
Linux filesystem ACL

you can check if your filesystem supports ACLs with the following command (it works for ext2/ext3/ext4 filesystems; replace /dev/sda1 with your actual filesystem) :

sudo tune2fs -l /dev/sda1 | grep "Default mount"

if "acl" is not listed in the default mount options, you will have to add the "acl" mount option to this filesystem's entry in /etc/fstab

to see the current ACL on a file, use the getfacl command; on a file with no extended ACL entries it only displays the standard permissions

userX@box:/tmp$ getfacl file

# file: file
# owner: userX
# group: userX
user::rw-
group::r--
other::r--

now let's add permissions for another user (userY) on top of the standard permissions with the setfacl command :

setfacl -m "u:userY:rw-" file

list again with getfacl :

userX@box:/tmp$ getfacl file

# file: file
# owner: userX
# group: userX
user::rw-
user:userY:rw-
group::r--
mask::rw-
other::r--

we can see that the standard permissions are unchanged, that user userY now has access to the file and that a "mask" entry was created.

breaking this down :

entry            description
# file: file     name of the file
# owner: userX   user/owner of the file
# group: userX   owning group of the file
user::rw-        equivalent to user:userX:rw- (permissions of the file owner; the uid field is empty)
user:userY:rw-   permissions granted to the named user userY
group::r--       equivalent to group:userX:r-- (permissions of the owning group; the gid field is empty)
mask::rw-        upper bound on the effective permissions of named users, the owning group and named groups; it does not limit the file owner (user::) or other::
other::r--       permissions granted to every other user
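the mask is where people get surprised : setfacl -m "u:userY:rw-" grants rw-, but if the mask is later tightened (for example by chmod g-w on the file, which rewrites the mask), userY's effective access silently drops and getfacl only hints at it with a "#effective:" comment. the following script is an added example written for this note, not part of the getfacl/setfacl tools : it parses getfacl output (the sample input is constructed, a copy of the listing above with the mask tightened to r--), applies the mask rules from acl(5) to each entry, and reports the entries whose granted permissions exceed what the mask allows. the function and variable names are my own.

```python
"""Parse getfacl(1) output and compute effective permissions under the mask.

Added example for this note; the sample input below is constructed.
"""
import re
from dataclasses import dataclass

# Constructed sample: the listing from the note above, but with the mask
# tightened to r-- so that userY's rw- entry is limited by the mask.
SAMPLE_TIGHT_MASK = """\
# file: file
# owner: userX
# group: userX
user::rw-
user:userY:rw-
group::r--
mask::r--
other::r--
"""

# Constructed sample: the listing exactly as shown in the note (mask rw-).
SAMPLE_PAGE_MASK = SAMPLE_TIGHT_MASK.replace("mask::r--", "mask::rw-")

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def perm_to_bits(perm: str) -> int:
    """'rw-' -> 6; characters other than r/w/x are ignored."""
    return sum(PERM_BITS.get(c, 0) for c in perm)


def bits_to_perm(bits: int) -> str:
    """6 -> 'rw-'."""
    return "".join(ch if bits & bit else "-" for ch, bit in PERM_BITS.items())


@dataclass
class AclEntry:
    scope: str      # "access" or "default" (default entries exist on directories)
    tag: str        # user, group, mask, other
    qualifier: str  # empty for owner / owning group / mask / other
    perms: int      # granted permissions as rwx bits
    effective: int  # permissions after applying the mask of the same scope


def parse_getfacl(text: str) -> dict:
    """Return {'file', 'owner', 'group', 'entries': [AclEntry, ...]}."""
    header = {}
    raw = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            m = re.match(r"#\s*(file|owner|group):\s*(.*)", line)
            if m:
                header[m.group(1)] = m.group(2)
            continue
        # Drop a trailing "#effective:..." comment if getfacl printed one.
        line = line.split("#", 1)[0].strip()
        scope = "access"
        if line.startswith("default:"):
            scope = "default"
            line = line[len("default:"):]
        tag, qualifier, perm = line.split(":", 2)
        raw.append((scope, tag, qualifier, perm_to_bits(perm)))

    # One mask per scope; a file without named entries may have no mask at all.
    masks = {scope: perms for scope, tag, _, perms in raw if tag == "mask"}
    entries = []
    for scope, tag, qualifier, perms in raw:
        # acl(5): the mask limits named users, the owning group and named
        # groups. The owner entry (user::) and other:: are never masked.
        masked = tag == "group" or (tag == "user" and qualifier != "")
        mask = masks.get(scope)
        effective = perms & mask if (masked and mask is not None) else perms
        entries.append(AclEntry(scope, tag, qualifier, perms, effective))
    return {**header, "entries": entries}


def masked_entries(text: str) -> list:
    """Entries whose granted permissions exceed what the mask allows."""
    acl = parse_getfacl(text)
    return [(e.scope, e.tag, e.qualifier, bits_to_perm(e.perms), bits_to_perm(e.effective))
            for e in acl["entries"] if e.effective != e.perms]


if __name__ == "__main__":
    for sample in (SAMPLE_PAGE_MASK, SAMPLE_TIGHT_MASK):
        acl = parse_getfacl(sample)
        print(f"{acl['file']} (owner {acl['owner']}, group {acl['group']})")
        for e in acl["entries"]:
            print(f"  {e.scope:7} {e.tag}:{e.qualifier}:{bits_to_perm(e.perms)}"
                  f"  effective {bits_to_perm(e.effective)}")
        print("  limited by mask:", masked_entries(sample) or "none")
```

with the note's own listing (mask rw-) nothing is limited; with the mask at r-- the script reports that userY's rw- is effectively r--. piping real output into it (getfacl file | python3 script.py, after replacing the constructed samples with sys.stdin) is a cheap way to audit which named users and groups actually have the access they appear to have.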

sources :

https://man7.org/linux/man-pages/man5/acl.5.html

https://man7.org/linux/man-pages/man1/getfacl.1.html

https://man7.org/linux/man-pages/man1/setfacl.1.html