Filesystem Security: Access Control Lists

Vincent Danen

February 25, 2011

A number of Linux filesystems support Access Control Lists (ACLs), which go beyond the simple ownership and permission bits on files. These filesystems include XFS, ext2, ext3, ext4, and btrfs. ACL support allows you to fine-tune permissions on your Linux system.

There are four different ACL entry formats that can be used with the setfacl tool (which comes in SGI's acl package):

  • [d[efault]:][u[ser]:]uid[:perms] - Permissions of a named user. Permissions of the file owner if uid is empty.
  • [d[efault]:]g[roup]:gid[:perms] - Permissions of a named group. Permissions of the owning group if gid is empty.
  • [d[efault]:]m[ask][:][:perms] - Effective rights mask.
  • [d[efault]:]o[ther][:][:perms] - Permissions of others.

A few examples are in order. Assume you have a file named file that is owned by the user joe and group joe and is mode 640; only the user joe can read and write the file. Now assume you would like user frank to have read access to the file without changing the file's existing permissions. You would use:

# setfacl -m u:frank:r file

Where this really comes in handy is for the execution of certain files. Assuming you have an allergy to sudo and prefer using su directly, you could change the permissions of su from 4755 to 4700. This would only allow root to execute su (while keeping the setuid bit). You could then set an ACL like this:

# setfacl -m u:joe:rx /bin/su

Now, if anyone other than root or joe tries to execute su, they will get "permission denied". If user joe executes su, however, he will be able to use it as he normally would.
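To see how the two ACLs above are actually evaluated, including the mask entry that setfacl maintains alongside the named-user entry, here is an added example (not code from the original article) that parses getfacl-style output for both scenarios and applies the POSIX ACL evaluation order; the two listings are constructed to match the file/frank and su/joe cases.

```python
# Added example, not from the article: decide whether a user gets access under a
# POSIX ACL by parsing getfacl(1) output and applying the evaluation order
# (owner, named user, groups, other); both listings are constructed.

FILE_ACL = """\
# owner: joe
# group: joe
user::rw-
user:frank:r--
group::r--
mask::r--
other::---
"""

SU_ACL = """\
# owner: root
# group: root
user::rwx
user:joe:r-x
group::---
mask::r-x
other::---
"""

def parse_getfacl(text):
    """Return (owner, owning_group, {(tag, qualifier): set_of_perms})."""
    meta, entries = {}, {}
    for line in text.splitlines():
        if line.startswith("#"):                   # "# owner: joe" and friends
            key, _, value = line[1:].partition(":")
            meta[key.strip()] = value.strip()
            continue
        line = line.split("#", 1)[0].strip()       # drop "#effective:" notes
        if line:
            tag, qual, perms = line.split(":", 2)
            entries[(tag, qual)] = set(perms) - {"-"}
    return meta.get("owner"), meta.get("group"), entries

def acl_permits(text, user, groups, want):
    """True if `user` (member of `groups`) holds every permission in `want`."""
    owner, owning_group, acl = parse_getfacl(text)
    want, mask = set(want), acl.get(("mask", ""), {"r", "w", "x"})
    if user == owner:                              # owner entry: never masked
        return want <= acl[("user", "")]
    if ("user", user) in acl:                      # named user: masked
        return want <= acl[("user", user)] & mask
    grp = [p for (t, q), p in acl.items() if t == "group" and (q or owning_group) in groups]
    if grp:                                        # a matching group must grant; no fall-through
        return any(want <= p & mask for p in grp)
    return want <= acl[("other", "")]              # other entry: never masked
```

Mask caveat: once a file carries an ACL, chmod rewrites the mask entry rather than the group entry, so a later `chmod 600 file` leaves frank's entry listed by getfacl but reduces its effective rights to `---`, which getfacl flags with an `#effective:` note.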

You can view the ACLs for any file using the getfacl tool. The chacl tool allows you to change the ACLs associated with any file.