ACLs, or Access Control Lists, are available for a variety of
Linux filesystems including ext2, ext3, and XFS. With XFS, ACL support is available
pretty much “out of the box” and with ext2/ext3,
it’s available via a kernel patch that most Linux vendors have applied to the
binary kernels they provide. In all cases, the SGI acl and attr tools are required;
most Linux vendors provide these as well.

Filesystem ACLs are extremely handy in that they allow you to
extend access controls to files and directories beyond the simple
user/group/other ownership. With extended ACLs, you can assign multiple users,
rather than just one, as owners to a certain file.

If the filesystem is XFS, no special steps are required to
enable ACL support. If the filesystem is ext2 or ext3, the filesystem will need
to be mounted with the “acl” option. This can be done by editing
/etc/fstab and changing something like:

/dev/md1 / ext3 defaults 1 1


/dev/md1 / ext3 rw,acl 1 1

Next, you need to remount the filesystem, which can be done
either with a reboot or by executing:

# mount -v -o remount /

This will remount the filesystem with the new options
specified. You may now begin to specify extended ACLs using the setfacl tool. For
instance, suppose you had a file that you wanted to be writable by jim and jane, readable by frank, and not readable by anyone else. This isn’t something that
can easily be done with standard filesystem permissions. You can, however,
accomplish this with setfacl:

# chmod 600 file
# setfacl -m u:jim:rw-,
# setfacl -m u:jane:rw file
# setfacl -m u:frank:r file

The first step sets the permissions to 0600, or read/write by
the owner, with no access to the group or “other”. The second grants
user jim
read/write privileges; the third does the same for user jane. The last grants read privileges to frank only. To view the current ACLs on the file, use getfacl file which will produce output

# file: file
# owner: jim
# group: jim

Likewise, by using ls you can see if extended ACLs are active
on a file:

# ls -al
-rw-------+ 1 jim jim  993014 May 24 10:32 file

The + character at the end of the permissions string indicates
the presence of extended ACLs.

Delivered each Tuesday, TechRepublic’s free Linux NetNote provides tips, articles, and other resources to help you hone your Linux skills. Automatically sign up today!