An access control list (ACL) specifies which users or system processes are granted access to an object, and which operations are allowed on it. On file systems, ACLs provide an additional, more flexible permission mechanism that extends the standard UNIX owner/group/other permissions. Each entry in a typical ACL names a subject (a user or a group) and the operations it may perform, so you can grant permissions on any file or directory to any user or group, not only to the owner and the owning group.

There are two types of ACLs:

1- Access ACL
2- Default ACL

Access ACL

An access ACL controls access to a specific file system object (a file or a directory).

Default ACL

A default ACL can only be applied to a directory. Files and folders created under that directory without an ACL of their own inherit the default ACL of the parent directory.
ACLs can be configured per user, per group, and for users who are neither the owner nor a member of the owning group of a file (others); each ACL additionally carries a mask entry, which caps the effective permissions of named users and groups.
Permissions in an ACL are expressed with the characters r, w and x.
ACLs are set and removed with setfacl, using the -m and -x options respectively.

Configure Access ACL:

Setting an ACL on a folder for users.

First, create two users, "zack" and "zeeshan":

useradd zack
useradd zeeshan

Then create an example directory to use for the ACL:

mkdir exampledir
ls -lh

Then set an access ACL on that directory:

setfacl -R -m u:zack:rwx exampledir
setfacl -R -m u:zeeshan:r-x exampledir

setfacl is the command that sets an ACL:
-R applies the change recursively to the directory and its contents.
-m adds or modifies ACL entries.
u: selects a user entry.
rwx grants read, write and execute permissions.

Now run the following command:

ls -lh

A plus (+) sign now appears after the permission bits of exampledir. It shows that an ACL is set on that file/folder.

List configured ACL

The command to display the configured ACLs is getfacl:

getfacl exampledir

Now user zack has full permissions on exampledir: he can create and modify files and folders in it.
User zeeshan has limited permissions on exampledir: he can read and enter it but cannot create files or folders in it.

Set ACL on a folder for a group

First create a group "admin", then create a new directory:

groupadd admin
mkdir newexampledir
ls -lh

Now set an ACL on the created directory:

setfacl -R -m g:admin:rwx newexampledir

g: selects a group entry.

Now all members of the "admin" group have rwx permissions on the newexampledir folder.

getfacl newexampledir

Set ACL on a folder for a group and a user.
Always keep in mind that in an ACL a named user entry takes priority over group entries.

Create a group "support":

groupadd support

Then create two users and assign them to the "support" group:

useradd razee -g support
useradd zaheer -g support

Now create an exmp folder:

mkdir exmp
ls -lh

Set an ACL for the "support" group and the "razee" user:

setfacl -R -m g:support:rwx exmp
setfacl -R -m u:razee:r-x exmp
getfacl exmp

In the above scenario both users razee and zaheer are members of the support group,
but user razee also has a separate ACL entry of his own, and that user entry has priority over the group entry.
zaheer therefore has full access to the exmp folder, e.g. he can create files and folders in it.
razee cannot create files or folders in exmp because his entry does not include the w (write) permission.
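To see why razee ends up with r-x while his group has rwx, here is an added Python example (not part of the original post) that applies the POSIX ACL check order, including the mask entry, to a constructed getfacl listing of exmp; the owner and owning group shown as root are assumptions.

```python
# Added example (not from the original post): evaluate a POSIX ACL the way the
# kernel's access check does. GETFACL_EXMP is constructed getfacl output for "exmp".
GETFACL_EXMP = """\
# file: exmp
# owner: root
# group: root
user::rwx
user:razee:r-x
group::r-x
group:support:rwx
mask::rwx
other::r-x
"""

def parse_getfacl(text):
    """Return (owner, owning_group, entries); entries maps (tag, qualifier)
    to the set of permission characters, e.g. ("user", "razee") -> {"r", "x"}."""
    owner = group = None
    entries = {}
    for line in text.splitlines():
        line = line.split("#effective:")[0].strip()  # drop getfacl's annotations
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            tag, qual, perms = line.split(":")
            entries[(tag, qual)] = {c for c in perms if c in "rwx"}
    return owner, group, entries

def effective_perms(acl_text, user, groups):
    """Permissions `user` (a member of `groups`) gets, in POSIX ACL check order:
    owner, named user, owning group plus named groups (union), other.
    Named-user and all group entries are capped by the mask entry."""
    owner, owning_group, e = parse_getfacl(acl_text)
    mask = e.get(("mask", ""), set("rwx"))
    if user == owner:
        return e[("user", "")]
    if ("user", user) in e:                      # user entry beats group entries
        return e[("user", user)] & mask
    keys = [("group", "") if g == owning_group else ("group", g) for g in groups]
    matched = [e[k] for k in keys if k in e]
    if matched:
        return set().union(*matched) & mask
    return e[("other", "")]

def fmt(perms):
    """Render a permission set as an rwx string, e.g. {"r", "x"} -> "r-x"."""
    return "".join(c if c in perms else "-" for c in "rwx")
```

The same functions work on real getfacl output; lowering the mask (for example with chmod g-w on the directory) caps every named-user and group entry, which getfacl marks with #effective: annotations.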

Set ACL for others

We will set it on the exmp folder.
Suppose azam is an "other" user: he is neither the owner of the "exmp" folder nor a member of its group.

useradd azam
setfacl -R -m o:r-x exmp
getfacl exmp

Now user azam has read and execute permissions on the exmp folder, so he can read all files and folders under it.

Assign full permissions to user "azam":

setfacl -R -m o:rwx exmp
getfacl exmp

Now user azam has full permissions on the exmp folder: he can read, write and modify files and folders under it.

Remove all permissions from user "azam":

setfacl -R -m o:--- exmp
getfacl exmp

Now user azam has no permissions on the exmp folder; he cannot even enter it.

To remove a single ACL entry from a file/folder:
We will remove the ACL entry of user zack from the exampledir folder.

setfacl -R -x u:zack exampledir
getfacl exampledir

-x removes the named ACL entry.

To remove all ACL entries from a file/folder:
We will remove the ACLs from the exmp folder.

setfacl -R -b exmp
getfacl exmp

-b removes all ACL entries; the base owner/group/other permissions remain.

Default ACL

A default ACL is a special kind of ACL assigned to a directory. It does not change the permissions of the directory itself, but the permissions it specifies are applied by default, for the specified users, groups and others, to every file and folder created inside that directory.
In other words, the default ACL of a parent directory is inherited by its subdirectories.

We will set a default ACL for user zeeshan:

mkdir exampledir1
setfacl -m d:u:zeeshan:rx exampledir1
getfacl exampledir1

d: marks the entry as a default ACL entry.

Now each file or directory created under exampledir1 will have the default permission rx for user zeeshan.

Now we will set a default ACL for the group admin:

setfacl -m d:g:admin:rwx exampledir1
getfacl exampledir1

We will set a default ACL for others:

setfacl -m d:o:--- exampledir1
getfacl exampledir1

That’s about it.