Skip to main content

How to create and use file access control lists in Linux

Simplify your life by using ACLs to assign specific permissions for users or groups.
Image
6 doors for access control

Image by Arek Socha from Pixabay

In Linux, permissions are an important mechanism to govern who has access to files. If a file doesn't grant permission to a user or a group, that user and group cannot access that file. There are three types of permissions: read (r), write (w), and execute (x). They are distributed across user, group, and "other" identities.

[ For more insight, see Linux file permissions explained. ]

You can view the permissions assigned to a file using the ls command and the -l option:

$ ls -l sample
drwxrwxr-x.  2    user1    group1         6 Nov 11 20:16 sample

What is an ACL?

An access control list (ACL) lets you assign permissions for each unique user or group. Suppose you have user1, user2, and user3 on a system.

Users user2 and user3 are part of a demo group. You must assign this permission scheme to the sample directory:

  • user1: read and write permission
  • user2: read permission

You can use the setfacl and getfacl command utilities to assign and verify the ACL of a file or directory. To set an ACL, use the setfacl command with the --modify (-m for short) option:

$ setfacl --modify user1:rw sample
$ setfactl –modify user2:r sample

To verify an ACL, use getfacl:

$ getfacl sample
# file: sample
# owner: tux
# group: tux
user::rwx
user:user2:r--
user:user1:rw-
group::rwx
mask::rwx
other::r-x

Looks good!

[ Download now: A sysadmin's guide to Bash scripting. ]

Try an exercise

Suppose you have users called user1, user2, and user3, and the groups demo1 and demo2.

The demo1 group contains user1 and user2, and demo2 contains user2 and user3.

You need to set these permissions for a shared directory:

  • user1: read and write
  • user2: read
  • user3: read and write and execute
  • demo1: read and write
  • demo2: read and write and execute
  • other: read

To create this ACL, use setfacl:

$ setfacl -m u:user1:rw \
-m u:user2:r \
-m u:user3:rwx \
-m g:demo1:rw \
-m g:demo2:rwx \
-m o:r sample

[ Learn how to manage your Linux environment for success. ]

Check your work

View the ACLs using the getfacl command:

$ getfacl sample
# file: sample
# owner: tux
# group: tux
user::rwx
user:user1:rw-
user:user2:r--
user:user3:rwx
group::r-x
group:demo1:rw-
group:demo2:rwx
mask::rwx
other::r--

All user and group permissions are listed and set correctly.

Delete an ACL

Use the -x option to delete an ACL:

$ setfacl -x u:user1 sample

Better permissions

An ACL is useful for setting highly specific permissions on files. Using ACLs makes any system administrator's life easier, so don't restrict yourself to traditional permissions.

Check out these related articles on Enable Sysadmin

Topics:   Certification   Linux administration   Security  
Author’s photo

Shiwani Biradar

Shiwani Biradar is an Associate Technical support Engineer in Red Hat. She loves contributing to open source projects and communities. Shiwani never stops exploring new technologies. If you don't find her exploring technologies then you will find her exploring food. More about me

Red Hat Summit 2022: On Demand

Get the latest on Ansible, Red Hat Enterprise Linux, OpenShift, and more from our virtual event on demand.

Related Content

OUR BEST CONTENT, DELIVERED TO YOUR INBOX

Privacy Statement