flexibility for managing file permissions, that is, who or what has the rights to read, write, or execute a file.

Traditional Linux/UNIX file permissions (read, write, execute) are defined for three classes of users: the file owner, the file group, and others. This means that when a group is granted access to a particular shared resource (document, directory, printer, etc.), the same level of access is granted to all members of a group.

In practice, it is often required that some of the group members have limited or no access to the shared resource, or that the access is granted to other users who are not members of the particular group. In a non-ACL file permissions scheme this requires creation of numerous new groups, which quickly becomes difficult to manage, especially on large systems.

Fedora provides ACL support for ext3, NFS-exported ext3, and ext3 file systems accessed via Samba (which provides CIFS/Microsoft Windows file sharing.)

The most common file manipulation utilities, such as,  , and   also support ACLs. To preserve ACLs when archiving files, the  utility should be used instead of , which does not support ACLs.

There are two types of ACLs:


 * Access ACL - ACL that controls the level of access to the object (file or directory)
 * Default ACL - ACL associated with a directory. If set, all objects within a directory inherit the default ACL as their initial access ACL

Each ACL is composed of a set of ACL entries. Each ACL entry specifies access permissions to the object as a combination of read, write, and execute permissions for an individual user or a group.

Using Access Control Lists
There are a few prerequisites to using ACLs:
 * File system must support ACLs
 * File system must be mounted with  option
 * RPM package  must be installed

Enabling ACLs on a file system
On a default Fedora installation, file systems are mounted without ACL support. To enable ACLs for a local file system, edit the  file and add the   option for the desired partition. The entry might look similar to:

LABEL=/data  /data   ext3   rw,acl   1 2

This entry ensures that ACL support is preserved after reboot but reboot is not required to enable ACLs. To accomplish this on an already mounted  partition run:

su -c '/bin/mount -o remount /data'

Additional parameters are not required when mounting ACL enabled remote Samba shares. If the client accessing an NFS share can read ACLs and the NFS share is exported from an ACL enabled file system, ACLs are utilized by the client.

Setting ACLs and retrieving ACL information
ACLs are controlled by two utilities:


 * is used to retrieve ACL information
 * is used to set or modify ACL entry

To view ACL information on an object (directory ) in the   directory, run:

getfacl /data/docs

The output shows ACL information associated with the  directory:

getfacl: Removing leading '/' from absolute path names user::rwx group::r-x other::r-x

Since ACLs are not yet set, this information corresponds to common permissions on the  directory:

ls -dl /data/docs drwxr-xr-x 5 jerry black 4096 Nov 1 19:57 /data/docs

To set an ACL for an object, run :

setfacl -m

The command option  is used to create or modify an ACL entry. For an object without previously set ACLs, a new ACL entry is created. If an object already has an ACL entry, option  modifies the existing ACL entry by appending the new ACL entry to the object's ACL.

The  is a file or a directory on which an ACL is created

The  are specified per user, per group, using an effective rights mask or for users who are not members of the user group for an object, using one of the following:









The effective rights mask is a sum of all permissions of the object group owner and all ACLs set on the object. It represents the actual rights granted to all ACL users and groups on the object and limits their access to the level it specifies. If a user has read and write permission through an ACL but the mask is set to read, the more restrictive permission (read) is in effect. The effective mask does not apply to file owner or file group.

Numerical UID or GID can be specified for a non-existing user or group, respectively. If the actual user or group name is specified, they must exist on the system, otherwise the  command exits with an error.

To specify multiple ACLs on the same line, separate them by commas. Blank spaces are ignored:

setfacl -m u: :rw,g: :rx, u: :r /dir/file

To remove an ACL entry for user, use the  command option and do not specify any permissions:

setfacl -x u: /dir/file

To set the default ACL, prefix the rule with a :

setfacl -m d:g: :rx /dir

ACL examples
To grant the user carlos read, write, and execute rights on all files in the  directory, run:

setfacl -R -m u:carlos:rw /data/docs

(i) Use the  command option to recursively set ACL on all files in   directory.

To check permissions for the  directory, run:

ls -dl /data/docs drwxrwxr-x+ 5 jerry black 4096 Nov 1 19:57 /data/docs

To check modified ACL information for the  directory, run:

getfacl /data/docs getfacl: Removing leading '/' from absolute path names user::rwx user:carlos:rwx group::r-x mask::rwx other::r-x

Both of the above commands now produce a different output than previously.

The plus sign next to permission bits after the  command shows that the ACL is now set on the object. Likewise, the  output has two additional entries:


 * indicates the additional user with the access rights on the object
 * denotes the effective rights on the object

The  command also accepts input from text files. This is useful if identical long rules must be set for large number of objects. To accomplish this, create a plain text file ( in the next example) with a rule per line and use the   command option to set ACL on all html files in a directory  :

setfacl -M rules.txt /dir/*.html

The format of the  file is the same as an output of the   command with the   option:

getfacl --omit-header /data/etc/conf/script1.cfg

user::rw- user:jerry:rw- group::r-- group:black:r-x mask::rwx other::r--

This is very useful if the same ACL must be applied to some other files. You can create the  file by simply redirecting the output of the   command:

getfacl --omit-header /data/etc/conf/script1.cfg > rules.txt

cat rules.txt user::rw- user:jerry:rw- roup::r-- group:black:r-x mask::rwx other::r--

Copying And Archiving ACLs
Common file utilities  and   on Fedora support ACLs. Archiving tools such as  and   do not have support for ACLs and the   utility should be used to preserve ACLs while archiving files.

Copying And Moving ACLs
To copy the file or directory while preserving ACLs, use the  or   command option:

cp -p /dir1/file1 /dirx/file2

cp -a /dir1/dir2 /dirx/dir3

The  command always transfers ACLs, without any extra command options, if the destination file system is ACL enabled. If not, it transfers the files and issues a warning about the inability to preserve ACLs.

Archiving ACLs
To archive the files or directories while preserving ACLs, use the  command with the   option:

star -c -acl file=archive.star /data

This creates the backup.star archive of  directory with preserved ACLs.

To restore the star archive and ACLs, run  with the   command option:

star -x -acl file=backup.star

This extracts the  archive into current directory with preserved ACLs. The target filesystem being extracted to must support ACLs for this to work.

Related web sites
ACLs web site:

Related manuals
For more information on ACLs and associated utilities, read the following manual pages: