Ubuntu 24.04

ACL : Access Control List (2024/05/13)

 
Set ACLs (Access Control Lists) on files or directories.
ACLs let you grant permissions to individual named users and groups beyond the single owner/group/other triads of the traditional POSIX mode bits, so access can be controlled more finely than with chmod alone.
[1] Install ACL tools.
root@dlp:~#
apt -y install acl
[2] To use ACLs, the filesystem must support them (ext2/ext3/ext4, xfs, ...) and the ACL feature must be enabled on that filesystem. On Ubuntu with the default [ext4] root filesystem, the [acl] option is already enabled through the filesystem's default mount options, as checked below.
root@dlp:~#
df -hT /

Filesystem                        Type  Size  Used Avail Use% Mounted on
/dev/mapper/ubuntu--vg-ubuntu--lv ext4   77G  9.1G   64G  13% /

# show default mount option

root@dlp:~#
tune2fs -l /dev/ubuntu-vg/ubuntu-lv | grep "Default mount options"

Default mount options:    user_xattr acl     # acl option is enabled
[3] If you need to enable the ACL option on a filesystem manually, do it as follows.
# mount with acl option to enable ACL

root@dlp:~#
mount -o acl /dev/sdb1 /mnt

root@dlp:~#
mount | grep sdb1

/dev/sdb1 on /mnt type ext4 (rw,acl)
# alternatively, add the acl option to the filesystem's persistent default mount options (takes effect on the next mount)

root@dlp:~#
tune2fs -o acl /dev/sdb1

root@dlp:~#
tune2fs -l /dev/sdb1 | grep "Default mount options"

Default mount options: acl
[4] Set ACL.
For example, create a file [/home/test.txt] owned by [root:root] with mode [600] (as shown by ll below) and set an ACL on it.
root@dlp:~#
ll /home/test.txt

-rw------- 1 root root 13 May 13 03:34 /home/test.txt

# set r(read) for [ubuntu] user to /home/test.txt

root@dlp:~#
setfacl -m u:ubuntu:r /home/test.txt
# after setting an ACL, [+] is appended to the mode string
# note: the group triad of ls now displays the ACL mask (r--), not the owning group's own permission (still --- in getfacl below); chmod on the group bits therefore changes the mask, which caps every named user/group entry

root@dlp:~#
ll /home/test.txt

-rw-r-----+ 1 root root 13 May 13 03:34 /home/test.txt

# confirm settings

root@dlp:~#
getfacl /home/test.txt

# file: home/test.txt
# owner: root
# group: root
user::rw-
user:ubuntu:r--
group::---
mask::r--
other::---

# verify accesses with [ubuntu] user

ubuntu@dlp:~$
cat /home/test.txt

ACL test file  
# read succeeds, as granted by the [user:ubuntu:r--] entry
# verify accesses with another user

noble@dlp:~$
cat /home/test.txt

cat: /home/test.txt: Permission denied  
# denied normally
[5] Set ACL to a directory recursively.
# set r-x(read/execute) for [ubuntu] to [/home/testdir] recursively
# caveat: a lowercase [x] also grants execute on every regular file in the tree (see testfile.txt* below);
# prefer [u:ubuntu:rX] (capital X), which applies execute only to directories and to files that already have an execute bit

root@dlp:~#
setfacl -R -m u:ubuntu:rx /home/testdir
root@dlp:~#
ll -laR /home/testdir

/home/testdir:
total 12
drwxr-x---+ 2 root root 4096 May 13 03:38 ./
drwxr-xr-x  5 root root 4096 May 13 03:38 ../
-rw-r-x---+ 1 root root   13 May 13 03:38 testfile.txt*

root@dlp:~#
getfacl -R /home/testdir

getfacl: Removing leading '/' from absolute path names
# file: home/testdir
# owner: root
# group: root
user::rwx
user:ubuntu:r-x
group::---
mask::r-x
other::---

# file: home/testdir/testfile.txt
# owner: root
# group: root
user::rw-
user:ubuntu:r-x
group::---
mask::r-x
other::---

# verify with [ubuntu]

ubuntu@dlp:~$
cat /home/testdir/testfile.txt

ACL testfile
[6] Set ACL by group.
# set rw(read/write) for [security] group to [/home/test.txt]

root@dlp:~#
setfacl -m g:security:rw /home/test.txt

root@dlp:~#
getfacl /home/test.txt

# file: home/test.txt
# owner: root
# group: root
user::rw-
user:ubuntu:r--
group::---
group:security:rw-
mask::rw-
other::---

