Chapter #17: Linux Access Control Lists (ACLs) and Disk Quotas
In this article, you'll learn how to set up Access Control Lists (ACLs) and disk quotas in Linux to manage user permissions and storage limits effectively.

Access Control Lists (also known as ACLs) are a feature of the Linux kernel that allows you to define more fine-grained access rights for files and directories than those specified by regular ugo/rwx permissions.
For example, the standard ugo/rwx permissions do not allow you to set different permissions for different individual users or groups. With ACLs this is relatively easy to do, as we will see in this chapter.
Checking File System Compatibility With ACLs
To ensure that your file systems support ACLs, you should check that they have been mounted using the acl option.
To do that, we will use tune2fs for ext2/3/4 file systems as indicated below. Replace /dev/sda1 with the device or file system you want to check:
tune2fs -l /dev/sda1 | grep "Default mount options:"
(With XFS, Access Control Lists are supported out of the box).
acl to /etc/fstab. However, it's still a good practice to check. In the following ext4 file system, we can see that ACLs have been enabled for /dev/xvda2:

If the above command does not indicate that the file system has been mounted with support for ACLs, it is most likely due to the noacl option being present in /etc/fstab.
In that case, remove it, unmount the file system, and then mount it again, or simply reboot your system after saving the changes to /etc/fstab.
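The two checks above can be scripted. The following is an added example, not part of the original article: it lists the /etc/fstab entries that carry noacl and tests whether tune2fs output lists acl among the default mount options. The function names and the sample inputs are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original article); function names are hypothetical.

# Print the mount point of each fstab entry (read from stdin) whose
# options field (4th column) contains noacl.
fstab_noacl_mounts() {
    awk '
        $1 ~ /^#/ { next }                 # skip comment lines
        NF >= 4 {                          # blank/short lines never match
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++)
                if (opts[i] == "noacl") { print $2; break }
        }'
}

# Return 0 if the "Default mount options:" line of `tune2fs -l` output
# (read from stdin) lists acl as a whole word, 1 otherwise.
tune2fs_default_acl() {
    awk -F: '
        $1 == "Default mount options" {
            n = split($2, opts, " ")
            for (i = 1; i <= n; i++) if (opts[i] == "acl") found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# Constructed sample inputs, so the script runs without root or real disks.
SAMPLE_FSTAB='# <device> <mount> <type> <options> <dump> <pass>
/dev/sda1  /      ext4  defaults        0 1
/dev/sda2  /home  ext4  defaults,noacl  0 2
/dev/sdb1  /data  ext4  rw,noacl,nodev  0 2
/dev/sdc1  /srv   xfs   defaults        0 2'
SAMPLE_TUNE2FS='Filesystem features:      has_journal ext_attr
Default mount options:    user_xattr acl
Filesystem state:         clean'
SAMPLE_TUNE2FS_NOACL='Default mount options:    (none)'

echo "Entries mounted with noacl:"
printf '%s\n' "$SAMPLE_FSTAB" | fstab_noacl_mounts
if printf '%s\n' "$SAMPLE_TUNE2FS" | tune2fs_default_acl; then
    echo "acl is a default mount option"
fi
# On a real system: fstab_noacl_mounts < /etc/fstab
#                   tune2fs -l /dev/sda1 | tune2fs_default_acl
```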
Additional Note: To check if the acl feature is compiled into the kernel, you can run:
grep ACL /boot/config-$(uname -r)
Look for CONFIG_FS_POSIX_ACL=y or CONFIG_EXT4_FS_POSIX_ACL=y.
Introducing ACLs
To illustrate how ACLs work, we will use a group named developers and add users walterwhite and saulgoodman (yes, I am a Breaking Bad fan!) to it:
groupadd developers
useradd walterwhite
useradd saulgoodman
usermod -a -G developers walterwhite
usermod -a -G developers saulgoodman
Before we proceed, let's verify that both users have been added to the developers group:
id walterwhite
id saulgoodman

Let's now create a directory called test in /mnt, and a file named acl.txt inside (/mnt/test/acl.txt).
Then we will set the group owner to developers and change its default ugo/rwx permissions recursively to 770 (thus granting read, write, and execute permissions to both the owner and the group owner of the file):
mkdir /mnt/test
touch /mnt/test/acl.txt
chgrp -R developers /mnt/test
chmod -R 770 /mnt/test
As expected, you can write to /mnt/test/acl.txt as walterwhite or saulgoodman: