How are ACL permissions processed and in what order do they apply to a given user action?
This is kind of a broad topic and a little too much to cover here. I'll refer you to the POSIX Access Control Lists on Linux whitepaper put together by Andreas Grünbacher of the SuSE Labs. It does a pretty good job of covering the subject and breaking it down so you understand how ACLs work.
Your example
Now let's take a look at your example and break it down.
- group (sales)
- members of sales group (bob, joe)
Now let's break down the permissions on file /home/foo/docs/foo.txt
ACLs also encapsulate the same permissions that most people should be familiar with on Unix, mainly the User, Group, and Other bits. So let's pull those out first.
user::r--
group::r--
other::---
These would typically look like this in an ls -l:
$ ls -l /home/foo/docs/foo.txt
-r--r----- 1 jane executives 24041 Sep 17 15:09 /home/foo/docs/foo.txt
You can see who owns the file and what the group is with these ACL lines:
# owner: jane
# group: executives
So now we get into the nitty gritty of ACLs:
user:bob:rw-
user:joe:rwx
group:sales:rwx
This is showing that user bob has rw, while user joe has rwx. There is also a group which also has rwx similar to joe. These permissions are as if the user column in our ls -l output had 3 owners (jane, bob, and joe) as well as 2 groups (executives & sales). There is no distinction other than they are ACLs.
Lastly the mask line:
mask::rwx
In this case we're not masking anything, it's wide open. So if users bob and joe have these lines:
user:bob:rw-
user:joe:rwx
Then those are their effective permissions. If the mask were like this:
mask::r-x
Then their effective permissions would be like this:
user:bob:rw- # effective:r--
user:joe:rwx # effective:r-x
This is a powerful mechanism for curtailing permissions that are granted in a wholesale way.
NOTE: The file owner and others permissions are not affected by the effective rights mask; all other entries are! So with respect to the mask, the ACL permissions are second class citizens when compared to the traditional Unix permissions.
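To make the evaluation order concrete, here is an added example (not part of the original answer or question) that simulates the POSIX.1e access-check algorithm as documented in acl(5) and the Grünbacher whitepaper: owner entry first, then a matching named user entry, then the owning group and any matching named group entries, then other, with the mask applied to everything except the owner and other entries. The ACL text is constructed from the listing on this page; the user names alice, carl, dave and eve and their group memberships are assumptions for the demonstration.

```python
# Simulation of the POSIX.1e ACL access check (order from acl(5)).
# Added example: it evaluates a getfacl-style listing in pure Python and
# does not touch the kernel or the filesystem.

FULL = 7  # rwx as bits: r=4, w=2, x=1

# Constructed from the listing on this page (owner jane, group executives).
PAGE_ACL = """\
# owner: jane
# group: executives
user::r--
user:bob:rw-
user:joe:rwx
group:sales:rwx
group::r--
mask::rwx
other::---
"""

# Same ACL with the tighter mask discussed in the answer.
RESTRICTED_MASK_ACL = PAGE_ACL.replace("mask::rwx", "mask::r-x")


def parse_perm(text):
    """'rw-' -> 6, 'r-x' -> 5, 'w' -> 2."""
    return sum(v for c, v in (("r", 4), ("w", 2), ("x", 1)) if c in text)


def perm_str(bits):
    """6 -> 'rw-', 5 -> 'r-x'."""
    return "".join(c if bits & v else "-" for c, v in (("r", 4), ("w", 2), ("x", 1)))


def parse_acl(listing):
    """Parse getfacl text into its entry classes; '#' comments are ignored."""
    acl = {"owner": 0, "group": 0, "users": {}, "groups": {}, "mask": None, "other": 0}
    for raw in listing.splitlines():
        line = raw.split("#", 1)[0].strip()   # drops "# file:" and "#effective:" text
        if not line:
            continue
        tag, qualifier, perm = [part.strip() for part in line.split(":")]
        bits = parse_perm(perm)
        if tag == "user":
            if qualifier:
                acl["users"][qualifier] = bits      # ACL_USER
            else:
                acl["owner"] = bits                 # ACL_USER_OBJ
        elif tag == "group":
            if qualifier:
                acl["groups"][qualifier] = bits     # ACL_GROUP
            else:
                acl["group"] = bits                 # ACL_GROUP_OBJ
        elif tag == "mask":
            acl["mask"] = bits                      # ACL_MASK
        elif tag == "other":
            acl["other"] = bits                     # ACL_OTHER
    return acl


def effective_entries(acl):
    """What getfacl prints as '#effective:' for the mask-affected entries."""
    mask = FULL if acl["mask"] is None else acl["mask"]
    out = {"group::": perm_str(acl["group"] & mask)}
    out.update({f"user:{u}": perm_str(p & mask) for u, p in acl["users"].items()})
    out.update({f"group:{g}": perm_str(p & mask) for g, p in acl["groups"].items()})
    return out


def check_access(acl, owner, owning_group, uid, groups, requested):
    """True if `uid`, a member of `groups`, is granted every bit in `requested`."""
    want = parse_perm(requested)
    mask = FULL if acl["mask"] is None else acl["mask"]

    # 1. File owner: ACL_USER_OBJ decides and is never masked.
    if uid == owner:
        return want & acl["owner"] == want
    # 2. Named user entry: decides (masked), even if that means denial.
    if uid in acl["users"]:
        return want & acl["users"][uid] & mask == want
    # 3. Owning group and named groups: granted if ANY matching entry grants
    #    the request (masked); if entries matched but none grants, denied
    #    without falling through to "other".
    candidates = [acl["group"]] if owning_group in groups else []
    candidates += [acl["groups"][g] for g in groups if g in acl["groups"]]
    if candidates:
        return any(want & c & mask == want for c in candidates)
    # 4. Everyone else: ACL_OTHER, never masked.
    return want & acl["other"] == want


if __name__ == "__main__":
    acl = parse_acl(PAGE_ACL)
    # bob is in sales (rwx), but his named-user entry (rw-) is what decides:
    print("bob execute:", check_access(acl, "jane", "executives", "bob", {"sales"}, "x"))
    print(effective_entries(parse_acl(RESTRICTED_MASK_ACL)))
```

The check that answers the question on this page is the one for bob: he is a member of sales, whose entry carries x, yet the named user entry for bob matches first and denies execute. The rules are neither first-match top-down nor most-restrictive; the entry class that matches the caller most specifically decides, and the group step is the only one where several matching entries are combined.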
Mike B
Updated on September 18, 2022
Mike B (over 1 year ago), CentOS 6.4:
I'm trying to better understand how filesystem ACL rules are processed and in what order ACL rules apply.
For example, let's say users bob and joe belong to a group called sales. Let's also say that I have a sales document with the following details:
[root@Maui ~]# getfacl /home/foo/docs/foo.txt
getfacl: Removing leading '/' from absolute path names
# file: home/foo/docs/foo.txt
# owner: jane
# group: executives
user::r--
user:bob:rw-
user:joe:rwx
group:sales:rwx
group::r--
mask::rwx
other::---
My question is, how are permissions processed in an example like this and what access privileges take precedence?
Is there just a top-down search and whatever rule matches first is the one that applies?
Or does Linux enforce access based on what is the most specific rule for the user in question? Or perhaps the most restrictive and applicable rule takes precedence?