# verify with [ubuntu] user who is in [security] group
# caveat: [ubuntu] still has the named-user entry [r--] above; under the POSIX ACL access check (acl(5)) a matching
# named-user entry is evaluated on its own and group entries are then not consulted, so the write below is expected to be
# denied until that entry is removed (setfacl -x u:ubuntu) or raised -- confirm on your own system, or test with a
# member of [security] that has no named-user entry

ubuntu@dlp:~$
echo "test write" >> /home/test.txt

ubuntu@dlp:~$
cat /home/test.txt

ACL test file
test write
# verify with another user who is not in [security] group

noble@dlp:~$
echo "test write" >> /home/test.txt

-bash: /home/test.txt: Permission denied
[7] Remove ACL.
# remove all extended ACL entries (including any default ACL) from [/home/test.txt]; the base owner/group/other permissions are kept

root@dlp:~#
setfacl -b /home/test.txt
# remove only the [ubuntu] user entry from [/home/test.txt] (other entries stay; the mask is recalculated)

root@dlp:~#
setfacl -x u:ubuntu /home/test.txt
[8] Set default ACL to a directory.
If files/directories are created under a directory that has a default ACL, new entries inherit the default ACL as their access ACL (and subdirectories also inherit it as their default ACL).
Be careful with [chmod] on a file or directory that has an ACL: changing the group bits changes the ACL mask entry, which caps the effective permissions of all named users and groups, so chmod can silently revoke (or re-expand) ACL-granted access without the ACL entries themselves changing.
root@dlp:~#
setfacl -m u:ubuntu:r-x /home/testdir
# set default ACL [r-x(read/execute)] for [ubuntu] to [/home/testdir] directory

root@dlp:~#
setfacl -d -m u:ubuntu:r-x /home/testdir

root@dlp:~#
getfacl /home/testdir

getfacl: Removing leading '/' from absolute path names
# file: home/testdir
# owner: root
# group: root
user::rwx
user:ubuntu:r-x
group::---
mask::r-x
other::---
default:user::rwx
default:user:ubuntu:r-x
default:group::---
default:mask::r-x
default:other::---

root@dlp:~#
umask 077; echo "ACL default setting" > /home/testdir/test.txt

root@dlp:~#
ll /home/testdir/test.txt

-rw-r-----+ 1 root root 20 May 13 03:44 /home/testdir/test.txt

# note: the new file got [r--] for ubuntu/mask even though umask was 077; when the directory has a default ACL,
# the umask is not applied to newly created files -- only the requested mode masked by the default ACL is.
# a restrictive umask therefore no longer protects files created in such a directory
# verify with [ubuntu]

ubuntu@dlp:~$
cat /home/testdir/test.txt

ACL default setting
[9] Remove default ACL.
root@dlp:~#
setfacl -k /home/testdir

root@dlp:~#
getfacl /home/testdir

getfacl: Removing leading '/' from absolute path names
# file: home/testdir
# owner: root
# group: root
user::rwx
user:ubuntu:r-x
group::---
mask::r-x
other::---
[10] Set ACL from a configuration file.
# create a configuration file for ACL in getfacl output format
# to copy ACLs to another system, export them with [getfacl -R /path > acl.txt] and apply with [setfacl --restore]
# caveat: --restore also applies the base entries (user::, group::, other::), so it rewrites the mode bits of the target;
# below, [/home/test.txt] ends up as -rwx------+ for the owner because the file lists user::rwx

root@dlp:~#
vi acl.txt
# file: /home/testdir
# owner: root
# group: root
user::rwx
user:ubuntu:r-x
group::---
mask::r-x
other::---

# file: /home/test.txt
# owner: root
# group: root
user::rwx
user:ubuntu:r--
group::---
mask::r--
other::---

root@dlp:~#
setfacl --restore=acl.txt

root@dlp:~#
ll /home

total 24
drwxr-xr-x   5 root   root   4096 May 13 03:38 ./
drwxr-xr-x  23 root   root   4096 May 13 03:33 ../
drwxr-x---   2 noble  noble  4096 May 13 03:37 noble/
-rwxr-----+  1 root   root     24 May 13 03:42 test.txt*
drwxr-x---+  2 root   root   4096 May 13 03:44 testdir/
drwxr-x--x   7 ubuntu ubuntu 4096 May 13 02:47 ubuntu/