Module – 7.3 User & Group Administration Access Control List (ACL)

What is Linux ACL ?

Working with permissions on Linux is rather a simple task. 
You can define permissions for users, groups or others. 
This works really well when you work on a desktop PC or a 
virtual Linux instance which typically doesn't have a lot of users, 
or when users don't share files among themselves. 
However, what if you are a big organization where you operate NFS 
or Samba servers for diverse users. 
Then you will need to be nitpicky and set up more complex 
configurations and permissions to meet the requirements of your 

Linux (and other Unixes, that are POSIX compliant) has so-called 
Access Control Lists (ACLs), which are a way to assign permissions 
beyond the common paradigm. For example, by default you apply 
three permission groups: owner, group, and others. 

With ACLs, you can add permissions for other users or groups that 
are not simple "others" or any other group that the owner is not 
part of it.

You can allow particular users A, B and C to have write permissions
without letting their whole group to have writing permission. 
ACLs are available for a variety of Linux filesystems including 
EXT2, EXT3, EXT4, XFS  etc. If you are not sure if the filesystem 
you are using supports ACLs, just read the documentation.

Okay…Lets move on to lab:

Step:1 Install ACL package

# yum -y install acl

Step:2 Enable ACLs on your File system

# mount -t ext4 -o acl /dev/VolGroup00/LogVol02 /work

Step:3 Update /etc/fstab

LABEL=/work      /work       ext4    acl        1 2

Step:4 Set access ACL for user

setfacl -m u:senthil:rw /part1

Step:5 Check the ACL status

getfacl  /part1

Step:6 To remove the ACL for specific user

setfacl -x u:senthil:rw /part1


More to understand…

An access ACL is the access control list for a specific file or directory.
A default ACL can only be associated with a directory; if a file within the directory does not have an access ACL, it uses the rules of the default ACL for the directory. Default ACLs are optional.


ACLs can be configured:

  1. Per user
  2. Per group
  3. Via the effective rights mask
  4. For users not in the user group for the file

The setfacl utility sets ACLs for files and directories. Use the -m option to add or modify the ACL of a file or directory:

setfacl -m <rules> <files>

Rules (<rules>) must be specified in the following formats. Multiple rules can be specified in the same command if they are separated by commas.

Sets the access ACL for a user. The user name or UID may be specified. The user may be any valid user on the system.
Sets the access ACL for a group. The group name or GID may be specified. The group may be any valid group on the system.
Sets the effective rights mask. The mask is the union of all permissions of the owning group and all of the user and group entries.
Sets the access ACL for users other than the ones in the group for the file.

White space is ignored. Permissions (<perms>) must be a combination of the characters r, w, and x for read, write, and execute.

If a file or directory already has an ACL, and the setfacl command is used, the additional rules are added to the existing ACL or the existing rule is modified.


Leave a Comment

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>