Get started Bring yourself up to speed with our introductory content.

Handing out permissions en masse with Linux ACL settings

Setting permissions one by one will eat up an administrator's time. Control permissions better with Linux ACLs.

Not many Linux administrators know how to really apply an access control list (ACL) on a file system to enhance permissions. It's time for that to change.

In the basic Linux permission scheme, permissions are assigned to the owner of a file, the group owner of a file, and everyone else. Every file -- and directory -- on the Linux system has one user owner and one group owner. A Linux administrator can call up the list of current owners and the permissions assigned to them with the ls -l command (see listing 1).

Listing 1: Displaying current permission assignments in a Linux system

Sanders-computer:~ sandervanvugt$$ ls -l

total 24

drwx------+ 13 sandervanvugt staff  442 Oct 20 20:17 Desktop

drwx------+ 103 sandervanvugt staff 3502 Oct 21 08:37 Documents

drwx------+ 289 sandervanvugt staff 9826 Oct 21 10:05 Downloads

drwx------@ 51 sandervanvugt staff 1734 Sep 22 16:31 Library

drwx------+ 29 sandervanvugt staff  986 Oct 9 07:59 Movies

drwx------+  5 sandervanvugt staff  170 May 21 23:19 Music

drwx------+ 24 sandervanvugt staff  816 Sep 19 22:21 Pictures

drwxr-xr-x+  4 sandervanvugt staff  136 Apr 12 2013 Public

drwxr-xr-x  3 sandervanvugt staff  102 Sep 22 16:31 Samsung

-rwxr-xr-x  1 sandervanvugt staff  324 Sep 23 11:51 bart1

-rw-r--r--  1 sandervanvugt staff  148 Aug 14 13:12 rekenprogrammaLOG

-rwxr-xr-x  1 sandervanvugt staff  607 Jul 3 16:59 script3

The default Linux permission scheme works fine if there is just one owner or one group needed on a file.

However, if you need to give one group of users full control of a file, another group only needs to read the file, and others aren't allowed to even access the file, then the default permissions can't help you -- but Linux ACLs can.

A Linux ACL assigns trustees to a file, allowing multiple users and multiple groups to have permissions. You can also set default access control lists, which apply default permissions to any new items created in a directory.

The setfacl command sets permissions using an ACL. The Linux system will display current ACL assignments via the getfacl command (see listing 2).

Applying permissions is straightforward. If, for example, a Linux administrator wants to give members of the organization's sales group access to all files in the directory /groups/account, they would use: setfacl -R -m g:sales:rx /groups/account.

In this command, the option -R is used to apply the ACL recursively to all existing items in the directory /groups/account. The -m option is used to modify the ACL, followed by g for group, then the name of the group and the permissions being assigned.

Listing 2. How to show a Linux ACL's permissions with getfacl

[root@tls groups]# getfacl account/

# file: account/

# owner: root

# group: account






Don't worry if a mask appears as a result of the getfacl command; it is modified automatically.

The default Linux ACL

A Linux ACL command sets permissions on current files, but it doesn't do anything on new files automatically. Typically, if an administrator applies an ACL to a directory, they also want that ACL to apply to all new files created in that directory. This is the prerogative of default ACLs.

Adding a default ACL is as simple as repeating the previous setfacl command with the d option added. To assign the permissions to all new files in that directory, deploy the following command as well:

setfacl -m d:g:sales:rx /groups/account

You can also use getfacl to check current default ACL settings for a directory, as shown in listing 3.

Listing 3. Checking default Linux ACL assignments

[root@tls groups]# getfacl account/

# file: account/

# owner: root

# group: account











Once a default ACL is set, the new permissions will be applied to all items that are created in that directory.

Dig Deeper on Linux servers

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.