ACL Explained; A Use Case for Data Protection

The advantage of the Access Control List (ACL) over standard Linux file permissions to comply with data protection regulations

Tibor Fabian
Dec 18, 2020 · 4 min read
Photo by AbsolutVision on Unsplash

Compliance with data protection regulations is becoming increasingly important nowadays. In my daily work as a Data Scientist, I‘m experiencing the challenge of how paperwork actually needs to be implemented down to the level of file access control to fulfill regulations such as GDPR.

ACL in Linux is a fine-graded permission control mechanism to access file system entities. It extends the concept of standard file permissions and allows more detailed management of who can do what on different object levels.

Some great data science tools like Dataiku Data Science Studio, with support for multi-user security (a.k.a. user isolation or user impersonation), utilize ACL to implement fine-graded data access permissions. Which is a great feature to comply with the latest data protection requirements in the field of data science.

Standard file permissions

The traditional Linux/Unix file permission control mechanism allows file access customization on the granularity level of owners, groups, and others. As the example below shows, upon file creation — and depending on some system settings — only the owner, ubuntu, and its group (also ubuntu in this case) have read/write access to the content of the file lorem.txt. Everyone else — except root, of course — can only read the content but cannot update it.

ubuntu@host:~$ echo "ipsum" > lorem.txtubuntu@host:~$ ls -l
-rw-rw-r-- 1 ubuntu ubuntu 6 Nov 29 16:39 lorem.txt

The above file permissions -rw-rw-r-- translates from left to right to

  • read/write access for the owner ubuntu
  • read/write access for the group ubuntu
  • read-only access for all others

Everyone can read that file, which may not be our desire from the data protection point of view. The question arises now: How to allow access to the file content for an arbitrary user with appropriate clearance only (e.g., for John Doe)?

To start with standard file access permissions, one needs to forbid access for all others.

ubuntu@host:~$ chmod 740 lorem.txt 
ubuntu@host:~$ ls -l
-rwxr----- 1 ubuntu ubuntu 6 Nov 29 16:39 lorem.txt
john_doe@host:~$ cat /home/ubuntu/lorem.txt
cat: /home/ubuntu/lorem.txt: Permission denied

As we can see now, as long as John Doe is not a member of the group ubuntu and tries to read that file, he gets permission denied. To bring this further with standard file access permissions and grant access for John, one needed to add him to the group ubuntu and give that group write permissions.

Obviously, we just moved from dedicated user access management to group access management, which is considered a good system admin practice but not necessarily the best choice for data protection compliance and auditability

ACL in action — explained simply

ACL offers a much better solution with just a view prerequisites to fulfill, as follows:

  • A file system with ACL support (like Ext4 or XFS) mounted with the acl option activated.
  • The package acl installed (it’s easy, on ubuntu 18.04: apt-get install acl).

The ACL settings can be listed by the command getfacl . If no ACL were set explicitly, getfacl shows the standard file permissions with much better readability than the standard ls -l command.

ubuntu@host:~$ getfacl lorem.txt 
# file: lorem.txt
# owner: ubuntu
# group: ubuntu
user::rwx
group::r--
other::---

We are now very close to achieving our goal and allowing John read/write access to the file content by tailoring the ACL settings individually for him using setfacl. The command below translates as follows: Modify the ACL settings for user john_doe with r/w access for the specified text file.

ubuntu@host:~$ setfacl -m u:john_doe:rw lorem.txt

After the above ACL update John Doe, although still not a member of the group ubuntu, is now able to read or update the file lorem.txt while others are still not allowed, as the output of getfacl clearly shows below.

ubuntu@host:~$ getfacl lorem.txt 
# file: lorem.txt
# owner: ubuntu
# group: ubuntu
user::rwx
user:john_doe:rw-
group::r--
mask::rw-
other::---
john_doe@host:~$ cat /home/ubuntu/lorem.txt
ipsum
john_doe@host:~$ echo "dolor" >> /home/ubuntu/lorem.txt
john_doe@host:~$ cat /home/ubuntu/lorem.txt

ipsum
dolor

Now, if we look at the standard file permissions with ls -l like at the beginning, notice the plus sign at the end of the file permissions block.

ubuntu@host:~$ ls -l
-rw-rw-r--+ 1 ubuntu ubuntu 6 Nov 29 16:40 lorem.txt

That indicates active ACL settings and warns to interpret file permissions differently than without ACL. The mask rw is now printed at the place where normally standard group permissions are shown. This is not to confuse with those permissions, which still allow read-only access for the members of the group ubuntu.

The tool setfacl is quite powerful with many options, as explained in full here.

Conclusion

This article’s main takeaway is that creating a volume mount with ACL support when a Kubernetes pod runs inside Docker Desktop on a Mac could be challenging but possible.

My post “Persistent Volume for Kubernetes w/ ACL Support on Mac” describes a practical use case for ACL.

The Startup

Get smarter at building your thing. Join The Startup’s +794K followers.

Sign up for Top 10 Stories

By The Startup

Get smarter at building your thing. Subscribe to receive The Startup's top 10 most read stories — delivered straight into your inbox, once a week. Take a look.

By signing up, you will create a Medium account if you don’t already have one. Review our Privacy Policy for more information about our privacy practices.

Check your inbox
Medium sent you an email at to complete your subscription.

Tibor Fabian

Written by

Senior Data Scientist @ Telefonica; Visit my LinkedIn profile: https://de.linkedin.com/in/fabiantibor

The Startup

Get smarter at building your thing. Follow to join The Startup’s +8 million monthly readers & +794K followers.

Tibor Fabian

Written by

Senior Data Scientist @ Telefonica; Visit my LinkedIn profile: https://de.linkedin.com/in/fabiantibor

The Startup

Get smarter at building your thing. Follow to join The Startup’s +8 million monthly readers & +794K followers.

Medium is an open platform where 170 million readers come to find insightful and dynamic thinking. Here, expert and undiscovered voices alike dive into the heart of any topic and bring new ideas to the surface. Learn more

Follow the writers, publications, and topics that matter to you, and you’ll see them on your homepage and in your inbox. Explore

If you have a story to tell, knowledge to share, or a perspective to offer — welcome home. It’s easy and free to post your thinking on any topic. Write on Medium

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store