At last! This is the sort of package that made me want to create this blog in the first place: I’m learning new stuff, finding out the purpose of some commands, and reading new man pages.
What are POSIX Access Control Lists (ACLs)?
Here’s a great summary by Min H. Kao. In short, Access Control Lists are another set of permissions we can apply to a file (or directory) just like classic Unix file permissions. They are stored in metadata just like classic permissions.
ACLs extend the classic permissions by allowing you to set read, write, and execute (rwx) permissions on a file for any number of specific users or groups.
Another neat feature is that, unlike classic permissions, you don’t even have to be a member of a group to give it access to a file.
There are three commands that come with this package. All three are ELF binaries found in /usr/bin/, and all three come with man pages:

chacl     change the access control list of a file or directory
getfacl   get file access control lists
setfacl   set file access control lists
Near as I can tell, chacl can do the same job as the other two utilities, but provides more of an HP-UX and IRIX experience?
Trying it out
I’d like to let my imaginary friend Arthur edit a poem of mine.
First, let’s create a user account for Arthur:
$ sudo useradd arthur
Now, normally I can’t give just Arthur permission to edit my poem. I can’t even make him the temporary owner, since I’m not the superuser:
$ chown arthur slippery-toots.txt
chown: changing ownership of 'slippery-toots.txt': Operation not permitted
Let’s see what ACLs can do for us.
First, let’s see what we already have with
$ getfacl slippery-toots.txt
# file: slippery-toots.txt
# owner: dave
# group: users
user::rw-
group::r--
other::r--

$ chacl -l slippery-toots.txt
slippery-toots.txt [u::rw-,g::r--,o::r--]
Okay, so both utilities show the classic Unix permissions which are already set on this file.
(Give me a moment to read the man page for
Now let’s try adding read and write permissions for Arthur:
$ setfacl -m u:arthur:rw slippery-toots.txt
And list them with both commands:
$ getfacl slippery-toots.txt
# file: slippery-toots.txt
# owner: dave
# group: users
user::rw-
user:arthur:rw-
group::r--
mask::rw-
other::r--

$ chacl -l slippery-toots.txt
slippery-toots.txt [u::rw-,u:arthur:rw-,g::r--,m::rw-,o::r--]
Looks good. Does it work?
$ sudo su arthur
arthur@poems$ ls -l
-rw-r--r--  1 dave users 1271 Jul  7  2017 wiggler-house.txt
-rw-rw-r--+ 1 dave users  207 Jul 15 18:26 slippery-toots.txt
arthur@poems$ echo "The End" >> wiggler-house.txt
bash: wiggler-house.txt: Permission denied
So far so good: Arthur cannot write to wiggler-house.txt, which is a different poem.
(Also note the + next to the permissions column for slippery-toots.txt in the extended file listing!)
Now the moment of truth:
arthur@poems$ echo "The End" >> slippery-toots.txt
Yes! Arthur can edit my poem!
Is chacl needed?
As I mentioned above, I get the impression that chacl is included only for compatibility reasons (such as scripts which might depend on it).
I found it less intuitive to use, since it requires a "mask entry" for any ACL that contains more than the classic permissions (the "minimum" entry, in the terminology of the man page), such as our Arthur entry.
The man page did not describe how, exactly, a mask entry works, but a Unix & Linux Stack Exchange answer points to a good explanation. Here’s my take: a "mask" entry is an upper bound on the permissions that the extra entries (such as our Arthur entry) can actually grant. It sounds as if the mask mostly exists to support backward compatibility.
At any rate, setfacl seems to create the mask entry for us (if you look at the output for our slippery-toots.txt file above, you’ll see it), whereas chacl requires that we write it as well.
Between that and the lack of explanation in the man page, chacl seems far less friendly.
I don’t mind that it’s terse.
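To make the mask concrete, here is a small Python script I wrote for this post (it is not code from the post itself or from the acl package). It parses both listing formats shown above (getfacl’s long output and chacl -l’s bracket form), applies the mask the way the kernel does, and runs the POSIX.1e access check: owner first, then a named user entry, then the group class, then other. The sample getfacl and chacl output is constructed to match the slippery-toots.txt listings above; the function names are my own.

```python
"""Added example for this post (not code from the post or the acl package):
parse the two ACL listing formats shown above, apply the mask entry the way
the kernel does, and run the POSIX.1e access check. Sample output below is
constructed to match the post's listings; helper names are my own."""

import re

PERM_BITS = {"r": 4, "w": 2, "x": 1}
SHORT_TAGS = {"u": "user", "g": "group", "m": "mask", "o": "other"}

# Constructed to mirror the getfacl / chacl -l output in the post.
GETFACL_OUTPUT = """\
# file: slippery-toots.txt
# owner: dave
# group: users
user::rw-
user:arthur:rw-
group::r--
mask::rw-
other::r--
"""
CHACL_OUTPUT = "slippery-toots.txt [u::rw-,u:arthur:rw-,g::r--,m::rw-,o::r--]"


def perm_to_bits(perm):
    """'rw-' -> 6, 'r--' -> 4 (same bits as a classic mode triplet)."""
    return sum(PERM_BITS[c] for c in perm if c in PERM_BITS)


def bits_to_perm(bits):
    """6 -> 'rw-'."""
    return "".join(c if bits & b else "-" for c, b in PERM_BITS.items())


def parse_getfacl(text):
    """Parse getfacl's long output into (tag, qualifier, bits) entries.
    Comment lines and trailing '#effective:' notes are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        tag, qual, perm = line.split(":")[:3]
        entries.append((tag, qual, perm_to_bits(perm)))
    return entries


def parse_chacl(text):
    """Parse 'chacl -l' output: '<file> [u::rw-,u:arthur:rw-,...]'."""
    body = re.search(r"\[([^\]]*)\]", text).group(1)
    entries = []
    for item in body.split(","):
        tag, qual, perm = item.split(":")
        entries.append((SHORT_TAGS[tag], qual, perm_to_bits(perm)))
    return entries


def effective(entries):
    """Apply the mask: named users, named groups and the owning group get
    entry & mask; the owner and 'other' entries are never masked."""
    mask = next((b for t, q, b in entries if t == "mask"), None)
    out = []
    for tag, qual, bits in entries:
        if mask is not None and (tag == "group" or (tag == "user" and qual)):
            bits &= mask
        out.append((tag, qual, bits))
    return out


def with_mask(entries, perm):
    """Copy of the ACL with the mask entry replaced (what 'setfacl -m m::PERM' does)."""
    bits = perm_to_bits(perm)
    return [("mask", "", bits) if t == "mask" else (t, q, b) for t, q, b in entries]


def check_access(entries, owner, group, user, groups, want):
    """POSIX.1e access check for `user` (member of `groups`) requesting `want` bits.
    `owner` and `group` are the file's owner and owning group (the '# owner:' and
    '# group:' lines of getfacl). The first matching class decides:
    owner -> named user -> group class -> other."""
    eff = effective(entries)

    def entry(tag, qual=""):
        return next((b for t, q, b in eff if t == tag and q == qual), None)

    if user == owner:
        return entry("user") & want == want
    named = entry("user", user)
    if named is not None:
        return named & want == want
    # Group class: owning group (if the caller is in it) plus any named group the
    # caller belongs to; access is granted if ANY matching entry covers the request.
    matching = [b for t, q, b in eff if t == "group"
                and ((q == "" and group in groups) or (q and q in groups))]
    if matching:
        return any(b & want == want for b in matching)
    return entry("other") & want == want


if __name__ == "__main__":
    acl = parse_getfacl(GETFACL_OUTPUT)
    assert acl == parse_chacl(CHACL_OUTPUT)          # both listings describe the same ACL
    for who, grps in (("dave", ["users"]), ("arthur", ["arthur"]), ("bob", ["bob"])):
        print(f"{who:6} can write:", check_access(acl, "dave", "users", who, grps, 2))
    # Tighten the mask to r--: arthur's rw- entry is still stored, but no longer effective.
    for tag, qual, bits in effective(with_mask(acl, "r--")):
        print(f"{tag}:{qual}:{bits_to_perm(bits)}")
```

The with_mask step is the part worth trying against a real file: after `setfacl -m m::r-- slippery-toots.txt`, getfacl still lists `user:arthur:rw-` but annotates it with `#effective:r--`, which is exactly what the effective() function computes. The owner’s own `user::` entry and the `other::` entry are unaffected by the mask, which is why a tightened mask never locks the owner out.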
There’s always more to explore
There are tons of options with both the
Here’s a nice alternative tabular display:
$ getfacl -t slippery-toots.txt
USER   dave    rw-
user   arthur  rw-
GROUP  users   r--
mask           rw-
other          r--
I don’t have a lot of use for ACLs (the classic Unix permissions cover 99.7% of my needs), but when you need 'em, they’re wonderfully handy.
Until next time, happy hacking!
Now that I’ve explored the attr package with its getfattr tools, I have also learned exactly how the Linux kernel uses extended file attribute metadata to store the ACL data.
Check it out!