How to Use Access Control Lists to Control File Permissions on Linux

Access Control List Linux Featured

A very useful feature in Linux is the “Access Control Lists” which controls access to files and directories. Here is how the access control lists work to control the file permissions in Linux.

Note: To thoroughly grasp how access control lists work, we’re first setting up some users and groups on a working Linux system. The following exercise is carried out on a virtual machine running Kali operating system. The root user has the power to add new users to the system and allot them to groups.

Creating users and groups

Firstly, we will log in as root, create users and put them in respective groups as shown in the table below. The users have been given simple names to help comprehend the concept better.

User Group

We will use the adduser command to add new users to the system.

linux file Acl 1

The id command will display the details of the newly created user. It will show the user id (uid), group id (gid) and group name (groups). The user, upon creation, is automatically added to a group with the same name as the user name. That user would be the sole member of the group.

linux file Acl 2

Likewise, users “john2” and “john3” are also created.

adduser john2
adduser john3

Once the three users have been created, use theid command to view the respective user and group ids.

Acl 5

We can see that the three users are in their own groups – 1000, 1001 and 1002. According to the table shown earlier, we want the three users to be in the same group: johns. Since such a group does not exist on the system currently, we will create it with the groupadd command:

groupadd -g <new_group_ID> <group_name>

Acl 7

The new group ID is specified as 5000. If the -g switch is ignored, then the system will automatically pick a group ID. The name of the new group is “johns.” Now the three users – “john1,” “john2” and “john3” – need to be added as members of this group. We will use the usermod command for this task.

usermod -g <group_name> <user_name>

usermod adds the user “user_name” to the group “group_name.” The following figure first displays the uid and gid for “john1” before group change. After the usermod command runs successfully, “john1” is added to the “johns” group with gid 5000.

Acl 8

The same process is done for users “john2” and “john3.”

usermod -g johns john2
usermod -g johns john3

Finally, details of the three users in the “johns” group can be viewed using id command.

Acl 10

We have successfully created three users and added them to the same group.

Similarly, users “jane1” and “jane2” are created and added to the “janes” group with gid 6000. Their details can be viewed using the id command as shown below.

Acl 16

What is the need for Access Control Lists?

Let’s assume user “john1” logs in,

Acl 18

creates a new file in the Home directory,

Acl 19

and adds some content to it.

Acl 20

Using thels command, we view the file’s metadata.

Acl 22

The first few characters in the output, - rw - r - - r - - account for the permission string. Let us dissect it.

rw – r – – r – –
file type permissions john1 has on the file permissions members of johns group have on the file permissions given to others not in johns group

This article is a good primer on file permissions.

What if “john1,” being the file owner, wants to additionally give write permissions only to “john2” and “jane1” but persist with read permissions for “john3” and “jane2?”

rw – r – –

One option would be to create a new group with read, write permissions for “john1,” “john2” and “jane1” and another group with only read permissions for “john3” and “jane2.” In case john1 wishes to modify permissions further for any group member, then more groups need to be created. Creating and managing multiple groups is a burden to the system administrator.

Instead, an “Access Control List” can be created for a file which would clearly state the operations any user can perform on that file.

How to Create an Access Control List (ACL) for a file?

Every file upon creation has an ACL assigned to it. Using it efficiently is simply a matter of modifying it. Only the file owner and root user can modify the ACL of a file.

We can use the getfacl command to view the existing ACL:

getfacl <file_name>

Acl 31

The lines starting with # are comment lines. The actual information is in the last three lines of output, which is similar to the permission string obtained earlier. The “user” line refers to the permissions assigned to the file owner “john1.” The “group” line refers to the permissions assigned to other members in the “johns” group. As you guessed it, the “other” line refers to anyone else outside the group.

Let us use the setfaclcommand to modify the existing ACL on the file.

setfacl -m entity:name:permissions <file_name>
entity name permissions
the value here signifies who the ACL entry is for:

user (u) or group(g) or others(o)

the name of the user or group, for whom the ACL entry is relevant the read,write,execute permissions are denoted by the letters r,w,x

“john2” is first given read, write access to the file,

Acl 32

followed by “jane1.”

Acl 34

Let us view the updated ACL for “secretfile.”

Acl 35

We can see that read and write permissions have been assigned to “john2” and “jane1.”

Verifying the authenticity of the ACL

We can see that “john2” is able to read the file and write to it.

Acl 36

The new information entered by “john2” has been appended to the file.

Acl 37

Likewise, “jane1” gets the same privilege – read access and write access.

Acl 41

But “john3” in the same group is unable to write to the file.

Acl 40

“jane2,” who belongs to the other category, is also unable to write to the file.

Acl 45


The same process can be extended to directories, too. Access Control Lists enable a system administrator to handle file and directory access in an adept manner.

Divya Lakshmanan

Divya divides her time between speculating the existence of aliens and writing about her technical findings.

Subscribe to our newsletter!

Our latest tutorials delivered straight to your inbox