In the last post we looked at basic file permissions. The ideas covered there are enough to get you through most of the real-world scenarios you will encounter, but there are some special cases. One of them is access control lists (ACLs), which I will discuss in this post.

As we saw in part 1, every file on a Linux system has an owner and a group, each with its own set of permissions, plus a third set that applies to everyone else. But what if a user or group needs to read a file they do not own and are not in the group of? You could open the file to every user on the box with chmod o+r, but on a multi-user system that holds confidential data that is not acceptable. Instead of taking that insecure route, an access control list lets us grant specific users, groups, or both their own permissions on the file, separate from the owner/group/other triplets of basic POSIX permissions.

So let’s look at a simple example. Batman and the finance group need to be able to read and write a payroll document, Superman and Robin need to be able to write, but not read, the payroll document (we don’t want them to know that Batman makes more money than they do).

First, let’s set up our environment:

sudo useradd batman
sudo useradd superman
sudo useradd robin
sudo groupadd finance
sudo usermod -aG finance batman

Set a password for each user. I’m just going to use the username for each as the password to make it easy for this example. It should go without saying that this wouldn’t be an acceptable password policy for real world use.

    sudo passwd batman
    New password:
    BAD PASSWORD: it is based on a dictionary word
    BAD PASSWORD: is too simple

    sudo passwd superman
    New password:
    BAD PASSWORD: it is based on a dictionary word
    BAD PASSWORD: is too simple

    sudo passwd robin
    New password:
    BAD PASSWORD: it is based on a dictionary word
    BAD PASSWORD: is too simple

Switch to the user batman and create a file called jlpayroll.txt in the /tmp directory. The newgrp finance step starts a new shell with finance as the active group, so the file is created with group finance rather than batman's default group.

    su - batman
    cd /tmp
    newgrp finance
    touch jlpayroll.txt
    chmod 660 jlpayroll.txt
    ls -l jlpayroll.txt
    -rw-rw---- 1 batman finance 0 Feb  5 09:32 jlpayroll.txt

At this point batman can read and write the jlpayroll.txt file, and so can any member of the finance group. Now add batman's pay to the file.

    echo "Batman Week One: 2,000,000" >> jlpayroll.txt

Cat out the file to see what's in it.

    cat jlpayroll.txt
    Batman Week One: 2,000,000

Now we need to add ACLs that allow superman and robin to add their payroll information while ensuring they cannot read the file. Batman can do that with the setfacl command he keeps in his utility belt.

    setfacl -m u:superman:w -m u:robin:w jlpayroll.txt

Take a look at this command for a minute. First, notice that you can add several entries at once, each with its own -m option (a single -m followed by a comma-separated list of entries does the same thing). In setfacl, -m means modify: it adds or changes the given entries and leaves every other entry on the file alone.

Next, notice the format used to identify an entry. Each setfacl entry has three values separated by colons:

type:name:permission - the type is "u" for a user or "g" for a group, the name is the username or group name (a numeric ID also works), and the permission is any combination of the read, write, and execute bits we looked at previously. Two more types exist: "m" sets the mask entry, which caps what any named user or group entry can grant, and "o" sets the permissions for everyone else. Prefixing an entry with "d:" makes it a default entry on a directory, which files created inside that directory inherit.

So how does this affect the way permissions are displayed?

    ls -l jlpayroll.txt
    -rw-rw----+ 1 batman finance 27 Feb  5 09:43 jlpayroll.txt

The change is subtle but it's there. Notice the "+" after "-rw-rw----". That + sign tells you the file carries an extended ACL, so the nine mode bits no longer tell the whole story. There is a second subtlety: once an ACL is present, the middle "rw-" triplet shows the ACL's mask entry rather than the owning group's permissions, so changing the group bits with chmod rewrites the mask and caps every named user and group entry with it.

How to display the ACLs on a file.

Access control list’s can be displayed with the getfacl command.

    getfacl jlpayroll.txt
    # file: jlpayroll.txt
    # owner: batman
    # group: finance
    user::rw-
    user:superman:-w-
    user:robin:-w-
    group::rw-
    mask::rw-
    other::---

The output is a detailed look at exactly who has what level of access to this file. The comment lines give the file name, owner, and group. Then each entry is listed individually: the owner (user::), the two named users we added, the owning group (group::), the mask that caps the named and group entries, and everyone else (other::). When the mask cuts an entry down, getfacl prints an #effective: comment beside it showing the permissions that actually apply.
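The mask entry deserves a worked example, because it is where ACLs surprise people. The script below is an added example, not code from the original post: it embeds two constructed getfacl listings for jlpayroll.txt (the state right after the setfacl command above, and the state after an administrator later runs chmod 640 on the file), then computes what each entry really grants by ANDing it with the mask. The "chmod 640" listing and the helper names are assumptions for the demonstration; the masking rule itself is how the kernel evaluates POSIX ACLs.

```shell
#!/bin/sh
# Added example, not code from the original post: work out the rights
# each ACL entry actually grants, offline, from getfacl output.
# Rule: every entry except the owner (user::), other:: and mask:: itself
# is ANDed with mask::.  Once a file has an extended ACL the middle
# triplet shown by ls -l is that mask, so a later "chmod 640" rewrites
# the mask to r-- and silently strips write from superman and robin
# while their entries stay on disk.

# Constructed getfacl listing for the post's jlpayroll.txt right after
# "setfacl -m u:superman:w -m u:robin:w" (assumed, not captured).
ACL_AFTER_SETFACL='# file: jlpayroll.txt
# owner: batman
# group: finance
user::rw-
user:superman:-w-
user:robin:-w-
group::rw-
mask::rw-
other::---'

# The same file after someone runs "chmod 640 jlpayroll.txt": only the
# mask line differs (constructed).
ACL_AFTER_CHMOD='# file: jlpayroll.txt
# owner: batman
# group: finance
user::rw-
user:superman:-w-
user:robin:-w-
group::rw-
mask::r--
other::---'

# effective_perms ACL_TEXT
# Prints one line per entry: "tag:name:perm effective:perm".
effective_perms() {
    printf '%s\n' "$1" | awk -F: '
        { sub(/[ \t]+#effective:.*$/, "") }   # drop the hints getfacl adds
        /^#/ || NF == 0 { next }              # header comments, blank lines
        $1 == "mask" { mask = $3 }
        { n++; tag[n] = $1; name[n] = $2; perm[n] = $3 }
        END {
            for (i = 1; i <= n; i++) {
                p = perm[i]
                exempt = (tag[i] == "user" && name[i] == "") || tag[i] == "other" || tag[i] == "mask"
                if (!exempt && mask != "") {
                    p = ""
                    for (j = 1; j <= 3; j++) {
                        c = substr(perm[i], j, 1)
                        m = substr(mask, j, 1)
                        bit = (c != "-" && m != "-") ? c : "-"
                        p = p bit
                    }
                }
                printf "%s:%s:%s effective:%s\n", tag[i], name[i], perm[i], p
            }
        }'
}

# user_can_write ACL_TEXT USER
# Succeeds only if USER has a named entry that still carries w after
# masking.  Ownership and group membership are deliberately ignored: the
# question is whether the setfacl entry survived.
user_can_write() {
    effective_perms "$1" | awk -F'[: ]' -v u="$2" '
        $1 == "user" && $2 == u { found = 1; ok = (index($NF, "w") > 0) }
        END { if (found && ok) exit 0; exit 1 }'
}

echo "== right after setfacl =="
effective_perms "$ACL_AFTER_SETFACL"
echo "== after chmod 640 =="
effective_perms "$ACL_AFTER_CHMOD"
```

The point to take away: chmod on a file that has an ACL rewrites the mask, not the named entries, so superman's write-only entry is still listed by getfacl but stops working, and the only warning is the #effective: comment printed beside it. The same applies to group::, whose effective rights drop to r-- in the second listing.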

Switch to the user superman and make sure he can write to the jlpayroll.txt file.

    su - superman
    cd /tmp
    id
    uid=1007(superman) gid=100(users) groups=100(users)
    ls -l jlpayroll.txt
    -rw-rw----+ 1 batman finance 27 Feb  5 09:43 jlpayroll.txt

We can see that superman is not in the finance group and he is not the owner of this file. Normally he wouldn’t have any access to this file at all. But with the ACL we set up earlier he should be able to write to this file but not read it.

    cat jlpayroll.txt
    cat: jlpayroll.txt: Permission denied

As you can see superman cannot read the jlpayroll.txt file. Can he write to it?

    echo "Superman Week One: 400" >> jlpayroll.txt

The shell, not echo, opens the file for the redirection, so if superman lacked write permission you would see a "Permission denied" error here; no error means the append went through (superman cannot cat the file to verify it, which is the whole point). One caveat worth noticing: the w bit is write access, not append-only access. With an overwriting redirection instead of an appending one, superman could truncate the file and wipe batman's entry without ever reading it. ACLs cannot express "append only"; that needs the append-only file attribute set with chattr, which is a separate mechanism from ACLs. Let's do the same thing for robin.

    su - robin
    cd /tmp
    echo "Robin Week One: 4,000" >> jlpayroll.txt

Since payroll is done for the week, let's make sure that batman can see each entry. If you've been following along, you can get back to batman's shell by running the exit command twice.

    cat jlpayroll.txt
    Batman Week One: 2,000,000
    Superman Week One: 400
    Robin Week One: 4,000

Access control lists allow an administrator to exercise fine-grained control over files and directories that is not possible with POSIX permissions alone. This was a simple example, but it should give you an idea of how ACLs work, how to set them, and how to discover which ACLs are set on a file.
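Two things are worth seeing on a directory rather than a single file, as an added example that is not part of the original post: a default ACL, so that every new payroll file created in a directory inherits the write-only entries, and an audit of which files under a tree carry an extended ACL at all, since ls only hints at it with a "+". The script uses numeric UIDs 1007 and 1008 as stand-ins for superman and robin (setfacl accepts numeric IDs, so it creates no accounts), works in a throwaway directory created with mktemp, and reports "skipped" where the acl tools or the filesystem do not support ACLs. The function names are assumptions for this example.

```shell
#!/bin/sh
# Added example, not part of the original post.  Two things the single
# file in the post cannot show: (1) a default ACL on a directory, so every
# payroll file created inside it inherits the write-only entries, and
# (2) an audit listing every file under a tree that carries an extended
# ACL, the files ls marks with a trailing "+".
# Needs setfacl/getfacl (package "acl") on an ACL-capable filesystem.
# UIDs 1007 and 1008 are assumed stand-ins for superman and robin;
# setfacl accepts numeric IDs, so no accounts are created.
set -u

SUPERMAN_UID=1007
ROBIN_UID=1008

# acl_supported DIR
# Succeed only if an ACL can really be set on DIR: the tools may be
# installed while the mount (tmpfs without ACL support, some NFS) refuses.
acl_supported() {
    command -v setfacl >/dev/null 2>&1 || return 1
    command -v getfacl >/dev/null 2>&1 || return 1
    probe="$1/.aclprobe.$$"
    : > "$probe" || return 1
    if setfacl -m "u:$SUPERMAN_UID:w" "$probe" 2>/dev/null; then
        rm -f "$probe"
        return 0
    fi
    rm -f "$probe"
    return 1
}

# payroll_dir_setup DIR
# Owner and group keep full access, others none.  The plain entries give
# the two users search (x) on the directory so they can reach files by
# path; the d: (default) entries are what new files inherit: write-only,
# exactly as in the post.
payroll_dir_setup() {
    chmod 770 "$1" || return 1
    setfacl -m "u:$SUPERMAN_UID:x,u:$ROBIN_UID:x" "$1" || return 1
    setfacl -m "d:u:$SUPERMAN_UID:w,d:u:$ROBIN_UID:w" "$1" || return 1
}

# inherited_perms FILE UID
# Print the rwx triplet of the named entry for UID (-n keeps the output
# numeric so the result does not depend on what is in /etc/passwd).
inherited_perms() {
    getfacl -n --omit-header "$1" 2>/dev/null |
        awk -F: -v u="$2" '$1 == "user" && $2 == u { print substr($3, 1, 3) }'
}

# find_extended_acls DIR
# Every path under DIR whose ACL goes beyond the base owner/group/other
# entries: -R recurses, -s skips base-only files, -p keeps absolute paths.
# This is the audit an attacker or an auditor runs, because ls -l only
# hints at ACLs with the "+".
find_extended_acls() {
    getfacl -R -s -p -n "$1" 2>/dev/null | sed -n 's/^# file: //p'
}

# demo
# Build a scratch tree, exercise the functions and print a small report;
# prints "skipped" where ACLs are unavailable so the script is safe to run
# anywhere.
demo() {
    work=$(mktemp -d) || return 1
    if ! acl_supported "$work"; then
        rm -rf "$work"
        echo skipped
        return 0
    fi
    mkdir "$work/payroll" "$work/public"
    payroll_dir_setup "$work/payroll" || { rm -rf "$work"; return 1; }
    : > "$work/payroll/jlpayroll.txt"   # created after the default ACL: inherits it
    : > "$work/public/notes.txt"        # ordinary file: base entries only
    echo "inherited=$(inherited_perms "$work/payroll/jlpayroll.txt" "$SUPERMAN_UID")"
    find_extended_acls "$work" | sed "s|^$work/||; s|^|flagged=|"
    rm -rf "$work"
}

demo
```

On a system with ACL support the report shows inherited=-w- for the new file and flags both the payroll directory and the file inside it, while notes.txt is not listed. Two practical caveats: a default ACL only affects files created after it is set, so existing files still need their own setfacl -R pass, and ACLs live in extended attributes that plain tar and rsync drop unless you pass --acls (tar) or -A (rsync).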

When you are finished with this example make sure you clean up your system to get rid of the users and group we made at the beginning of the tutorial. Switch back to your normal user account with sudo privileges.

    sudo userdel batman
    sudo userdel superman
    sudo userdel robin
    sudo groupdel finance
    sudo rm /tmp/jlpayroll.txt
