Difference between chmod vs ACL

I understand chmod and chown and how the permission bits work, but there is another permission system inside Linux, ACL with setfacl and getfacl, so this makes me wonder.



What's the difference between those two permission control systems? Do they interfere with each other?

linux permissions chmod acl

edited Mar 6 at 10:40
Chaminda Bandara

asked May 11 '17 at 22:04
mFeinstein

2 Answers

One is not better than the other; they are just different methods and ways of thinking.

You can use both permission systems on the same path without problems.

They interfere with each other when modifying the owner's, owning group's and other permissions: when setting the current value for these from setfacl, it will actually set the POSIX permission, not the ACL one.

POSIX permissions only allow an owner, owning group and "everyone" permission, while ACL allows multiple "owning" users and groups.
ACL also allows setting default permissions for new files in a folder.

You can add more permission management on top of both with AppArmor or SELinux for stricter control.

answered May 12 '17 at 0:04
Zulgrib

• Am I correct in assuming that when I run ls -l I am only going to see posix permissions and ACL ones that limit the file further won't be shown? Or will the posix permissions be respected regardless?
  – mFeinstein May 12 '17 at 0:39

• @mFeinstein Depends. Under Linux, ls -l puts a + at the end of the permissions characters to indicate that ACL are present. If ACL are present then the basic permissions do not tell the full story: ACL override POSIX permissions.
  – Gilles May 12 '17 at 0:42

• Oh great! That + at least stops me from getting myself off guard
  – mFeinstein May 12 '17 at 0:45
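
The interference described in the answer and comments above, as an added example that is not part of the original posts: a small Python model of how getfacl entries map onto the permission characters that ls -l prints, and what chmod on the group bits does once named entries exist. The getfacl text is constructed sample output, the function names are hypothetical, and the mask behaviour follows acl(5).

```python
# Added example: model of how POSIX ACL entries map onto the chmod mode bits.
# SAMPLE_GETFACL is constructed sample output, not taken from a real system.
SAMPLE_GETFACL = """\
# file: report.txt
# owner: alice
# group: staff
user::rw-
user:bob:rw-
group::r--
group:audit:r--
mask::rw-
other::---
"""


def parse_getfacl(text):
    """Parse getfacl text into (tag, qualifier, perms) access entries."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop headers and "#effective:" notes
        if not line or line.startswith("default:"):
            continue  # default (inherited) entries are out of scope here
        tag, qualifier, perms = line.split(":")
        entries.append((tag, qualifier, perms))
    return entries


def find(entries, tag, qualifier=""):
    """Return the perms of one entry, or None if it is absent."""
    for t, q, p in entries:
        if (t, q) == (tag, qualifier):
            return p
    return None


def has_extended(entries):
    """True when the ACL holds more than the three chmod-equivalent entries."""
    return any(q or t == "mask" for t, q, _ in entries)


def mode_string(entries):
    """Permission characters as ls -l shows them, with '+' for extended ACLs."""
    mask = find(entries, "mask")
    # With a mask present, the group column shows the mask, not group::.
    group_class = mask if mask is not None else find(entries, "group")
    bits = find(entries, "user") + group_class + find(entries, "other")
    return bits + ("+" if has_extended(entries) else "")


def chmod_group(entries, perms):
    """Model `chmod g=perms`: it rewrites the mask if one exists, else group::."""
    target = "mask" if find(entries, "mask") is not None else "group"
    return [(t, q, perms if (t, q) == (target, "") else p) for t, q, p in entries]


def effective(entries):
    """Effective rights per entry: all entries except user:: and other::
    are limited by the mask."""
    mask = find(entries, "mask")
    result = {}
    for t, q, p in entries:
        if t == "mask":
            continue
        if mask is not None and not (t in ("user", "other") and q == ""):
            p = "".join(c if c in mask else "-" for c in p)
        result[f"{t}:{q}"] = p
    return result


if __name__ == "__main__":
    acl = parse_getfacl(SAMPLE_GETFACL)
    print("ls -l shows:", mode_string(acl))
    tightened = chmod_group(acl, "r--")  # same effect as `chmod g=r report.txt`
    print("after chmod g=r:", mode_string(tightened))
    print("bob entry:", find(tightened, "user", "bob"),
          "effective:", effective(tightened)["user:bob"])
```

After the modelled chmod, bob's entry still reads rw- but only r-- is effective, which is why getfacl (which prints an `#effective:` note in that case) is needed alongside ls -l.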

















The classic Unix permissions set by chmod (read/write/execute, user/group/other) have existed for a lot longer than ACL. If ACL had existed from the start then there wouldn't be a chmod as we know it. However, since chmod has existed for a very long time, many applications call it, many archive formats support the classic permissions, etc. You can express chmod permissions with ACL; they act as a sort of starting point for the ACL.

See Precedence of user and group owner in file permissions and Precedence of ACLS when a user belongs to multiple groups for a more detailed treatment of how access control works in the presence of ACL.

The chmod command also controls some flags which aren't really permissions, but are often called permissions nonetheless: setuid, setgid and the sticky bit. These aren't really permissions since they don't affect which accesses are authorized on the file, but how certain operations on the file work after they have been authorized. There's nothing like this with ACL.

answered May 12 '17 at 0:40
Gilles

• So in order to truly understand a file's permission I have to check both the ACL and ls -l?
  – mFeinstein May 12 '17 at 0:43

• Is there a way to see if there are any ACL-specific permissions on a file/directory?
  – mFeinstein May 12 '17 at 0:44

• @mFeinstein See if the permissions displayed by ls have an extra + at the end, or run the getfacl command to display all the permissions including ACL.
  – Gilles May 12 '17 at 0:56

• Just getfacl myFile?
  – mFeinstein May 12 '17 at 0:58

• Yes, getfacl on the path you wish to check.
  – Zulgrib May 13 '17 at 10:03
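
The precedence rules that the answer above points to, written out as an added example that is not part of the original posts: the chmod bits expressed as the minimal three-entry ACL, then the access check in the order documented in acl(5). All users, groups and modes are constructed, the function names are hypothetical, and root's override capabilities are ignored.

```python
# Added example: chmod bits as a minimal ACL, plus the acl(5) access check order.
# Users, groups and modes below are constructed for illustration.

def acl_from_mode(mode):
    """Express chmod permission bits (e.g. 0o640) as the minimal three-entry ACL."""
    def rwx(bits):
        return {c for c, b in zip("rwx", (4, 2, 1)) if bits & b}
    return {
        "user_obj": rwx(mode >> 6),   # user::
        "group_obj": rwx(mode >> 3),  # group::
        "other": rwx(mode),           # other::
        "users": {},                  # named user entries: name -> perms
        "groups": {},                 # named group entries: name -> perms
        "mask": None,                 # appears once named entries exist
    }


def grant(acl, kind, name, perms):
    """Model `setfacl -m u:name:perms` (kind="users") or `g:name:perms`
    (kind="groups"). By default setfacl recomputes the mask as the union of
    the owning group and all named entries; that is modelled here."""
    acl[kind][name] = set(perms.replace("-", ""))
    union = set(acl["group_obj"])
    for p in list(acl["users"].values()) + list(acl["groups"].values()):
        union |= p
    acl["mask"] = union
    return acl


def may_access(acl, user, user_groups, owner, owning_group, wanted):
    """Return (granted, entry_used). The first matching class decides;
    later classes are never consulted."""
    wanted = set(wanted)

    def masked(p):
        return p if acl["mask"] is None else p & acl["mask"]

    if user == owner:                       # 1. owner: not limited by the mask
        return wanted <= acl["user_obj"], "user::"
    if user in acl["users"]:                # 2. named user entry
        return wanted <= masked(acl["users"][user]), f"user:{user}"
    matches = []                            # 3. owning group and named groups
    if owning_group in user_groups:
        matches.append(("group::", acl["group_obj"]))
    matches += [(f"group:{g}", p) for g, p in acl["groups"].items()
                if g in user_groups]
    if matches:
        for label, p in matches:            # any one matching group is enough
            if wanted <= masked(p):
                return True, label
        return False, "group class"
    return wanted <= acl["other"], "other::"  # 4. everyone else


if __name__ == "__main__":
    acl = acl_from_mode(0o640)              # owner alice, owning group staff
    print(may_access(acl, "bob", {"users"}, "alice", "staff", "r"))
    grant(acl, "users", "bob", "r--")
    grant(acl, "groups", "audit", "rw-")
    print(may_access(acl, "bob", {"audit"}, "alice", "staff", "w"))
    print(may_access(acl, "carol", {"interns", "audit"}, "alice", "staff", "w"))
```

Note the second call: bob is a member of audit, which has write access, but his own named entry is matched first and denies the write.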
















