Specifying granular UNIX file permissions using SETFACL

April 26, 2020 - by Zsolt Agoston - last edited on July 27, 2020

UNIX-type systems use the octal file permission model, which is limited when it comes to granting access to specific users and groups. By default there are only three sets of attributes on a file or directory: the owner, the owning group and everyone else can each have read, write and execute permission allowed or denied. For example, here is Bob, who has a file with his favorite recipes and the permissions below set on it:

-rw-r----- 1 Bob  WholeOffice   20 Apr 26 09:07 FavoriteRecipes.txt

Let's check the permissions on the file. Bob is the owner, and he has read-write permissions on the file. The owning group is WholeOffice, so everyone who is a member of that group can read the file but cannot write to it. Bob asked Alice to add her excellent goulash recipe to the file. Now, Alice is a member of the WholeOffice group, so we could give the WholeOffice group write permissions on the file, but Bob wants only Alice to edit the file; he doesn't want anyone else to touch his recipes. What can we do? File access control lists to the rescue!

Before You Begin

First of all, make sure that the acl software package is installed on the system. In recent Linux distributions the acl package is installed by default and ACL support is enabled when a filesystem is mounted, but check before you begin.

# Ubuntu and Debian
apt-get install acl

# RHEL, CentOS, Fedora
yum install acl

Also, ACLs used to not be enabled on ext4 file systems mounted with default settings. You can verify whether they are enabled on yours with the tune2fs command.

# Check if acl is added by default at mount
root@linux:/home# tune2fs -l /dev/sdb1 | grep "Default mount options"

Default mount options: user_xattr acl

If "acl" is not among the defaults, add it to the mount options of that filesystem in the /etc/fstab file.

Set granular access rights

We simply give Alice write permissions on the file with the following command:

setfacl -m u:Alice:rw /home/Bob/FavoriteRecipes.txt

We use -m to modify the ACL on the file, giving user (u) Alice read and write (rw) permissions.

-rw-rw----+ 1 Bob WholeOffice 20 Apr 26 09:07 FavoriteRecipes.txt

As a result, when listing the file we see a "+" sign after the permission bits, which means granular access permissions are set.


The getfacl command shows us all the permissions that are set. Note that if a granular entry exists for Alice, it overrides her default UGO permissions: although she is a member of the WholeOffice group, so she should already have read access, if we specify only "w" instead of "rw" in the setfacl command, she won't be able to read the file. Alice can now freely edit the recipes!
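To make that override rule concrete, here is an added Python example (not from the original post) that evaluates a user's effective permissions the way the POSIX ACL check does, using constructed getfacl output for Bob's file after the setfacl command above; the user and group names are the ones from the article.

```python
# Constructed sample: getfacl output for Bob's file after `setfacl -m u:Alice:rw`.
SAMPLE_ACL = """\
# file: home/Bob/FavoriteRecipes.txt
# owner: Bob
# group: WholeOffice
user::rw-
user:Alice:rw-
group::r--
mask::rw-
other::---
"""

def parse_getfacl(text):
    """Return (owner, owning_group, entries); entries maps (tag, qualifier) -> set of 'rwx'."""
    owner = group = None
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif not line or line.startswith("#"):
            continue
        else:  # e.g. "group::r--   #effective:r--": drop the effective annotation
            tag, qual, perms = line.split("#", 1)[0].strip().split(":")
            entries[(tag, qual)] = set(perms) - {"-"}
    return owner, group, entries

def effective_perms(acl, user, groups):
    """POSIX.1e check order: owner, named user, owning/named groups, other.
    Named-user and group entries are limited by the mask; owner and other are not."""
    owner, owning_group, entries = acl
    mask = entries.get(("mask", ""), set("rwx"))
    if user == owner:
        return entries[("user", "")]
    if ("user", user) in entries:  # a named entry wins over group membership
        return entries[("user", user)] & mask
    granted, matched = set(), False
    if owning_group in groups:
        matched, granted = True, set(entries[("group", "")])
    for g in groups:
        if ("group", g) in entries:
            matched, granted = True, granted | entries[("group", g)]
    if matched:
        return granted & mask
    return entries[("other", "")]

def fmt(perms):
    """Render a permission set as the familiar 'rw-' triplet."""
    return "".join(c if c in perms else "-" for c in "rwx")
```

Once a file carries an ACL, the group triplet that ls prints is the mask entry rather than the owning group's own entry, which is why the listing above shows rw- for the group while WholeOffice members still only get read; getfacl shows the real group permissions.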

Default ACL permissions (inheritance)

Elaborating on the previous example, Bob wants Alice to have write permissions on all the new files he will create in his home folder. In this case we can use the -d (default) switch with setfacl and set these default permissions on his home directory.

setfacl -d -m u:Alice:rw /home/Bob


A new file created in that directory will inherit the default permissions.
