10.11 File System Access Control Lists

Contributed by Tom Rhodes.

In conjunction with file system enhancements like snapshots, FreeBSD 5.0 and later offers the security of File System Access Control Lists (ACLs).

Access Control Lists extend the standard UNIX permission model in a highly compatible (POSIX.1e) way. This feature permits an administrator to make use of and take advantage of a more sophisticated security model.

For ACLs to work:

    options UFS_ACL

must be compiled into the kernel. If this option has not been compiled in, a warning message will be displayed when attempting to mount a file system sporting ACLs. ACLs rely on extended attributes being enabled on the file system. This is supported natively in the next generation of the UNIX file system or UFS2.

Note: The use of extended attributes on UFS1 file systems will lead to higher administration overhead and lower overall file system performance. UFS2 does not have this problem.

To enable ACLs on a file system, the -a option can be passed to tunefs(8) in a manner similar to the Soft Updates process:

    # umount /usr
    # tunefs -a enable /dev/diskNsNx
    # mount /dev/diskNsNx /usr

This assumes that /dev/diskNsNx is the /usr partition.

ACLs can also be enabled by passing the -o acls argument to mount(8):

    # mount -o acls /dev/diskNsNx /usr

This flag can also be set in /etc/fstab. It is recommended to use the former over the latter to avoid remount issues with the root file system.

This, and other documents, can be downloaded from ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/.

For questions about FreeBSD, read the documentation before contacting <questions@FreeBSD.org>.
For questions about this documentation, e-mail <doc@FreeBSD.org>.