Filesystem/Access Control List Guide
Access Control List (ACL or POSIX ACL) is an additional security control feature for multiuser systems. POSIX ACL facilitates a more fine-grained control over filesystem permissions than the basic POSIX RWX bits do.
Installation
Kernel
Enable POSIX Access Control Lists (CONFIG_*_POSIX_ACL) for each filesystem that is intended to leverage ACLs.
File systems --->
<*> Second extended fs support
[*] Ext2 extended attributes
[*] Ext2 POSIX Access Control Lists
<*> The Extended 3 (ext3) filesystem
[*] Ext3 POSIX Access Control Lists
<*> The Extended 4 (ext4) filesystem
[*] Ext4 POSIX Access Control Lists
<*> JFS filesystem support
[*] JFS POSIX Access Control Lists
<*> XFS filesystem support
[*] XFS POSIX ACL support
<*> Btrfs filesystem support
[*] Btrfs POSIX Access Control Lists
<*> F2FS filesystem support
[*] F2FS extended attributes
[*] F2FS Access Control Lists
USE flags
USE flags for sys-apps/acl (Access control list utilities, libraries, and headers):
nls: Add Native Language Support (using gettext - GNU locale utilities)
static-libs: Build static versions of dynamic libraries as well
Emerge
Utilities for manipulating ACLs are available in sys-apps/acl :
root # emerge --ask sys-apps/acl
Additional software
The sys-apps/apply-default-acl package provides a utility improving ACL user experience.
Configuration
Some filesystems, such as ext4, XFS, or Btrfs, enable ACLs by default when mounted. Other filesystems may require extra mount options to enable POSIX ACLs.
For example, ext4 provides the acl mount option [1]. It can be used in /etc/fstab as:
/etc/fstab
/dev/sda1 / ext4 noatime,user_xattr,acl 0 1
Usage
The sys-apps/acl package provides the setfacl, getfacl, and chacl utilities.
Get/read ACL
The getfacl utility is used to read ACLs assigned on files and directories.
For example, to get the ACLs on testfile:
user $ getfacl testfile
# file: testfile
# owner: larry
# group: larry
user::rw-
user:notlarry:r-x
group::r--
mask::r-x
other::r--
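An added example (not code from the wiki page or the acl project): a Python parser for getfacl output that applies the mask entry to show each entry's effective permissions. It takes the testfile output above as constructed input; the handling of default: entries and of trailing #effective: annotations is assumed from the getfacl output format and is not shown on this page.

```python
# Constructed input: the getfacl output for testfile shown above.
SAMPLE = """\
# file: testfile
# owner: larry
# group: larry
user::rw-
user:notlarry:r-x
group::r--
mask::r-x
other::r--
"""
PERM_BITS = {"r": 4, "w": 2, "x": 1}


def perms_to_bits(perms):
    return sum(PERM_BITS[c] for c in perms if c in PERM_BITS)  # 'r-x' -> 5


def bits_to_perms(bits):
    return "".join(c if bits & b else "-" for c, b in PERM_BITS.items())  # 5 -> 'r-x'


def parse_getfacl(text):
    """(tag, qualifier, perms) triples; '#' headers and trailing '#effective:' notes
    are dropped; a 'default:' prefix (assumed format, not in the sample) joins the tag."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()[0].split(":")
        if fields[0] == "default":
            fields = ["default:" + fields[1]] + fields[2:]
        entries.append(tuple(fields[:3]))
    return entries


def effective_perms(entries):
    """The mask limits named users, named groups and the owning group (group::);
    the owner (user::) and other:: are never masked. Default entries stay as written."""
    mask = next((perms_to_bits(p) for t, _, p in entries if t == "mask"), None)
    result = {}
    for tag, qualifier, perms in entries:
        if tag == "mask":
            continue
        bits = perms_to_bits(perms)
        masked = tag == "group" or (tag == "user" and qualifier != "")
        if masked and mask is not None:
            bits &= mask
        result[f"{tag}:{qualifier}"] = bits_to_perms(bits)
    return result
```

The entries whose computed value differs from what they list are exactly the ones getfacl itself flags with an #effective: comment, which is why auditing named-user entries without looking at the mask is misleading.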
Set/modify ACL
The setfacl utility is used to set ACLs on files and directories.
Examples
To give larry read, write and execute permissions on testfile:
user $ setfacl -m u:larry:rwx testfile
To add write permission for larry on testfile, leaving the other bits of the entry unchanged:
user $ setfacl -m u:larry:+w testfile
To set a default ACL entry so that files created in testdir give larry read and write permissions:
user $ setfacl -m d:u:larry:rw testdir/
To give groupname read, write and execute permissions on testfile:
user $ setfacl -m g:groupname:rwx testfile
To recursively add execute permission for groupname on testdir and its contents:
user $ setfacl -R -m g:groupname:+x testdir/
To set a default ACL entry so that files created in testdir give groupname read and write permissions:
user $ setfacl -m d:g:groupname:rw testdir/
To remove all ACL entries from testfile:
user $ setfacl -b testfile
To remove the default ACL from testdir:
user $ setfacl -k testdir/
ACL mask
Todo
Troubleshooting
Which files/directories leverage ACLs?
The ls command used with the -l option displays a + sign after the mode bits if the listed file uses ACLs. Notice the + sign on both apache2 and named.
user $ ls -l /var/www/
total 54632
drwxr-xr-x+ 2 apache apache 135 Dec 11 17:48 apache2
-rw-r----- 1 root root 25085 Jan 4 14:26 dmesg
-rw-rw---- 1 portage portage 22088 Jan 4 01:06 emerge-fetch.log
-rw-rw---- 1 portage portage 1498948 Jan 4 04:06 emerge.log
-rw------- 1 root root 32480 Dec 30 21:30 faillog
-rw-r--r-- 1 root root 628240 Nov 6 01:47 genkernel.log
-rw-r--r-- 1 root root 296380 Jan 4 18:43 lastlog
-rw------- 1 root root 47973000 Jan 4 19:40 messages
drwxr-xr-x 2 mysql mysql 82 Dec 11 22:04 mysql
drwxrwx---+ 2 named named 4096 Jan 3 18:09 named
drwxr-xr-x 2 root root 18 May 14 2010 news
drwxr-xr-x 3 root root 167936 Jan 4 04:24 portage
-rw-r--r-- 1 root root 88301 Jan 4 14:26 rc.log
drwxr-xr-x 3 root root 4096 Jan 2 02:55 samba
drwxrwx--- 2 root portage 37 Dec 11 15:21 sandbox
-rw------- 1 root root 64960 Jan 2 02:59 tallylog
-rw------- 1 root root 560 Nov 11 02:35 vsftpd.log
drwxr-xr-x 2 root root 63 Sep 12 2010 webmin
-rw-rw-r-- 1 root utmp 1178112 Jan 4 18:43 wtmp