ACL Mask in Linux (Access Control Lists Mask): Step by Step Guide

In this tutorial, we will learn about the ACL Mask in Linux (Access Control Lists Mask) using a step by step guide. The ACL mask serves as the maximum effective permission for the named users, named groups and the owning group in a file's Access Control List (ACL). It is called a mask because it masks (limits) the permissions granted by those specific ACL entries: an entry can never grant more than the mask allows. We will cover the concept of the ACL mask in depth in the upcoming sections of this tutorial. So, let us get started.

What is ACL in Linux?

In Linux, an ACL (Access Control List) extends the standard file permission system by letting you grant permissions to specific users and groups beyond the owner, the owning group and others. Traditional Unix permissions (read, write, execute for owner, group and others) offer only those three classes; ACLs let you add entries for any number of named users and groups on top of them.

Understanding Masks in ACL

In a Linux ACL, the mask is the entry that determines the maximum permission a named user, a named group or the owning group can effectively have. It caps the permissions granted by those ACL entries for a file or directory. When we execute the getfacl command, we see the mask and, next to each entry the mask restricts, the effective permission that results (shown as #effective). I have created a new file “tutorial.py” using the touch command.

When we execute the getfacl command for this file, we observe that even though the group docker has (r-x) permission on the file tutorial.py, the mask (rw-) reduces its effective permission to (r--). When we set an ACL on a file or directory, a mask entry is assigned to it automatically.

Example-1:

[root@linuxnasa]# touch tutorial.py
[root@linuxnasa]# getfacl tutorial.py
# file: tutorial.py
# owner: root
# group: root
user::rw-
user:nasa:rw-
group::r-x #effective:r--
group:docker:r-x #effective:r--
mask::rw-
other::r--

How Does the Mask Get Its Permission?

Let us now understand how the permission of the mask is calculated. When setfacl modifies an ACL without being given an explicit mask, it recalculates the mask as the union of the permissions given to users and groups. In the below example, I have created a new directory called “antifactory”. The user and group permission set for the directory antifactory is (r--r-----). I have assigned an ACL for user “nasa” with read and write permission (rw-). As the mask is the union of (r--, r--) and (rw-), the mask value is read and write (rw-).

Example-2:

[root@linuxnasa]# mkdir antifactory

#assigning r-- r--
[root@linuxnasa]# chmod 440 antifactory

#assigning rw- via acl for user
[root@linuxnasa]# setfacl -m u:nasa:rw- antifactory

# union of r--,r-- & rw- is rw-; so mask will be rw-
[root@linuxnasa]# getfacl antifactory
# file: antifactory/
# owner: root
# group: root
user::r--
user:nasa:rw-
group::r--
mask::rw-
other::---

Example-3:

We will see one more example where the directory “tutorial” has read and execute permission (r-xr-x---) for user and group. I have assigned an ACL for group “docker” with read and write permission (rw-). In this case, the mask will be read, write and execute (rwx), that is the union of (r-x, r-x) and (rw-), as shown below.

[root@linuxnasa]# mkdir tutorial
[root@linuxnasa]# ls -dl tutorial
drwxr-xr-x. 2 root root 4096 Nov 18 21:35 tutorial

#assigning r-x,r-x
[root@linuxnasa]# chmod 550 tutorial

#assigning rw- via acl for group
[root@linuxnasa]# setfacl -m g:docker:rw- tutorial

#union of r-x,r-x & rw- is rwx; so mask will be rwx
[root@linuxnasa]# getfacl tutorial
# file: tutorial
# owner: root
# group: root
user::r-x
group::r-x
group:docker:rw-
mask::rwx
other::---

Example-4:

In this example, the directory “resource” has read permission for the user and read and write for the group (r--rw----). I have assigned an ACL for user nasa with read only (r--). The mask will be set to read and write (rw-), that is the union of (r--, rw-) and (r--).

[root@linuxnasa]# mkdir resource

#assigning r--,rw-
[root@linuxnasa]# chmod 460 resource

#assigning r-- via acl for user
[root@linuxnasa]# setfacl -m u:nasa:r resource

#union of r--,rw- & r-- is rw-; so mask will be rw-
[root@linuxnasa]# getfacl resource
# file: resource
# owner: root
# group: root
user::r--
user:nasa:r--
group::rw-
mask::rw-
other::---
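The two ideas above (the mask capping the group and named entries, and setfacl recalculating it as a union) can be checked mechanically. The following Python script is an added example, not code from the article: it parses getfacl output, recomputes the mask the way setfacl(1) documents it and derives the #effective values. One detail the man page makes explicit: the union covers the owning group (group::) and the named user and group entries, not the file owner (user::); in Examples 2 to 4 the owner's bits are already contained in the other entries, so the result is the same. The sample inputs are copied from Example-1 and Example-2 above.

```python
# Added example (not from the article): parse getfacl output, recalculate the
# mask the way setfacl does, and derive the "#effective" permissions.

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def perm_to_bits(perm: str) -> int:
    """'rw-' -> 6, 'r-x' -> 5, '---' -> 0."""
    return sum(PERM_BITS[c] for c in perm if c != "-")


def bits_to_perm(bits: int) -> str:
    """6 -> 'rw-', 5 -> 'r-x', 0 -> '---'."""
    return "".join(c if bits & v else "-" for c, v in PERM_BITS.items())


def parse_getfacl(text: str) -> list:
    """Return [(kind, tag, qualifier, bits)], kind being 'access' or 'default'.

    '# file:' / '# owner:' / '# group:' lines are the header, and a trailing
    '#effective:...' is a value getfacl computed, so everything after '#' is
    dropped rather than stored.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        kind = "access"
        if line.startswith("default:"):
            kind, line = "default", line[len("default:"):]
        tag, qualifier, perm = line.split(":")
        entries.append((kind, tag, qualifier, perm_to_bits(perm)))
    return entries


def is_masked(tag: str, qualifier: str) -> bool:
    """Entries the mask applies to: the owning group (group::) and every named
    user or group.  user:: (the file owner), other:: and mask:: are never masked."""
    return (tag == "group" and qualifier == "") or (tag in ("user", "group") and qualifier != "")


def recalc_mask(entries: list, kind: str = "access") -> str:
    """The mask setfacl computes automatically: the union of all masked entries
    (setfacl(1): owning group plus all named user and group entries)."""
    bits = 0
    for k, tag, qualifier, perm in entries:
        if k == kind and is_masked(tag, qualifier):
            bits |= perm
    return bits_to_perm(bits)


def effective(entries: list, kind: str = "access") -> dict:
    """Map each entry ('user::', 'group:docker:', ...) to its effective permission,
    i.e. the entry ANDed with the mask for the entries the mask applies to."""
    mask = next((p for k, t, q, p in entries if k == kind and t == "mask"), None)
    result = {}
    for k, tag, qualifier, perm in entries:
        if k != kind:
            continue
        if mask is not None and is_masked(tag, qualifier):
            perm &= mask
        result[f"{tag}:{qualifier}:"] = bits_to_perm(perm)
    return result


# Sample input copied from Example-1 and Example-2 of the article.
EXAMPLE_1 = """\
# file: tutorial.py
# owner: root
# group: root
user::rw-
user:nasa:rw-
group::r-x #effective:r--
group:docker:r-x #effective:r--
mask::rw-
other::r--
"""

EXAMPLE_2 = """\
# file: antifactory/
# owner: root
# group: root
user::r--
user:nasa:rw-
group::r--
mask::rw-
other::---
"""

if __name__ == "__main__":
    for name, text in (("Example-1", EXAMPLE_1), ("Example-2", EXAMPLE_2)):
        acl = parse_getfacl(text)
        print(name, "recalculated mask:", recalc_mask(acl))
        for label, eff in effective(acl).items():
            print(f"  {label:<14} effective {eff}")
```

Run on Example-2 it returns rw-, as in the article. Run on Example-1 it returns rwx, which tells you that the rw- mask on tutorial.py was not recalculated from its own entries: a file created by touch receives its entries, mask included, from the parent directory's default ACL, which the Default ACL Mask section covers. When auditing a file, compare the recalculated mask with the stored one: a stored mask narrower than the union means some entry is being silently reduced, and the #effective column shows which.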

 

Default ACL Mask

We assign a default ACL to a directory so that any new directories or files created inside it automatically get an ACL applied. For a new directory, the parent's default ACL is applied as both its access ACL and its default ACL. Its mask will be the same as the mask in the default ACL of the parent directory.

For a new file, the default ACL of the parent directory is applied as the access ACL of the file. But, as we have seen in ACL behaviour, if the default ACL has execute access for the user, it will not be transferred to the newly created file: a file is created with mode 0666, which carries no execute bits, and the inherited entries are limited to that mode. The same applies to the mask. Let us validate this understanding using the example below.

Example-5:

In this example, the directory cloud has read access for user and group (r--, r--). An access ACL for user nasa with read and write (rw-) is given. A default ACL for group docker with read and execute (r-x) is given. Here, for the access ACL, the mask will be (rw-), since the union of (r--, r--) and (rw-) is (rw-). For the default ACL, the mask will be (r-x), since the union of (r--, r--) and (r-x) is (r-x).

[root@linuxnasa]# mkdir cloud

#assigning r--,r--
[root@linuxnasa]# chmod 440 cloud/

#assigning rw- via access acl for user
[root@linuxnasa]# setfacl -m u:nasa:rw- cloud/

#assigning r-x via default acl for group 
[root@linuxnasa]# setfacl -m d:g:docker:r-x cloud/

# see the inline comments in the output below for the explanation
[root@linuxnasa]# getfacl cloud/
# file: cloud/
# owner: root
# group: root
user::r--
user:nasa:rw-
group::r--

#union of r--,r-- & rw- is rw-; so mask will be rw-
mask::rw-
other::---
default:user::r--
default:group::r--
default:group:docker:r-x

#union of r--,r-- & r-x is r-x; so mask will be r-x
default:mask::r-x
default:other::---

Next, create a new directory inside the parent directory where the default ACL is present. We observe that the default ACL, including its mask, is transferred from the parent to the newly created directory, as both its access ACL and its default ACL. Then, create a file inside the same parent directory. We observe that the default ACL, including the mask, is transferred to the newly created file as its access ACL, but the execute permission of the mask and of the user entry is not transferred.

Example-6:

[root@linuxnasa]# getfacl cloud/
# file: cloud/
# owner: root
# group: root
user::r--
user:nasa:rw-
group::r--
mask::rw-
other::---
default:user::r--
default:group::r--
default:group:docker:r-x
default:mask::r-x
default:other::---

[root@linuxnasa]# cd cloud/
[root@linuxnasa cloud]# mkdir teams

#default ACL (including mask) is transferred to the new directory
[root@linuxnasa cloud]# getfacl teams
# file: teams
# owner: root
# group: root
user::r--
group::r--
group:docker:r-x
mask::r-x
other::---
default:user::r--
default:group::r--
default:group:docker:r-x
default:mask::r-x
default:other::---

[root@linuxnasa cloud]# touch file1

# Default ACL (including mask) is transferred. But the execute permission of the mask will not be transferred from the default acl
[root@linuxnasa cloud]# getfacl file1
# file: file1
# owner: root
# group: root
user::r--
group::r--
group:docker:r-x #effective:r--
mask::r--
other::---
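Example-6 shows the outcome; the rule behind it, from acl(5), is that the inherited owner, mask and other entries are intersected with the mode the creating system call asks for (0777 for mkdir, 0666 for touch), the named entries are copied as they are, and the umask is ignored entirely when a default ACL exists. The following Python function is an added example, not code from the article, that simulates this rule on the cloud directory's default ACL from Example-5 and reproduces both listings above.

```python
# Added example (not from the article): how a directory's default ACL becomes the
# access ACL of a new directory or file, and why execute bits disappear on files.

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def perm_to_bits(perm: str) -> int:
    return sum(PERM_BITS[c] for c in perm if c != "-")


def bits_to_perm(bits: int) -> str:
    return "".join(c if bits & v else "-" for c, v in PERM_BITS.items())


def inherit(default_acl: dict, is_dir: bool, create_mode=None) -> dict:
    """Apply a parent's default ACL to a newly created object (rule from acl(5)).

    The new object's access ACL starts as a copy of the default ACL.  The mode
    argument of the creating call (mkdir passes 0777, touch/creat pass 0666) is
    then ANDed into three entries: user:: keeps only the owner bits, mask:: (or
    group:: when there is no mask) keeps only the group bits, other:: keeps only
    the other bits.  Named entries are copied unchanged and are limited by the
    reduced mask instead.  The umask is not applied when a default ACL exists.
    A new directory also receives the default ACL as its own default ACL; a
    file cannot carry one.
    """
    if create_mode is None:
        create_mode = 0o777 if is_dir else 0o666
    owner_bits = (create_mode >> 6) & 7
    group_bits = (create_mode >> 3) & 7
    other_bits = create_mode & 7
    access = {}
    for label, perm in default_acl.items():
        bits = perm_to_bits(perm)
        if label == "user::":
            bits &= owner_bits
        elif label == "other::":
            bits &= other_bits
        elif label == "mask::" or (label == "group::" and "mask::" not in default_acl):
            bits &= group_bits
        access[label] = bits_to_perm(bits)
    return {"access": access, "default": dict(default_acl) if is_dir else None}


def effective(acl: dict) -> dict:
    """Effective permission per entry: group:: and named entries are ANDed with mask::."""
    mask = perm_to_bits(acl["mask::"]) if "mask::" in acl else 7
    result = {}
    for label, perm in acl.items():
        bits = perm_to_bits(perm)
        if label not in ("user::", "other::", "mask::"):
            bits &= mask
        result[label] = bits_to_perm(bits)
    return result


# Default ACL of the "cloud" directory from Example-5 of the article.
CLOUD_DEFAULT = {
    "user::": "r--",
    "group::": "r--",
    "group:docker:": "r-x",
    "mask::": "r-x",
    "other::": "---",
}

if __name__ == "__main__":
    for name, is_dir in (("teams (mkdir)", True), ("file1 (touch)", False)):
        new = inherit(CLOUD_DEFAULT, is_dir)
        print(name)
        print("  access   :", new["access"])
        print("  effective:", effective(new["access"]))
        print("  default  :", new["default"])
```

For teams the 0777 mode changes nothing, so the listing equals the parent's default ACL twice over. For file1 the 0666 mode strips the x bit from mask:: (r-x becomes r--) while group:docker keeps r-x on paper, which is exactly why getfacl prints the #effective:r-- annotation next to it. The same function shows what happens when a default ACL has no mask entry: then group:: itself is intersected with the group bits.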

 

How to Change ACL Masks?

In Linux, there are two ways to change the ACL mask. These methods are:

1. Using the chmod command
2. Using the setfacl command

Let us understand each method one by one.

Using chmod Command

In this method, whenever we change the group permission of a file or directory that has an ACL using the chmod command, the group bits are applied to the mask entry rather than to the owning group entry. In the example below, I have changed the group permission of the file file1 multiple times. Observe how the mask permission changes while the group::r-- entry stays the same.

Example-7:

[root@linuxnasa]# chmod 760 file1
[root@linuxnasa]# getfacl file1
# file: file1
# owner: root
# group: root
user::rwx
user:nasa:rw-
group::r--
mask::rw-
other::---

[root@linuxnasa]# chmod 740 file1
[root@linuxnasa]# getfacl file1
# file: file1
# owner: root
# group: root
user::rwx
user:nasa:rw- #effective:r--
group::r--
mask::r--
other::---

[root@linuxnasa]# chmod 700 file1
[root@linuxnasa]# getfacl file1
# file: file1
# owner: root
# group: root
user::rwx
user:nasa:rw- #effective:---
group::r-- #effective:---
mask::---
other::---

Using setfacl Command

In this method, we use the setfacl command to set the mask explicitly, overriding the automatically calculated mask. It follows the syntax

setfacl -m m::<permission> <file/directory>

In the example below, I have changed the mask permission of the file “file1” to read and execute (r-x) using the setfacl command.

Example-8:

[root@linuxnasa]# setfacl -m m::r-x file1
[root@linuxnasa]# getfacl file1
# file: file1
# owner: root
# group: root
user::rwx
user:nasa:rw- #effective:r--
group::r--
mask::r-x
other::---
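As an added example (not the article's code), the following Python functions model what the two methods do to the ACL of file1 from Example-7: chmod writes its group bits into the mask entry when one exists, leaving group:: and the named entries as they are, and setfacl -m m:: sets the mask directly without any recalculation. The starting ACL is the one shown after chmod 760; the three steps reproduce the remaining listings of Example-7 and Example-8.

```python
# Added example (not from the article): how chmod and "setfacl -m m::" change
# the mask of a file that already carries an extended ACL.

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def perm_to_bits(perm: str) -> int:
    return sum(PERM_BITS[c] for c in perm if c != "-")


def bits_to_perm(bits: int) -> str:
    return "".join(c if bits & v else "-" for c, v in PERM_BITS.items())


def chmod_on_acl(acl: dict, mode: int) -> dict:
    """Model chmod(2) on an object with an ACL, per acl(5) "Correspondence between
    ACL entries and file permission bits": the owner bits replace user::, the other
    bits replace other::, and the group bits replace mask:: when a mask exists
    (group:: is left untouched) or group:: when there is no mask.  Named entries
    are never modified, so a narrower mask silently caps them."""
    new = dict(acl)
    new["user::"] = bits_to_perm((mode >> 6) & 7)
    new["mask::" if "mask::" in acl else "group::"] = bits_to_perm((mode >> 3) & 7)
    new["other::"] = bits_to_perm(mode & 7)
    return new


def set_mask(acl: dict, perm: str) -> dict:
    """Model 'setfacl -m m::PERM FILE': the mask is set as given, no recalculation."""
    new = dict(acl)
    new["mask::"] = perm
    return new


def effective(acl: dict) -> dict:
    """Effective permission per entry: group:: and named entries are ANDed with mask::."""
    mask = perm_to_bits(acl["mask::"]) if "mask::" in acl else 7
    result = {}
    for label, perm in acl.items():
        bits = perm_to_bits(perm)
        if label not in ("user::", "other::", "mask::"):
            bits &= mask
        result[label] = bits_to_perm(bits)
    return result


# ACL of file1 after "chmod 760 file1" (first listing in Example-7 of the article).
FILE1 = {"user::": "rwx", "user:nasa:": "rw-", "group::": "r--", "mask::": "rw-", "other::": "---"}

if __name__ == "__main__":
    state = FILE1
    steps = (
        ("chmod 740", lambda a: chmod_on_acl(a, 0o740)),
        ("chmod 700", lambda a: chmod_on_acl(a, 0o700)),
        ("setfacl -m m::r-x", lambda a: set_mask(a, "r-x")),
    )
    for name, action in steps:
        state = action(state)
        print(f"{name:<18} mask={state['mask::']} effective={effective(state)}")
```

The practical consequence is the one the article's listings show: on a file with an extended ACL, chmod 700 does not only lock out the owning group, it also reduces user:nasa to no access, because the mask went to ---. Treat a chmod on such a file as a change to the mask, and re-check the #effective values (or the effective() output here) afterwards rather than assuming the named entries still apply.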

 
