Enterprise Software

Learn to use extended filesystem ACLs

Learn to use the handy filesystem ACLs to extend access controls to files and directories with more flexibility.

ACLs, or Access Control Lists, are available for a variety of Linux filesystems including ext2, ext3, and XFS. With XFS, ACL support is available pretty much "out of the box" and with ext2/ext3, it's available via a kernel patch that most Linux vendors have applied to the binary kernels they provide. In all cases, the SGI acl and attr tools are required; most Linux vendors provide these as well.

Filesystem ACLs are extremely handy in that they allow you to extend access controls to files and directories beyond the simple user/group/other ownership. With extended ACLs, you can assign multiple users, rather than just one, as owners to a certain file.

If the filesystem is XFS, no special steps are required to enable ACL support. If the filesystem is ext2 or ext3, the filesystem will need to be mounted with the "acl" option. This can be done by editing /etc/fstab and changing something like:

/dev/md1 / ext3 defaults 1 1


/dev/md1 / ext3 rw,acl 1 1

Next, you need to remount the filesystem, which can be done either with a reboot or by executing:

# mount -v -o remount /

This will remount the filesystem with the new options specified. You may now begin to specify extended ACLs using the setfacl tool. For instance, suppose you had a file that you wanted to be writable by jim and jane, readable by frank, and not readable by anyone else. This isn't something that can easily be done with standard filesystem permissions. You can, however, accomplish this with setfacl:

# chmod 600 file
# setfacl -m u:jim:rw-,
# setfacl -m u:jane:rw file
# setfacl -m u:frank:r file

The first step sets the permissions to 0600, or read/write by the owner, with no access to the group or "other". The second grants user jim read/write privileges; the third does the same for user jane. The last grants read privileges to frank only. To view the current ACLs on the file, use getfacl file which will produce output like:

# file: file
# owner: jim
# group: jim

Likewise, by using ls you can see if extended ACLs are active on a file:

# ls -al
-rw———-+ 1 jim jimĀ  993014 May 24 10:32 file

The + character at the end of the permissions string indicates the presence of extended ACLs.

Delivered each Tuesday, TechRepublic's free Linux NetNote provides tips, articles, and other resources to help you hone your Linux skills. Automatically sign up today!


Vincent Danen works on the Red Hat Security Response Team and lives in Canada. He has been writing about and developing on Linux for over 10 years and is a veteran Mac user.

Editor's Picks