LAB-PERM-06 - Access Control Lists (ACLs)

Understand when ACLs solve a real access problem and practice reading and adding a simple ACL entry without turning the file into a mystery.

30 min | ADVANCED | LINUX | Curriculum-reviewed

Success criteria
  • Explain why ACLs exist beyond owner, group, and other.
  • Read a simple ACL entry with getfacl and add one with setfacl.
Safety notes
  • Use ACLs on disposable files while learning so you can remove them cleanly and verify the effect.

Part A: The Field Guide

The normal owner-group-other model is simple, but sometimes it is not expressive enough.

ACLs help when you need an extra rule such as:

  • one specific additional user may read a file
  • one specific group needs access without becoming the main file group

That makes ACLs useful, but also easier to forget. A file can look ordinary until you notice the + in ls -l.

Practical Rule

Use ACLs when they solve a specific access problem cleanly. Do not pile on extra ACL entries when an ordinary owner and group model would already be clear enough.

The two core commands

  • getfacl reads the ACL
  • setfacl changes the ACL

Part B: The Drill Deck

Terminal required: keep this lab in a sandbox, check that the ACL tools (getfacl and setfacl) are installed on your system, and use a known local user or group.

Guided: step by step - type exactly this and compare the result

Exercise G1: Create a sandbox file

Create a practice file

  mkdir -p ~/acl_lab
  cd ~/acl_lab
  touch vault.txt
  ls -l vault.txt

Exercise G2: Add one ACL entry

  1. Choose a known local user such as root if appropriate on your system
  2. Run setfacl -m u:root:r vault.txt
  3. Run ls -l vault.txt
  4. Notice the + at the end of the permission string

Exercise G3: Read the ACL

  1. Run getfacl vault.txt
  2. Find the normal owner and group entries
  3. Find the extra user entry you added
  4. Remove it again with setfacl -x u:root vault.txt
  5. Confirm the + disappears after removal
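
An added example, not part of the original lab: a small shell helper that reads getfacl output and prints only the entries beyond the base owner, group and other lines, which is what Exercise G3 asks you to find by eye. The sample outputs and the owner name "student" are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the lab): pick the non-base entries out of
# getfacl output. Handles access ACL lines only; "default:" entries that
# getfacl prints for directories are ignored here.

# Print named users, named groups and the mask. Reads getfacl text on stdin.
acl_extended_entries() {
    awk -F: '
        /^#/ || NF < 3 { next }   # header comments and blank lines
        $1 == "mask" { print "mask:" substr($3, 1, 3); next }
        ($1 == "user" || $1 == "group") && $2 != "" {
            print $1 ":" $2 ":" substr($3, 1, 3)
        }
    '
}

# Exit 0 when the access ACL carries anything beyond the three base
# entries; ls -l marks such a file with "+".
acl_is_extended() {
    [ -n "$(acl_extended_entries)" ]
}

# Constructed sample: vault.txt after `setfacl -m u:root:r vault.txt`
SAMPLE_WITH_ACL='# file: vault.txt
# owner: student
# group: student
user::rw-
user:root:r--
group::r--
mask::r--
other::r--'

# Constructed sample: the same file with only the base entries
SAMPLE_PLAIN='# file: vault.txt
# owner: student
# group: student
user::rw-
group::r--
other::r--'

printf '%s\n' "$SAMPLE_WITH_ACL" | acl_extended_entries
printf '%s\n' "$SAMPLE_PLAIN" | acl_is_extended || echo "plain: base entries only"

# Against a real file, when the ACL tools are installed:
#   getfacl vault.txt | acl_extended_entries
```

If a mask:: line is still listed after setfacl -x u:root vault.txt, the ACL still counts as extended; setfacl -b vault.txt removes all extended entries and leaves only the base ones.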

Solo: task described, hints available - figure it out

Exercise S1: Explain the plus sign

In your own words, explain what the + in ls -l tells you and why checking only the rwx string may no longer be enough.

Exercise S2: ACL versus extra group

Describe one case where creating a whole new group may be overkill, and one ACL entry could be a cleaner short-term solution.

Mission: real scenario - no hints, combine multiple skills

Mission M1: Add and remove one temporary exception

In the sandbox:

  1. add one extra read-only ACL for a known user or group
  2. verify it with getfacl
  3. remove the extra entry
  4. verify that the file has returned to a simpler state

If you can do that cleanly, you understand the core value of ACLs without turning the file into a permission maze.