Technically Feasible

Using POSIX Access Control Lists

Michael Oldroyd

On most Unix-based filesystems, file permissions are baked into the filesystem itself. Each file has an owner and a group, with separate read, write and execute bits for the owner, the group and everyone else. This is sufficient flexibility for most use-cases.

There might be some situations where you would like a separate user or group to maintain a different level of access to certain parts of the filesystem.

On Debian, install the command-line tools (the package that provides getfacl and setfacl is named acl):

$ apt-get install acl

Imaginary convoluted scenario!

Now you can apply ACLs. Enter our first actor, paula, who works on a shared environment with steve. She has some important files to which she wishes to give steve full access, without granting him access to all of her other files. Here are the top-level folder contents:

$ ls -alh
total 20K
drwxr-xr-x  3 paula paula 4.0K Nov 25 17:59 .
drwxr-xr-x 16 paula paula 4.0K Nov 25 10:05 ..
drwxr-xr-x  2 paula paula 4.0K Nov 25 10:05 .dat
-rw-r--r--  1 paula paula  131 Nov 25 10:05 dat.json
-rw-r--r--  1 paula paula   64 Nov 25 17:59 index.html

We can check the current ACL settings of the current directory:

$ getfacl .
# file: .
# owner: paula
# group: paula
user::rwx
group::r-x
other::r-x

The directory has no ACLs configured. paula would like steve to have write access to everything in it. She doesn't want steve to be able to read or modify other files she owns, so ACLs could be an appropriate choice in this case:

$ setfacl -Rm u:steve:rwx,d:u:steve:rwx .
$ getfacl .
# file: .
# owner: paula
# group: paula
user::rwx
user:steve:rwx
group::r-x
mask::rwx
other::r-x

As you can see, the new entry user:steve:rwx gives steve rwx permissions on the directory.

  • -R requests permissions be applied recursively
  • -m appends this ACL to existing ACLs, as opposed to replacing.
  • u:steve:rwx applies the ACL to all existing files [1]
  • d:u:steve:rwx applies the default ACL for new files and folders added.
  • . is the path, which in this case is the current working directory.

Steve is now able to modify and create new files within Paula's directory.

ACL Masking

It's worth noting that the effective access an ACL entry grants may never exceed the access level granted to the actual owner and group; the mask entry enforces this cap, and getfacl flags the affected entries with #effective:

$ getfacl test.md
# file: test.md
# owner: paula
# group: paula
user::rw-
user:steve:rwx                  #effective:rw-
group::r-x                      #effective:r--
mask::rw-
other::r--

So as you can see above, although the ACL entry user:steve:rwx grants rwx, the owner's own grant is only rw-, so the mask (mask::rw-) limits steve to rw-, as shown by the #effective:rw- annotation.
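The masking rule above, as an added example (not code from the post): a small POSIX sh script that recomputes getfacl's #effective: annotations from ACL text, using a constructed copy of the test.md listing as input. Named users, the owning group and named groups are ANDed with the mask; the owner and other entries are never masked.

```sh
#!/bin/sh
# Added example (not from the post): apply the ACL mask the way getfacl's
# "#effective:" annotation does. The mask caps named users, the owning group
# and named groups; the owner (user::) and other:: entries are never masked.

# Constructed input, mirroring the test.md listing in the post.
SAMPLE_ACL='# file: test.md
# owner: paula
# group: paula
user::rw-
user:steve:rwx
group::r-x
mask::rw-
other::r--'

# and_perms PERMS MASK: bitwise AND of two "rwx"-style strings (rwx rw- -> rw-)
and_perms() {
    out=""
    for i in 1 2 3; do
        c1=$(printf '%s' "$1" | cut -c"$i")
        c2=$(printf '%s' "$2" | cut -c"$i")
        if [ "$c1" != "-" ] && [ "$c1" = "$c2" ]; then out="$out$c1"; else out="$out-"; fi
    done
    printf '%s' "$out"
}

# effective_perms ENTRY MASK: effective permissions of one ACL entry under MASK
effective_perms() {
    perms=${1##*:}
    case $1 in
        user::*|other::*) printf '%s' "$perms" ;;   # owner and other: never masked
        *) and_perms "$perms" "$2" ;;
    esac
}

# effective_acl: read getfacl output on stdin and append "#effective:" wherever
# the mask reduces an entry, in the same layout getfacl uses
effective_acl() {
    acl=$(cat)
    mask=$(printf '%s\n' "$acl" | sed -n 's/^mask::\(...\)$/\1/p')
    printf '%s\n' "$acl" | while IFS= read -r line; do
        case $line in '#'*|'') printf '%s\n' "$line"; continue ;; esac
        if [ -n "$mask" ]; then eff=$(effective_perms "$line" "$mask"); else eff=${line##*:}; fi
        if [ "$eff" != "${line##*:}" ]; then printf '%-32s#effective:%s\n' "$line" "$eff"
        else printf '%s\n' "$line"; fi
    done
}

printf '%s\n' "$SAMPLE_ACL" | effective_acl
```

Feed it real getfacl output (`getfacl file | sh script.sh`, after removing the sample line at the bottom) to check which entries a mask is silently trimming.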


  1. Thanks, StackOverflow.


Michael Oldroyd

Michael is a Software Engineer working in the North West of England.