Difference between chmod vs ACL

Question

I understand chmod and chown and how the permission bits work, but there is another permission system inside Linux, ACL with setfacl and getfacl, so this makes me wonder.

What's the difference between those two permission control systems? Do they interfere with each other?

score 18 · Answer 1 · answered May 12 '17 at 00:04

18

One is not better than the other, they are just different methods and way of thinking.

You can use both permissions system on the same path without problems.

They interfere with each other when modifying owner's, owning group and other permissions: when setting current value for these from setfacl, it will actually set the posix permission, not the ACL one.

Posix permissions only allows an owner, owning group and "everyone" permission while ACL allows multiple "owning" users and group. ACL also allows setting default permissions for new files in a folder.

You can add more permission management on top of both with apparmor or selinux for stricter control.

answered May 12 '17 at 00:04

Zulgrib

984

3

Am I correct in assuming that when I run ls -l I am only going to see posix permissions and ACL ones that limit the file further won't be shown? Or will the posix permissions be respected regardless? – mFeinstein May 12 '17 at 00:39
10

@mFeinstein Depends. Under Linux, ls -l puts a + at the end of the permissions characters to indicate that ACL are present. If ACL are present then the basic permissions do not tell the full story: ACL override POSIX permissions. – Gilles 'SO- stop being evil' May 12 '17 at 00:42
1

Oh great! That + at least stops me from getting myself off guard – mFeinstein May 12 '17 at 00:45
1

ACL override POSIX permissions This is exactly backwards. There is a principle of "least surprise" which dictates that effective ACLs will reduce permissions to match the POSIX permissions. So, for example if your primary group has r-x permission, you can set an ACL for another group with rwx, but this new group will effectively only have r-x permissions. – pgoetz Nov 11 '21 at 10:12

score 11 · Answer 2 · answered May 12 '17 at 00:40

11

The classic Unix permissions set by chmod (read/write/execute, user/group/other) have existed for a lot longer than ACL. If ACL had existed from the start then there wouldn't be a chmod as we know it. However, since chmod has existed for a very long time, many applications call it, many archive formats support the classic permissions, etc. You can express chmod permissions with ACL; they act as a sort of starting point for the ACL.

See Precedence of user and group owner in file permissions and Precedence of ACLS when a user belongs to multiple groups for a more detailed treatment of how access control works in the presence of ACL.

The chmod command also controls some flags which aren't really permissions, but are often called permissions nonetheless: setuid, setgid and the sticky bit. These aren't really permissions since they don't affect which accesses are authorized on the file, but how certain operations on the file work after they have been authorized. There's nothing like this with ACL.

answered May 12 '17 at 00:40

Gilles 'SO- stop being evil'

829,060

2

So in order to truly understand a file's permission I have to check both the ACL and ls -l? – mFeinstein May 12 '17 at 00:43
Is it there a way to see if there is any ACL specific permissions on a file/directory? – mFeinstein May 12 '17 at 00:44
2

@mFeinstein See if the permissions displayed by ls have an extra + at the end, or run the getfacl command to display all the permissions including ACL. – Gilles 'SO- stop being evil' May 12 '17 at 00:56
2

Just getfacl myFile? – mFeinstein May 12 '17 at 00:58
1

Yes, getfacl on the path you wish to check. – Zulgrib May 13 '17 at 10:03

Difference between chmod vs ACL

2 Answers2

Linked