ACL vs standard file permissions - which are used when accessing a file?

ACLs and standard file permissions seem to be synchronized:

$ getfacl test.cpp
# file: test.cpp
# owner: scdmb
# group: scdmb
user::rw-
group::rw-
other::r--

$ ls -l test.cpp
-rw-rw-r-- 2 scdmb scdmb 173 Jan  1  1970 test.cpp

However, as I've read, there are two locations in the inode to save file permissions (the i_mode field) and these extended file attributes where ACLs are placed. So when I access a file, which file permissions are used - standard or ACLs? Or maybe this is the same thing presented in different ways?


From the getfacl manpage:

The output format of getfacl is as follows:

           1:  # file: somedir/
           2:  # owner: lisa
           3:  # group: staff
           4:  user::rwx
           5:  user:joe:rwx               #effective:r-x
           6:  group::rwx                 #effective:r-x
           7:  group:cool:r-x
           8:  mask:r-x
           9:  other:r-x
          10:  default:user::rwx
          11:  default:user:joe:rwx       #effective:r-x
          12:  default:group::r-x
          13:  default:mask:r-x
          14:  default:other:---

Lines 4, 6 and 9 correspond to the user, group and other fields of the file mode permission bits. These three are called the base ACL entries. Lines 5 and 7 are named user and named group entries. Line 8 is the effective rights mask. This entry limits the effective rights granted to all groups and to named users. (The file owner and others permissions are not affected by the effective rights mask; all other entries are.) Lines 10--14 display the default ACL associated with this directory. Directories may have a default ACL. Regular files never have a default ACL.

The fact that yours shows lines only with :: and not <user|group|other>:<name>:<perms> indicates that you have no extended ACLs. For this particular file, you are just using getfacl as a fancy way of obtaining the same info as would show in ls -la (the user/group/other permission bits aka the "base ACL".)

As for which permissions are used: the short answer is it depends on the order of the ACLs. See here and here for details. In general, if a deny comes first in the ACL list, it is impossible to later on give the permission back with an explicit allow. Denies always take precedence.

There's an even longer article with more references here on Unix.SE.
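
Added example (not part of the answer above or of the getfacl manpage): a small parser for the getfacl output format quoted above. It reports whether a listing carries anything beyond the base ACL entries and applies the mask as the manpage excerpt describes. The function names parse_getfacl, has_extended_acl and effective_rights are made up for this illustration.

```python
# Constructed input: the manpage sample quoted above, line numbers stripped.
MANPAGE_ACL = """\
# file: somedir/
# owner: lisa
# group: staff
user::rwx
user:joe:rwx               #effective:r-x
group::rwx                 #effective:r-x
group:cool:r-x
mask:r-x
other:r-x
default:user::rwx
default:user:joe:rwx       #effective:r-x
default:group::r-x
default:mask:r-x
default:other:---
"""

def parse_getfacl(text):
    """Return (access, default) lists of (tag, qualifier, perms) tuples."""
    access, default = [], []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop headers and #effective notes
        if not line:
            continue
        fields = line.split(":")
        target = access
        if fields[0] == "default":
            target, fields = default, fields[1:]
        if len(fields) == 2:  # short form such as "mask:r-x"
            fields = [fields[0], "", fields[1]]
        target.append(tuple(fields))
    return access, default

def has_extended_acl(entries):
    """True if the list has a named user/group entry or a mask entry."""
    return any(q or tag == "mask" for tag, q, _ in entries)

def effective_rights(entries):
    """Apply the mask to named users and all groups; owner and other are exempt."""
    mask = next((p for tag, _, p in entries if tag == "mask"), None)
    result = {}
    for tag, q, perms in entries:
        if tag == "mask":
            continue
        if mask is not None and (q or tag == "group"):
            perms = "".join(c if c == m else "-" for c, m in zip(perms, mask))
        result[f"{tag}:{q}"] = perms
    return result
```

For the test.cpp listing in the question, has_extended_acl returns False and effective_rights returns the three base entries unchanged; for the manpage sample, the computed values match its #effective annotations.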