Traditional Linux access permissions for files and directories consist of setting a combination of read, write, and execute permissions for the owner of the file or directory, a member of the group the file or directory is associated with, and everyone else (other). Access control lists (ACLs) provide a finer-grained access control mechanism than these traditional Linux access permissions.


Installing ACL


Before using ACLs for a file or directory, install the acl package:

# yum install acl


Configuring ACL on a file system


The file system containing the file or directory must also be mounted with ACL support. The following is the syntax to mount a local ext3 file system with ACL support:

# mount -t ext3 -o acl [device-name] [mount-point]


For example:

# mount -t ext3 -o acl /dev/mapper/VolGroup00-LogVol00 /data


If the partition is listed in the /etc/fstab file, include the acl option:

# vi /etc/fstab
LABEL=/data    /data    ext3    acl     0    0


ACL Rules


An ACL consists of a set of rules that specify how a user or group can access the file or directory the ACL is associated with. There are two types of ACL rules:

  • access ACLs: Specify access information for a single file or directory.
  • default ACLs: Pertain to a directory only. They specify the default access information for any file created within the directory that does not have an access ACL of its own.


Display ACLs on files


Use the getfacl utility to display a file's ACL. When a file does not have an ACL, getfacl shows the same information as ls -l, although in a different format. For example, the file test does not have an ACL:

# ls -l test
-rw-rw-r-- 1 oracle oracle 25 Mar 5 10:10 test


Sample getfacl output of the test file:

# getfacl test
# file: test
# owner: oracle
# group: oracle
user::rw-
group::rw-
other::r--


Configuring ACLs on Files


Use the setfacl utility to add or modify one or more rules in a file’s ACL. The syntax is:


# setfacl -m [rules] [files]

The rules are in the following form:


  • u:name:permissions: Sets the access ACL for a user (username or UID)
  • g:name:permissions: Sets the access ACL for the group (group name or GID)
  • m:permissions: Sets the effective rights mask. This is the union of all permissions of the owning group and all of the user and group entries.
  • o:permissions: Sets the access ACL for everyone else (others)


The permissions are the traditional r, w, and x for read, write, and execute, respectively. The following example adds a rule to the ACL for the test file that gives the oracle user read and write permission to that file:

# setfacl -m u:oracle:rw test


The output of getfacl now includes the ACL rule (user:oracle:rw-) and the mask entry that setfacl computes from it:

# getfacl test
# file: test
# owner: oracle
# group: oracle
user::rw-
user:oracle:rw-
group::rw-
mask::rw-
other::r--


When a file has an ACL, ls -l displays a plus sign (+) following the permissions:

# ls -l test
-rw-rw-r--+ 1 oracle oracle 25 Mar 5 10:10 test


Removing ACLs of Files


Use the -x option without specifying any permissions to remove the rules for a user or group:

# setfacl -x u:oracle test


To remove the ACL itself, use the -b option:

# setfacl -b test


Setting the Default ACLs


To set a default ACL, add d: before the rule and specify a directory instead of a file name:

# setfacl -m d:o:rx /share
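The mask rule described under ACL rules and the default entries set above are the two parts of getfacl output that are easy to misread when auditing permissions: a named user entry such as user:oracle:rw- is only granted what the mask also allows. The following parser is an added example, not code from the original article; it reads the text format getfacl prints (including the default: entries of a directory) and reports the rights each entry actually grants. The SAMPLE output is constructed to show the case where a later chmod g-w has rewritten the mask.

```python
# Constructed sample: what getfacl prints for the article's test file after
# `setfacl -m u:oracle:rw test` followed by `chmod g-w test` (chmod on a file
# with an ACL rewrites the mask entry, not the group entry).
SAMPLE = """\
# file: test
# owner: oracle
# group: oracle
user::rw-
user:oracle:rw-              #effective:r--
group::rw-                   #effective:r--
mask::r--
other::r--
"""

def perm_bits(perm):
    # 'rwx'-style string (dash = unset) -> 3-bit value, r=4 w=2 x=1
    return sum(1 << (2 - i) for i, c in enumerate(perm[:3]) if c != "-")

def bits_perm(bits):
    # inverse of perm_bits
    return "".join(c if bits & (1 << (2 - i)) else "-" for i, c in enumerate("rwx"))

def parse_getfacl(text):
    # Yields (scope, tag, qualifier, perms); scope is 'access' or 'default'
    # (the d: entries of a directory). '#' header/effective comments are dropped.
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        scope = "access"
        if line.startswith("default:"):
            scope, line = "default", line[len("default:"):]
        tag, qualifier, perms = line.split(":")
        yield scope, tag, qualifier, perms

def effective_permissions(text):
    # Map each entry (named as getfacl prints it) to the rights actually granted.
    entries = list(parse_getfacl(text))
    masks = {s: perm_bits(p) for s, t, _, p in entries if t == "mask"}
    result = {}
    for scope, tag, qualifier, perms in entries:
        bits = perm_bits(perms)
        # The mask limits named users, the owning group and named groups,
        # but never the owner (user::) or other::.
        if tag == "group" or (tag == "user" and qualifier):
            bits &= masks.get(scope, 0b111)
        prefix = "" if scope == "access" else "default:"
        result[f"{prefix}{tag}:{qualifier}"] = bits_perm(bits)
    return result
```

Run it against `getfacl -p` output of any file to see which named entries are silently narrowed by the mask; an entry reported as rw- by setfacl but r-- here is the case the #effective comment warns about.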

