To go beyond the well-known Linux permission scheme `ugo`/`rwx` and set distinct permissions for individual users or groups, we can leverage Access Control Lists (ACLs).
Requirements
The filesystem holding the files you want to set ACLs on must be mounted with ACL support. You can check that by listing the mounts and looking at the options of your filesystem:

```
mount | grep /dev/xvda1
/dev/xvda1 on / type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
```
We can see `attr2`, which indicates that this filesystem supports extended attributes, and therefore ACLs. If you don't see that option for your filesystem, or if you see `noacl`, you can fix it in `/etc/fstab` by adding or removing the appropriate options and remounting the filesystem:

```
mount /dev/xvda1 -o remount
```
You can't remount the root (`/`) filesystem this way. You have to reboot your machine to get the new options enabled.
Using ACLs
Imagine that we have these two groups and five users:

- `devs`: euler, colleen, eric
- `ops`: rodrigo, jonas
And we have a project folder that `devs` have full access to:

```
groupadd devs
groupadd ops
useradd euler
useradd colleen
useradd eric
useradd rodrigo
useradd jonas
usermod -aG devs euler
usermod -aG devs colleen
usermod -aG devs eric
usermod -aG ops rodrigo
usermod -aG ops jonas
mkdir /var/projectX
touch /var/projectX/main.py
chown -R euler:devs /var/projectX
chmod -R 770 /var/projectX
```
But what if we want to grant write access to a user that is not in the `devs` group? We could create a new group that includes all the necessary users, but that would get messy fast.

With ACLs we can grant individual users access to files and directories. Hence, to add write permission for `jonas` on the `main.py` file:

```
setfacl -m u:jonas:rw /var/projectX/main.py
setfacl -m u:jonas:rx /var/projectX
```
OK, `jonas` can now read and enter the `/var/projectX` folder and also write to `main.py`.
We can check the ACLs on a file by running the `getfacl` command:

```
getfacl /var/projectX/main.py
getfacl: Removing leading '/' from absolute path names
# file: var/projectX/main.py
# owner: euler
# group: devs
user::rwx
user:jonas:rw-
group::rwx
mask::rwx
other::---
```
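The `mask::` line in that output is what the kernel actually caps named entries with, so a later `chmod` on the group bits can silently shrink what `jonas` gets. As an added example (not part of the original post), here is a small shell helper that reads `getfacl` output and reports what an entry effectively grants, i.e. the entry ANDed with the mask; the two samples are constructed, the second showing the file after a hypothetical `chmod 750`.

```shell
#!/bin/sh
# Added example (not from the original post): compute what a named ACL entry
# actually grants, i.e. the entry ANDed with the mask:: entry. Reads getfacl
# output on stdin; $1 names the entry, e.g. "user:jonas", "group:ops", "group:".
effective_perm() {
    awk -v want="$1" -F: '
        { sub(/[ \t]*#.*$/, "") }   # drop header comments and "#effective:" notes
        $1 == "mask" && $2 == "" { mask = $3 }
        ($1 ":" $2) == want {
            perm = $3
            # the mask never limits the owner (user::) or the other:: entry
            masked = !($1 == "other" || ($1 == "user" && $2 == ""))
        }
        END {
            if (perm == "") { print "absent"; exit 0 }
            if (!masked || mask == "") { print perm; exit 0 }
            out = ""
            for (i = 1; i <= 3; i++) {
                p = substr(perm, i, 1); m = substr(mask, i, 1)
                out = out ((p != "-" && m != "-") ? p : "-")
            }
            print out
        }'
}

# Constructed sample: the post's ACL right after "setfacl -m u:jonas:rw".
ACL_AFTER_SETFACL='# file: var/projectX/main.py
# owner: euler
# group: devs
user::rwx
user:jonas:rw-
group::rwx
mask::rwx
other::---'

# Constructed sample: the same file after a later "chmod 750". With an ACL
# present, chmod rewrites the mask, not the group entry, so jonas silently
# drops to read-only even though his entry still says rw-.
ACL_AFTER_CHMOD_750='# file: var/projectX/main.py
# owner: euler
# group: devs
user::rwx
user:jonas:rw-          #effective:r--
group::rwx              #effective:r-x
mask::r-x
other::---'

jonas_before() { printf '%s\n' "$ACL_AFTER_SETFACL" | effective_perm user:jonas; }   # rw-
jonas_after()  { printf '%s\n' "$ACL_AFTER_CHMOD_750" | effective_perm user:jonas; } # r--
```

Pipe real `getfacl` output into `effective_perm` to check a user's actual access on a file whose `getfacl` lines carry `#effective:` annotations.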
We can remove the ACLs above by replacing `-m` with `-x` (the `-x` form takes just the entry, e.g. `u:jonas`, without permissions), or by using `-b` to remove all ACLs from a file or directory:

```
setfacl -b /var/projectX
```
I hope you've learned a little bit about Linux ACLs; you can learn more at Setting Access ACLs.