From Fedora Project Wiki

Revision as of 17:47, 4 March 2009 by Laubersm (talk | contribs) (Docs/Drafts/AdministrationGuide/AccessControlLists moved to Archive:Docs/Drafts/AdministrationGuide/AccessControlLists: This page references a newer draft version. Archiving old page tree then I'll go back and redirect to the new.)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Section is ready for conversion to XML

Access Control Lists

What Are ACLs And Their Purpose

Access control lists (ACLs) are a kernel-level feature of Fedora's default ext3 file system. ACLs provide an important level of flexibility for managing file permissions, that is, who or what has the rights to read, write, or execute a file.

Traditional Linux/UNIX file permissions (read, write, execute) are defined for three classes of users: the file owner, the file group, and others. This means that when a group is granted access to a particular shared resource (document, directory, printer, etc.), the same level of access is granted to all members of a group.

In practice, it is often required that some of the group members have limited or no access to the shared resource, or that the access is granted to other users who are not members of the particular group. In a non-ACL file permissions scheme this requires creation of numerous new groups, which quickly becomes difficult to manage, especially on large systems.

Fedora provides ACL support for ext3, NFS-exported ext3, and ext3 file systems accessed via Samba (which provides CIFS/Microsoft Windows file sharing.)

The most common file manipulation utilities, such as mv, cp, and ls also support ACLs. To preserve ACLs when archiving files, the star utility should be used instead of tar, which does not support ACLs.

There are two types of ACLs:

  • Access ACL - ACL that controls the level of access to the object (file or directory)
  • Default ACL - ACL associated with a directory. If set, all objects within a directory inherit the default ACL as their initial access ACL

Each ACL is composed of a set of ACL entries. Each ACL entry specifies access permissions to the object as a combination of read, write, and execute permissions for an individual user or a group.

Using Access Control Lists

There are a few prerequisites to using ACLs:

  • File system must support ACLs
  • File system must be mounted with acl option
  • RPM package acl must be installed

Enabling ACLs on a file system

On a default Fedora installation, file systems are mounted without ACL support. To enable ACLs for a local file system, edit the /etc/fstab file and add the acl option for the desired partition. The entry might look similar to:

LABEL=/data   /data   ext3   rw,acl   1 2

This entry ensures that ACL support is preserved after reboot but reboot is not required to enable ACLs. To accomplish this on an already mounted /data partition run:

su -c '/bin/mount -o remount /data'

Additional parameters are not required when mounting ACL enabled remote Samba shares. If the client accessing an NFS share can read ACLs and the NFS share is exported from an ACL enabled file system, ACLs are utilized by the client.

Setting ACLs and retrieving ACL information

ACLs are controlled by two utilities:

  • getfacl is used to retrieve ACL information
  • setfacl is used to set or modify ACL entry

To view ACL information on an object (directory docs) in the /data directory, run:

getfacl /data/docs

The output shows ACL information associated with the docs directory:

getfacl: Removing leading '/' from absolute path names

Since ACLs are not yet set, this information corresponds to common permissions on the /data/docs directory:

ls -dl /data/docs
drwxr-xr-x 5 jerry black 4096 Nov  1 19:57 /data/docs

To set an ACL for an object, run setfacl:

setfacl -m <rules> <object>

The command option -m is used to create or modify an ACL entry. For an object without previously set ACLs, a new ACL entry is created. If an object already has an ACL entry, option -m modifies the existing ACL entry by appending the new ACL entry to the object's ACL.

If using the --set option, all user, group, and others permissions must be defined.
The command option --set is used to create a new ACL or replace all existing ACLs on the object, so it needs a complete definition for the setting.

