access control list (acl)

This describes POSIX acl.

The access control list provides a flexibel permission mechanism next to the UNIX file permissions. This allows to specify fine grained permissions for users/groups on filesystems.

Filesystems which support acl typically have an acl option, which must be specified while mounting when it is not a default option. Filesystems must be mounted with the acl option if not enabled as default option.

Files or folder that have an acl defined, can be identified by the + sign next to the UNIX permissions.

The following shows on example for a zfs filesystem.

# mount | grep tank
tank on /tank type zfs (rw,xattr,noacl)
tank/foo on /tank/foo type zfs (rw,xattr,posixacl)

# ls -h /tank
drwxrwxr-x+ 2 root root 4 11. Jun 14:26 foo/

Show acl entries

# List current acl entries.
getfacl /tank/foo

Modify acl entries

# Add acl entry for user "user123".
setfacl -m "u:user123:rwx" /tank/foo

# Remove entry for user "user123".
setfacl -x "u:user123" /tank/foo

# Add acl entry for group "group456".
setfacl -m "g:group456:rx" /tank/foo

# Add acl entry for others.
setfacl -m "o:rx" /tank/foo

# Remove extended acl entries.
setfacl -b /tank/foo

Masking of acl entries

The mask defines the maximum access rights that can be given to users and groups.

# Update the mask.
setfacl -m "m:rx" /tank/foo

# List acl entries.
getfacl /tank/foo
# file: tank/foo
# owner: root
# group: root
user::rwx
user:user123:rwx     # effective:r-x
group::r-x
mask::r-x
other::rwx

References