101 Linux ACL
What is ACL (Access Control List) in Linux?
Definition
ACL is a fine-grained permission system in Linux that allows you to grant different permissions to multiple users and groups on a single file or directory — something that traditional Unix permissions can't do.
Why Use ACL?
Traditional Linux file permissions only allow you to define:
- One owner (user)
- One group
- Permissions for others
So you can only have 3 sets of permissions: user, group, others.
But what if:
- You want to give read access to another user
- Or let a different group have write access
- Without changing ownership or primary group
That's where ACL comes in.
ACL vs Traditional Permissions
| Feature | Traditional Permissions | ACL | 
|---|---|---|
| Number of users/groups | 1 user, 1 group | Multiple users and groups | 
| Granularity | Limited (r/w/x) | Fine-grained per user/group | 
| Inheritance | No | Yes (default ACL on directories) | 
Enabling and Using ACL
Check if filesystem supports ACL
Most modern Linux distros with ext4, xfs, or btrfs support it. Note that current kernels enable ACLs on ext4 and xfs by default, so the acl option often does not appear in the mount output even though ACLs work; if getfacl and setfacl run on a test file without an "Operation not supported" error, ACLs are available.
mount | grep acl
If not enabled, mount with:
mount -o remount,acl /mount/point
ACL Commands
1. Check current ACLs
getfacl filename
Example:
getfacl report.txt
Output:
# file: report.txt
# owner: prakash
# group: devs
user::rw-
user:john:r--
group::r--
mask::r--
other::---
2. Add ACL for specific user
setfacl -m u:john:r file.txt
John gets read-only access, even if he is not the owner or in the group.
3. Add ACL for a group
setfacl -m g:designers:rw file.txt
Group 'designers' can read and write file.txt.
4. Remove ACL entry
setfacl -x u:john file.txt
5. Set Default ACL on directory (for inheritance)
setfacl -d -m u:john:rw /project/folder
All new files inside /project/folder will automatically give john read/write access.
6. Remove all ACLs
setfacl -b file.txt
Example Scenario
You’re building a CI/CD pipeline and want:
- Dev team to have read/write on app.conf
- Ops team to have read-only access
- Jenkins user to have write-only access
Using ACL:
setfacl -m g:dev:rw app.conf
setfacl -m g:ops:r-- app.conf
setfacl -m u:jenkins:-w- app.conf
Output Explanation (getfacl)
# file: file.txt
# owner: prakash
# group: devs
user::rw-
user:john:r--
group::r--
group:designers:rw-
mask::rw-
other::---
The mask defines the maximum effective permission for every named user, named group, and the owning group; it does not apply to the owner or to others. Be aware that chmod on the group bits rewrites the mask, so a later chmod can silently reduce what an ACL entry grants, and getfacl marks such entries with an "#effective:" comment.
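To make the mask rule concrete, here is an added example (not part of the original post) that computes the effective permission of each ACL entry from getfacl text, the same way getfacl's "#effective:" annotations do. The ACL text is constructed, not captured from a real host: it is the CI/CD scenario above after a later "chmod g=r app.conf" has rewritten the mask to r--.

```shell
#!/bin/sh
# SAMPLE_ACL is constructed for this example. It shows the app.conf ACL
# after "chmod g=r app.conf" reset the mask to r--, silently cutting the
# dev group's write bit and all of the jenkins user's access.
SAMPLE_ACL='# file: app.conf
# owner: prakash
# group: devs
user::rw-
user:jenkins:-w-
group::r--
group:dev:rw-
group:ops:r--
mask::r--
other::---'

# Reads getfacl text on stdin. For every entry the mask governs (named
# users, named groups, the owning group) prints: entry granted effective
effective_perms() {
  awk -F: '
    /^#/         { next }                  # skip the header comments
    $1 == "mask" { mask = $3; next }       # mask may follow the entries
    ($1 == "user" && $2 != "") || $1 == "group" {
      n++; name[n] = $1 ":" $2; perm[n] = $3
    }
    END {
      for (i = 1; i <= n; i++) {
        eff = ""
        for (j = 1; j <= 3; j++) {         # AND of the r, w, x positions
          c = substr(perm[i], j, 1)
          eff = eff (c != "-" && c == substr(mask, j, 1) ? c : "-")
        }
        printf "%s %s %s\n", name[i], perm[i], eff
      }
    }'
}

# Entries whose granted permission is wider than the mask lets through.
# Any output here means the ACL does not do what its author intended.
shadowed_entries() {
  effective_perms | awk '$2 != $3'
}

# Entries that can actually write: the set an access review should check.
effective_writers() {
  effective_perms | awk 'substr($3, 2, 1) == "w" { print $1 }'
}

printf '%s\n' "$SAMPLE_ACL" | effective_perms
printf '%s\n' "$SAMPLE_ACL" | shadowed_entries
```

Feeding real output in with `getfacl app.conf | shadowed_entries` lists exactly the entries that a chmod or an explicit mask has clipped.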
Interview-Ready Q and A
Q1: Why use ACL when traditional permissions exist?
A: Traditional permissions only allow one user and one group. ACL allows multiple users and groups to have different access levels on the same file or directory — useful in collaborative or enterprise environments.
Q2: What does 'setfacl -m u:john:rw file.txt' do?
A: It gives read/write access to user john on file.txt without changing ownership or default permissions.
Q3: What does 'mask::r--' mean in 'getfacl'?
A: The mask defines the maximum permission limit for all ACL users and groups (excluding the owner). Even if ACL grants rw-, a mask of r-- will reduce it to read-only.
Q4: How do you make ACL changes persistent across reboots?
A: ACLs are stored in extended attributes of files, and are persistent across reboots — provided the filesystem is mounted with acl support.
Q5: What’s the difference between default ACL and access ACL?
| Type | Applied to | Purpose | 
|---|---|---|
| Access ACL | Files/Dirs | Defines the effective permissions on that object, extending the standard user/group/other bits | 
| Default ACL | Directories | Inherited by new files/dirs | 
Summary Cheat Sheet
| Command | Description | 
|---|---|
| getfacl file.txt | View ACLs | 
| setfacl -m u:john:rw file.txt | Set ACL for user | 
| setfacl -m g:devs:rw file.txt | Set ACL for group | 
| setfacl -x u:john file.txt | Remove ACL for user | 
| setfacl -b file.txt | Remove all ACL entries | 
| setfacl -d -m u:john:rw dir/ | Set default ACL for directory | 