Q: How do I use Unix Access Control Lists (ACLs)?
This document contains information about using Access Control Lists
to control access to files and directories on the CS Linux/UNIX systems.
You may also want to see the Unix File Permissions
FAQ entry to get further information about basic file and directory permissions
under Unix.
ACL Introduction
Under Solaris and Linux you can use what are called Access Control Lists, or
ACLs. The ACL functionality gives a user the ability to, among other
things, grant file permissions on a user-by-user basis. So, for example,
you can create a file that is readable by joeuser and janeuser but only
writable by janeuser. ACLs provide a much higher degree of control over
permissions than standard Unix groups. In addition, they are completely
under the control of the owner of the file. You don't need the system
administrator to create and maintain groups for you.
Basic Commands and Operations
The two main commands you will use to manipulate ACLs are setfacl
and getfacl. For example, if I have a file named hello.c, I can
set the ACL to only allow the owner of the file to read and write
the file with:
setfacl -s user::rw-,group::---,mask:rw-,other:--- hello.c
In this example, the owner gets read/write permissions (rw-) while
the group and world (or other) get no permissions (---).
I can then grant read-only access to user shei with:
setfacl -m user:shei:r-- hello.c
and read-write access to user schisham with:
setfacl -m user:schisham:rw- hello.c
After setting the ACL on the file, note that ls shows a + after the
normal permission list:
% ls -l hello.c
-rw-rw----+ 1 robh staff 0 Sep 3 10:07 hello.c
The + signifies that there is an ACL set for the file. You can
then use getfacl to display the ACL for the file:
% getfacl hello.c
user::rw-
user:shei:r-- #effective:r--
user:schisham:rw- #effective:rw-
group::rw- #effective:rw-
mask:rw-
other:---
The ACL shows that user shei has read access and user schisham
has read/write access. Once you have an ACL set on one file, you
can duplicate this ACL for other files by creating an ACL file
and using this to set the ACL of other files:
% getfacl hello.c > ACLfile
% setfacl -f ACLfile goodbye.c
You can do the same thing without actually creating the ACLfile using:
getfacl hello.c | setfacl -f - goodbye.c
ACLs on Directories
You can set ACLs on directories as well as on files. ACLs
on directories introduce a new concept called the default ACL for
the directory. This default ACL is used to set the ACL for all
files that are created within the directory. To do this, you specify
the default ACL as follows:
setfacl -s user::rwx,group::---,mask:rwx,other:---,default:user::rw-,default:group::---,default:mask:rwx,default:other:--- SomeDirectory
which gives only the owner permission: read/write/execute (rwx) on the
directory itself and, through the default ACL, read/write (rw-) on files
created in the directory.
You can then give user shei read and execute permission on the directory:
setfacl -m user:shei:r-x SomeDirectory
and read access to all files created in the directory:
setfacl -m default:user:shei:r-- SomeDirectory
You probably also want to give yourself read access to files
created in the directory, so that you can read files that other users
create:
setfacl -m default:user:robh:r-- SomeDirectory
A Cookbook Example
This section describes the procedure for using ACLs to share files in a
group project directory. The example assumes that multiple people will
be editing a common source file and building an executable from this
file.
First, make the shared directory
% mkdir GroupProject
Then, setup the basic ACL for the directory
% setfacl -m user::rwx,group::---,mask:rwx,other:---,default:user::rwx,default:group::---,default:mask:rwx,default:other:--- GroupProject
Give user juser write permission on the directory
% setfacl -m user:juser:rwx GroupProject
Give user juser and yourself read/write permission to files created in the directory
% setfacl -m default:user:juser:rwx GroupProject
% setfacl -m default:user:robh:rwx GroupProject
Note that you would replace "robh" with your username.
Then, cd to the directory and create a file we need to share
% cd GroupProject
% vi hello.c
We see that juser has read and write access to this file:
% getfacl hello.c
user::rw-
user:juser:rwx #effective:rw-
group::--- #effective:---
mask:rw-
other:---
We then create an executable named hello from hello.c:
% make hello
cc -o hello hello.c
%
We then check the ACL for the hello executable:
% getfacl hello
user::rwx
user:juser:rwx #effective:rwx
group::--- #effective:---
mask:rwx
other:---
You see that, as with the other file we created, user juser
has write permission. So, juser could then come and edit the
hello.c file and rebuild the hello executable.
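The "#effective:" column in the getfacl listings above (in both the Basic Commands and the Cookbook sections) is the entry's permissions ANDed with the mask, which is why juser's rwx entry on hello.c is only effectively rw-. The following is an added example, not code from this FAQ or from Solaris: it parses that listing format, recomputes the effective column, and answers "what can this user actually do?" in the POSIX.1e/Solaris evaluation order. The owner and owning group are not part of the listing, so they are passed in (robh/staff, taken from the ls -l line earlier on the page).

```python
# Added example, not from the FAQ or from Solaris: parse the getfacl listing format shown
# above, recompute the "#effective:" column (entry AND mask) and evaluate access in the
# POSIX.1e/Solaris order: owner entry, named user, any matching group entry, then other.
PERM_BITS = {"r": 4, "w": 2, "x": 1}
def to_bits(perm):          # 'rw-' -> 6
    return sum(v for c, v in PERM_BITS.items() if c in perm)
def to_perm(bits):          # 6 -> 'rw-'
    return "".join(c if bits & v else "-" for c, v in PERM_BITS.items())

def parse_acl(listing):
    """Return (is_default, tag, qualifier, bits) per entry; '#effective' comments are dropped."""
    entries = []
    for line in filter(None, (raw.split("#", 1)[0].strip() for raw in listing.splitlines())):
        is_default = line.startswith("default:")
        parts = (line[len("default:"):] if is_default else line).split(":")
        if len(parts) == 2:                 # mask:rw- and other:--- carry no qualifier
            parts.insert(1, "")
        tag, qual, perm = parts
        entries.append((is_default, tag, qual, to_bits(perm)))
    return entries

def annotate(listing):
    """Re-create getfacl's '#effective:' column (named users/groups and owning group AND mask)."""
    acl = parse_acl(listing)
    mask = next((b for d, t, _, b in acl if t == "mask" and not d), 7)
    out = []
    for is_default, tag, qual, bits in acl:
        line = ("default:" if is_default else "") + tag + ":"
        line += f"{qual}:{to_perm(bits)}" if tag in ("user", "group") else to_perm(bits)
        if not is_default and (qual or tag == "group"):   # the owner entry and other are never masked
            line += f" #effective:{to_perm(bits & mask)}"
        out.append(line)
    return "\n".join(out)

def allowed(listing, user, groups, owner, owning_group, want):
    """True if `user` (member of `groups`) gets every permission in `want`, e.g. 'rw'.
    The listing does not name the owner or owning group, so they are passed in."""
    acl = {(t, q): b for d, t, q, b in parse_acl(listing) if not d}
    mask, need = acl.get(("mask", ""), 7), to_bits(want)
    if user == owner:
        return (acl[("user", "")] & need) == need
    if ("user", user) in acl:
        return (acl[("user", user)] & mask & need) == need
    grp = [b for (t, q), b in acl.items() if t == "group" and (q or owning_group) in groups]
    if grp:                                 # one matching group entry must grant all of `want`
        return any((b & mask & need) == need for b in grp)
    return (acl[("other", "")] & need) == need

# Constructed input: the cookbook's hello.c listing, without its #effective column.
HELLO_C_ACL = "user::rw-\nuser:juser:rwx\ngroup::---\nmask:rw-\nother:---\n"
```

Running annotate on HELLO_C_ACL reproduces the listing shown in the cookbook, and allowed(HELLO_C_ACL, "juser", ["users"], "robh", "staff", "x") is False because the mask strips the execute bit from juser's entry.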
Backup Notes
It should be noted that the system backups we are doing do
not capture ACL information. So, if a file or files have to
be restored from backups, the ACL information will have to be
manually reconstructed. For this reason, it would be wise for
users to keep track of any ACLs they create. One way to do this
is to run getfacl and save the output to a file. This file can
also be used to create other ACLs using 'setfacl -f'.
Emacs and Disk Quota Notes
Also note that there are implications related to disk quotas.
For example, if user1 grants write access for a directory to
user2, then any files that user2 creates in that directory fall
within the quota constraints for user2 on that partition. If
user1 and user2 are on different disk partitions, then user2
will have a zero quota on that partition and will not be able
to create files. There are two workarounds for this problem.
First, you can request that home directories be moved to a
single partition. Second, if user1 creates a file then user2
can edit the file as long as the ownership doesn't change. Some
editors, such as emacs, rewrite files when saving, which would
change the ownership and therefore fails. In emacs, you can add
the following to your .emacs file to prevent emacs from rewriting files:
(setq backup-by-copying t)
Other Sources of Information
Probably the best source of additional information is the man
pages for setfacl and getfacl. There is a section on Securing Files
in the Sun Answerbook that gives more information. There is also a
SunWorld Online article about ACLs that you may find useful.