ACL on Linux

Rights management on Linux is enough for most use.
In a few words, a file or a directory belongs to the owner and what you can do is positionning some right to this owner, to his group or all other users (= guests).
This is not bad, but sometimes you (or your application) may need more advanced right management, as on the latest windows versions : putting several owners with different rights, inheritance, etc.
There are named ACL (Access List Management) and they are supported on Linux also.
This is not going to be an how-to but just a brief informative introduction to ACL on Linux. You will find many how-to on the web if you need more.

Fisrt, you will need a kernel that supports ACL. As far as I now, most of modern distributions include it in their 2.6.x kernel.

To ensure, type :

$ grep ACL /boot/config-kernel-version

If your kernel supports it, you will get many lines like :


If you don’t, you will have to recompile your kernel with the right module.

Let’s say that we are going to add ACL management to the /home partition (on /dev/sda3) :

$ mount -t ext3 -o defaults,acl /dev/sda3/ /home

Or, if /home were already mounted :

$ mount -o remount,acl /home

If you want to add it at startup, edit /etc/fstab in the following way :

/dev/sda3       /home               ext3    defaults,acl 0       0

Now take your favorite packages manager and set up ACL tools, which allow us to assign ACL to files. Mine will be :

$ apt-get install acl

Now you can assign ACL using setfacl or consulting them using getfacl.
Use man to get some precise examples of syntax.

Be advised of the following :
– using cp with default does not preserve ACL. Use cp -a.
– using mv always keep ACL.
– in any case, if you copy/move files to a partition which is not mounted with ACL management (or with a file system that does not support it), ACL are lost.
ls -l gives an output with a ‘+‘, that indicates that some ACL are presents. For more information, use getfacl.
– KDE supports ACL in its interface, but Gnome does not yet. Maybe there is a workaround, but I haven’t tried yet.