Difference between chmod vs ACL
Solution 1
One is not better than the other; they are just different methods and ways of thinking.
You can use both permission systems on the same path without problems.
They interfere with each other when modifying the owner, owning group and other permissions: when setting the current value for these from setfacl, it will actually set the POSIX permission, not the ACL one.
POSIX permissions only allow an owner, owning group and "everyone" permission, while ACLs allow multiple "owning" users and groups. ACLs also allow setting default permissions for new files in a folder.
You can add more permission management on top of both with AppArmor or SELinux for stricter control.
Solution 2
The classic Unix permissions set by chmod (read/write/execute, user/group/other) have existed for a lot longer than ACL. If ACL had existed from the start then there wouldn't be a chmod as we know it. However, since chmod has existed for a very long time, many applications call it, many archive formats support the classic permissions, etc. You can express chmod permissions with ACL; they act as a sort of starting point for the ACL.
See Precedence of user and group owner in file permissions and Precedence of ACLS when a user belongs to multiple groups for a more detailed treatment of how access control works in the presence of ACL.
The chmod command also controls some flags which aren't really permissions, but are often called permissions nonetheless: setuid, setgid and the sticky bit. These aren't really permissions since they don't affect which accesses are authorized on the file, but how certain operations on the file work after they have been authorized. There's nothing like this with ACL.
mFeinstein
Updated on September 18, 2022
Comments
-
mFeinstein over 1 year
I understand chmod and chown and how the permission bits work, but there is another permission system inside Linux, ACL, with setfacl and getfacl, so this makes me wonder. What's the difference between those two permission control systems? Do they interfere with each other?
-
mFeinstein about 7 years
Am I correct in assuming that when I run ls -l I am only going to see POSIX permissions, and ACL ones that limit the file further won't be shown? Or will the POSIX permissions be respected regardless?
-
Gilles 'SO- stop being evil' about 7 years
@mFeinstein Depends. Under Linux, ls -l puts a + at the end of the permissions characters to indicate that ACL are present. If ACL are present then the basic permissions do not tell the full story: ACL override POSIX permissions.
-
mFeinstein about 7 years
So in order to truly understand a file's permission I have to check both the ACL and ls -l?
-
mFeinstein about 7 years
Is there a way to see if there are any ACL-specific permissions on a file/directory?
-
mFeinstein about 7 years
Oh great! That + at least stops me from getting myself off guard.
-
Gilles 'SO- stop being evil' about 7 years
@mFeinstein See if the permissions displayed by ls have an extra + at the end, or run the getfacl command to display all the permissions including ACL.
-
mFeinstein about 7 years
Just getfacl myFile?
-
Zulgrib about 7 years
Yes, getfacl on the path you wish to check.
-
pgoetz over 2 years
"ACL override POSIX permissions"
This is exactly backwards. There is a principle of "least surprise" which dictates that effective ACLs will reduce permissions to match the POSIX permissions. So, for example, if your primary group has r-x permission, you can set an ACL for another group with rwx, but this new group will effectively only have r-x permissions.
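
Added example, not part of the thread above: a small Python audit helper that parses getfacl output, applies the ACL mask entry to named users, the owning group and named groups to get their effective permissions, and derives the characters ls -l would show (the group slot shows the mask, and a trailing + marks an extended ACL). The sample output and the names alice, bob, staff and devs are constructed; the function names are illustrative.

```python
import re

# Constructed sample of `getfacl myFile` output; users and groups are made up.
SAMPLE = """\
# file: myFile
# owner: alice
# group: staff
user::rw-
user:bob:rwx
group::r-x
group:devs:rwx
mask::r-x
other::r--
"""

# Access-ACL entry lines only; '#' header lines and 'default:' entries do not match.
ENTRY = re.compile(r"^(user|group|mask|other):([^:]*):([r-][w-][x-])")

def parse_acl(text):
    """Return access-ACL entries as (tag, qualifier, perms) tuples."""
    return [m.groups() for m in map(ENTRY.match, text.splitlines()) if m]

def effective(entries):
    """Effective permissions per entry, keyed as 'tag:qualifier'."""
    mask = next((p for t, _, p in entries if t == "mask"), None)
    result = {}
    for tag, who, perms in entries:
        if tag == "mask":
            continue
        # The mask limits named users, the owning group and named groups.
        # The file owner (user::) and other:: are never masked.
        if mask is not None and (tag == "group" or (tag == "user" and who)):
            perms = "".join(c if c == m else "-" for c, m in zip(perms, mask))
        result[f"{tag}:{who}"] = perms
    return result

def ls_mode(entries):
    """Permission characters `ls -l` would print for a regular file."""
    perms = {f"{t}:{w}": p for t, w, p in entries}
    # With a mask present, the group slot of the mode shows the mask.
    group_slot = perms.get("mask:", perms["group:"])
    extended = len(entries) > 3  # more than user::, group::, other::
    return "-" + perms["user:"] + group_slot + perms["other:"] + ("+" if extended else "")

if __name__ == "__main__":
    acl = parse_acl(SAMPLE)
    print(ls_mode(acl))
    for who, perms in effective(acl).items():
        print(f"{who:12} {perms}")
```
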