The Linux command setfacl allows users to set extensive Access Control Lists on files and directories. Normally, using the chmod command, you can set permissions only for the owner, the group and others. If you need to grant file permissions to some other users as well, that cannot be done with chmod; setfacl is the tool for that.
For example, with chmod alone we cannot set up different permission sets for different users on the same directory or file. This is why Access Control Lists (ACLs) were implemented. You can view the current ACL set on files and directories using the getfacl command.
In order to use setfacl on a file or directory, the filesystem it resides on must have ACL support enabled. If the filesystem does not support ACLs, you will get an “operation not supported” error. In that case, you need to add the acl mount option for that filesystem in /etc/fstab and then remount the filesystem.
Check if Kernel has ACL Support
Run the following command to check for ACL support in the kernel configuration: the *_POSIX_ACL options should be set to y (if one is set to n, the kernel was built without ACL support for that filesystem and needs to be recompiled).
root@linoxide:/home# grep -i acl /boot/config*
CONFIG_EXT4_FS_POSIX_ACL=y
CONFIG_REISERFS_FS_POSIX_ACL=y
CONFIG_JFS_POSIX_ACL=y
CONFIG_XFS_POSIX_ACL=y
CONFIG_BTRFS_FS_POSIX_ACL=y
CONFIG_FS_POSIX_ACL=y
CONFIG_GENERIC_ACL=y
CONFIG_TMPFS_POSIX_ACL=y
CONFIG_HFSPLUS_FS_POSIX_ACL=y
CONFIG_F2FS_FS_POSIX_ACL=y
CONFIG_NFS_V3_ACL=y
CONFIG_NFSD_V2_ACL=y
CONFIG_NFSD_V3_ACL=y
CONFIG_NFS_ACL_SUPPORT=m
CONFIG_CIFS_ACL=y
CONFIG_9P_FS_POSIX_ACL=y
Checking if the filesystem supports ACL
You can try this with:
$ cat /etc/fstab
On some systems, looking at fstab will not tell you whether the filesystem supports ACLs, because it only shows "defaults" as the mount options:
root@linoxide:/home# cat /etc/fstab
LABEL=cloudimg-rootfs / ext4 defaults 0 0
In that case, you can use the following command to check whether acl is among the filesystem's default mount options (the "Default mount options" line in the output):
root@linoxide:/home# tune2fs -l /dev/sda1
tune2fs 1.42.9 (4-Feb-2014)
Filesystem volume name:   cloudimg-rootfs
Last mounted on:          /
Filesystem UUID:          2e294961-ce03-483e-a53e-ff3fc4514bd4
Filesystem magic number:  0xEF53
Filesystem revision #:    1 (dynamic)
Filesystem features:      has_journal ext_attr resize_inode dir_index filetype needs_recovery extent flex_bg sparse_super large_file huge_file uninit_bg dir_nlink extra_isize
Filesystem flags:         signed_directory_hash
Default mount options:    user_xattr acl
If your filesystem has not been mounted with the ‘acl’ option, you can remount it with the needed option:
# mount -o remount -o acl /dev/sda1
Check for Required Packages
To use Linux ACLs, make sure that you have the required packages installed. Below are the packages that need to be installed using yum or apt-get.
For RedHat based systems:
$ sudo yum install nfs4-acl-tools acl libacl
For Debian based:
$ sudo apt-get install nfs4-acl-tools acl
Now we can go through various usages of the “setfacl” command. First, we create a folder called “test_folder” as the root user.
root@linoxide:/home# mkdir test_folder
root@linoxide:/home# getfacl test_folder/
# file: test_folder/
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
1. Providing ACL for an individual User
Suppose you want to give full access to the user “test” (it can be any user at all) on the directory “test_folder”. This can be done using setfacl as follows.
root@linoxide:/home# setfacl -m u:test:rwx test_folder/
root@linoxide:/home# getfacl test_folder/
# file: test_folder/
# owner: root
# group: root
user::rwx
user:test:rwx
group::r-x
mask::rwx
other::r-x
2. Providing ACL for all users of a group
If you want to provide write permission for all the users of the group “testg” on the folder “test_folder”, you can do it the following way.
root@linoxide:/home# setfacl -m g:testg:w test_folder/
root@linoxide:/home# getfacl test_folder/
# file: test_folder/
# owner: root
# group: root
user::rwx
user:test:rwx
group::r-x
group:testg:-w-
mask::rwx
other::r-x
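Note the mask entry in the output above: it caps the rights of every named-user, named-group and owning-group entry, and getfacl only points this out with a "#effective:" comment when the mask actually restricts something. The following added example (not part of the original tutorial) reproduces that calculation over a constructed getfacl dump in which the mask of test_folder has been tightened to r-x, as a later "setfacl -m m::r-x test_folder/" or "chmod g-w test_folder/" would do, so that testg's write access silently disappears.

```sh
# Added example, not from the original tutorial: show how the ACL mask caps
# named-user, named-group and owning-group entries, the way the kernel does.
# Reads getfacl output on stdin and prints "tag:qualifier perms effective".
effective_acl() {
    awk -F: '
    /^#/ || NF < 3 { next }                # skip the header comments and blanks
    { line[++n] = $0; if ($1 == "mask") mask = $3 }
    END {
        for (i = 1; i <= n; i++) {
            split(line[i], f, ":")
            tag = f[1]; qual = f[2]; p = f[3]
            # the owner, "other" and the mask itself are never masked; with no
            # mask entry at all (no named entries) nothing is masked either
            if (mask == "" || (tag == "user" && qual == "") || tag == "other" || tag == "mask") {
                eff = p
            } else {
                eff = ""
                for (j = 1; j <= 3; j++) {
                    c = substr(p, j, 1); m = substr(mask, j, 1)
                    eff = eff ((c != "-" && m != "-") ? c : "-")
                }
            }
            printf "%s:%s %s %s\n", tag, qual, p, eff
        }
    }'
}

# Constructed sample: the tutorial's ACL after step 2, but with the mask
# tightened to r-x (as "setfacl -m m::r-x test_folder/" or "chmod g-w" would do).
SAMPLE_ACL='# file: test_folder/
# owner: root
# group: root
user::rwx
user:test:rwx
group::r-x
group:testg:-w-
mask::r-x
other::r-x'

# effective_of TAG:QUALIFIER -> effective rights of that entry in SAMPLE_ACL,
# e.g. effective_of group:testg prints "---" (write is blocked by the mask)
effective_of() {
    printf '%s\n' "$SAMPLE_ACL" | effective_acl | awk -v e="$1" '$1 == e { print $3 }'
}

printf '%s\n' "$SAMPLE_ACL" | effective_acl
```

Run it against a live directory with "getfacl test_folder/ | effective_acl" to see which granted rights are really in force after the mask is applied.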
3. Revoking the ACL of a user/group
If you want to revoke the permissions we have given to the user test and the group testg, you can use the setfacl command as follows.
root@linoxide:/home# setfacl -x u:test,g:testg test_folder/
root@linoxide:/home# getfacl test_folder/
# file: test_folder/
# owner: root
# group: root
user::rwx
group::r-x
mask::rwx
other::r-x
4. Copying ACL of one file/directory to another
Suppose you want test_folder1 to carry the same ACL set as test_folder. You can achieve this by copying the ACL as follows.
root@linoxide:/home# getfacl test_folder/ > acl.txt
root@linoxide:/home# mkdir test_folder1
root@linoxide:/home# setfacl -M acl.txt test_folder1/
root@linoxide:/home# getfacl test_folder1/
# file: test_folder1/
# owner: root
# group: root
user::rwx
user:test:rwx
group::r-x
group:testg:-w-
mask::rwx
other::r-x
In this tutorial, we have seen the basic usage of the getfacl and setfacl tools for Access Control Lists, setting and revoking permissions on test_folder. We also learned how to check for kernel and filesystem ACL support and how to install the required packages. If you have any thoughts or comments about Linux ACLs, please write them down in the comments section below.