SH
SHELL
AI Powered Learning Portal
Beyond rwx: Advanced Permissions and ACLs
·TechSoftware Development

Beyond rwx: Advanced Permissions and ACLs

Break free from the limitations of simple User/Group/Other permissions. Learn to use Access Control Lists (ACLs) to grant granular access to multiple users and groups on a single file. Master 'setfacl' and 'getfacl'.

linuxsecurityaclgetfaclsetfaclpermissionssysadmin

Advanced Permissions and ACLs: Granular Control

As we learned in Module 4, standard Linux permissions are based on the User-Group-Other model. This is simple and fast, but it has a major limitation: what if you need to give Read/Write access to two specific users who are in different groups?

In the standard model, you only have one "Group" slot. If you use it for Alice's team, you can't use it for Bob's team.

The solution is Access Control Lists (ACLs). ACLs allow you to attach a list of specific permissions to a file, granting unique rights to an unlimited number of users and groups.

1. The Limitation of Standard Permissions

Imagine a project file: budget.xlsx.

  • Owner: finance_mgr (r/w)
  • Group: accounting (r)
  • Problem: You need to give the CEO (user:mark) Read/Write access, but he is not in the accounting group and you don't want to make the file "World Writable."

With standard permissions, this is impossible. With ACLs, it's one command.

2. Reading ACLs: getfacl

To see a file's ACL, we use getfacl (Get File Access Control List).

getfacl budget.xlsx

How to spot a file with an ACL:

In an ls -l output, a file with an ACL will have a plus sign (+) at the end of the permission string.

-rw-r-xr--+ 1 finance_mgr accounting ... budget.xlsx

3. Setting ACLs: setfacl

The setfacl command allows you to add or modify permissions. The syntax uses m for modify.

Granting User Access:

# Give user 'alice' Read/Write (rw-) access to 'file.txt'
setfacl -m u:alice:rw- file.txt

Granting Group Access:

# Give the 'developers' group Read (r--) access
setfacl -m g:developers:r-- file.txt

Removing an ACL:

# Remove all ACLs and return to standard permissions
setfacl -b file.txt

4. Default ACLs (The "Inheritance" Trick)

One of the most powerful features of ACLs is the Default ACL. If you set a default ACL on a folder, every new file created inside that folder will automatically inherit those permissions.

# Any new file created in /projects/shared will be readable by 'audit_user'
setfacl -m d:u:audit_user:r /projects/shared

5. Practical: Managing a Shared Team Folder

Here is the professional workflow for setting up a cross-functional project directory:

# 1. Create the dir
mkdir /projects/nexus

# 2. Give the lead developer full access via standard ownership
sudo chown lead_dev:dev_team /projects/nexus
chmod 770 /projects/nexus

# 3. Give the separate 'marketing' user read access via ACL
setfacl -m u:marketing_user:rx /projects/nexus

# 4. Verify the new access
getfacl /projects/nexus

6. Example: An ACL Integrity Checker (Python)

If you are managing a high-security server, you need to know exactly who has "invisible" permissions via ACLs. Here is a Python script that scans a directory and lists all files that have non-standard Access Control Lists.

import subprocess
import os

def check_for_acls(directory):
    """
    Scans a directory using 'getfacl' to find non-standard permissions.
    """
    acl_files = []
    
    for root, dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            
            try:
                # Run getfacl and check for extra user entries
                result = subprocess.run(['getfacl', '-c', '-p', path], 
                                     capture_output=True, text=True)
                
                # If the output contains more than user::, group::, other::
                lines = result.stdout.strip().split('\n')
                # A standard file has 3 lines of ACL info plus comments
                if len(lines) > 3:
                    acl_files.append(path)
            except:
                continue
                
    return acl_files

if __name__ == "__main__":
    target = "/home/sudeep/shared"
    print(f"Auditing ACLs in {target}...")
    
    found = check_for_acls(target)
    if found:
        print(f"Found {len(found)} files with extended ACLs:")
        for f in found: print(f"  [+] {f}")
    else:
        print("No advanced ACLs detected.")

7. The ACL Mask: The "Kill Switch"

ACLs have a special entry called the Mask. The Mask defines the maximum permissions any ACL user (except the owner) can have. Even if you give Alice rwx in the ACL, if the mask is set to r--, Alice can only read the file.

This is a powerful "Master Switch" for locking down a folder's extra permissions.

8. Summary

ACLs provide the precision that the standard Linux model lacks.

  • Use getfacl to see the full list of stakeholders.
  • Use setfacl -m to add specific users or groups.
  • Use Default ACLs (d:) for folder inheritance.
  • Always check for the + symbol in ls -l to know when ACLs are at play.

In the next lesson, we will explore the most mysterious part of Linux security: Special Permissions (SUID, SGID, and the Sticky Bit).

Quiz Questions

  1. How can you tell if a file has an ACL just by looking at the output of ls -l?
  2. What happens if you run setfacl -b on a file?
  3. What is the benefit of a "Default ACL" on a directory?

Continue to Lesson 5: Special Permissions—SUID, SGID, and the Sticky Bit.

Previous LessonThe Identity Database: /etc/passwd and /etc/shadow
Next LessonThe Trinity of Special Permissions: SUID, SGID, and the Sticky Bit

Subscribe to our newsletter

Get the latest posts delivered right to your inbox.

Subscribe on LinkedIn