How ACL masks can help fine-tune file permissions in Linux

How ACL masks can help fine-tune file permissions in Linux

ACL masks help set the maximum allowed permissions for a file in Linux. HowToGeek explains what they mean and why they’re so important.

Do you use Access Control Lists (ACLs) but don’t know the concept of masks? Let’s take a closer look at what masks are and how they interact with Linux file system permissions.

What are ACL Masks?

ACL masks are a way to ensure that permissions interact with programs and utilities that do not support ACLs. Access control list (ACL) masks provide this compatibility by translating ACL entries into POSIX permissions. When new ACL entries are added, the mask is automatically adjusted to the maximum permissions allowed for all named users or groups.

Let’s take a look at the newly created mysupersecretfile.txt file that we’ll be working with in this article:


Pretty simple permissions for such a sensitive document, right?

Note the dot (.) after the set permissions. This indicates an SELinux context unrelated to ACLs or ACL masks.
For clarity, let’s also check the ACL entries for the file using the getfacl command:

getfacl mysupersecretfile.txt

The current ACL entries for user and group owner entries map directly to the actual POSIX user and group of the file owner. This is normal for any file that does not have extended ACL entries and is called “minimum ACLs”.

Suppose we receive a request to add a user named manager as an ACL entry to this file with read permission. We will do this with the help of a team setfacl. Then let’s explore the new ACL permissions using commands ls and getfacl:

You will now notice a “+” sign next to the permission entries in the ls command, indicating that there are ACL entries associated with the file.

Do you now see the mask line in the output of the command getfacl? This mask entry was assigned automatically. It is necessary; it represents the maximum permissions allowed for any named user or group object (again, excluding user-owner and owner-group objects). Currently, the read permission is equal to the read permission of the existing mask.

Now let’s add another user from the second query, the contractor, to our file’s ACL. However, this time we need to give it read and write permissions. Let’s see how this affects the mask:

Now, in addition to the manager (r) ACL entry, we also see the contractor (rw) entry. But why did mask write change to read and write?

When we added a contractor user with read and write permissions, it affected the ACL mask because the mask refers to the maximum allowed user ACL and group write permissions. Since we added write permissions to the contractor user ACL entry, the mask also gets write permission.

When working with ACLs, you will see that the role of group class permissions (for example, in the output of the ls -l command) is reassigned to display the ACL mask. Don’t worry though, the group owner’s permissions still show up as the “own group” ACL entry.

Note that if you add another user with less permissions, such as read-only, they do not inherit the mask permissions, just as the manager user did not get write permission when we added the contractor user ACL entry.

Previously, ProIT talked about 6 free powerful creative tools for Linux.

The Document Foundation recently announced the general availability of LibreOffice 7.6.3 as the third release in the latest LibreOffice 7.6 series of free and open source office suites.

Subscribe to ProIT on Telegram so you don’t miss a post!

Related posts