The Complete FreeBSD (4th Edition): File systems and devices
Sub section: Access Control Lists
---------------------------------

Access Control Lists (ACLs) provide a more fine-grained, standards-based (POSIX.1e) approach to permissions than the traditional UNIX file permission model, and they let an administrator implement more sophisticated security models. In ACLs, the three traditional classes of user ('owner', 'group' and 'other') are represented as entries, and additional entries can be added to control access for specific users or groups.

To enable ACL support in the next generation UNIX file system (UFS2), add 'options UFS_ACL' to your kernel configuration file; it is enabled by default in the GENERIC kernel. ACLs require 'extended attributes' support, which is also available in UFS2. Using extended attributes on UFS1 requires considerably more configuration and imposes greater system overhead, so UFS1 ACL configuration is not discussed in this section; consult the relevant FreeBSD manual pages. UFS2 is therefore preferred for the use of ACLs, and it also provides better overall file system performance.

There are two ways to enable UFS ACLs: with the 'acls' mount option, which can be added to the /etc/fstab configuration file, or persistently in the superblock with the aid of the tunefs(8) utility. To disable mount-time ACLs you must fully unmount the file system in question; remount(8) cannot be used, which means ACLs cannot be disabled on a root file system without a total system restart. It is preferred that users enable ACL functionality with the tunefs(8) utility. This prevents accidents such as mounting a file system without ACLs enabled, which can lead to security problems. Disabling ACLs is not recommended, as re-enabling them can result in unpredictable behavior.
A typical 'ls -l' output on a file system with ACLs enabled:

    drwxrwx---+  2 hiten  hiten  512 Jan 24 10:57 ukug
    drwxrwx---+  2 hiten  hiten  512 Sep 30 10:20 mgetcl
    drwxrwx---+  2 hiten  hiten  512 Sep 12 11:57 bio
    drwxr-xr-x   2 hiten  hiten  512 Sep 10 11:54 www

Directories carrying an ACL can be recognized by the '+' (plus) symbol following their permission modes. All directories except for 'www' are taking advantage of ACLs.

To retrieve the access control information of a file or directory, use the getfacl(1) command:

    hiten@unixguru:~> getfacl hiten-unixdaemons-20030321.tar.bz2
    # file: hiten-unixdaemons-20030321.tar.bz2
    # owner: 1007
    # group: 1007
    user::rw-
    group::r--
    other::r--

The setfacl(1) command is used for modifying the access control information of a file or directory. The output below shows how to grant read/write permission to the user 'grog':

    hiten@unixguru:~> setfacl -m u:grog:rw hiten-unixdaemons-20030321.tar.bz2
    hiten@unixguru:~> getfacl hiten-unixdaemons-20030321.tar.bz2
    # file: hiten-unixdaemons-20030321.tar.bz2
    # owner: 1007
    # group: 1007
    user::rw-
    user:grog:rw-
    group::r--
    mask:rw-
    other:r--

Note the 'mask' entry that appears once a named user is added: it bounds the permissions actually granted to named users, named groups and the owning group, so an entry such as 'user:grog:rw-' is only effective to the extent the mask allows.

More information about setfacl(1) and getfacl(1) can be found in their manual pages or in the FreeBSD Handbook. The Access Control List functionality in FreeBSD is standards compliant with POSIX.1e.
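As an added example (not code from the book), the following POSIX sh script parses getfacl(1) output and applies the mask entry to compute the permissions each entry actually grants, then lists the non-owner entries that end up with write access. The getfacl output is constructed inline so the script runs without a UFS2 file system; in practice you would pipe `getfacl "$file"` into the functions instead.

```shell
#!/bin/sh
# Added example: effective-permission audit of POSIX.1e ACL entries.
# Constructed getfacl(1) output (not from a real file system). The named
# user 'grog' and the owning group both hold more than the mask permits.
SAMPLE_ACL='# file: report.tar.bz2
# owner: 1007
# group: 1007
user::rw-
user:grog:rwx
group::r-x
mask:rw-
other:r--'

# acl_effective: read getfacl output on stdin and print one line per entry as
#   tag:qualifier:granted:effective
# where "effective" is the granted permission ANDed with the mask for the
# entries the mask governs (named users, named groups, owning group).
acl_effective() {
    awk -F: '
        /^#/ || NF < 2 { next }              # skip comment header and blank lines
        {
            n++
            tag[n] = $1
            # "user::rw-" has 3 fields; "mask:rw-" and "other:r--" have 2
            if (NF >= 3) { qual[n] = $2; perm[n] = $3 } else { qual[n] = ""; perm[n] = $2 }
            if ($1 == "mask") mask = perm[n]
        }
        END {
            for (i = 1; i <= n; i++) {
                eff = perm[i]
                masked = (tag[i] == "user" && qual[i] != "") || tag[i] == "group"
                if (mask != "" && masked) {
                    eff = ""
                    for (j = 1; j <= 3; j++) {
                        p = substr(perm[i], j, 1)
                        eff = eff ((p != "-" && substr(mask, j, 1) != "-") ? p : "-")
                    }
                }
                printf "%s:%s:%s:%s\n", tag[i], qual[i], perm[i], eff
            }
        }'
}

# acl_writers: print "tag:qualifier" for every entry other than the owner
# whose effective permissions include write access.
acl_writers() {
    acl_effective | awk -F: '$4 ~ /w/ && !($1 == "user" && $2 == "") && $1 != "mask" { print $1 ":" $2 }'
}

printf '%s\n' "$SAMPLE_ACL" | acl_effective
printf 'Non-owner entries with effective write access:\n'
printf '%s\n' "$SAMPLE_ACL" | acl_writers
```

For the constructed input, 'grog' is reported as effectively rw- (the x bit is removed by the mask) and the owning group as r--, so only 'user:grog' appears in the writer list.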