Implementing Access Control Lists for directories in Linux


What Does an Access Control List Consist Of?
Regardless of which routing platform is used, all of them define an access control list in a similar way. More advanced lists offer finer control, but all ACLs follow the same general outline:

  • Access control list name (depending on the router this can be numeric or a combination of letters and numbers)
  • A sequence number or term name for each entry
  • A statement of permission or denial for that entry
  • The protocol the entry applies to; examples include IP, IPX, ICMP, TCP, UDP, NetBIOS and many others
  • Destination and source targets

Types of Access Control

There are different types of access control lists, and most are defined for a special purpose or protocol on the system. Reflexive ACLs (also known as IP session ACLs) are created from an outbound ACL for traffic initiated from the internal network. The routing platform identifies the new traffic direction and creates an entry in a separate ACL for the inbound path. Once the session ends, the entry in the reflexive ACL is removed.

Dynamic ACLs (or lock-and-key ACLs) are created to allow a user access to a specific source/destination host after a user authentication process.

Implementation of ACLs for Linux directories (CentOS7)

ACLs provide an additional, more flexible permission mechanism for file systems on Linux. They extend the traditional UNIX file permissions for files and folders: with ACLs you can grant fine-grained access rights to any user or any group.

ACLs can be configured per user, per group, or via the effective rights mask. These permissions can be applied to an individual user or a group, using the same rwx (read, write, execute) rights found in regular file and folder permissions.

Support for ACLs is provided at the kernel level. Along with kernel support, the acl package is required to work with ACLs; it contains the utilities used to add, modify, remove and retrieve ACL information from a file or folder.

ACL functionality must be enabled at the kernel level. If the acl package is missing, install it with the following commands.

First, check whether your current kernel supports ACLs.

cat /boot/config-3.10.0-123.el7.x86_64 | grep _ACL
rpm -qa | grep acl
yum install acl

Before implementing an ACL for a file/directory, the partition where the file/directory resides should be mounted with ACL support.

Mount the partition with the following command.

mount /dev/sdb /work

Here, /dev/sdb is the block device and /work is the folder where it is mounted.

Then edit /etc/fstab and add an entry for the /dev/sdb partition that includes the acl mount option, as shown below.

This makes the setting for /dev/sdb permanent, so the partition is mounted with ACL support automatically after a reboot.

Edit /etc/fstab using vi or your favorite editor.

vim /etc/fstab

and type the following..

/dev/sdb /work ext4 acl 1 2

To be sure that the disk is mounted with ACL support, remount it with the acl option:

mount -o remount,acl /dev/sdb

You can check whether the partition has been mounted using mount or df -h.
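A small preflight check, added here as an example (it is not part of the original article or of the acl package): it parses text in the /etc/fstab format and in the kernel config format used in the steps above, and reports whether a given mount point has a filesystem with POSIX ACL support compiled in and the acl mount option set. The fstab and kernel config text inside the block are constructed sample input; the device names and the UUID in them are made up.

```python
"""Preflight check for ACL support, in the formats of /etc/fstab and /boot/config-*.

Added example for this article, not code from the page or the acl package.
The two text samples below are constructed; the device names and UUID are made up.
"""
import re

# Constructed sample: what `grep _ACL /boot/config-<version>` might print.
SAMPLE_KERNEL_CONFIG = """\
CONFIG_EXT4_FS_POSIX_ACL=y
CONFIG_XFS_POSIX_ACL=y
CONFIG_TMPFS_POSIX_ACL=y
CONFIG_NFS_V3_ACL=y
"""

# Constructed sample /etc/fstab; /data deliberately lacks the acl option.
SAMPLE_FSTAB = """\
# /etc/fstab (constructed sample)
UUID=00000000-0000-0000-0000-000000000000 /      xfs   defaults         0 0
/dev/sdb   /work   ext4  acl              1 2
/dev/sdc   /data   ext4  defaults,noexec  1 2   # no acl option here
"""


def acl_enabled_filesystems(kernel_config):
    """Filesystem names whose CONFIG_<FS>[_FS]_POSIX_ACL option is set to y."""
    enabled = set()
    for line in kernel_config.splitlines():
        m = re.match(r"CONFIG_([A-Z0-9]+?)(?:_FS)?_POSIX_ACL=y$", line.strip())
        if m:
            enabled.add(m.group(1).lower())
    return enabled


def parse_fstab(fstab):
    """Parse fstab text into dicts; comments and blank lines are skipped."""
    entries = []
    for raw in fstab.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            continue   # fstab needs device, mount point, type and options
        entries.append({
            "device": fields[0],
            "mountpoint": fields[1],
            "fstype": fields[2],
            "options": fields[3].split(","),
        })
    return entries


def check_acl_mount(fstab, kernel_config, mountpoint):
    """Report whether `mountpoint` is prepared for ACLs according to fstab
    and the kernel config; returns {'found': False} if fstab lacks it."""
    enabled = acl_enabled_filesystems(kernel_config)
    for entry in parse_fstab(fstab):
        if entry["mountpoint"] == mountpoint:
            return {
                "found": True,
                "fstype": entry["fstype"],
                "kernel_support": entry["fstype"] in enabled,
                "acl_option": "acl" in entry["options"],
            }
    return {"found": False}


if __name__ == "__main__":
    for mp in ("/work", "/data", "/nope"):
        print(mp, check_acl_mount(SAMPLE_FSTAB, SAMPLE_KERNEL_CONFIG, mp))
```

To run it against a real system, pass the contents of /etc/fstab and of the running kernel's /boot/config-* file instead of the samples. Note that on CentOS 7, mkfs.ext4 records acl in the filesystem's default mount options (visible with `tune2fs -l /dev/sdb | grep 'Default mount options'`), so ACLs often work even when fstab does not list the option; the check above reports only what fstab says, which is still worth having because an explicit acl option makes the intent auditable.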

To demonstrate ACLs we need two users, since ACLs in Linux are tied to users. Let's create a user first.

Issue the following command to add a user "russell".

useradd russell

You can use whatever user name you wish.

Now let's set a password for this user account. You can choose any password for this article, but remember it. Issue the command below to set a password.

passwd russell

To test ACLs we need at least two users; I will use root and russell. You can use different users if you prefer.

First we create a file demoacltest.txt in the /work folder.

vim /work/demoacltest.txt

Add some dummy text, then save and exit the file.

Issue the command below to change to the /work folder.

cd /work

Let's make root the owner and group of the file by doing the following.

chown root:root demoacltest.txt

Issue this command to see the permissions of the demoacltest.txt file.

ls -l

You will see something like this (the original article shows the ls -l output as a screenshot).

Here you can see that the file has write permission only for the root user. No other user can write to or read it.

You can also verify the same thing with the command below.

getfacl /work/demoacltest.txt

You will see something like the image below.

This also confirms that only root has write permission on this file.

Log out of the system and log in to the CentOS 7 system as the user russell. Try to write something to the file demoacltest.txt and save it. You will get an error like "Permission denied", and you will not be able to save the added line, because the user russell does not have write privileges for this file.

Now log in to the system as root again.

We will add an ACL entry for the user russell that allows russell to write to the file /work/demoacltest.txt.

setfacl -m user:russell:rwx /work/demoacltest.txt

Here -m stands for modify.

Now log out and log in again as the user russell, and try to edit the file. This time you can, thanks to the ACL entry.

Removing ACLs

To remove all of the currently defined ACL entries from a file or folder, issue the command below.

setfacl -b demoacltest.txt

Here, demoacltest.txt is the file name.
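The following is an added example, not code from the article or from the acl package. It ties together the effective rights mask mentioned earlier, the getfacl output used to inspect the file, the setfacl -m step that grants russell access, and the setfacl -b step above: it parses text in the format getfacl prints, computes a user's effective rwx permissions following the check order documented in acl(5), and models what setfacl -m (with and without -n) and setfacl -b do to the entries. The getfacl text in the block is a constructed sample, chosen so that the mask visibly limits the named entries; the user and group names in it are made up.

```python
"""Parse getfacl(1) output and compute a user's effective permissions.

Added example for this article; it is not code from the page or from the acl
package. It reproduces, in Python, the access-check order documented in acl(5)
and the default mask recalculation that setfacl -m performs, so the effect of
the mask entry can be inspected without touching a real filesystem. The getfacl
text below is constructed sample input.
"""

# Constructed sample: what getfacl prints after named user and group entries
# were added to a root-owned file and the mask was then tightened to r-x.
SAMPLE_GETFACL = """\
# file: work/demoacltest.txt
# owner: root
# group: root
user::rw-
user:russell:rwx
group::r--
group:developers:rw-
mask::r-x
other::---
"""


def parse_getfacl(text):
    """Return {'owner': ..., 'group': ..., 'entries': [(tag, qualifier, perms), ...]}."""
    acl = {"owner": None, "group": None, "entries": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):  # header lines: "# file:", "# owner:", "# group:"
            key, _, value = line[1:].partition(":")
            if key.strip() in ("owner", "group"):
                acl[key.strip()] = value.strip()
            continue
        # getfacl appends "#effective:r--" when the mask limits an entry; drop it
        tag, qualifier, perms = line.split("#", 1)[0].strip().split(":")
        acl["entries"].append((tag, qualifier, set(perms) - {"-"}))
    return acl


def to_rwx(perms):
    """Render a permission set as the familiar rwx triplet."""
    return "".join(c if c in perms else "-" for c in "rwx")


def mask_of(acl):
    masks = [p for t, _, p in acl["entries"] if t == "mask"]
    return masks[0] if masks else None


def effective(acl, user, groups):
    """Effective rwx for `user` (a member of `groups`) per the acl(5) check order:
    owner entry, then named user, then owning/named groups, then other.
    The mask applies to every class except the owner and other entries."""
    mask = mask_of(acl)
    limit = (lambda p: p & mask) if mask is not None else (lambda p: p)
    for tag, q, p in acl["entries"]:
        if tag == "user" and q == "" and user == acl["owner"]:
            return to_rwx(p)
    for tag, q, p in acl["entries"]:
        if tag == "user" and q == user:
            return to_rwx(limit(p))
    # acl(5): access is granted if ANY matching group entry grants it
    group_perms, matched = set(), False
    for tag, q, p in acl["entries"]:
        if tag == "group" and ((q == "" and acl["group"] in groups) or (q and q in groups)):
            matched, group_perms = True, group_perms | limit(p)
    if matched:
        return to_rwx(group_perms)
    for tag, q, p in acl["entries"]:
        if tag == "other":
            return to_rwx(p)
    return "---"


def modify(acl, tag, qualifier, perms, recalc_mask=True):
    """Model `setfacl -m tag:qualifier:perms`: replace or add the entry and, unless
    -n was given (recalc_mask=False), recompute the mask as the union of the
    named user, owning group and named group entries it governs."""
    new = dict(acl, entries=[e for e in acl["entries"] if (e[0], e[1]) != (tag, qualifier)])
    new["entries"].append((tag, qualifier, set(perms) - {"-"}))
    has_named = any(t in ("user", "group") and q for t, q, _ in new["entries"])
    if recalc_mask and (has_named or mask_of(new) is not None):
        union = set()
        for t, q, p in new["entries"]:
            if (t == "user" and q) or t == "group":
                union |= p
        new["entries"] = [e for e in new["entries"] if e[0] != "mask"] + [("mask", "", union)]
    return new


def remove_extended(acl):
    """Model `setfacl -b`: drop every named user/group entry and the mask, leaving
    only the base owner/group/other entries (the classic mode bits)."""
    return dict(acl, entries=[e for e in acl["entries"] if e[1] == "" and e[0] != "mask"])


if __name__ == "__main__":
    acl = parse_getfacl(SAMPLE_GETFACL)
    for who, grps in (("root", {"root"}), ("russell", {"russell"}), ("alice", {"developers"})):
        print(who, effective(acl, who, grps))
    print("after setfacl -m user:russell:rwx:", effective(modify(acl, "user", "russell", "rwx"), "russell", {"russell"}))
    print("after setfacl -b:", effective(remove_extended(acl), "russell", {"russell"}))
```

The point the sample makes is the one getfacl flags with its "#effective:" annotation: user:russell:rwx grants nothing beyond the mask, so russell is limited to r-x until the mask is widened. A plain setfacl -m recalculates the mask to the union of the governed entries (which is why the article's command works as described), whereas setfacl -n -m leaves the mask alone and the named entry stays clipped; setfacl -b returns the file to the three base entries, and a named user then falls through to the other entry.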