The <object> is a file or a directory on which an ACL is created

The <rules> are specified per user, per group, using an effective rights mask or for users who are not members of the user group for an object, using one of the following:

u:<uid>:<permissions>: sets the ACL for user; <uid> can be user name or numerical UID; <permissions> are any combination of rwx

g:<gid>:<permissions>: sets the ACL for group; <gid> can be group name or numerical GID; <permissions> are any combination of rwx

m:<permissions>: sets the effective rights mask on the object; <permissions> are any combination of rwx

o:<permissions>: sets the ACL for users who are not members of the object group; <permissions> are any combination of rwx

The effective rights mask is a sum of all permissions of the object group owner and all ACLs set on the object. It represents the actual rights granted to all ACL users and groups on the object and limits their access to the level it specifies. If a user has read and write permission through an ACL but the mask is set to read, the more restrictive permission (read) is in effect. The effective mask does not apply to file owner or file group.

Numerical UID or GID can be specified for a non-existing user or group, respectively. If the actual user or group name is specified, they must exist on the system, otherwise the setfacl command exits with an error.

To specify multiple ACLs on the same line, separate them by commas. Blank spaces are ignored:

setfacl -m u:<uid>:rw,g:<gid>:rx, u:<uid>:r /dir/file

To remove an ACL entry for user, use the -x command option and do not specify any permissions:

setfacl -x u:<uid> /dir/file

To set the default ACL, prefix the rule with a d:

setfacl -m d:g:<gid>:rx /dir

ACL examples

To grant the user carlos read, write, and execute rights on all files in the /data/docs directory, run:

setfacl -R -m u:carlos:rw /data/docs

(i) Use the -R command option to recursively set ACL on all files in /data/docs directory.

To check permissions for the /data/docs directory, run:

ls -dl /data/docs
drwxrwxr-x+ 5 jerry black 4096 Nov  1 19:57 /data/docs

To check modified ACL information for the /data/docs directory, run:

getfacl /data/docs
getfacl: Removing leading '/' from absolute path names

Both of the above commands now produce a different output than previously.

The plus sign next to permission bits after the ls command shows that the ACL is now set on the object. Likewise, the getfacl output has two additional entries:

  • user:carlos:rwx indicates the additional user with the access rights on the object
  • mask::rwx denotes the effective rights on the object

The setfacl command also accepts input from text files. This is useful if identical long rules must be set for large number of objects. To accomplish this, create a plain text file (rules.txt in the next example) with a rule per line and use the -M command option to set ACL on all html files in a directory /dir:

setfacl -M rules.txt /dir/*.html

The format of the rules.txt file is the same as an output of the getfacl command with the --omit-header option:

getfacl --omit-header /data/etc/conf/script1.cfg


This is very useful if the same ACL must be applied to some other files. You can create the rules.txt file by simply redirecting the output of the getfacl command:

getfacl --omit-header /data/etc/conf/script1.cfg > rules.txt

cat rules.txt

Copying And Archiving ACLs

Common file utilities mv and cp on Fedora support ACLs. Archiving tools such as tar and dump do not have support for ACLs and the star utility should be used to preserve ACLs while archiving files.

Copying And Moving ACLs

To copy the file or directory while preserving ACLs, use the -p or -a command option:

cp -p /dir1/file1 /dirx/file2
The /dirx directory must reside on a partition mounted with the acl option to copy the ACL of file1 to file2.
cp -a /dir1/dir2 /dirx/dir3
The /dirx directory must reside on a partition mounted with the acl option to copy the ACLs of dir2 to dir3.

The mv command always transfers ACLs, without any extra command options, if the destination file system is ACL enabled. If not, it transfers the files and issues a warning about the inability to preserve ACLs.

Archiving ACLs

To archive the files or directories while preserving ACLs, use the star command with the -acl option:

star -c -acl /data

This creates the archive of /data directory with preserved ACLs.

To restore the star archive and ACLs, run star with the -acl command option:

star -x -acl

This extracts the archive into current directory with preserved ACLs. The target filesystem being extracted to must support ACLs for this to work.

Additional Information

Related web sites

ACLs web site: [1]

Related manuals

For more information on ACLs and associated utilities, read the following manual pages:

  • man acl
  • man getfacl
  • man setfacl
  • man star