38

I understand chmod and chown and how the permission bits work, but there is another permission system inside Linux, ACL with setfacl and getfacl, so this makes me wonder.

What's the difference between those two permission control systems? Do they interfere with each other?

Chaminda Bandara

2 Answers

18

One is not better than the other; they are just different methods and ways of thinking.

You can use both permission systems on the same path without problems.

They interfere with each other when modifying the owner, owning group and other permissions: when setting the current value for these from setfacl, it will actually set the POSIX permission, not the ACL one.

POSIX permissions only allow an owner, owning group and "everyone" permission, while ACLs allow multiple "owning" users and groups. ACLs also allow setting default permissions for new files in a folder.

You can add more permission management on top of both with AppArmor or SELinux for stricter control.

Zulgrib

  • Am I correct in assuming that when I run ls -l I am only going to see POSIX permissions, and ACL ones that limit the file further won't be shown? Or will the POSIX permissions be respected regardless? – mFeinstein May 12 '17 at 00:39
  • @mFeinstein Depends. Under Linux, ls -l puts a + at the end of the permissions characters to indicate that ACLs are present. If ACLs are present then the basic permissions do not tell the full story: ACLs override POSIX permissions. – Gilles 'SO- stop being evil' May 12 '17 at 00:42
  • Oh great! That + at least stops me from getting myself off guard – mFeinstein May 12 '17 at 00:45
  • "ACL override POSIX permissions" – this is exactly backwards. There is a principle of "least surprise" which dictates that effective ACLs will reduce permissions to match the POSIX permissions. So, for example, if your primary group has r-x permission, you can set an ACL for another group with rwx, but this new group will effectively only have r-x permissions. – pgoetz Nov 11 '21 at 10:12
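The interaction the answer and its comments describe (mode bits and mask capping the named entries, the + in ls -l) as an added example, not code from the original answer or from the acl tools: it parses getfacl-style output and applies the POSIX.1e check order, owner, then named user, then the group class capped by mask::, then other. The file, user and group names are constructed.

```python
"""Effective POSIX.1e ACL access: parse getfacl output, apply owner -> named
user -> group class (capped by mask::) -> other, and render the ls -l mode."""
BITS = {"r": 4, "w": 2, "x": 1}

def parse_acl(text):
    """Return (owner, group, entries); entries maps (tag, qualifier) -> bitmask."""
    owner = group = None
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#effective")[0].strip()   # drop getfacl's hint comments
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):      # e.g. "group:qa:rwx"
            tag, qual, perms = line.split(":")
            entries[(tag, qual)] = sum(BITS[c] for c in perms if c in BITS)
    return owner, group, entries

def may(acl_text, user, groups, want):
    """True if `user` (a member of `groups`) may perform `want`, e.g. "rw"."""
    owner, group, entries = parse_acl(acl_text)
    need = sum(BITS[c] for c in want)
    mask = entries.get(("mask", ""), 7)          # no mask entry: nothing is capped
    if user == owner:                             # user:: is never masked
        return (entries[("user", "")] & need) == need
    if ("user", user) in entries:
        return (entries[("user", user)] & mask & need) == need
    matched = [p for (tag, q), p in entries.items()
               if tag == "group" and (q in groups if q else group in groups)]
    if matched:                                   # any one matching group entry suffices
        return any((p & mask & need) == need for p in matched)
    return (entries[("other", "")] & need) == need

def ls_mode(acl_text):
    """Mode as `ls -l` prints it: the group field shows the mask, '+' flags an ACL."""
    _, _, entries = parse_acl(acl_text)
    extended = any(q for t, q in entries if t in ("user", "group"))
    grp = entries[("mask", "")] if extended else entries[("group", "")]
    triple = lambda b: "".join(c if b & v else "-" for c, v in BITS.items())
    return (triple(entries[("user", "")]) + triple(grp)
            + triple(entries[("other", "")]) + ("+" if extended else ""))

# Constructed getfacl output (not captured from a real system): group qa is
# granted rwx but mask::r-x caps it, the scenario from pgoetz's comment.
SAMPLE_ACL = "\n".join(["# owner: carol", "# group: dev", "user::rw-", "user:bob:rwx",
                        "group::r-x", "group:qa:rwx  #effective:r-x", "mask::r-x", "other::---"])
```

With this sample, ls_mode returns rw-r-x---+ and a qa member is refused write access even though the qa entry says rwx; only the owner's user:: entry escapes the mask.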
11

The classic Unix permissions set by chmod (read/write/execute, user/group/other) have existed for a lot longer than ACL. If ACL had existed from the start then there wouldn't be a chmod as we know it. However, since chmod has existed for a very long time, many applications call it, many archive formats support the classic permissions, etc. You can express chmod permissions with ACL; they act as a sort of starting point for the ACL.

See Precedence of user and group owner in file permissions and Precedence of ACLS when a user belongs to multiple groups for a more detailed treatment of how access control works in the presence of ACL.

The chmod command also controls some flags which aren't really permissions, but are often called permissions nonetheless: setuid, setgid and the sticky bit. These aren't really permissions since they don't affect which accesses are authorized on the file, but how certain operations on the file work after they have been authorized. There's nothing like this with ACL.