How to create and use file access control lists in Linux
Simplify your life by using ACLs to assign specific permissions for users or groups.
In Linux, permissions are an important mechanism to govern who has access to files. If a file doesn't grant permission to a user or a group, that user and group cannot access that file. There are three types of permissions: read (r), write (w), and execute (x). They are distributed across user, group, and "other" identities.
[ For more insight, see Linux file permissions explained. ]
You can view the permissions assigned to a file using the
ls command and the
$ ls -l sample drwxrwxr-x. 2 user1 group1 6 Nov 11 20:16 sample
What is an ACL?
An access control list (ACL) lets you assign permissions for each unique user or group. Suppose you have user1, user2, and user3 on a system.
Users user2 and user3 are part of a demo group. You must assign this permission scheme to the
- user1: read and write permission
- user2: read permission
You can use the
getfacl command utilities to assign and verify the ACL of a file or directory. To set an ACL, use the
setfacl command with the
-m for short) option:
$ setfacl --modify user1:rw sample $ setfactl –modify user2:r sample
To verify an ACL, use
$ getfacl sample # file: sample # owner: tux # group: tux user::rwx user:user2:r-- user:user1:rw- group::rwx mask::rwx other::r-x
[ Download now: A sysadmin's guide to Bash scripting. ]
Try an exercise
Suppose you have users called user1, user2, and user3, and the groups demo1 and demo2.
The demo1 group contains user1 and user2, and demo2 contains user2 and user3.
You need to set these permissions for a shared directory:
- user1: read and write
- user2: read
- user3: read and write and execute
- demo1: read and write
- demo2: read and write and execute
- other: read
To create this ACL, use
$ setfacl -m u:user1:rw \ -m u:user2:r \ -m u:user3:rwx \ -m g:demo1:rw \ -m g:demo2:rwx \ -m o:r sample
[ Learn how to manage your Linux environment for success. ]
Check your work
View the ACLs using the
$ getfacl sample # file: sample # owner: tux # group: tux user::rwx user:user1:rw- user:user2:r-- user:user3:rwx group::r-x group:demo1:rw- group:demo2:rwx mask::rwx other::r--
All user and group permissions are listed and set correctly.
Delete an ACL
-x option to delete an ACL:
$ setfacl -x u:user1 sample
An ACL is useful for setting highly specific permissions on files. Using ACLs makes any system administrator's life easier, so don't restrict yourself to traditional permissions.
How you can get the most out of your study time as you approach the Red Hat Certified System Administrator (RHCSA) and Red Hat Certified Engineer (RHCE) exams.
Use the chage command to force users to change their passwords to comply with your password-aging policies.
Understanding Linux file permissions (how to find them, read them, and change them) is an important part of maintaining and securing your systems.