Ian Fisher

Notes on Linux file ACLs

Traditional Unix file permissions only allow you to set permissions at the level of owner, group, or everyone else. If I'm the owner of a file and I want Alice to have read access, Bob to have read-write access, and no access for anyone else, I'm out of luck: file permissions are just not granular enough.

Fortunately, modern Linux kernels support an extension of traditional file permissions, POSIX ACLs (usually just "file ACLs"), that does allow you to specify granular per-user and per-group permissions. The common filesystems (ext4, XFS, Btrfs) support them, and the setfacl and getfacl tools ship in the acl package on most distributions.

For instance:

# give bob read-write access to myfile.txt
setfacl --modify u:bob:rw myfile.txt

# set several entries at once: bob rw, alice r, nothing for everyone else
setfacl -m u:bob:rw,u:alice:r,o::--- myfile.txt

Use getfacl to view the ACLs on a file. (ls -l displays a '+' sign after the file permissions if custom ACLs are set, but doesn't tell you what they are.) One thing to watch for in the getfacl output is the mask:: entry. As soon as a file has named user or group entries it gets a mask, and the effective rights of every entry except the owner and "other" are that entry's rights ANDed with the mask. setfacl recomputes the mask on each -m (unless you pass -n), but chmod rewrites it too: once an ACL exists, the group bits of the mode are the mask, so a later chmod g-w silently takes write access away from bob as well. getfacl flags this by printing #effective: next to any entry the mask clips.

Besides ACLs, you can also use sudo chattr +i PATH to make a file immutable, meaning that the file cannot be written to, renamed, deleted, or hard-linked, even by root, until the flag is cleared with chattr -i. Setting or clearing the flag needs CAP_LINUX_IMMUTABLE (hence the sudo), it only works on filesystems that implement the attribute (ext4, XFS and Btrfs among others), and lsattr shows whether it is set.

ACLs are a specific case of extended attributes (see man 7 xattr), a general mechanism for storing key-value data on files. Under the hood, the syscalls are setxattr(2), getxattr(2), listxattr(2) and removexattr(2), each with an l* variant (don't follow a final symlink) and an f* variant (operate on an open file descriptor).

Extended attributes are namespaced, e.g., system.posix_acl_access, which is exactly the attribute setfacl writes (and the kernel validates before storing it). You can create arbitrary keys under the user namespace, but only on regular files and directories, only with write permission on the file, and subject to a per-filesystem size limit (on ext4 an attribute has to fit in one block, so a few KiB). The other namespaces are more sensitive: trusted.* requires CAP_SYS_ADMIN, and security.* holds things like SELinux labels and file capabilities (security.capability), which is worth remembering when auditing a system, since a binary's file capabilities live there rather than in its mode bits.
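To make the "ACLs are just an xattr" point concrete, and to show the mask behaviour described above, here is an added C example (not code from the original post). It reads system.posix_acl_access with getxattr(2), decodes the blob using the layout and constants from the kernel's uapi headers (linux/posix_acl.h and linux/posix_acl_xattr.h), computes the effective permission of each entry after the mask is applied, and round-trips a key under user.*. The embedded blob is constructed by hand to match what setfacl -m u:bob:rw,u:alice:r,o::--- would produce on a 0644 file; the uids 1001 for alice and 1002 for bob and the key user.example.note are assumptions for the demo.

```c
/* Added example: decode the system.posix_acl_access xattr that setfacl
 * writes, apply the mask, and round-trip a user.* attribute. Not from the
 * original post. Layout/constants: linux/posix_acl.h, linux/posix_acl_xattr.h. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/xattr.h>

/* Wire format: 4-byte little-endian version (2), then 8-byte entries
 * { u16 tag; u16 perm; u32 id; }. id is 0xFFFFFFFF for entries without one. */
#define POSIX_ACL_XATTR_VERSION 0x0002
#define ACL_USER_OBJ  0x01
#define ACL_USER      0x02
#define ACL_GROUP_OBJ 0x04
#define ACL_GROUP     0x08
#define ACL_MASK      0x10
#define ACL_OTHER     0x20
#define ACL_UNDEFINED_ID 0xFFFFFFFFu

struct acl_entry { uint16_t tag; uint16_t perm; uint32_t id; };

/* Constructed blob: user::rw-, user:alice(1001):r--, user:bob(1002):rw-,
 * group::r--, mask::rw-, other::--- (uids are assumed for the demo). */
static const unsigned char SAMPLE_ACL[] = {
    0x02,0x00,0x00,0x00,
    0x01,0x00, 0x06,0x00, 0xff,0xff,0xff,0xff,
    0x02,0x00, 0x04,0x00, 0xe9,0x03,0x00,0x00,
    0x02,0x00, 0x06,0x00, 0xea,0x03,0x00,0x00,
    0x04,0x00, 0x04,0x00, 0xff,0xff,0xff,0xff,
    0x10,0x00, 0x06,0x00, 0xff,0xff,0xff,0xff,
    0x20,0x00, 0x00,0x00, 0xff,0xff,0xff,0xff,
};

static uint16_t le16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Decode an ACL blob. Returns the entry count, or -1 if it is malformed
 * (wrong version, trailing partial entry, or more entries than we can hold). */
int parse_posix_acl(const unsigned char *buf, size_t len, struct acl_entry *out, size_t max_entries)
{
    if (len < 4 || le32(buf) != POSIX_ACL_XATTR_VERSION) return -1;
    size_t body = len - 4;
    if (body % 8 != 0 || body / 8 > max_entries) return -1;
    for (size_t i = 0; i < body / 8; i++) {
        const unsigned char *e = buf + 4 + 8 * i;
        out[i].tag = le16(e); out[i].perm = le16(e + 2); out[i].id = le32(e + 4);
    }
    return (int)(body / 8);
}

/* Effective rights of entry idx: everything except the owner (user::) and
 * other:: is ANDed with the mask entry when one is present. */
uint16_t effective_perm(const struct acl_entry *ents, int n, int idx)
{
    uint16_t mask = 0x7;
    for (int i = 0; i < n; i++) if (ents[i].tag == ACL_MASK) mask = ents[i].perm;
    uint16_t t = ents[idx].tag;
    return (t == ACL_USER_OBJ || t == ACL_OTHER) ? ents[idx].perm : (uint16_t)(ents[idx].perm & mask);
}

/* Render rwx bits (ACL_READ=4, ACL_WRITE=2, ACL_EXECUTE=1) like getfacl does. */
const char *perm_str(uint16_t perm, char out[4])
{
    out[0] = (perm & 4) ? 'r' : '-'; out[1] = (perm & 2) ? 'w' : '-';
    out[2] = (perm & 1) ? 'x' : '-'; out[3] = '\0';
    return out;
}

const char *tag_name(uint16_t tag)
{
    switch (tag) {
    case ACL_USER_OBJ: return "user::";  case ACL_USER:  return "user:";
    case ACL_GROUP_OBJ: return "group::"; case ACL_GROUP: return "group:";
    case ACL_MASK: return "mask::";      case ACL_OTHER: return "other::";
    default: return "?";
    }
}

/* Fetch and decode the ACL of path. 0 means no extended ACL (ENODATA), -1 other errors. */
int read_file_acl(const char *path, struct acl_entry *out, size_t max_entries)
{
    unsigned char buf[4 + 8 * 64];
    ssize_t len = getxattr(path, "system.posix_acl_access", buf, sizeof buf);
    if (len < 0) return errno == ENODATA ? 0 : -1;
    return parse_posix_acl(buf, (size_t)len, out, max_entries);
}

/* Store an arbitrary key under user.* and read it back. Returns 1 on a
 * successful round trip, 0 if the filesystem refused or the value differs. */
int user_xattr_roundtrip(const char *path)
{
    const char *key = "user.example.note";          /* assumed key for the demo */
    const char value[] = "set by xattr demo";
    if (setxattr(path, key, value, sizeof value - 1, 0) != 0) return 0;
    char back[64] = {0};
    ssize_t n = getxattr(path, key, back, sizeof back - 1);
    removexattr(path, key);                          /* clean up after ourselves */
    return n == (ssize_t)(sizeof value - 1) && memcmp(back, value, (size_t)n) == 0;
}

int main(int argc, char **argv)
{
    struct acl_entry ents[64];
    int n = argc > 1 ? read_file_acl(argv[1], ents, 64)
                     : parse_posix_acl(SAMPLE_ACL, sizeof SAMPLE_ACL, ents, 64);
    if (n < 0) { perror("acl"); return 1; }
    printf("%s: %d entries\n", argc > 1 ? argv[1] : "(constructed blob)", n);
    for (int i = 0; i < n; i++) {
        char p[4], e[4];
        printf("%-8s id=%d perm=%s effective=%s\n", tag_name(ents[i].tag), (int)ents[i].id,
               perm_str(ents[i].perm, p), perm_str(effective_perm(ents, n, i), e));
    }
    if (argc > 1) printf("user.* round trip: %s\n", user_xattr_roundtrip(argv[1]) ? "ok" : "refused");
    return 0;
}
```

Run it with no arguments to decode the constructed blob, or pass a path to a file you have run setfacl on to see the live attribute; if you then chmod g-w that file and run it again, the mask entry drops to r-- and bob's effective permission drops with it, which is the clipping getfacl reports as #effective:.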
