Please enable JavaScript.
Coggle requires JavaScript to display documents.
๐ Access Control Lists (ACL) - Enterprise Linux - Coggle Diagram
๐ Access Control Lists (ACL) - Enterprise Linux
๐ 1. Introduction
๐ Definition
Access Control List (ACL) is an advanced Linux permission mechanism.
ACL allows assigning permissions to multiple individual users and groups without changing the file owner or primary group.
ACL extends the standard Linux permission model.
๐ฏ Purpose
Provide fine-grained access control.
Grant different permissions to different users.
Grant permissions to multiple groups.
Support enterprise shared environments.
Follow the Principle of Least Privilege.
๐ข Enterprise Use Cases
Shared project directories
Application configuration directories
Backup directories
Log directories
Finance department files
HR confidential documents
Database backup storage
NFS shared storage
Samba shared folders
DevOps deployment directories
CI/CD pipelines
Compliance environments
๐ 2. Traditional Linux Permissions Review
๐ค Owner (u)
User who owns the file.
๐ฅ Group (g)
Group associated with the file.
๐ Others (o)
Everyone else.
๐ Permission Types
Read (r)
View file contents.
List directory contents.
Write (w)
Modify files.
Create or delete files inside a directory.
Execute (x)
Execute programs.
Enter directories.
๐ Example
rwxr-x---
Owner
rwx
Group
r-x
Others
โ Limitation
Only one owner.
Only one primary group.
Cannot give special permissions to multiple users individually.
๐จ Enterprise Problem
Owner
bilal
Group
developers
Need to give:
Ahmed Read
Ali Read Write
Backup Service Read
SOC Team Read
Auditor Read Only
Traditional permissions cannot achieve this efficiently.
๐ 3. What is ACL
Definition
ACL stores additional permissions beyond owner, group and others.
Think of ACL as
Extra permission list attached to files and directories.
ACL allows
Multiple users
Multiple groups
Different permission levels
Default inheritance
โ๏ธ 4. ACL Components
๐ค User ACL
Specific user permissions.
Example
Ahmed Read
Ali Read Write
๐ฅ Group ACL
Specific group permissions.
๐ Owner ACL
Original file owner.
๐ฅ Owning Group ACL
Original group.
๐ Other ACL
Everyone else.
๐ญ Mask
Maximum effective permission for all ACL users and groups.
Very important in enterprise.
๐ Default ACL
Inherited permissions for new files inside directories.
๐งฑ 5. ACL Architecture
User Request
โ
Linux Kernel
โ
Filesystem
โ
ACL Lookup
โ
Effective Permission Calculation
โ
Allow
Deny
๐พ 6. Filesystem Support
ext4
XFS
Btrfs
ReiserFS
NFS
Samba
๐ Verify Filesystem
Command
df -T
Shows
Filesystem type.
๐ฆ Install ACL Package
Ubuntu Debian
sudo apt install acl
RHEL Rocky Alma
sudo dnf install acl
Verify
getfacl --version
setfacl --version
๐ Important Files
Main executable
/usr/bin/setfacl
View ACL
/usr/bin/getfacl
Mount Information
/etc/fstab
Mounted Filesystems
mount
Current Mounts
/proc/mounts
๐ Verify ACL Support
Command
mount
or
tune2fs -l /dev/sda1
Modern Linux
ACL enabled by default.
๐ 7. ACL Commands
getfacl
Purpose
Display ACL entries.
Syntax
getfacl file
Example
getfacl report.txt
setfacl
Purpose
Create
Modify
Delete ACL
Remove ACL
setfacl -b file
Remove Default ACL
setfacl -k directory
Recursive
setfacl -R
Restore ACL
setfacl --restore
๐ค 8. User ACL
Give Read
setfacl -m u:ahmed:r file
Give Read Write
setfacl -m u:ali:rw file
Give Full
setfacl -m u:bilal:rwx file
View
getfacl file
๐ฅ 9. Group ACL
Read
setfacl -m g:finance:r file
Read Write
setfacl -m g:developers:rw file
Read Write Execute
setfacl -m g:admins:rwx file
๐๏ธ 10. Remove ACL
Remove User
setfacl -x u:ahmed file
Remove Group
setfacl -x g:finance file
Remove Everything
setfacl -b file
๐ญ 11. ACL Mask
Definition
Maximum permission allowed to ACL users and groups.
