In this tutorial, we will learn about the ACL mask in Linux (Access Control List mask) using a step by step guide. The ACL mask serves as the maximum effective permission for the named users, named groups and the owning group in a file's Access Control List (ACL). It is called a mask because it caps the permissions granted by those specific ACL entries. We will cover the concept of the ACL mask in depth in the upcoming sections of this tutorial. So, let us get started.
What is ACL in Linux?
In Linux, an ACL (Access Control List) is a method to extend the standard file permission system by allowing you to define permissions for specific users and groups beyond the owner, group and others. The traditional Unix permissions (read, write, execute for the owner, group and others) are limited to these three classes; ACLs let you grant a separate set of permissions to any number of additional named users and groups.
Understanding Masks in ACL
In Linux ACL, the mask is a component that determines the maximum permission allowed for a user or group entry. It overrides the permissions set by the individual ACL entries of a file or directory. When we execute the getfacl command, we see the mask and the effective permission that the mask produces for a particular file or directory. I have created a new file "tutorial.py" using the touch command.
When we execute the getfacl command for this file, we will observe that even though the group docker has (r-x) permission on the file tutorial.py, due to the mask (rw-) the effective permission is reduced to (r--). When we set an ACL on a file or directory, a mask is assigned to that file or directory automatically.
Example-1:
[root@linuxnasa]# touch tutorial.py
[root@linuxnasa]# getfacl tutorial.py
# file: tutorial.py
# owner: root
# group: root
user::rw-
user:nasa:rw-
group::r-x #effective:r--
group:docker:r-x #effective:r--
mask::rw-
other::r--
How Does the Mask Get Its Permission?
Let us now understand how the permission of the mask is calculated. The mask is the union of the permissions given to the owning group entry and to the named user and group entries. In the below example, I have created a new directory called "antifactory". The user and group permissions set for the directory antifactory are (r--r-----). I have assigned an ACL for user "nasa" with read and write permission (rw-). As the mask will be the union of (r--,r--) and (rw-), the mask value is read and write (rw-).
Example-2:
[root@linuxnasa]# mkdir antifactory
#assigning r-- r--
[root@linuxnasa]# chmod 440 antifactory
#assigning rw- via acl for user
[root@linuxnasa]# setfacl -m u:nasa:rw- antifactory
# union of r--,r-- & rw- is rw-; so mask will be rw-
[root@linuxnasa]# getfacl antifactory
# file: antifactory/
# owner: root
# group: root
user::r--
user:nasa:rw-
group::r--
mask::rw-
other::---
Example-3:
We will see one more example where directory "tutorial" has read and execute permission (r-xr-x---) for user and group. I have assigned an ACL for group "docker" with read and write permission (rw-). In this case, the mask will be read, write and execute (rwx), that is the union of (r-x,r-x) and (rw-), as shown below.
[root@linuxnasa]# mkdir tutorial
[root@linuxnasa]# ls -dl tutorial
drwxr-xr-x. 2 root root 4096 Nov 18 21:35 tutorial
#assigning r-x,r-x
[root@linuxnasa]# chmod 550 tutorial
#assigning rw- via acl for group
[root@linuxnasa]# setfacl -m g:docker:rw- tutorial
#union of r-x,r-x & rw- is rwx; so mask will be rwx
[root@linuxnasa]# getfacl tutorial
# file: tutorial
# owner: root
# group: root
user::r-x
group::r-x
group:docker:rw-
mask::rwx
other::---
Example-4:
In this example, directory "resource" has read permission for user and read and write for group (r--,rw-,---). I have assigned an ACL for user nasa with read (r--). The mask will be set to read and write (rw-), that is the union of (r--,rw-) and (r--).
[root@linuxnasa]# mkdir resource
#assigning r--,rw-
[root@linuxnasa]# chmod 460 resource
#assigning r-- via acl for user
[root@linuxnasa]# setfacl -m u:nasa:r resource
#union of r--,rw- & r-- is rw-; so mask will be rw-
[root@linuxnasa]# getfacl resource
# file: resource
# owner: root
# group: root
user::r--
user:nasa:r--
group::rw-
mask::rw-
other::---
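To make the rule concrete, here is an added Python example (it is not part of the original tutorial) that parses a getfacl listing, recomputes the mask the way setfacl does when no mask is given explicitly, and produces the #effective annotations that getfacl prints. The two listings embedded in it are constructed from Example-1 and Example-3 above; the function names are my own.

```python
"""Recompute the ACL mask and effective permissions from a getfacl listing.

Added example for this tutorial; the listings below are constructed from
Example-1 and Example-3 and are not live output.
"""

PERM_BITS = (("r", 4), ("w", 2), ("x", 1))


def perm_to_bits(perm):
    """'rw-' -> 6, 'r-x' -> 5 ('-' and anything else is ignored)."""
    return sum(bit for char, bit in PERM_BITS if char in perm)


def bits_to_perm(bits):
    """6 -> 'rw-'."""
    return "".join(char if bits & bit else "-" for char, bit in PERM_BITS)


def parse_getfacl(text):
    """Return the access-ACL entries of a getfacl listing as (tag, qualifier, bits).

    '# file:' style header lines and '#effective:' annotations are dropped;
    'default:' entries are skipped because the mask rule applies per ACL.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("default:"):
            continue
        tag, qualifier, perm = line.split(":")
        entries.append((tag, qualifier, perm_to_bits(perm)))
    return entries


def recalculated_mask(entries):
    """Mask as setfacl recomputes it when no mask is given explicitly: the
    union of the owning group entry and every named user/group entry.
    The file owner (user::) and other:: never contribute."""
    mask = 0
    for tag, qualifier, bits in entries:
        named = qualifier != "" and tag in ("user", "group")
        if named or (tag == "group" and qualifier == ""):
            mask |= bits
    return mask


def annotate(entries):
    """Render entries the way getfacl does, appending '#effective:' wherever
    the mask cuts an entry's permissions down."""
    mask = next((bits for tag, _, bits in entries if tag == "mask"), None)
    lines = []
    for tag, qualifier, bits in entries:
        line = f"{tag}:{qualifier}:{bits_to_perm(bits)}"
        subject_to_mask = tag == "group" or (tag == "user" and qualifier != "")
        if mask is not None and subject_to_mask and (bits & mask) != bits:
            line += f"\t#effective:{bits_to_perm(bits & mask)}"
        lines.append(line)
    return lines


# Constructed input: the listing from Example-1 (annotations stripped).
EXAMPLE_1 = """\
# file: tutorial.py
# owner: root
# group: root
user::rw-
user:nasa:rw-
group::r-x
group:docker:r-x
mask::rw-
other::r--
"""

# Constructed input: Example-3 as it stands before setfacl recalculates the mask.
EXAMPLE_3 = """\
user::r-x
group::r-x
group:docker:rw-
other::---
"""

if __name__ == "__main__":
    print("\n".join(annotate(parse_getfacl(EXAMPLE_1))))
    mask = recalculated_mask(parse_getfacl(EXAMPLE_3))
    print("mask setfacl would compute for Example-3:", bits_to_perm(mask))
```

Running it reproduces the two #effective annotations of Example-1 and reports rwx as the mask for Example-3. Note that the owner's own entry (user::) is deliberately left out of the union; in every example on this page it happens not to change the result, but it is what acl(5) and setfacl actually do.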
Default ACL Mask
We assign a default ACL to a directory so that any new directories or files created inside the parent directory automatically get an ACL applied to them. In the case of a directory, the default ACL is applied as both the default ACL and the access ACL. The mask value will also be the same as the mask in the default ACL of the parent directory.
In the case of a file, the default ACL of the parent directory is applied as the access ACL of the file. But, as we have seen in ACL behaviour, if the default ACL has execute access for the user, it will not be transferred to the newly created file. The same is the case for the mask. Let us validate all of this using the example below.
Example-5:
In this example, directory cloud has read access for user and group (r--,r--). The access ACL for user nasa is given read and write (rw-). The default ACL for group docker is given read and execute (r-x). Here, for the access ACL, the mask will be (rw-), since the union of (r--,r--) and (rw-) is (rw-). For the default ACL, the mask will be (r-x), since the union of (r--,r--) and (r-x) is (r-x).
[root@linuxnasa]# mkdir cloud
#assigning r--,r--
[root@linuxnasa]# chmod 440 cloud/
#assigning rw- via access acl for user
[root@linuxnasa]# setfacl -m u:nasa:rw- cloud/
#assigning r-x via default acl for group
[root@linuxnasa]# setfacl -m d:g:docker:r-x cloud/
# See cmd output in line for explanation
[root@linuxnasa]# getfacl cloud/
# file: cloud/
# owner: root
# group: root
user::r--
user:nasa:rw-
group::r--
#union of r--,r-- & rw- is rw-; so mask will be rw-
mask::rw-
other::---
default:user::r--
default:group::r--
default:group:docker:r-x
#union of r--,r-- & r-x is r-x; so mask will be r-x
default:mask::r-x
default:other::---
Next, create a new directory inside the parent directory where the default ACL is present. We will observe that the default ACL, including the mask, is transferred from the parent directory to the newly created directory (as both its access and its default ACL). Then create a file inside the same parent directory. We will observe that the default ACL, including the mask, is transferred to the newly created file, but the execute permission of the mask and of the user entry is not transferred.
Example-6:
[root@linuxnasa]# getfacl cloud/
# file: cloud/
# owner: root
# group: root
user::r--
user:nasa:rw-
group::r--
mask::rw-
other::---
default:user::r--
default:group::r--
default:group:docker:r-x
default:mask::r-x
default:other::---
[root@linuxnasa]# cd cloud/
[root@linuxnasa cloud]# mkdir teams
#default ACL (including mask) is transferred to the new directory
[root@linuxnasa cloud]# getfacl teams
# file: teams
# owner: root
# group: root
user::r--
group::r--
group:docker:r-x
mask::r-x
other::---
default:user::r--
default:group::r--
default:group:docker:r-x
default:mask::r-x
default:other::---
[root@linuxnasa cloud]# touch file1
# Default ACL (including mask) is transferred. But the execute permission of the mask will not be transferred from the default acl
[root@linuxnasa cloud]# getfacl file1
# file: file1
# owner: root
# group: root
user::r--
group::r--
group:docker:r-x #effective:r--
mask::r--
other::---
How to Change ACL Masks?
In Linux, there are two ways available to change the ACL mask. These methods are:
1. Using the chmod command
2. Using the setfacl command
Let us understand each method one by one.
Using chmod Command
In this method, whenever we change the group permission of a file or directory that carries an ACL mask using the chmod command, it directly changes the mask permission: once a mask entry exists, the group bits of the mode represent the mask rather than the group:: entry. In the below example, I have changed the group permission of file file1 multiple times. Observe how it changes the mask permission.
Example-7:
[root@linuxnasa]# chmod 760 file1
[root@linuxnasa]# getfacl file1
# file: file1
# owner: root
# group: root
user::rwx
user:nasa:rw-
group::r--
mask::rw-
other::---
[root@linuxnasa]# chmod 740 file1
[root@linuxnasa]# getfacl file1
# file: file1
# owner: root
# group: root
user::rwx
user:nasa:rw- #effective:r--
group::r--
mask::r--
other::---
[root@linuxnasa]# chmod 700 file1
[root@linuxnasa]# getfacl file1
# file: file1
# owner: root
# group: root
user::rwx
user:nasa:rw- #effective:---
group::r-- #effective:---
mask::---
other::---
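As an added example (not from the original tutorial), the following Python model covers both behaviours shown in Example-5 to Example-7: how a default ACL becomes the access ACL of a new directory or file, and how the group bits of a chmod rewrite the mask. It assumes the rule documented in acl(5): the default ACL is copied, and then the creation mode the program passes (0666 for touch, 0777 for mkdir; the umask is not consulted when a default ACL exists) is ANDed into the user::, mask:: and other:: entries, which is exactly why the execute bit disappears from file1's mask while group:docker keeps r-x. The ACLs below are constructed from the listings above and the function names are my own.

```python
"""Model default-ACL inheritance and chmod's effect on the ACL mask.

Added example for this tutorial; the ACLs are constructed from Example-5
(the default ACL of "cloud") and Example-7 (file1 before any chmod).
"""

R, W, X = 4, 2, 1


def bits(perm):
    """'r-x' -> 5."""
    return (R if "r" in perm else 0) | (W if "w" in perm else 0) | (X if "x" in perm else 0)


def perm(b):
    """5 -> 'r-x'."""
    return ("r" if b & R else "-") + ("w" if b & W else "-") + ("x" if b & X else "-")


def class_key(acl):
    """The entry that holds the group-class bits of the mode: mask:: if present, else group::."""
    return ("mask", "") if ("mask", "") in acl else ("group", "")


def inherit(default_acl, is_dir):
    """Access ACL of a new object created under a directory carrying default_acl.

    Assumed rule (acl(5)): copy the default ACL, then AND the creation mode
    (0666 for a file, 0777 for a directory) into user::, mask:: (or group::
    when no mask exists) and other::. Named entries are copied unchanged.
    """
    mode = 0o777 if is_dir else 0o666
    acl = dict(default_acl)
    acl[("user", "")] &= (mode >> 6) & 7
    acl[class_key(acl)] &= (mode >> 3) & 7
    acl[("other", "")] &= mode & 7
    return acl


def chmod(acl, mode):
    """chmod on an object with a mask: owner bits -> user::, group bits -> mask::
    (group:: itself is left untouched, hence getfacl's #effective), other -> other::."""
    acl = dict(acl)
    acl[("user", "")] = (mode >> 6) & 7
    acl[class_key(acl)] = (mode >> 3) & 7
    acl[("other", "")] = mode & 7
    return acl


def effective(acl, key):
    """Permissions that actually apply to one entry once the mask is applied."""
    mask = acl.get(("mask", ""))
    exempt = key == ("user", "") or key[0] in ("mask", "other")
    if mask is None or exempt:
        return acl[key]
    return acl[key] & mask


# Constructed from Example-5: the default ACL of directory "cloud".
CLOUD_DEFAULT = {
    ("user", ""): bits("r--"),
    ("group", ""): bits("r--"),
    ("group", "docker"): bits("r-x"),
    ("mask", ""): bits("r-x"),
    ("other", ""): bits("---"),
}

# Constructed from Example-7: file1 before any chmod.
FILE1 = {
    ("user", ""): bits("rwx"),
    ("user", "nasa"): bits("rw-"),
    ("group", ""): bits("r--"),
    ("mask", ""): bits("rw-"),
    ("other", ""): bits("---"),
}

if __name__ == "__main__":
    for name, is_dir in (("teams", True), ("file1", False)):
        acl = inherit(CLOUD_DEFAULT, is_dir)
        print(name, "mask:", perm(acl[("mask", "")]),
              "docker effective:", perm(effective(acl, ("group", "docker"))))
    for mode in (0o760, 0o740, 0o700):
        acl = chmod(FILE1, mode)
        print(oct(mode), "mask:", perm(acl[("mask", "")]),
              "nasa effective:", perm(effective(acl, ("user", "nasa"))))
```

The model reproduces Example-6 (teams gets mask r-x, file1 gets mask r-- and docker's effective permission drops to r--) and Example-7 (chmod 740 and 700 leave the mask at r-- and ---). The practical consequence for a defender is that a chmod on an ACL-bearing object silently changes who can actually use the named entries, so audits should read getfacl output, including the #effective column, rather than ls -l alone.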
Using setfacl Command
In this method, we use the setfacl command to override the automatically calculated mask permission. It follows the syntax
setfacl -m m::<permission> <file/directory>
In the below example, I have changed the mask permission of file "file1" to read and execute (r-x) using the setfacl command.
Example-8:
[root@linuxnasa]# setfacl -m m::r-x file1
[root@linuxnasa]# getfacl file1
# file: file1
# owner: root
# group: root
user::rwx
user:nasa:rw- #effective:r--
group::r--
mask::r-x
other::---