Access Control Lists (ACLs) extend the standard UNIX® permission model in a POSIX®.1e compatible way. This permits an administrator to take advantage of a more fine-grained permissions model.
The GENERIC kernel provides ACL support for UFS file systems. Users who prefer to compile a custom kernel must include the ACL kernel option in their custom kernel configuration. If this option is not compiled in, a warning message will be displayed when attempting to mount a file system with ACL support. ACLs rely on extended attributes, which are natively supported in UFS2.

This chapter describes how to enable ACL support and provides some usage examples.
ACLs are enabled by the mount-time flag acls, which may be added to /etc/fstab. The mount-time flag can also be set automatically and persistently by using tunefs(8) to modify the ACLs flag in the superblock of the file system header. In general, it is preferred to use the superblock flag for several reasons:

- The superblock flag cannot be changed by a remount using mount -u, as it requires a complete unmount and fresh mount. This means that ACLs cannot be enabled on the root file system after boot. It also means that ACL support on a file system cannot be changed while the system is in use.

- Setting the superblock flag causes the file system to always be mounted with ACLs enabled, even if there is no fstab entry or if the devices re-order. This prevents accidental mounting of the file system without ACL support.

It is desirable to discourage accidental mounting without ACLs enabled because nasty things can happen if ACLs are enabled, then disabled, then re-enabled without flushing the extended attributes. In general, once ACLs are enabled on a file system, they should not be disabled: the resulting file protections may not be compatible with those intended by the users of the system, and re-enabling ACLs may re-attach the previous ACLs to files that have since had their permissions changed, resulting in unpredictable behavior.
File systems with ACLs enabled will show a plus (+) sign in their permission settings:

drwx------  2 robert robert 512 Dec 27 11:54 private
drwxrwx---+ 2 robert robert 512 Dec 23 10:57 directory1
drwxrwx---+ 2 robert robert 512 Dec 22 10:20 directory2
drwxrwx---+ 2 robert robert 512 Dec 27 11:57 directory3
drwxr-xr-x  2 robert robert 512 Nov 10 11:54 public_html

In this example, directory1, directory2, and directory3 are all taking advantage of ACLs, whereas public_html is not.
File system ACLs can be viewed using getfacl. For instance, to view the ACL settings on the file test:

getfacl test
#file:test
#owner:1001
#group:1001
user::rw-
group::r--
other::r--

To change the ACL settings on this file, use setfacl. To remove all of the currently defined ACLs from a file or file system, include -k. However, the preferred method is to use -b, as it leaves the basic fields required for ACLs to work.

setfacl -k test

To modify the default ACL entries, use -m:

setfacl -m u:trhodes:rwx,group:web:r--,o::--- test

In this example, there were no pre-defined entries, as they were removed by the previous command. This command restores the default options and assigns the options listed. If a user or group is added which does not exist on the system, an "Invalid argument" error will be displayed.
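When auditing who can actually reach a file, reading the raw entries is not enough: named-user and group entries are limited by the mask entry, while the owner entry is not. The following is an added example (not part of this Handbook chapter or of any FreeBSD tool) that parses getfacl output and applies the POSIX.1e access-check order. The sample output is constructed to reflect the setfacl -m command above, with the recalculated mask; identities are passed as the strings that appear in the output (uids/names), which the caller is assumed to have resolved.

```python
from dataclasses import dataclass

PERM_BITS = {"r": 4, "w": 2, "x": 1}

def perm_mask(perms):
    """Convert an 'rwx'/'r--' style string to a 3-bit mask."""
    return sum(PERM_BITS[c] for c in perms if c in PERM_BITS)

@dataclass
class Acl:
    owner: str      # from the '#owner:' comment line
    group: str      # from the '#group:' comment line
    entries: list   # (tag, qualifier, bits); qualifier "" = owner / owning group

def parse_getfacl(text):
    """Parse getfacl(1) output: '#key:value' header lines, then tag:qualifier:perms."""
    owner = group = None
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, val = line[1:].partition(":")
            if key == "owner":
                owner = val
            elif key == "group":
                group = val
            continue
        tag, qual, perms = line.split(":")
        entries.append((tag, qual, perm_mask(perms)))
    return Acl(owner, group, entries)

def check_access(acl, user, groups, requested):
    """POSIX.1e check: owner entry, then named user, then matching groups, then other."""
    want = perm_mask(requested)
    ent = {"user": {}, "group": {}, "mask": 7, "other": 0}
    for tag, qual, bits in acl.entries:
        if tag in ("mask", "other"):
            ent[tag] = bits
        else:
            ent[tag][qual] = bits
    mask = ent["mask"]                       # absent mask (minimal ACL) limits nothing
    if user == acl.owner:                    # owner entry is never masked
        return (ent["user"][""] & want) == want
    if user in ent["user"]:                  # named user entry, limited by the mask
        return (ent["user"][user] & mask & want) == want
    matching = [bits for qual, bits in ent["group"].items()
                if (qual == "" and acl.group in groups) or (qual and qual in groups)]
    if matching:                             # one matching group entry must grant all bits
        return any((bits & mask & want) == want for bits in matching)
    return (ent["other"] & want) == want

# Constructed sample: 'test' after setfacl -m u:trhodes:rwx,group:web:r--,o::--- test
SAMPLE = """#file:test
#owner:1001
#group:1001
user::rw-
user:trhodes:rwx
group::r--
group:web:r--
mask::rwx
other::---
"""
```

Replacing mask::rwx with mask::r-- in SAMPLE shows the tightening effect: trhodes loses write and execute while the owner keeps rw-.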