Rodrigo Vieira

Access Control List - ACL

Access Control Lists (ACLs) extend the well-known Linux ugo/rwx permission scheme by letting us set distinct permissions for individual users or groups.

Requirements

The filesystem that holds the files you want to set ACLs on must be mounted with ACL support. You can check that by running:

mount | grep /dev/xvda1
/dev/xvda1 on / type xfs (rw,relatime,seclabel,attr2,inode64,noquota)

We can see attr2, which indicates that this filesystem supports extended attributes (ACLs). If you don't see that option for your filesystem, or if you see noacl, you can fix it in /etc/fstab by adding or removing the appropriate options, and then remounting the filesystem:

mount /dev/xvda1 -o remount

You can't remount the root / filesystem. You have to reboot your machine to get new options enabled.

Using ACLs

Imagine that we have these two groups and 5 users:

  • devs: euler, colleen, eric
  • ops: rodrigo, jonas

And we have a project folder that devs have full access to:

# Create the two groups and the five users
groupadd devs
groupadd ops
useradd euler
useradd colleen
useradd eric
useradd rodrigo
useradd jonas
usermod -aG devs euler
usermod -aG devs colleen
usermod -aG devs eric
usermod -aG ops rodrigo
usermod -aG ops jonas

mkdir /var/projectX
touch /var/projectX/main.py

# Owner euler, group devs, no access for anyone else
chown -R euler:devs /var/projectX
chmod -R 770 /var/projectX

But what if we want to grant write access to a user who is not in the devs group?
We could create a new group that includes all the necessary users, but that would get messy fast.

With ACLs we can grant individual users access to files and directories. For example, to give jonas write permission on the main.py file:

setfacl -m u:jonas:rw /var/projectX/main.py
setfacl -m u:jonas:rx /var/projectX

OK, jonas can now read and enter the /var/projectX folder, and can also write to main.py.

We can check for ACLs on a file by running the getfacl command:


getfacl /var/projectX/main.py

getfacl: Removing leading '/' from absolute path names
# file: var/projectX/main.py
# owner: euler
# group: dev
user::rwx
user:jonas:rw-
group::rwx
mask::rwx
other::---

We can remove the above ACLs by replacing -m with -x, or use -b to remove all ACLs from a file or directory:

setfacl -b /var/projectX
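
The mask:: line in the getfacl output shown earlier caps what named users such as jonas actually get, so an entry can read rw- and still not be writable. The following script is an added example, not code from the original post: it computes effective permissions from getfacl text and lists the named users who can write. The function names and the narrowed ACL are constructed for illustration.

```shell
#!/bin/sh
# Added example: effective permissions from `getfacl` text read on stdin.
# POSIX ACL rule: named-user, named-group and owning-group entries are
# limited by the mask entry; the owner (user::) and other:: are not.
acl_effective() {
    awk -F: '
        BEGIN { n = 0 }
        /^#/ || NF < 3 { next }      # header comments, blank lines
        $1 == "default" { next }     # default ACLs only seed new files
        { tag[n] = $1; who[n] = $2; perm[n] = substr($3, 1, 3); n++ }
        $1 == "mask" { mask = perm[n - 1]; has_mask = 1 }
        END {
            for (i = 0; i < n; i++) {
                p = perm[i]
                masked = (tag[i] == "user" && who[i] != "") || tag[i] == "group"
                if (has_mask && masked) {
                    p = ""
                    for (c = 1; c <= 3; c++)
                        p = p (substr(mask, c, 1) == "-" ? "-" : substr(perm[i], c, 1))
                }
                print tag[i] ":" who[i] ":" p
            }
        }'
}

# Named users whose effective permissions include write.
acl_named_writers() {
    acl_effective | awk -F: '$1 == "user" && $2 != "" && $3 ~ /w/ { print $2 }'
}

# ACL entries from the getfacl output shown on this page.
PAGE_ACL='user::rwx
user:jonas:rw-
group::rwx
mask::rwx
other::---'

# Constructed variant: the same ACL after something like `chmod g=rx`,
# which rewrites the mask on a file that carries an ACL.
NARROWED_ACL=$(printf '%s\n' "$PAGE_ACL" | sed 's/^mask::rwx$/mask::r-x/')

printf '%s\n' "$PAGE_ACL" | acl_named_writers      # jonas
printf '%s\n' "$NARROWED_ACL" | acl_effective      # user:jonas:rw- is now r--
```

On a live system, pipe the output of getfacl /var/projectX/main.py into either function.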

I hope you've learned a little bit about Linux ACLs. You can learn more at Setting Access ACLs.
