Introducing ACLs

In this section, we will give you a brief introduction to how ACLs, or access control lists, work.

Linux has some special file and folder permissions, namely ACLs, setuid, setgid, and the sticky bit. Take a look at a file in the filesystem, such as a newly created file that only the root user has access to; we are currently logged in as olip:

As you can see, the olip user has no write access to that file. Maybe you have already asked yourself this question: how can you grant permissions on a file or folder to individual users who are neither the file owner nor in the owning group (in our example, root)? With the standard permission model the only way is the others class, but this is not individual, as every user who is neither the owner nor in the owning group falls into this category. Here, however, we want to set permissions for a single user; for example, for the olip user.

Access control lists, or ACLs, are a system that extends the normal Linux file access control, with its simple ownership and permission model. With ACLs you can define file or folder permissions for a single user or a single group. To work with ACLs, use the getfacl and setfacl commands.

For example, to display ACLs, use the getfacl command and then the filename where you want to show permissions:

Here, as you can see, no ACLs have currently been set on this file. As with normal file permissions, if we want to change something, we need to log in as root. Now, to set an ACL, for example, for the olip user, use the following command. If you remember Chapter 3, The Linux Filesystem, this should be self-explanatory:

To verify the change, display the ACL of this file again. If you compare the getfacl command output before and after, you will see that we now have single-user permissions for the olip user: read, write, and execute. Now, the olip user should be able to write to this file:

Success; the ACLs are working as expected.

You can also set ACLs on a group-level basis. Here, instead of the user, we use the group identifier. To remove a single ACL entry, use the -x flag. You can also see whether a file has an ACL set by the plus sign (+) after the permission bits in the output of the ls -l command:
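The whole procedure from this section, as an added shell walk-through that is not from the book: it creates a root-style private file, grants a named user entry, checks getfacl and the plus sign in ls -l, adds a group entry, and removes the user entry again with -x. It assumes the acl package (getfacl/setfacl) is installed and the filesystem supports POSIX ACLs; UID and GID 4242 are constructed placeholders standing in for the olip user and a group.

```shell
#!/bin/sh
# Added example (not the book's own code). Assumes getfacl/setfacl from the acl
# package and a filesystem with POSIX ACL support. 4242 is a placeholder id.

# acl_has_entry TAG NAME PERMS: read getfacl output on stdin and succeed if an
# entry such as "user:olip:rwx" (TAG=user) or "group:devs:r-x" (TAG=group) exists.
acl_has_entry() {
    grep -qxF "$1:$2:$3"
}

# acl_is_flagged FILE: succeed if ls -l marks the file with "+" after the mode bits.
acl_is_flagged() {
    case "$(ls -ld "$1")" in
        ??????????+*) return 0 ;;
        *) return 1 ;;
    esac
}

# acl_demo: run the section's procedure on a throwaway file.
# Returns 0 on success, 2 if the tools or ACL support are missing, 1 on a mismatch.
acl_demo() {
    command -v setfacl >/dev/null 2>&1 && command -v getfacl >/dev/null 2>&1 || return 2
    dir=$(mktemp -d) || return 2
    f="$dir/secret.txt"
    : > "$f" && chmod 600 "$f" || { rm -rf "$dir"; return 2; }
    acl_is_flagged "$f" && { rm -rf "$dir"; return 1; }           # no ACL yet, so no "+"
    # grant the placeholder user rwx; fails on a filesystem without ACL support
    setfacl -m u:4242:rwx "$f" 2>/dev/null || { rm -rf "$dir"; return 2; }
    getfacl -n "$f" 2>/dev/null | acl_has_entry user 4242 rwx || { rm -rf "$dir"; return 1; }
    acl_is_flagged "$f" || { rm -rf "$dir"; return 1; }            # ls -l now shows "+"
    # group-level entry: same syntax, g: instead of u:
    setfacl -m g:4242:r-x "$f" || { rm -rf "$dir"; return 1; }
    getfacl -n "$f" 2>/dev/null | acl_has_entry group 4242 r-x || { rm -rf "$dir"; return 1; }
    # remove just the user entry with -x (setfacl -b would strip all extended entries)
    setfacl -x u:4242 "$f" || { rm -rf "$dir"; return 1; }
    if getfacl -n "$f" 2>/dev/null | acl_has_entry user 4242 rwx; then rm -rf "$dir"; return 1; fi
    rm -rf "$dir"
    return 0
}
```

Run `acl_demo; echo $?` as any user on an ACL-capable filesystem; the mask entry that setfacl computes stays after -x, so ls -l keeps showing "+" until the remaining extended entries are removed too.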