Filesystem/Access Control List Guide

Access Control List (ACL or POSIX ACL) is an additional security control feature for multiuser systems. POSIX ACL facilitates a more fine-grained control over filesystem permissions than the basic POSIX RWX bits do.

Installation

Kernel

Enable POSIX Access Control Lists (CONFIG_*_POSIX_ACL) for each filesystem that is intended to leverage ACLs.

File systems --->
  <*> Second extended fs support
  [*]   Ext2 extended attributes
  [*]     Ext2 POSIX Access Control Lists
  <*> The Extended 3 (ext3) filesystem
  [*]   Ext3 POSIX Access Control Lists
  <*> The Extended 4 (ext4) filesystem
  [*]   Ext4 POSIX Access Control Lists
  <*> Reiserfs support
  [*]   ReiserFS extended attributes
  [*]     ReiserFS POSIX Access Control Lists
  <*> JFS filesystem support
  [*]   JFS POSIX Access Control Lists
  <*> XFS filesystem support
  [*]   XFS POSIX ACL support
  <*> Btrfs filesystem support
  [*]   Btrfs POSIX Access Control Lists
  <*> F2FS filesystem support
  [*]   F2FS extended attributes
  [*]     F2FS Access Control Lists

USE flags

Emerge

Utilities for manipulating ACLs are available in sys-apps/acl:

Additional software

The sys-apps/apply-default-acl package provides a utility improving ACL user experience.

Configuration

Some filesystems, such as ext4, XFS, or Btrfs, enable ACLs by default when mounted. Other filesystems may require extra mount options to enable POSIX ACLs.

For example, in case of ReiserFS there is the acl mount option^[1] available. It can be used in /etc/fstab as:

/dev/sda1    /    reiserfs    noatime,user_xattr,acl    0 1

Usage

The sys-apps/acl provides setfacl, getfacl, and chacl utilities.

Get/read ACL

The getfacl utility is used to read ACLs assigned on files and directories.

For example, to get ACLs on testfile:

# file: testfile
# owner: larry
# group: larry
user::rw-
user:notlarry:r-x
group::r--
mask::r-x
other::r--

Set/modify ACL

The setfacl utility is used to set ACLs on files and directories.

Examples

To add larry to have read, write and execute permissions on testfile:

To add larry to have +write access on testfile:

To add default user access right to read and write permissions on testdir:

To add groupname to have read, write and execute permissions on testfile:

To add groupname to have recursive +execute permissions on testdir:

To add default group access right to read and write permissions on testdir:

To remove ACLs from testfile:

To remove default ACL from testdir:

ACL mask

Troubleshooting

Which files/directories leverage ACLs?

The ls command used with the -l option displays a + sign if the listed file uses ACL.

Notice the + sign on both apache2 and named.

total 54632
drwxr-xr-x+ 2 apache  apache       135 Dec 11 17:48 apache2
-rw-r-----  1 root    root       25085 Jan  4 14:26 dmesg
-rw-rw----  1 portage portage    22088 Jan  4 01:06 emerge-fetch.log
-rw-rw----  1 portage portage  1498948 Jan  4 04:06 emerge.log
-rw-------  1 root    root       32480 Dec 30 21:30 faillog
-rw-r--r--  1 root    root      628240 Nov  6 01:47 genkernel.log
-rw-r--r--  1 root    root      296380 Jan  4 18:43 lastlog
-rw-------  1 root    root    47973000 Jan  4 19:40 messages
drwxr-xr-x  2 mysql   mysql         82 Dec 11 22:04 mysql
drwxrwx---+ 2 named   named       4096 Jan  3 18:09 named
drwxr-xr-x  2 root    root          18 May 14  2010 news
drwxr-xr-x  3 root    root      167936 Jan  4 04:24 portage
-rw-r--r--  1 root    root       88301 Jan  4 14:26 rc.log
drwxr-xr-x  3 root    root        4096 Jan  2 02:55 samba
drwxrwx---  2 root    portage       37 Dec 11 15:21 sandbox
-rw-------  1 root    root       64960 Jan  2 02:59 tallylog
-rw-------  1 root    root         560 Nov 11 02:35 vsftpd.log
drwxr-xr-x  2 root    root          63 Sep 12  2010 webmin
-rw-rw-r--  1 root    utmp     1178112 Jan  4 18:43 wtmp

External resources

• Linux manual page for setfacl

References