CentOS 6.4
I'm trying to better understand how filesystem ACL rules are processed and in what order ACL rules apply.
For example, let's say users bob and joe belong to a group called sales. Let's also say that I have a sales document with the following details:
[root@Maui ~]# getfacl /home/foo/docs/foo.txt
getfacl: Removing leading '/' from absolute path names
# file: home/foo/docs/foo.txt
# owner: jane
# group: executives
user:: r--
user:bob:rw-
user:joe:rwx
group:sales:rwx
group::r--
mask::rwx
other::---
My question is, how are permissions processed in an example like this and what access privileges take precedence?
Is there just a top-down search and whatever rule matches first is the one that applies?
Or does Linux enforce access based on what is the most specific rule for the user in question? Or perhaps the most restrictive and applicable rule takes precedence?
Best Answer
This is kind of a broad topic and a little too much to cover here. I'll refer you to the POSIX Access Control Lists on Linux whitepaper put together by Andreas Grünbacher of the SuSE Labs. It does a pretty good job of covering the subject and breaking it down so you understand how ACLs work.
Your example
Now let's take a look at your example and break it down.

Now let's break down the permissions on file /home/foo/docs/foo.txt. ACLs also encapsulate the same permissions that most people should be familiar with on Unix, mainly the User, Group, and Other bits. So let's pull those out first. These would typically look like this in an ls -l:

You can see who owns the file and what the group is with these ACL lines:

So now we get into the nitty gritty of ACLs:

This is showing that user bob has rw, while user joe has rwx. There is also a group which also has rwx, similar to joe. These permissions are as if the user column in our ls -l output had 3 owners (jane, bob, and joe) as well as 2 groups (executives & sales). There is no distinction other than they are ACLs.

Lastly, the mask line:

In this case we're not masking anything, it's wide open. So if users bob and joe have these lines:

Then those are their effective permissions. If the mask were like this:

Then their effective permissions would be like this:

This is a powerful mechanism for curtailing permissions that are granted in a wholesale way.

NOTE: The file owner and others permissions are not affected by the effective rights mask; all other entries are! So with respect to the mask, the ACL permissions are second class citizens when compared to the traditional Unix permissions.
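As an added example (not from the question or the answer above), here is a small Python model of the POSIX.1e evaluation order that the referenced whitepaper describes, run over the getfacl listing from the question: the owner entry is checked first, then a named user entry, then the owning group and named group entries, then other, with the mask capping everything except owner and other. It assumes user and group names in place of uids/gids, and a caller that supplies the user's group memberships.

```python
PERM_BITS = {"r": 4, "w": 2, "x": 1}
def parse_perms(s):
    return sum(PERM_BITS[c] for c in s if c in PERM_BITS)  # 'rw-' -> 6
def parse_acl(text):
    """getfacl output -> (owner, owning_group, entries); qualifier "" = owner/owning group."""
    owner = owning_group = None
    acl = {"user": {}, "group": {}, "other": 0}
    for line in map(str.strip, text.splitlines()):
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            owning_group = line.split(":", 1)[1].strip()
        elif not line.startswith("#"):
            parts = line.split("#")[0].strip().split(":")  # drop '#effective:' notes
            if len(parts) == 3:  # skips getfacl's "Removing leading '/'" notice
                tag, qual, perms = parts
                if tag in ("user", "group"):
                    acl[tag][qual] = parse_perms(perms)
                else:
                    acl[tag] = parse_perms(perms)  # mask or other
    return owner, owning_group, acl
def acl_permits(acl_text, user, groups, want):
    """True if `user` (member of `groups`) is granted every bit in `want`, e.g. 'rw'.
    Order (POSIX.1e as Linux implements it): owner entry; else named user entry;
    else owning-group/named-group entries, any ONE of which must grant all of
    `want`; else other. The mask caps every entry except owner and other, and
    the first matching class decides: a wider group entry never rescues a user
    who was matched by name."""
    need = parse_perms(want)
    owner, owning_group, acl = parse_acl(acl_text)
    mask = acl.get("mask", 7)  # no mask entry: nothing is capped
    if user == owner:
        return (acl["user"][""] & need) == need
    if user in acl["user"]:
        return (acl["user"][user] & mask & need) == need
    hits = [p for g, p in acl["group"].items()
            if (g == "" and owning_group in groups) or (g and g in groups)]
    if hits:
        return any((p & mask & need) == need for p in hits)
    return (acl["other"] & need) == need
# The ACL from the question, embedded as constructed sample input.
FOO_TXT_ACL = """\
# owner: jane
# group: executives
user::r--
user:bob:rw-
user:joe:rwx
group:sales:rwx
group::r--
mask::rwx
other::---
"""
```

With the listing as given, bob (even as a sales member) gets rw but not x because his named entry wins over the group entry, and tightening the mask to r-- cuts bob, joe and sales down to read while jane's owner entry is untouched.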