
ACL Command Example in Linux/UNIX

Access Control Lists (ACLs) allow more fine-grained access rights for files and directories than the regular ugo/rwx permissions. In Linux every file has an owner, a group and a set of permissions. Suppose multiple users who belong to different groups need access to the same file. File access control lists (FACLs), or simply ACLs, are a list of additional users and groups and their permissions on the file.

The standard ugo/rwx permissions do not allow setting different permissions for individual users or groups. With ACLs this is relatively easy to do.

In this article I will show you how to set ACLs on a Linux/UNIX system.

Check The File System Support ACLs

First of all, make sure that your file systems currently support ACLs, i.e. that they are mounted with the acl option. For ext2/3/4 file systems the tune2fs command shows the default mount options stored in the superblock. Use the command below to check whether the file system supports ACLs.

# tune2fs -l /dev/sda1 | grep "Default mount options:"
Default mount options: user_xattr acl

If the above command shows that your file system does not support ACLs, in most cases this is due to the noacl option being present in /etc/fstab.

In this case, remove the noacl option, unmount the file system and mount it again. You can also reboot your system to apply the changes to /etc/fstab.

Recent distributions include the acl mount option by default (since kernel 2.6), so it is not mandatory to redefine it in /etc/fstab (or similar). A non-exhaustive list of file systems concerned: ext3, ext4, tmpfs, xfs and zfs.

If you have an older setup you may have to recompile the kernel and/or add acl in /etc/fstab.

fstab example:

/dev/root  /  ext4  acl,errors=remount-ro 0  1

To see which of the currently mounted file systems carry the acl option, use the command below.

# mount | grep -i acl

To complete this tutorial I am going to create a group named "web" and users named "neo" and "paul".

# groupadd web
# useradd neo
# useradd paul

Add the users to the web group.

# usermod -a -G web neo
# usermod -a -G web paul

Now, for testing purposes, create a file in the /tmp directory, give it to the web group and allow the owner and the group full access.

# touch /tmp/test.txt
# chgrp web /tmp/test.txt
# chmod 770 /tmp/test.txt

After the commands above, neo or paul can write to the /tmp/test.txt file because they are members of the web group. For example:

# su - neo
$ echo " Neo is a hero of Matrix movie" > /tmp/test.txt
$ exit
# su - paul
$ echo "Paul is player of Taken3 game" > /tmp/test.txt
$ exit

Set ACLs in Linux

There are two types of ACLs:
1. Access ACLs, which are applied to a file or directory, and
2. Default (optional) ACLs, which can only be applied to a directory.

If files inside a directory where a default ACL has been set do not have an ACL of their own, they inherit the default ACL of their parent directory.

Now create a new user named sagar and give him read and write access to the /tmp/test.txt file. First check the current ACL settings using the command below.

# getfacl /tmp/test.txt

# file: /tmp/test.txt
# owner: root
# group: web
user::rwx
group::rwx
other::---

Next, change the ACL on the file: use u: followed by the username and :rw to indicate read/write permissions:

# setfacl -m u:sagar:rw /tmp/test.txt

Now run the getfacl command again to compare the result.

# getfacl /tmp/test.txt

# file: /tmp/test.txt
# owner: root
# group: web
user::rwx
user:sagar:rw-
group::rwx
other::---

As you can now see, user sagar is able to write to the file.

# su - sagar
$ echo "My name is sagar" >> /tmp/test.txt

Let's set a default ACL on a directory using the d: prefix with the setfacl command.

# mkdir /tmp/test
# touch /tmp/test/test.txt
# getfacl /tmp/test
# file: tmp/test
# owner: root
# group: web
user::rwx
group::rwx
other::---
# setfacl -m d:o:r /tmp/test
# getfacl /tmp/test

# file: tmp/test
# owner: root
# group: web
user::rwx
group::rwx
other::---
default:user::rwx
default:group::rwx
default:other::r--

The ACL above will allow users not in the owning group to have read access to future contents of the /tmp/test directory. Note the difference in the output of getfacl /tmp/test before and after setting the default ACL: the access ACL of the directory itself is unchanged, and because the directory had no default ACL yet, setfacl copied the owner and group entries into the default ACL alongside the d:o:r entry you asked for. A default ACL only affects objects created afterwards; /tmp/test/test.txt, created before it was set, keeps its existing permissions.
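The two things the listings above leave implicit are how the kernel actually decides access once named entries exist (the mask:: entry, which setfacl adds as soon as you name a user, caps every entry except the owner and other, and a later chmod on the group bits rewrites that mask), and exactly which permissions a new file inherits from a default ACL. The following is an added example, not code from the article; it is written in Python rather than shell so it runs without root or an ACL-enabled file system. It parses getfacl-style listings (the ACLs below are constructed to match the article's /tmp/test.txt and /tmp/test, plus one listing showing the effect of chmod g-w), applies the access-check algorithm from acl(5), and computes the access ACL a new object inherits from the directory's default ACL.

```python
"""Offline model of POSIX ACL evaluation driven by getfacl-style listings.
Added example (not the article's code): parses getfacl output, applies the
acl(5) access check and derives the access ACL inherited from a default ACL."""
# Constructed: /tmp/test.txt after "setfacl -m u:sagar:rw", including the
# mask:: entry setfacl adds as soon as a named user entry exists.
FILE_ACL = """\
# owner: root
# group: web
user::rwx
user:sagar:rw-
group::rwx
mask::rwx
other::---
"""
# Constructed: the same file after "chmod g-w". chmod rewrites the mask,
# so sagar's rw- entry is silently cut down to an effective r--.
CHMODDED_ACL = """\
# owner: root
# group: web
user::rwx
user:sagar:rw-          #effective:r--
group::rwx              #effective:r-x
mask::r-x
other::---
"""
# Constructed: the /tmp/test directory after "setfacl -m d:o:r".
DIR_ACL = """\
# owner: root
# group: web
user::rwx
group::rwx
other::---
default:user::rwx
default:group::rwx
default:other::r--
"""


def parse_getfacl(text):
    """(owner, group, access, default); entries are (tag, qualifier, perms)."""
    owner = group = None
    access, default = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):                    # "# owner:", "# group:", ...
            if line.startswith("# owner:"):
                owner = line.split(":", 1)[1].strip()
            elif line.startswith("# group:"):
                group = line.split(":", 1)[1].strip()
            continue
        line = line.split("#", 1)[0].strip()        # drop "#effective:" notes
        target = access
        if line.startswith("default:"):
            line, target = line[len("default:"):], default
        tag, qualifier, perms = line.split(":")
        target.append((tag, qualifier, {c for c in perms if c in "rwx"}))
    return owner, group, access, default


def check_access(acl_text, user, user_groups, wanted):
    """acl(5) check: True if `user` (member of `user_groups`) holds all of `wanted`."""
    wanted = set(wanted)
    owner, owning_group, access, _ = parse_getfacl(acl_text)
    entries = {(tag, q): perms for tag, q, perms in access}
    mask = entries.get(("mask", ""))

    def masked(perms):      # the mask caps named users and every group entry
        return perms if mask is None else perms & mask

    if user == owner:                                  # 1. file owner
        return wanted <= entries[("user", "")]
    if ("user", user) in entries:                      # 2. named user
        return wanted <= masked(entries[("user", user)])
    matched = False                                    # 3. group class
    for grp in user_groups:
        key = ("group", "") if grp == owning_group else ("group", grp)
        if key in entries:
            matched = True
            if wanted <= masked(entries[key]):
                return True
    if matched:             # a group entry matched but none granted every bit
        return False
    return wanted <= entries[("other", "")]            # 4. everyone else


def inherit_access_acl(dir_acl_text, create_mode):
    """Access ACL a new object gets in the directory, per acl(5): the default
    ACL is copied and the user::, other:: and mask:: (or group:: when no mask
    exists) bits are ANDed with the creation mode (0o666 file, 0o777 dir)."""
    _, _, _, default = parse_getfacl(dir_acl_text)
    if not default:
        return None                   # no default ACL: plain mode/umask rules
    bits = lambda n: {c for c, b in (("r", 4), ("w", 2), ("x", 1)) if n & b}
    group_key = ("mask", "") if any(t == "mask" for t, _, _ in default) else ("group", "")
    limits = {("user", ""): bits(create_mode >> 6 & 7), group_key: bits(create_mode >> 3 & 7),
              ("other", ""): bits(create_mode & 7)}
    # named entries have no limit and are copied unchanged (perms & perms)
    return [f"{tag}:{q}:" + "".join(c if c in (perms & limits.get((tag, q), perms)) else "-"
                                    for c in "rwx")
            for tag, q, perms in default]
```

Running check_access(FILE_ACL, "sagar", ["sagar"], "rw") returns True, matching the article, while the same call against CHMODDED_ACL with "w" returns False: a plain chmod g-w on an ACL-bearing file revokes write access for every named user without touching their entries, which is why getfacl prints the #effective: annotations and why audits should read getfacl output rather than ls -l. inherit_access_acl(DIR_ACL, 0o666) yields user::rw-, group::rw-, other::r--, the permissions a file created with touch receives under the d:o:r default ACL above.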

Remove ACLs

Now let's remove ACLs. To remove a single ACL entry, replace -m in the command above with -x, as shown below.

# setfacl -x d:o /tmp/test

You can also use the -b option, which removes all extended ACL entries (access and default) and leaves only the standard ugo permissions, as shown below.

# setfacl -b /tmp/test

ACLs Backup

Sometimes backup software may not copy the metadata related to the FACLs on files. In that case you may want to back up the FACL information separately. The FACLs on all the files in a directory (including all subdirectories) can be saved in a single file.

# cd /tmp/test
# getfacl -R * > test-bkp_facl

-R is the recursive option. Note that getfacl records the paths relative to the current directory (the "# file:" lines), so the backup has to be restored from that same directory.

Restore ACLs From Backup File

Use the command below to restore the ACLs from the backup file. Because the paths in the file are relative to /tmp/test, run it from that directory; setfacl reports any path it cannot find.

# setfacl --restore=test-bkp_facl

About the author


Santosh Prasad

Hi! I'm Santosh and I'm here to post some cool article for you. If you have any query and suggestion please comment in comment section.
