Linux – ACL vs standard file permissions – which are used when accessing file


ACLs and standard file permissions seem to be synchronized:

$ getfacl test.cpp
# file: test.cpp
# owner: scdmb
# group: scdmb

$ ls -l test.cpp
-rw-rw-r-- 2 scdmb scdmb 173 Jan  1  1970 test.cpp

However as I've read there are two locations in inode to save file permissions (i_mode field) and these extended file attributes where ACLs are placed. So when I access file then which file permissions are used – standard or ACLs? Or maybe this is the same thing presented in different ways?

Best Answer

  • From the getfacl manpage:

    The output format of getfacl is as follows:

               1:  # file: somedir/
               2:  # owner: lisa
               3:  # group: staff
               4:  user::rwx
               5:  user:joe:rwx               #effective:r-x
               6:  group::rwx                 #effective:r-x
               7:  group:cool:r-x
               8:  mask:r-x
               9:  other:r-x
              10:  default:user::rwx
              11:  default:user:joe:rwx       #effective:r-x
              12:  default:group::r-x
              13:  default:mask:r-x
              14:  default:other:---

    Lines 4, 6 and 9 correspond to the user, group and other fields of the file mode permission bits. These three are called the base ACL entries. Lines 5 and 7 are named user and named group entries. Line 8 is the effective rights mask. This entry limits the effective rights granted to all groups and to named users. (The file owner and others permis- sions are not affected by the effective rights mask; all other entries are.) Lines 10--14 display the default ACL associated with this direc- tory. Directories may have a default ACL. Regular files never have a default ACL.

    The fact that yours shows lines only with :: and not <user|group|other>:<name>:<perms> indicates that you have no extended ACLs. For this particular file, you are just using getfacl as a fancy way of obtaining the same info as would show in ls -la (the user/group/other permission bits aka the "base ACL".)

    As for which permissions are used: the short answer is it depends on the order of the ACLs. See here and here for details. In general, if a deny comes first in the ACL list, it is impossible to later on give the permission back with an explicit allow. Denies always take precedence.

    There's an even longer article with more references here on Unix.SE.

  • Related Question