
Administration of Access Rights in Linux Using ACL

Introduction

 

Managing access rights to files and directories is one of the main elements of Linux system protection, functioning, and stability. The classic permission model has three levels of access rights: owner (user), group (group), and others (others), and three main categories of permissions: read (r), write (w), and execute (x). This model is often not sufficient, especially where the environment has a complex structure, many users, different groups, and non-standard permission requirements.

 

The capabilities of the basic permission model can be extended using ACL – Access Control List. With an ACL, you can set permissions for multiple users and groups on the same object, which is extremely useful for large companies and organizations, since a document or directory can be accessible to different departments with different levels of access.
 

 

Key capabilities of ACL:

  • Applying permissions to multiple users and groups without changing the file owner.
  • Flexible administration of access, including inheritance of permissions by newly created files.
  • The ability to deny access to specific users or expand access without affecting the basic (rwx) permissions.

Using ACL helps administrators manage access to data more efficiently and securely, especially on file servers, in corporate networks, and in environments with a high degree of multi-user interaction.
 

 

 

Step 1. Enabling ACL support

 

Checking the system for ACL support

 

Before installing and activating Access Control List, you should make sure that the file system supports it. Note that modern file systems like ext4, xfs, and btrfs are definitely compatible with ACL. To verify that ACL is enabled on an ext2/3/4 file system, use the command:

tune2fs -l /dev/sda1 | grep acl

If the output contains Default mount options: user_xattr acl, then ACL is already enabled.

 


For XFS:

mount | grep xfs

 

If ACL is not enabled, remount the file system with ACL support:

sudo mount -o remount,acl /dev/sda1 /

 

 

Installing ACL packages

 

In most Linux distributions, ACL tools are already preinstalled. If they are not, install them manually:

sudo apt install acl  # For Debian/Ubuntu


sudo yum install acl  # For RHEL/CentOS
sudo dnf install acl  # For Fedora

 

 

 

Step 2. Basic ACL commands

 

Setting permissions for files and directories (setfacl)


Use setfacl to assign rights to a specific user:

setfacl -m u:username:rwx file.txt


 

Where:

  • -m — modify the ACL list.
  • u:username:rwx — assigns rwx permissions to user username.

Setting permissions for a specific group:

setfacl -m g:developers:rx file.txt

For multiple users:

setfacl -m u:user1:r,u:user2:rw file.txt

 

 

Viewing current permissions (getfacl)

 

To view the ACL set on a file:

getfacl file.txt

Output:

# file: file.txt
# owner: root
# group: root
user::rw-
user:username:rwx
group::r--
mask::rwx
other::r--


 

 

 

Step 3. Inheriting permissions

 

Configuring permissions for new files and directories


To make new files inherit an ACL, set a default ACL on the directory using the d: prefix:

setfacl -m d:u:username:rwx directory/

 

 

Using the ACL mask


The mask sets the maximum permissions that named users, named groups, and the owning group can effectively receive; it does not limit the file owner or others. To set the mask, use:

setfacl -m m::rx file.txt

 

 

 

Step 4. Practical examples

 

Denying access to certain users


For example, deny access to user guest:

setfacl -m u:guest:--- file.txt
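
The mask described in Step 3 and the guest denial above both follow from the order in which ACL entries are evaluated (see acl(5)). The Python model below is an added example, not part of the original article; the getfacl output is constructed, the names alice, bob and staff are assumptions, and root/capability overrides are ignored.

```python
# Added example: models the POSIX ACL access check described in acl(5).
# It ignores root/capability overrides; SAMPLE is constructed getfacl output.

SAMPLE = """\
# file: file.txt
# owner: alice
# group: staff
user::rw-
user:guest:---
user:bob:rwx
group::r--
group:developers:r-x
mask::r-x
other::r--
"""

def parse_getfacl(text):
    """Return (owner, group, entries); entries are (tag, qualifier, perms)."""
    meta, entries = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# "):
            key, _, value = line[2:].partition(": ")
            meta[key] = value
        elif line and not line.startswith("default:"):
            tag, qualifier, perms = line.split("#")[0].split(":")[:3]
            entries.append((tag, qualifier, set(perms.strip()) - {"-"}))
    return meta["owner"], meta["group"], entries

def check_access(text, user, groups, wanted):
    """True if `user` (member of `groups`) gets every permission in `wanted`."""
    owner, group, entries = parse_getfacl(text)
    want = set(wanted)
    def find(tag, q=""):
        return [p for t, qual, p in entries if t == tag and qual == q]
    mask = (find("mask") or [set("rwx")])[0]      # no mask entry: nothing to clip
    if user == owner:                             # 1. owner: mask never applies
        return want <= find("user")[0]
    if find("user", user):                        # 2. named user, clipped by mask
        return want <= (find("user", user)[0] & mask)
    matching = [p for t, q, p in entries          # 3. owning group + named groups
                if t == "group" and (q or group) in groups]
    if matching:
        return any(want <= (p & mask) for p in matching)
    return want <= find("other")[0]               # 4. everyone else
```

In this model guest is refused read access even though other::r-- would allow it, because the named-user entry is consulted before the group and other entries. Likewise bob's rwx entry yields only r-x once the mask is applied.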


 

 

Administering group access

 

To grant the admins group full (rwx) permissions on /data, run:

setfacl -m g:admins:rwx /data

 

 

Conclusion

 

ACLs give Linux administrators a flexible tool for managing access rights. Unlike standard rwx permissions, an ACL can define access to files and directories in detail, taking into account the individual needs of specific users and entire groups. Additionally, it makes it possible to implement complex permission schemes in systems with many users.


However, being a security mechanism, ACL also requires correct configuration and regular monitoring. A few key recommendations for effective ACL use:

 

  • Avoid excessive complexity: if standard permissions (chmod) are enough, use them. Overuse of ACL can complicate administration.
  • Periodically review configurations – use getfacl to analyze existing access permissions and verify that the privileges assigned to users are correct.
  • Configure inheritance: this automatically applies the ACL to all new files in a directory.
  • Remove outdated ACL – if access is no longer needed, clear ACL lists (setfacl -b) to avoid confusion.
  • Log permission edits – in a corporate environment, it is recommended to keep logs of changes to track who made changes and when.

 

Proper use of ACL helps make the system more secure, controlled, and easier to manage. With correct configuration, administrators can effectively manage file access without constantly changing file owners or groups.