How to Enable Filesystem ACL Support on FreeBSD Operating System

Learn how to enable and use Access Control Lists (ACLs) on FreeBSD to manage file permissions more effectively.

Access Control Lists (ACLs) provide a more fine-grained permission mechanism compared to traditional Unix-style file permissions. FreeBSD, a powerful Unix-like operating system, supports ACLs on certain filesystems such as UFS and ZFS. This guide will walk you through enabling and using ACL support on FreeBSD.

1. Understanding ACLs on FreeBSD

In Unix-like systems, file permissions are traditionally handled using three types of access control: owner, group, and others. While effective, this model can be restrictive in complex access control scenarios. ACLs allow for more detailed permission settings, letting multiple users or groups have different levels of access to a file or directory.

FreeBSD supports POSIX.1e ACLs primarily on the UFS and ZFS filesystems. By default, ACL support is not enabled on UFS and must be explicitly configured.

2. Checking ACL Support on Your System

Before enabling ACLs, check if your filesystem already supports them.

Checking ACL Support on UFS

Use the tunefs command to check if ACLs are enabled on a UFS filesystem:

sudo tunefs -p /dev/ada0p2

If the output includes ACLs: disabled, you need to enable ACL support.

Checking ACL Support on ZFS

For ZFS, ACL support is enabled by default. You can verify it with:

zfs get aclinherit,aclmode zroot

If ACLs are disabled, they can be enabled using the zfs command.

3. Enabling ACL Support

Enabling ACLs on UFS

To enable ACL support on a UFS filesystem, follow these steps:

  1. Remount the Filesystem with ACL Support

    First, remount the filesystem with the ACL option:

    sudo mount -o acls /dev/ada0p2 /mnt
    
  2. Make ACL Support Persistent

    To ensure ACLs remain enabled after a reboot, edit the /etc/fstab file and add acls as an option:

    /dev/ada0p2   /mnt   ufs   rw,acls   1   1
    
  3. Enable ACLs Permanently Using tunefs

    You can also enable ACLs permanently on the filesystem:

    sudo tunefs -a enable /dev/ada0p2

    Then, remount the filesystem:

    sudo umount /mnt
    sudo mount /mnt

Enabling ACLs on ZFS

For ZFS, ACLs are controlled using dataset properties. If ACL support is disabled, enable it with:

sudo zfs set aclinherit=passthrough zroot
sudo zfs set aclmode=passthrough zroot

These commands allow ACLs to be inherited properly.

4. Using ACLs on FreeBSD

Once ACLs are enabled, you can start setting fine-grained permissions using the setfacl and getfacl commands.

Setting ACLs

To grant a user (e.g., john) read and write access to a file:

sudo setfacl -m u:john:rw /path/to/file

To grant a group (e.g., staff) execute permissions:

sudo setfacl -m g:staff:x /path/to/file

Viewing ACLs

To check the ACL entries on a file or directory:

getfacl /path/to/file

Removing ACL Entries

To remove ACL entries for a user:

sudo setfacl -x u:john /path/to/file

To remove all ACLs from a file:

sudo setfacl -b /path/to/file

5. Managing Default ACLs

You can set default ACLs on directories so that new files inherit specific permissions.

For example, to grant read/write access to john for all new files in a directory:

sudo setfacl -d -m u:john:rw /path/to/directory

To view default ACLs:

getfacl -d /path/to/directory

6. Troubleshooting ACL Issues

ACLs Not Persisting After Reboot

If ACLs do not persist after a reboot, ensure:

  • The filesystem is mounted with the acls option in /etc/fstab.
  • The tunefs ACL setting is enabled for UFS.
  • ZFS ACL properties are correctly set.
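
The first check in this list can be scripted. The following is an added example, not part of the original guide: the function names and the sample fstab are constructed for illustration, and nfsv4acls is a separate FreeBSD mount option that this guide does not cover.

```shell
#!/bin/sh
# Added example (not from the original guide): audit an fstab-format file
# for UFS entries that are not mounted with the "acls" option.

# Constructed sample fstab; devices and mount points are made up.
sample_fstab() {
    cat <<'EOF'
# Device      Mountpoint  FStype  Options          Dump  Pass
/dev/ada0p2   /           ufs     rw               1     1
/dev/ada0p3   none        swap    sw               0     0
/dev/ada0p4   /mnt        ufs     rw,acls          1     1
/dev/ada0p5   /data       ufs     rw,noatime       2     2
/dev/ada0p6   /export     ufs     rw,nfsv4acls     2     2
EOF
}

# ufs_acl_status: read fstab lines on stdin and print "<mountpoint> <status>"
# for every ufs entry, where status is acls, nfsv4acls or none.
# Options are compared as whole comma-separated tokens, so "nfsv4acls"
# is never mistaken for "acls".
ufs_acl_status() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }    # skip blank lines and comments
        $3 == "ufs" {
            status = "none"
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++)
                if (opt[i] == "acls" || opt[i] == "nfsv4acls")
                    status = opt[i]
            print $2, status
        }
    '
}

# ufs_missing_acls: print only the mount points that lack the POSIX.1e
# "acls" option this guide uses. A filesystem listed here may still have
# ACLs enabled through the tunefs flag, so check tunefs -p as well.
ufs_missing_acls() {
    ufs_acl_status | awk '$2 != "acls" { print $1 }'
}

# Demonstration on the constructed sample.
sample_fstab | ufs_acl_status
```

On a live system, run `ufs_missing_acls < /etc/fstab` and compare the result with the tunefs -p output for each reported device.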

Permission Denied Errors

  • Check ACLs using getfacl to confirm expected permissions.
  • Ensure the user has the necessary execute (x) permission for directories.
  • Verify group memberships with id username.

ACL Commands Not Found

If setfacl and getfacl are missing, install the ACL utilities:

sudo pkg install acl

Conclusion

Enabling and using ACLs on FreeBSD enhances security and flexibility in managing file permissions. Whether using UFS or ZFS, ACLs provide a robust way to define access beyond traditional Unix permissions. By following the steps in this guide, you can enable, configure, and manage ACLs effectively on your FreeBSD system.