Example
User ACL
rwx
Mask
r--
Effective Permission
Read Only
Display
getfacl file
Output
mask::r--
Enterprise Importance
Most common ACL troubleshooting issue.
๐ 12. Default ACL
Definition
Automatically inherited by newly created files and directories.
Set
setfacl -m d:u:ahmed:rwx project
Group
setfacl -m d:g:developers:rwx project
View
getfacl project
Output
default:user
default:group
Enterprise Use
Shared project folders
Development repositories
Team collaboration
NFS shares
๐ 13. ACL Evaluation Order
Step 1
Root
Step 2
Owner
Step 3
Named User ACL
Step 4
Mask
Step 5
Group ACL
Step 6
Others
๐ 14. Effective Permissions
Final permission equals
ACL Entry
AND
Mask
Example
ACL
rwx
Mask
rw-
Effective
rw-
๐ข 15. Enterprise Shared Directory Example
Directory
/projects
Owner
root
Group
developers
Enable Group Inheritance
chmod 2775 /projects
Default ACL
Developers
rwx
QA
Read
Backup
Read
CI Server
Read Write
New files inherit automatically.
๐ 16. Backup ACL
Save ACL
getfacl -R /projects > acl.backup
Restore ACL
setfacl --restore=acl.backup
Enterprise Usage
Disaster Recovery
Migration
Server Replacement
๐ 17. Monitoring ACL
View ACL
getfacl file
List Files with ACL
find / -acl
Long Listing
ls -l
Indicator
+
Example
-rw-rw-r--+
Plus Sign
ACL exists.
โ ๏ธ 18. Common Errors
Operation not supported
Filesystem lacks ACL support.
Permission denied
Not owner or root.
Mask removes permissions
Effective permission becomes lower.
Default ACL not inherited
Missing default ACL.
๐ก๏ธ 19. Security Best Practices
Principle of Least Privilege
Never grant unnecessary Write permission.
Review ACL periodically.
Audit ACL regularly.
Remove unused ACL entries.
Backup ACL before migration.
Use groups whenever possible.
Use individual user ACL only when necessary.
Monitor critical directories.
Document ACL changes.
Integrate with IAM policy.
๐ 20. Enterprise Workflow
Create Directory
Assign Owner
Assign Group
Enable SetGID
Configure Standard Permissions
Configure User ACL
Configure Group ACL
Configure Default ACL
Verify ACL
Test Access
Backup ACL
Audit ACL
Monitor Changes
๐งช 21. Enterprise Lab
Step 1
Install ACL package
Step 2
Create project directory
Step 3
Create users
Step 4
Create groups
Step 5
Assign ownership
Step 6
Enable SetGID
Step 7
Configure ACL
Step 8
Configure Default ACL
Step 9
Verify using getfacl
Step 10
Test each user
Step 11
Backup ACL
Step 12
Restore ACL
Step 13
Remove ACL
Step 14
Audit permissions
Step 15
Document implementation
๐ฏ 22. Interview Questions
What is ACL?
Difference between chmod and ACL?
Difference between standard permissions and ACL?
What is setfacl?
What is getfacl?
What is ACL Mask?
What is Default ACL?
How to remove ACL?
How to backup ACL?
How to restore ACL?
What does the plus sign (+) in ls -l mean?
How do ACLs interact with SetGID?
Why are ACLs used in enterprise environments?
How do ACLs support the Principle of Least Privilege?
โญ 23. Enterprise Best Practice Summary
Use standard permissions for simple access control.
Use groups for department-wide access.
Use ACLs for exceptions and fine-grained control.
Use Default ACLs on collaborative directories.
Use SetGID with shared directories to preserve group ownership.
Always verify ACLs with getfacl.
Watch the ACL Mask because it limits effective permissions.
Backup ACLs before migrations or disaster recovery.
Audit ACLs regularly to maintain compliance and security.
Prefer group ACLs over many individual user ACLs to simplify administration.