PkgBlog: acl

Tools and libaries for POSIX access control lists
Package series/name: a/acl-2.2.52-x86_64-1
Official release: source and package
Blog entry created: 2018-07-15 and last updated 2018-07-20
Tagged: series_a core-system permissions file-utils

At last! This is the sort of package that made me want to create this blog in the first place: I’m learning new stuff, finding out the purpose for some commands, and reading new man pages.

What are POSIX Access Control Lists (ACLs)?

Here’s a great summary by Min H. Kao. In short, Access Control Lists are another set of permissions we can apply to a file (or directory) just like classic Unix file permissions. They are stored in metadata just like classic permissions.

ACLs extend the classic permissions by allowing you to set read, write, and execute (rwx) permissions on a file for any number of specifc users or groups. Another neat feature is that unlike classic permissions, you don’t have to even be a member of a group to give it access to a file.

Commands

There are three commands that come with this package: chacl, getfacl, and setfacl. All three are ELF binaries found in /usr/bin/. All three come with man pages.

CommandMan description
chaclchange the access control list of a file or directory
getfaclget file access control lists
setfaclset file access control lists

Near as I can tell, chacl can do the same job as the other two utilities, but provides more of a HP-UX and IRIX experience?

Trying it out

I’d like to let my imaginary friend Arthur edit a poem of mine.

First, let’s create a user account for Arthur:

$ sudo useradd arthur

Now, normally I can’t give just Arthur permission to edit my poem. I can’t even make him the temporary owner, since I’m not the superuser:

$ chown arthur slippery-toots.txt
chown: changing ownership of 'slippery-toots.txt': Operation not permitted

Let’s see what ACLs can do for us. First, let’s see what we already have with getfacl:

$ getfacl slippery-toots.txt
# file: slippery-toots.txt
# owner: dave
# group: users
user::rw-
group::r--
other::r--

And chacl:

$ chacl -l slippery-toots.txt
slippery-toots.txt [u::rw-,g::r--,o::r--]

Okay, so both utilities show the classic Unix permissions which are already set on this file.

(Give me a moment to read the man page for setfacl…​)

Now let’s try adding read and write permissions for Arthur:

$ setfacl -m u:arthur:rw slippery-toots.txt

And list them with both commands:

$ getfacl slippery-toots.txt
# file: slippery-toots.txt
# owner: dave
# group: users
user::rw-
user:arthur:rw-
group::r--
mask::rw-
other::r--
$ chacl -l slippery-toots.txt
slippery-toots.txt [u::rw-,u:arthur:rw-,g::r--,m::rw-,o::r--]

Looks good. Does it work?

$ sudo su arthur
arthur@poems$ ls -l
-rw-r--r--  1 dave users  1271 Jul  7  2017 wiggler-house.txt
-rw-rw-r--+ 1 dave users   207 Jul 15 18:26 slippery-toots.txt
arthur@poems$ echo "The End" >> wiggler-house.txt
bash: wiggler-house.txt: Permission denied

So far so good, Arthur cannot write to wiggler-house.txt, which is a different poem. (Also note the + next to the permissions column for slippery-toots.txt in the extended file listing!)

Now the moment of truth:

arthur@poems$ echo "The End" >> slippery-toots.txt

Yes! Arthur can edit my poem!

Is chacl needed?

As I mentioned above, I get the impression that chacl is included only for compatibility reasons (such as scripts which might depend on it).

I found it less intuitive to use since it requires a "mask entry" for any ACL that contains more than the classic permissions (or "minimum" entry in the terminology of the man page) such as our Arthur entry.

The man page did not describe how, exactly a mask entry works, but a Unix & Linux Stack Exchange answer points to a good explanation. Here’s my take: basically, a "mask" entry is actually the maximum permission that will be granted on the file in case of doubt. It sounds as if the mask mostly exists to support backward compatibility.

At any rate, setfacl seems to create the mask entry for us (if you look at the output for our slippery-toots.txt file above, you’ll see it), whereas chacl requires that we write it as well. Between that and the lack of explanation in the man page, chacl seems far less friendly.

I don’t mind that it’s terse.

There’s always more to explore

There are tons of options with both the getfacl and setfacl commands.

Here’s a nice alternative tabular display:

$ getfacl -t slippery-toots.txt
USER   dave      rw-
user   arthur    rw-
GROUP  users     r--
mask             rw-
other            r--

I don’t have a lot of use for ACLs (the classic Unix permissions cover 99.7% of my needs), but when you need 'em, they’re wonderfully handy.

Until next time, happy hacking!

Update

Now that I’ve explored the attr package with its setfattr and getfattr tools, I have further learned exactly how the Linux kernel uses the extended file attribute metadata to store the ACL data. Check it out!