A very useful feature in Linux is the “Access Control Lists” which controls access to files and directories. Here is how the access control lists work to control the file permissions in Linux.
Note: To thoroughly grasp how access control lists work, we’re first setting up some users and groups on a working Linux system. The following exercise is carried out on a virtual machine running Kali operating system. The root user has the power to add new users to the system and allot them to groups.
Creating users and groups
Firstly, we will log in as root, create users and put them in respective groups as shown in the table below. The users have been given simple names to help comprehend the concept better.
| User | Group |
|---|---|
| john1 john2 john3 |
johns |
| jane1 jane2 |
janes |
We will use the adduser command to add new users to the system.
The id command will display the details of the newly created user. It will show the user id (uid), group id (gid) and group name (groups). The user, upon creation, is automatically added to a group with the same name as the user name. That user would be the sole member of the group.
Likewise, users “john2” and “john3” are also created.
adduser john2 adduser john3
Once the three users have been created, use theid command to view the respective user and group ids.
We can see that the three users are in their own groups – 1000, 1001 and 1002. According to the table shown earlier, we want the three users to be in the same group: johns. Since such a group does not exist on the system currently, we will create it with the groupadd command:
groupadd -g <new_group_ID> <group_name>
The new group ID is specified as 5000. If the -g switch is ignored, then the system will automatically pick a group ID. The name of the new group is “johns.” Now the three users – “john1,” “john2” and “john3” – need to be added as members of this group. We will use the usermod command for this task.
usermod -g <group_name> <user_name>
usermod adds the user “user_name” to the group “group_name.” The following figure first displays the uid and gid for “john1” before group change. After the usermod command runs successfully, “john1” is added to the “johns” group with gid 5000.
The same process is done for users “john2” and “john3.”
usermod -g johns john2 usermod -g johns john3
Finally, details of the three users in the “johns” group can be viewed using id command.
We have successfully created three users and added them to the same group.
Similarly, users “jane1” and “jane2” are created and added to the “janes” group with gid 6000. Their details can be viewed using the id command as shown below.
What is the need for Access Control Lists?
Let’s assume user “john1” logs in,
creates a new file in the Home directory,
and adds some content to it.
Using thels command, we view the file’s metadata.
The first few characters in the output, - rw - r - - r - - account for the permission string. Let us dissect it.
| – | rw – | r – – | r – – |
|---|---|---|---|
| file type | permissions john1 has on the file | permissions members of johns group have on the file | permissions given to others not in johns group |
This article is a good primer on file permissions.
What if “john1,” being the file owner, wants to additionally give write permissions only to “john2” and “jane1” but persist with read permissions for “john3” and “jane2?”
| rw – | r – – |
|---|---|
| john1 john2 jane1 |
john3 jane2 |
One option would be to create a new group with read, write permissions for “john1,” “john2” and “jane1” and another group with only read permissions for “john3” and “jane2.” In case john1 wishes to modify permissions further for any group member, then more groups need to be created. Creating and managing multiple groups is a burden to the system administrator.
Instead, an “Access Control List” can be created for a file which would clearly state the operations any user can perform on that file.
How to Create an Access Control List (ACL) for a file?
Every file upon creation has an ACL assigned to it. Using it efficiently is simply a matter of modifying it. Only the file owner and root user can modify the ACL of a file.
We can use the getfacl command to view the existing ACL:
getfacl <file_name>
The lines starting with # are comment lines. The actual information is in the last three lines of output, which is similar to the permission string obtained earlier. The “user” line refers to the permissions assigned to the file owner “john1.” The “group” line refers to the permissions assigned to other members in the “johns” group. As you guessed it, the “other” line refers to anyone else outside the group.
Let us use the setfaclcommand to modify the existing ACL on the file.
setfacl -m entity:name:permissions <file_name>
| entity | name | permissions |
|---|---|---|
| the value here signifies who the ACL entry is for:
user (u) or group(g) or others(o) |
the name of the user or group, for whom the ACL entry is relevant | the read,write,execute permissions are denoted by the letters r,w,x |
“john2” is first given read, write access to the file,
followed by “jane1.”
Let us view the updated ACL for “secretfile.”
We can see that read and write permissions have been assigned to “john2” and “jane1.”
Verifying the authenticity of the ACL
We can see that “john2” is able to read the file and write to it.
The new information entered by “john2” has been appended to the file.
Likewise, “jane1” gets the same privilege – read access and write access.
But “john3” in the same group is unable to write to the file.
“jane2,” who belongs to the other category, is also unable to write to the file.
Conclusion
The same process can be extended to directories, too. Access Control Lists enable a system administrator to handle file and directory access in an adept manner.
Our latest tutorials delivered straight to your inbox
