This is kind of a broad topic and a little too much to cover here. I'll refer you to the POSIX Access Control Lists on Linux whitepaper put together by Andreas Grünbacher of the SuSE Labs. It does a pretty good job of covering the subject and breaking it down so you understand how ACLs work.
Your example
Now let's take a look at your example and break it down.
- group (sales)
- members of sales group (bob, joe)
Now let's break down the permissions on file /home/foo/docs/foo.txt. ACLs also encapsulate the same permissions that most people should be familiar with on Unix, mainly the User, Group, and Other bits. So let's pull those out first.
user::r--
group::r--
other::---
These would typically look like this in an ls -l:
$ ls -l /home/foo/docs/foo.txt
-r--r----- 1 jane executives 24041 Sep 17 15:09 /home/foo/docs/foo.txt
You can see who owns the file and what the group is with these ACL lines:
# owner: jane
# group: executives
So now we get into the nitty gritty of ACLs:
user:bob:rw-
user:joe:rwx
group:sales:rwx
This is showing that user bob has rw, while user joe has rwx. There is also a group which has rwx, similar to joe. These permissions are as if the user column in our ls -l output had 3 owners (jane, bob, and joe) as well as 2 groups (executives & sales). There is no distinction other than they are ACLs.
Lastly the mask line:
mask::rwx
In this case we're not masking anything, it's wide open. So if users bob and joe have these lines:
user:bob:rw-
user:joe:rwx
Then those are their effective permissions. If the mask were like this:
mask::r-x
Then their effective permissions would be like this:
user:bob:rw- # effective:r--
user:joe:rwx # effective:r-x
This is a powerful mechanism for curtailing permissions that are granted in a wholesale way.
NOTE: The file owner and others permissions are not affected by the effective rights mask; all other entries are! So with respect to the mask, the ACL permissions are second class citizens when compared to the traditional Unix permissions.
References
To change your default group on the fly, use newgrp:
newgrp some_group
After running that command, you will be in a new shell with your group set to some_group, and files that you create will be in group some_group. newgrp may or may not ask for a password depending on how permissions are set.
Related: To find out which groups you belong to, run groups.
Best Answer
From the standard:
(emphasis in original, footnote added)
That is, if there is a file with user and group root and permissions 0600 called acl-test, containing the single line read possible, then:
Now if I (as user fox) attempt to cat this:
Group permissions are unioned
I happen to be in the groups users and wheel, so we can add specific ACLs for these groups:
This is because the group entries (considered simultaneously) allow read permission to one of my groups. These can be combined:
So now I can both read and write the file, even though the groups that allow these permissions are not the same group.
User-specific permissions override all groups
Since user rules apply before group rules, we can still restrict a given user from reading and/or writing contents:
A mask, if set, overrides almost everything
If a file is meant to be truly read-only to anyone but the owner:
Amusingly, the mask does not override the others permissions, so:
1 The "center column" refers to this image and contains everything except UO and O, so the owning user and others are unaffected by a mask. All groups and non-owning users with defined rules are affected.
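Added example, not part of any of the answers above and not code from the acl package: a small Python model of the POSIX.1e access check that the first answer (the mask and "#effective" rights) and the accepted answer (group entries considered together, a named user entry overriding the groups, the owner and "other" untouched by the mask) are both describing. The check order it implements is the one in the Grünbacher whitepaper the first answer points to and in the Linux kernel: owning user, then a matching named user, then every matching group entry, then other. The two ACL texts are constructed from the answers' scenarios (jane/bob/joe/sales with the tighter r-x mask; a root-owned acl-test file that fox can reach through groups users and wheel); the mask value rw- and the per-group r--/-w- split on acl-test are assumptions, since the accepted answer's setfacl commands are not reproduced on the page. The function and constant names are mine.

```python
# Added illustration, not code from these answers or from the acl package: a
# model of how the kernel evaluates a POSIX ACL, driven by getfacl(1)-style text.
from dataclasses import dataclass, field

PERM_BITS = {"r": 4, "w": 2, "x": 1}

def parse_perms(text: str) -> int:
    """'rw-' -> 6 (any character other than r/w/x is treated as unset)."""
    return sum(bit for ch, bit in PERM_BITS.items() if ch in text)

def perms_str(bits: int) -> str:
    """6 -> 'rw-'"""
    return "".join(ch if bits & bit else "-" for ch, bit in PERM_BITS.items())

@dataclass
class Acl:
    owner: str = ""
    group: str = ""
    user_obj: int = 0              # user::   owning user, never masked
    group_obj: int = 0             # group::  owning group, masked
    other: int = 0                 # other::  never masked
    mask: "int | None" = None      # mask::   absent when there is no extended ACL
    users: dict = field(default_factory=dict)   # user:NAME:  entries, masked
    groups: dict = field(default_factory=dict)  # group:NAME: entries, masked

def parse_getfacl(text: str) -> Acl:
    """Parse getfacl long output. '# owner:'/'# group:' headers are used,
    other comments are skipped, and trailing '#effective:' notes are dropped."""
    acl = Acl()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# owner:"):
            acl.owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            acl.group = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            tag, qualifier, perms = line.split("#", 1)[0].strip().split(":")
            bits = parse_perms(perms)
            if tag == "mask":
                acl.mask = bits
            elif tag == "other":
                acl.other = bits
            elif tag not in ("user", "group"):
                raise ValueError(f"unknown ACL entry tag: {tag!r}")
            elif qualifier:
                (acl.users if tag == "user" else acl.groups)[qualifier] = bits
            elif tag == "user":
                acl.user_obj = bits
            else:
                acl.group_obj = bits
    return acl

def effective(acl: Acl, tag: str, qualifier: str = "") -> str:
    """What getfacl prints as #effective: the mask cuts every entry except user:: and other::."""
    if tag == "user" and not qualifier:
        return perms_str(acl.user_obj)
    if tag == "other":
        return perms_str(acl.other)
    bits = (acl.users[qualifier] if tag == "user"
            else acl.groups[qualifier] if qualifier else acl.group_obj)
    return perms_str(bits if acl.mask is None else bits & acl.mask)

def access(acl: Acl, uid: str, gids, want: str) -> bool:
    """Would a process running as uid with group list gids get want (e.g. 'rw')?
    Order as in POSIX.1e / Linux: owning user; else a matching named user; else all
    matching group entries, where one single entry must contain every requested
    bit after masking; else other."""
    want_bits = parse_perms(want)
    mask = 7 if acl.mask is None else acl.mask
    if uid == acl.owner:                                        # 1. owner, unmasked
        return (acl.user_obj & want_bits) == want_bits
    if uid in acl.users:                                        # 2. named user beats groups
        return (acl.users[uid] & mask & want_bits) == want_bits
    matching = [acl.groups[g] for g in gids if g in acl.groups]
    if acl.group in gids:
        matching.append(acl.group_obj)
    if matching:                                                # 3. groups, each masked
        return any((bits & mask & want_bits) == want_bits for bits in matching)
    return (acl.other & want_bits) == want_bits                 # 4. other, unmasked

# Constructed sample: foo.txt from the first answer, with its tighter r-x mask.
FOO_TXT = """\
# owner: jane
# group: executives
user::r--
user:bob:rw-
user:joe:rwx
group::r--
group:sales:rwx
mask::r-x
other::---
"""

# Constructed sample in the spirit of the accepted answer's acl-test: a root-owned
# 0600 file where fox gets read through group users and write through group wheel.
ACL_TEST = """\
# owner: root
# group: root
user::rw-
group::---
group:users:r--
group:wheel:-w-
mask::rw-
other::---
"""
```

Real getfacl output pastes straight into parse_getfacl, so the model can be compared against what the kernel actually does on a file. One detail worth knowing when using it: with read granted through users and write through wheel, effective(…) and access(…) agree with the accepted answer that fox can read and can write, but a single access check for "rw" fails, because the rule is that some one matching group entry must hold every requested bit; a program that opens the file O_RDWR in one call therefore gets EACCES even though separate reads and writes succeed.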