Access Control Lists – part 1 –

Access Control List (ACL) in Linux provides an additional level of security. Traditionally we have the owner, the group and the other users permissions on a given resource; but what about giving the same owner permissions to an additional user?
Normally this is done by adding the user to the group set on that file or folder or giving more permissions to all other users; of course the second choice is not recommended for security reasons.

ACL answers precisely this need, giving additional privileges to specific users, without adding them to the same owner group which would grant also privileges to other resources. And again without giving more permissions to other.

So an Access Control List allows a system administrator a more granular control over users permissions than the classic ALL or NOTHING approach.

Some usage examples:

1) We want an application to write to a user subfolder, but without adding the application user id to the user group or setting other permissions.

2) A team needs to copy some data to a root home subfolder and we don`t want to add them to the root group or worse give them the root password.

3) There are several users belonging to a group and work on a common folder; however we want a specific subfolder in it to be writable and executable only by a specific user, not by all users in that group.

4) We have a database folder containing personal data and here we want to grant read and executable permissions to someone in the application team, but revoke all permissions for other . Also we want to decouple the application functional ID privileges from the user privileges; that means we won`t add the user to the same group as the application.
Then we will add a further ACL for a user in the application team with full permissions to the same resources.

In the above examples we can also make use of groups, as with ACL we can grant additional groups permissions as well.