Well, I have seen them some 20 years ago in AIX: access control lists (ACLs) for Unix/Linux files. At least they existed, but I have never seen them used. I have used Linux for quite a while and it has never occurred to me that they actually exist there and are even used.
Normally access to a file is granted at only three levels: one set of rwx bits for the owner, a second for one group of users and a third for everyone else ("world").
With ACLs you can give individual rights to many different users, not only to the owner, and to many different groups, not only to one. The three classic entries are still there; the ACL adds named user and group entries on top of them.
So how do you know an ACL is used?
$ ls -l /dev/dri/card0
crw-rw----+ 1 root video 226, 0 2011-01-07 21:25 /dev/dri/card0
The mode field at the beginning of each listing is 10 characters, optionally followed by an 11th (1 + 3 + 3 + 3 + 1):
- The first one is the file type (`c` here: a character device).
- Then there are 3 * 3 characters for owner's, group's and world's access rights. The setuid, setgid and sticky bits have no column of their own: they show up as `s` in the owner's or group's execute position and as `t` in the world's execute position.
- Number 11 is normally just the space before the link count, so I have never noticed it before. However, if GNU ls prints a plus sign there instead, the file has an ACL with more entries than the three basic ones. (On SELinux systems a dot in that position means the file only carries a security context, not an ACL.)
So how can you check the contents of the ACL? Interestingly enough, although the Linux kernel supports ACLs, my Linux distro (Kubuntu) doesn't seem to contain any user space tool to display them.
Well, that’s not a problem, the tool is easily installed.
$ sudo apt-get install acl
Using the following command you can check which of your files actually have an explicit ACL. The `-s` option skips files that carry only the three base entries (owner, group, other), so only files with real ACL entries are printed; `-R` descends into every mounted filesystem, so on a large system this takes a while:
$ sudo getfacl -R -s /
In my system the list is short. Just a couple of devices related to sound and the graphics adapter. So although these devices are owned by root, the currently logged-in user gets the rights to use them (the device manager adds an ACL entry for the user who is logged in at the console). Without ACLs this would not really be possible: if you wanted to keep them owned by root, you would have to make them accessible to a whole group or even to the world.
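The whole workflow on a scratch directory, as an added example that is not part of the original post: it grants a second user rights on a file with `setfacl`, shows where the ACL becomes visible (the `+` in `ls -l`, the `getfacl` listing), demonstrates how the mask entry silently clips effective rights after a plain `chmod`, and finishes with the `getfacl -R -s` audit from above. It assumes GNU coreutils `ls`, the `acl` package (which also provides `setfacl`) and a filesystem mounted with ACL support (ext4, xfs and tmpfs qualify by default). The uid 4242 is a made-up example id; `setfacl` accepts numeric ids, so no such account needs to exist.

```shell
#!/bin/sh
# Added example (not code from the original post). Demonstrates, on a scratch
# directory, how an ACL entry for a second user shows up in "ls -l" (the '+')
# and in getfacl, how the mask entry clips effective rights after a plain
# chmod, and how "getfacl -R -s" finds files whose ACL goes beyond the base
# entries. Assumptions: GNU coreutils ls, the acl package (setfacl/getfacl)
# and a filesystem mounted with ACL support. EXTRA_UID is a made-up id;
# setfacl accepts numeric ids, so no account with that uid is needed.
set -u

EXTRA_UID=4242

# 11th character of the ls -l mode field: '+' means the file has an extended
# ACL, a plain space means mode bits only ('.' would mean SELinux context only).
acl_flag() {
    ls -ld "$1" | cut -c11
}

# Effective rights of the named user entry (user:<uid>:...). When the mask is
# narrower than the entry, getfacl appends "#effective:..." and that is what
# the kernel actually enforces, so prefer it over the nominal rights.
effective_rights() {
    getfacl -c -n "$1" 2>/dev/null | awk -v u="user:$2:" '
        index($0, u) == 1 {
            if (match($0, /#effective:[rwx-]+/))
                print substr($0, RSTART + 11, 3)
            else
                print substr($0, length(u) + 1, 3)
        }'
}

# Files under a tree whose ACL has more than the three base entries
# (-s skips base-only files, -p keeps the absolute path in the "# file:" line).
files_with_acl() {
    getfacl -R -s -p "$1" 2>/dev/null | sed -n 's/^# file: //p'
}

run_demo() {
    dir=$(mktemp -d) || return 1
    f="$dir/secret.txt"
    echo "constructed sample content" > "$f"      # constructed input file
    : > "$dir/plain.txt"                           # control file, never gets an ACL
    chmod 640 "$f"

    printf 'before setfacl:  flag=[%s]\n' "$(acl_flag "$f")"
    setfacl -m "u:$EXTRA_UID:rw" "$f" || { rm -rf "$dir"; return 1; }
    printf 'after  setfacl:  flag=[%s] effective=%s\n' \
        "$(acl_flag "$f")" "$(effective_rights "$f" "$EXTRA_UID")"

    # Once a mask entry exists, chmod's group bits set the mask, so g-w clips
    # the extra user's write right although user:4242:rw- is still listed.
    chmod g-w "$f"
    printf 'after chmod g-w: effective=%s\n' "$(effective_rights "$f" "$EXTRA_UID")"
    getfacl -c -n "$f" 2>/dev/null

    # Re-applying the entry makes setfacl recalculate the mask (no -n given).
    setfacl -m "u:$EXTRA_UID:rw" "$f"
    printf 'after re-apply:  effective=%s\n' "$(effective_rights "$f" "$EXTRA_UID")"

    printf 'files with an extended ACL under %s:\n' "$dir"
    files_with_acl "$dir"
    rm -rf "$dir"
}

if command -v setfacl >/dev/null 2>&1 && command -v getfacl >/dev/null 2>&1; then
    run_demo || echo "demo failed: no ACL support on this filesystem?" >&2
else
    echo "install the acl package first (setfacl/getfacl)" >&2
fi
```

The `chmod g-w` step is the trap worth remembering when auditing: `ls -l` shows the mask, not the group entry, in the group position once an ACL exists, and a `chmod` that looks harmless rewrites the mask and changes what every named user and group entry is allowed to do.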
So nothing dramatic here. Just interesting to see how things work.
If you want to know more, read the man pages acl(5), getfacl(1) and setfacl(1). (They come with the package installed above.)