Jean Zay: File access management, ACLs

Unix permissions

Unix permissions allow giving different access rights in read, write and/or execution to each of the following:

  • The file owner
  • Users belonging to the same Unix group as the file owner
  • All the other users

The Unix permissions may be modified by simply using the chmod command (for more information, see man chmod). Most of the time, the Unix permissions are sufficient. However, by using the ACLs (Access Control Lists), you can control the access to your data more precisely: for example, by giving access to only one user (no matter from which group).

The ACLs

If you wish to give access rights to a particular user and/or group, you can define an ACL (Access Control List) for the chosen file or directory via the setfacl command. The general syntax is as follows:

$ setfacl ACL_OPTIONS directory

The ACL_OPTIONS can have one of the following forms:

  • To create or replace an existing ACL:
    --set=u::rwx,[u:login:[r|-][w|-][x|-]],g::[r|-][w|-][x|-],[g:group:[r|-][w|-][x|-]],o::[r|-][w|-][x|-][,m::rwx]
  • To modify an existing ACL:
    -m u::rwx,[u:login:[r|-][w|-][x|-]],g::[r|-][w|-][x|-],[g:group:[r|-][w|-][x|-]],o::[r|-][w|-][x|-][,m::rwx]
  • To delete an existing ACL:
    -b

For more information, type the man setfacl command.

Important comments:

  • When you set ACL rights on a directory (for example $WORK/sub_dir/shared_dir) or on a file, you must also set ACL rights allowing access to each of the directories that make up the path to it (in this example, $WORK and $WORK/sub_dir). Otherwise, access will be denied.
  • The rwx rights have the same meaning as the classic Unix rwx permissions.
  • A syntactically valid ACL must contain at least the following three fields, separated by commas:
    • A field beginning with u (for user) without mentioning a login: This corresponds to the rights given to the file or directory owner. For a directory (or an executable file), we advise you to set:
      u::rwx
      and for a file:
      u::rw
    • A field beginning with g (for group) without mentioning a group. This corresponds to the rights given to the file owner's group:
      g::[r|-][w|-][x|-]
    • A field beginning with o (for other) without mentioning anything. This corresponds to the rights given to users who are not covered by the u and g fields:
      o::[r|-][w|-][x|-]

Using the setfacl command with only these three fields gives the same rights as the Unix chmod command and is, therefore, of little interest.
For example, the following setfacl command gives all the rights to the owner (u::rwx) of my_directory and allows members of the owner's group (g::r-x) to consult the directory contents in read mode only:

$ setfacl --set=u::rwx,g::r-x,o::--- my_directory

Caution: All access to subdirectories and files contained in my_directory remains controlled by Unix permissions.

To extend the access rights, you must add at least one of the first two fields below (u, g) to the three fields listed above, and you must also add the last field (m), which is mandatory:

  • A u field with mention of the login, corresponding to the rights given to a particular user (here: login):
    u:login:[r|-][w|-][x|-]
  • A g field with mention of the group, corresponding to the rights attributed to all members of the specified group (here: group):
    g:group:[r|-][w|-][x|-]
  • The field beginning with m (for mask) is also mandatory: it defines the maximum (or "effective") rights of the users covered by the u:login:… and/or g:group:… fields. We advise giving the mask the highest level of rights (m::rwx) so as not to restrict the rights given to a login and/or a group.

For more information, see section Dependencies between ACL and Unix permissions. You will find setfacl command usage examples in the following two sections: Adding a particular user to an ACL and Adding a particular group to an ACL.

Viewing the ACLs

The getfacl command provides a detailed display of the ACLs attached to a directory or a file (for more information, see man getfacl):

$ getfacl directory

Note: The -l option of the ls command displays the classic Unix permissions. It also shows whether ACLs are set: a + sign immediately after the Unix permissions indicates that an ACL is attached.

$ ls -ld directory_with_acl directory_without_acl
drwxr-x---+ 2 login1 grp  8192 2014-03-29 11:00 directory_with_acl
drwxr-x---  2 login1 grp  8192 2014-03-29 11:00 directory_without_acl
 
$ ls -l file_with_acl file_without_acl
-rwx------+ 2 login1 grp  8192 2014-03-29 11:00 file_with_acl
-rwx------  2 login1 grp  8192 2014-03-29 11:00 file_without_acl

Adding a specific user to an ACL

If the user login1 wants to give login2 read and write permissions on DIR_login1, for example, login1 must use the setfacl command as follows:

[login1@hostname:~]$ cd $DIR_login1
[login1@hostname:~]$ setfacl --set=u::rwx,u:login2:rwx,g::r-x,o::---,m::rwx .

login1 can check the ACL rights by using the getfacl command:

[login1@hostname:~]$ getfacl .
# file: .
# owner: login1
# group: grp
user::rwx
user:login2:rwx
group::r-x
mask::rwx
other::---

Comments:

  • With the mandatory field u::rwx, the owner login1 has rwx permissions on DIR_login1. Be careful: without these permissions, DIR_login1 can no longer be accessed by the owner; access is blocked by the ACL even if the Unix permissions allow it.
  • With the obligatory field g::r-x, users belonging to the owner's group (grp) have r-x rights: They can, therefore, go through the directory and see its contents but they cannot write in it.
  • With the obligatory field o::---, no other user has any rights for this directory.
  • With the field u:login2:rwx specified, login1 adds rwx permissions for only the login2 user who can, therefore, read and write in DIR_login1.
  • Do not forget the mask field (m::rwx): If it is empty (m::---), the u:login2:rwx field will be inoperative.

IMPORTANT:

  • You should not use the full path name of your HOME as this would set the ACLs both on your HOME itself and also on all the directories and files contained in it. Therefore, you must avoid the following type of command:
    $ setfacl --set=u::rwx,u:login2:rwx,g::r-x,o::---,m::rwx /full/path/to/home
  • An ACL on your HOME directory that grants write permissions to another user makes the SSH key authentication mechanism inoperative (an SSH connection would then require the password). For the SSH keys to function, you must verify that you have the "maximum" Unix permissions on the HOME (no write permissions except for the owner), as shown below:
    $ ls -ld ~
    drwxr-xr-x+ 9 login grp 4096 Apr 13 09:42 /full/path/to/home

    If needed, the procedure for making your SSH key operative again consists of first setting the ACL and then changing the Unix permissions of your HOME with the chmod 750 ~ command, which removes the write permission from everyone except the owner:

    $ cd $HOME
    $ setfacl --set=u::rwx,u:login2:rwx,g::r-x,o::---,m::rwx .
    $ chmod 750 ~

Adding a specific group to an ACL

If login1 wants to give specific permissions on DIR_login1 to a group ccc, for example, login1 needs to use the setfacl command as shown below:

[login1@hostname:~]$ cd $DIR_login1
[login1@hostname:~]$ setfacl --set=u::rwx,g::r-x,g:ccc:r-x,o::---,m::rwx .

Next, the ACL rights can be verified by using the getfacl command:

[login1@hostname:~]$ getfacl .
# file: .
# owner: login1
# group: grp
user::rwx
group::r-x
group:ccc:r-x
mask::rwx
other::---

Comments:

  • With the mandatory field u::rwx, the owner login1 has rwx rights on DIR_login1. Be careful: without these rights, the directory can no longer be accessed by the owner; access is blocked by the ACL even if the Unix permissions allow it.
  • With the obligatory field g::r-x, the users belonging to the owner's group (grp) have r-x rights: Therefore, they can go through the directory and see its contents but cannot write in it.
  • With the obligatory field o::---, no other user has any rights to this directory.
  • With the g:ccc:r-x field, login1 adds r-x permissions for the users belonging to the ccc group: The ccc members are then able to go through the directory and see its contents but not write in it.
  • Do not forget the mask field (m::rwx): If it is empty (m::---), the g:ccc:r-x field is inoperative.

IMPORTANT:

  • You should not use the full path name of your HOME as this would not only set the ACLs on your HOME itself but also on all the directories and files contained in it. Therefore, you must avoid the following type of command:
    $ setfacl --set=u::rwx,g::r-x,g:ccc:r-x,o::---,m::rwx /full/path/to/home
  • An ACL on your HOME directory that grants write permissions to another user makes the SSH key authentication mechanism inoperative (an SSH connection would then require the password). For the SSH keys to function, you must verify that you have the "maximum" Unix permissions on the HOME (no write permissions except for the owner), as shown below:
    $ ls -ld ~
    drwxr-xr-x+ 9 login grp 4096 Apr 13 09:42 /full/path/to/home

    If needed, the procedure for making your SSH key operative again consists of first setting the ACL and then changing the Unix permissions of your HOME with the chmod 750 ~ command, which removes the write permission from everyone except the owner:

    $ cd $HOME
    $ setfacl --set=u::rwx,g::r-x,g:ccc:r-x,o::---,m::rwx .
    $ chmod 750 ~

Updating ACLs

To modify an ACL, you can use the setfacl command with either:

  • The --set=... option: The existing ACL is overwritten. In this case, you must always specify the u::rwx, g::... and o::--- fields, and not forget the mask (m::rwx), to be sure that the ACL entries set for the specified login(s) and/or group(s) are actually effective.
  • The -m ... option: The existing ACL is modified (but not overwritten).

In the following example, the ACLs were initially set on MY_DIR for the ccc Unix group via the --set=... option. This requires specifying each field:

$ cd $MY_DIR
$ setfacl --set=u::rwx,g::r-x,g:ccc:r-x,o::---,m::rwx .
$ getfacl .
# file: .
# owner: login1
# group: grp
user::rwx
group::r-x
group:ccc:r-x
mask::rwx
other::---

This ACL can then be modified via the --set=... option, replacing the ccc group with the ddd group. However, this requires specifying each field again:

$ cd MY_DIR
$ setfacl --set=u::rwx,g::r-x,g:ddd:r-x,o::---,m::rwx .
$ getfacl .
# file: .
# owner: login1
# group: grp
user::rwx
group::r-x
group:ddd:r-x
mask::rwx
other::---

In the following case, the ACL is modified via the -m option to add a second group (bbb). Here, the other fields do not need to be specified again:

$ cd MY_DIR
$ setfacl -m g:bbb:r-x .
$ getfacl .
# file: .
# owner: login1
# group: grp
user::rwx
group::r-x
group:bbb:r-x
group:ddd:r-x
mask::rwx
other::---

Deleting ACLs

To delete an ACL, you can use the setfacl command with the -b option:

$ cd MY_DIR
$ ls -ld .
drwxr-x---+ 2 login1 grp  8192 2014-03-29 11:00 .
$ getfacl .
# file: .
# owner: login1
# group: grp
user::rwx
group::r-x
group:ccc:r-x
mask::rwx
other::---
 
$ setfacl -b .
$ ls -ld .
drwxr-x---  2 login1 grp  8192 2014-03-29 11:00 .
$ getfacl .
# file: .
# owner: login1
# group: grp
user::rwx
group::r-x
other::---

Advice for using ACLs

We advise you to place an ACL only on the root directory of a shared tree hierarchy in order to filter the access. Then set the Unix permissions for the files and sub-directories it contains by using the chmod command.

For example, the login1 account wants to share a file hierarchy contained in ROOT_TREE with the login3 account and the bbb Unix group:

[login1@hostname:~]$ cd ROOT_TREE
[login1@hostname:~]$ setfacl --set=u::rwx,u:login3:rwx,g::r-x,g:bbb:r-x,o::---,m::rwx .
[login1@hostname:~]$ ls -l .
drwxrwx---+ 0 login1 grp 4096 2014-03-30 11:46 .
-rwxr-xrwx  0 login1 grp 1001 2014-03-30 11:46 file1
drwxrwxrwx  0 login1 grp 4096 2014-03-30 11:46 SUB_DIR
 
[login1@hostname:~]$ getfacl .
# file: .
# owner: login1
# group: grp
user::rwx
user:login3:rwx
group::r-x
group:bbb:r-x
mask::rwx
other::---

If we analyse these access rights, we can see that:

  • The ACL gives rwx access rights to login3 for the ROOT_TREE directory and rwx Unix permissions (field: other) for file1. Therefore, login3 can access file1 contained in login1's ROOT_TREE. Note, also due to the ACL rwx, login3 can create new files and directories in login1's ROOT_TREE. Furthermore, login3 can see and modify the contents of sub-directories (such as SUB_DIR) if authorised by the Unix permissions (field: other).
  • The owner group (grp) has r-x rights for the ROOT_TREE and r-x Unix permissions (field: group) for file1. As a result, the members of the group (grp) can go through the ROOT_TREE and read file1 but not write in (or modify) it. They also cannot create anything directly in login1's ROOT_TREE (ACL r-x). They can, however, see and modify the contents of sub-directories (such as SUB_DIR) if authorised by the Unix permissions (field: group).
  • Note that group bbb has r-x rights for the ROOT_TREE and rwx Unix permissions (field: other) for file1. Members of group bbb can, therefore, go through the ROOT_TREE and read or write in (including modify or overwrite) file1, which may not be a desired result. However, as with grp, they cannot create anything directly in login1's ROOT_TREE (ACL r-x). Nevertheless, they can see and modify the contents of sub-directories (such as SUB_DIR) if authorised by the Unix permissions (field: other).
  • To prevent group bbb from overwriting file1, you might think of removing the Unix write permission in the "other" field with the chmod 755 file1 command. However, this would also prevent login3 from modifying the file. Therefore, if you want to do this, you also have to set an ACL on file1:
    $ setfacl --set=u::rwx,u:login3:rwx,g::r-x,g:bbb:r-x,o::---,m::rwx file1
    $ getfacl file1
    # file: file1
    # owner: login1
    # group: grp
    user::rwx
    user:login3:rwx
    group::r-x
    group:bbb:r-x
    mask::rwx
    other::---

Dependencies between ACLs and Unix permissions (for experienced users)

There are two types of access rights: the classic Unix permissions and the ACL rights. The setfacl command modifies the ACL and also the Unix permissions, whereas the Unix chmod command only modifies some fields of the ACL.

To understand this interdependence, it is necessary to explain the functionality of the mask field of an ACL (mask::...). In fact, the effective rights of users concerned by the user:login:..., group::... and group:bbb:... fields can be restricted by the rights in the mask.

Effect of ACLs on Unix permissions

As an example, an ACL is set on the current directory (where you are) as indicated below:

$ setfacl --set=u::rwx,u:login3:rwx,g::rwx,g:bbb:rwx,o::---,m::r-x .
 
$ ls -ld .
drwxr-x---+ 0 login1 grp 4096 2014-03-30 16:28 .
 
$ getfacl .
# file: .
# owner: login1
# group: grp
user::rwx         # independent of the ACL mask
user:login3:rwx   # but r-x effective rights because of the ACL mask
group::rwx        # but r-x effective rights because of the ACL mask
group:bbb:rwx     # but r-x effective rights because of the ACL mask
mask::r-x         # ACL mask
other::---        # independent of the ACL mask

Comments about the ACL rights:

  • The login3 user, the members of the owner group (grp) and those of the bbb group have r-x as their effective rights, and not rwx as hoped, because of the requested ACL mask (m::r-x). The setfacl command performs a bitwise logical AND between each requested ACL field, u:login3:rwx, g::rwx, g:bbb:rwx, and the requested ACL mask, m::r-x.
  • However, the ACL mask does not apply when determining the user::rwx rights of the owner or the other::--- rights of users who are not covered by the fields user:login3:rwx, group::rwx and group:bbb:rwx: here, the ACL rights requested via setfacl apply as such (u::rwx and o::---).

Comments about the Unix permissions:

  • The login1 owner of the directory has rwx permissions, corresponding to the ACL user::rwx field.
  • The group (grp) owner has r-x permissions, corresponding to the ACL mask::r-x which defines the maximum rights of users concerned by the fields user:login3:rwx, group::rwx and group:bbb:rwx.
  • Users who do not belong to the preceding categories have no permissions (---), corresponding to the ACL other::--- field.

Effect of Unix permissions on ACLs

Conversely, to better understand the effect of the Unix chmod command on the current directory (where you are working), whose access is supposed to be determined by the ACL, we start from the following situation:

$ setfacl --set=u::r-x,u:login3:rwx,g::---,g:bbb:r-x,o::---,m::--- .
 
$ ls -ld .
dr-x------+ 15 login1 grp 4096 2014-03-30 16:28 .
 
$ getfacl .
# file: .
# owner: login1
# group: grp
user::r-x         # independent of the ACL mask
user:login3:rwx   # but --- effective rights because of the ACL mask
group::---        # --- effective rights as requested via setfacl (g::---)
group:bbb:r-x     # but --- effective rights because of the ACL mask
mask::---         # ACL mask empty
other::---        # independent of the ACL mask

Comments:

  • You can see that the effective rights are empty (because the ACL mask is empty): The login3 user and the bbb group, therefore, have no rights to the directory despite the requested ACL fields (u:login3:rwx and g:bbb:r-x).
  • The Unix permissions indicated by the ls -ld . command confirm that only the owner can access the directory.

Next, we observe that the Unix chmod command modifies the ACLs according to the options used:

  • chmod u+rwx modifies the ACL user::... field:
    $ chmod u+w .
     
    $ ls -ld .
    drwx------+ 15 login1 grp 4096 2014-03-30 16:28 .
     
    $ getfacl .
    # file: .
    # owner: login1
    # group: grp
    user::rwx         # independent of the ACL mask but modified by chmod u+...
    user:login3:rwx   # but effective rights --- because of the ACL mask
    group::---        # effective rights --- as initially requested via setfacl (g::---)
    group:bbb:r-x     # but effective rights --- because of the ACL mask
    mask::---         # ACL mask empty
    other::---
  • chmod g+rwx modifies the ACL mask::... field but not the ACL group::... field. However, since the mask determines the effective rights of the ACL group::..., group:bbb:r-x and user:login3:rwx fields, the login3 user and the bbb group now obtain the rights initially requested for their respective fields with the initial setfacl command (u:login3:rwx and g:bbb:r-x):
    $ chmod g+rwx .
     
    $ ls -ld .
    drwxrwx---+ 15 login1 grp 4096 2014-03-30 16:28 .
     
    $ getfacl .
    # file: .
    # owner: login1
    # group: grp
    user::rwx
    user:login3:rwx   # and rwx effective rights because of the modified ACL mask
    group::---        # not modified by chmod g+... !
    group:bbb:r-x     # and r-x effective rights because of the modified ACL mask
    mask::rwx         # ACL mask modified by chmod g+...
    other::---

    Comment: The rights of the ACL group::... field can only be modified by the setfacl command:

    $ setfacl -m g::r-x .
     
    $ ls -ld .
    drwxrwx---+ 15 login1 grp 4096 2014-03-30 16:29 .
     
    $ getfacl .
    # file: .
    # owner: login1
    # group: grp
    user::rwx
    user:login3:rwx
    group::r-x        # only modifiable by setfacl !
    group:bbb:r-x
    mask::rwx
    other::---
  • The chmod o+rx command modifies the ACL other::... field:
    $ chmod o+rx .
     
    $ ls -ld .
    drwxrwxr-x+ 15 login1 grp 4096 2014-03-30 16:29 .
     
    $ getfacl .
    # file: .
    # owner: login1
    # group: grp
    user::rwx
    user:login3:rwx
    group::r-x
    group:bbb:r-x
    mask::rwx
    other::r-x         # modified by chmod o+...
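As an added illustration (not part of the IDRIS documentation), the following Python model reproduces the rules from the sections "Effect of ACLs on Unix permissions" and "Effect of Unix permissions on ACLs" above, together with the mask rule from "The ACLs": effective rights are the bitwise AND of an entry with the mask, ls -l displays user::/mask::/other::, and chmod u/g/o rewrites user::/mask::/other:: respectively. The setfacl arguments and chmod options are the page's own; the function names are assumed for this example and it does not touch the filesystem.

```python
# Model of the ACL / Unix permission interplay described above (assumed helper
# names; nothing here calls setfacl, getfacl or chmod on a real file).
TAGS = {"u": "user", "g": "group", "o": "other", "m": "mask"}

def parse_setfacl(spec):
    """Turn a --set/-m argument such as 'u::rwx,u:login3:rwx,m::r-x' into
    [tag, qualifier, perms] entries, the form getfacl prints."""
    entries = []
    for field in spec.split(","):
        tag, qual, perms = field.split(":", 2)
        entries.append([TAGS[tag], qual, perms])
    return entries

def parse_getfacl(text):
    """Parse getfacl output; '#' starts a comment (getfacl's own header and
    its '#effective:' annotations, or the notes in the listings above)."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            tag, qual, perms = line.split(":", 2)
            entries.append([tag, qual, perms])
    return entries

def perm_and(a, b):
    """Bitwise AND of two rwx strings, e.g. perm_and('rwx', 'r-x') == 'r-x'."""
    return "".join(x if x == y else "-" for x, y in zip(a, b))

def effective(entries):
    """Effective rights per entry: named users, the owning group and named
    groups are ANDed with the mask; user:: and other:: never are."""
    mask = next((p for t, q, p in entries if t == "mask"), None)
    out = {}
    for tag, qual, perms in entries:
        masked = mask is not None and (tag == "group" or (tag == "user" and qual))
        out[tag + ":" + qual] = perm_and(perms, mask) if masked else perms
    return out

def unix_mode(entries):
    """The 9 permission characters ls -l displays for this ACL: owner from
    user::, group from mask:: (group:: if there is no mask), other from other::."""
    d = {t + ":" + q: p for t, q, p in entries}
    return d["user:"] + d.get("mask:", d["group:"]) + d["other:"]

def chmod(entries, spec):
    """Apply a symbolic chmod like 'g+rwx' to the ACL in place: u edits user::,
    g edits mask:: (group:: only when no mask exists), o edits other::."""
    who, op, bits = spec[0], spec[1], spec[2:]
    has_mask = any(t == "mask" for t, q, p in entries)
    target = {"u": "user", "g": "mask" if has_mask else "group", "o": "other"}[who]
    for e in entries:
        if e[0] == target and e[1] == "":
            e[2] = "".join((c if op == "+" else "-") if c in bits else cur
                           for c, cur in zip("rwx", e[2]))
    return entries

if __name__ == "__main__":
    acl = parse_setfacl("u::r-x,u:login3:rwx,g::---,g:bbb:r-x,o::---,m::---")
    print(unix_mode(acl), effective(acl))   # r-x------, login3 effective ---
    chmod(acl, "g+rwx")                     # only the mask changes ...
    print(unix_mode(acl), effective(acl))   # rwxrwx---, login3 effective rwx
```

Feed parse_getfacl the real output of getfacl on a shared directory to see which entries the mask is silently reducing before users report "permission denied".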