ACL - Linux

Access Control List

  • A directory can carry a default ACL; the default ACL is applied to every file and subdirectory created in that directory
  • `default` sets the default ACL entries of a directory. Once a directory has a default ACL, newly created files and subdirectories inherit that directory's default ACL
  • Only root can change the owner / group; the owner cannot change the owner of a file / directory
  • Only the owner / root can change permissions; a user who is merely in the group cannot change permissions

ACL order

Ref: POSIX Access Control Lists on Linux

The first matching entry class is used, checked in this order:

  • owner
  • named users
  • (owning or named) groups
  • others

Group ACL entry

  • Group entries do not use first-match: every matching group entry (owning group and named groups) is checked
  • If any matching group entry allows the access, the request is allowed

Example

admin is in groups admin and user

id admin
uid=1000(admin) gid=1000(admin) groups=1000(admin),1001(user)

user is in group user

id user
uid=1001(user) gid=1001(user) groups=1001(user)

getfacl file
# file: file
# owner: root
# group: root
user::rw-
group::r--
group:user:---
group:admin:r--
mask::r--
other::---

getfacl first
# file: first
# owner: root
# group: root
user::rw-
group::r--
user:admin:---
group:user:---
group:admin:r--
mask::r--
other::---

User    cat file   cat first
admin   allow      deny
user    deny       deny

admin reading file is allowed

getfacl file
...
group:user:---
group:admin:r--
mask::r--

user admin is allowed to access file:

  • access is allowed if any group of the process is granted the permission
  • even though group user is denied

admin reading first is denied

getfacl first
...
user:admin:---
group:user:---
group:admin:r--
mask::r--

user admin is denied access to first:

  • the first matching named user ACL entry is used, and group entries are never consulted
  • even though group admin is allowed access

Mask

Ref: ACL Mask Value in Linux

Ref: man setfacl

  • The mask is the highest effective permission allowed for named users, the owning group and named groups (owner and other entries are not masked)
  • setfacl automatically creates / recalculates the mask entry (the union of all entries the mask covers) by default, unless option -n is given
  • Masks only exist in extended ACLs (created with setfacl); a minimal ACL (just owner / group / other) has no mask entry

pseudo code

// The effective permission of an entry is its bits limited by the mask.
// (Applies to named user and all group entries; owner and other are unmasked.)
function effective_permission(mask, acl_entry) {
  return mask & acl_entry;
}

// Access is granted only when every requested bit survives in the effective
// permission of the entry selected by the matching order above.
function is_granted(user, operation, file_acl) {
  var entry = matched_entry(user, file_acl);   // owner, named user, group(s) or other
  return (operation & effective_permission(file_acl.mask, entry)) == operation;
}
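As an added example (not from the original page), the acl(5) access check written out in Python and run over the two getfacl listings above: it reproduces the allow/deny table for cat file / cat first and shows where the mask and the "any matching group entry" rule enter. The parser, the bit constants and the `is_granted` helper are this example's own, not tools from the page.

```python
R, W, X = 4, 2, 1                                 # POSIX permission bits
PERM_BITS = {"r": R, "w": W, "x": X}

# getfacl output for `file`, copied from this page; `first` is the same listing
# with the page's extra `user:admin:---` entry inserted.
FILE_ACL = """# file: file
# owner: root
# group: root
user::rw-
group::r--
group:user:---
group:admin:r--
mask::r--
other::---"""
FIRST_ACL = FILE_ACL.replace("# file: file", "# file: first").replace(
    "group::r--\n", "group::r--\nuser:admin:---\n")

def parse_perms(s):
    return sum(PERM_BITS[c] for c in s if c != "-")

def parse_getfacl(text):
    """Parse getfacl output: header names, base entries as bits, named entries."""
    acl = {"named_user": {}, "named_group": {}}
    for line in text.strip().splitlines():
        if line.startswith("#"):                  # "# owner: root", "# group: root"
            key, _, val = line[1:].partition(":")
            key = key.strip()
            acl["owning_group" if key == "group" else key] = val.strip()
            continue
        tag, qualifier, perms = line.split(":")
        if qualifier:                             # user:NAME or group:NAME
            acl["named_" + tag][qualifier] = parse_perms(perms)
        else:                                     # user::, group::, mask::, other::
            acl[tag] = parse_perms(perms)
    return acl

def is_granted(acl, user, groups, requested):
    """acl(5) check: owner, else named user, else every matching group entry
    (any one granting suffices), else other. The mask limits all but owner/other."""
    mask = acl.get("mask", R | W | X)             # minimal ACL carries no mask
    if user == acl["owner"]:
        return requested & acl["user"] == requested
    if user in acl["named_user"]:                 # first matching named user wins
        return requested & acl["named_user"][user] & mask == requested
    matching = [acl["group"]] if acl["owning_group"] in groups else []
    matching += [b for g, b in acl["named_group"].items() if g in groups]
    if matching:                                  # no fall-through to other
        return any(requested & b & mask == requested for b in matching)
    return requested & acl["other"] == requested
```

With the groups from the page's `id` output (admin in admin and user, user in user), `is_granted` returns allow only for admin on file; lowering the mask to `---` turns that allow into deny as well.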