Richacls are a Linux implementation of NFSv4 ACLs, extended with file masks so that they fit the standard POSIX file permission model more easily. Today they offer the most expressive permission model for the ext4 file system on Linux. They are more expressive than POSIX ACLs, which means that converting from Richacls back to POSIX ACLs loses information. Among their most important advantages: they distinguish write permission from append permission and delete permission from delete-child permission, and they make ACL management discretionary (instead of restricting it to root and the file owner). They are also designed to support Windows interoperability.
Richacls are stored in ext4 extended file attributes (xattrs). The entries of an ACL are called ACEs (Access Control List Entries).
There is still no support for Richacls in recent versions of the official Linux kernel (vanilla sources). To get Richacls working, it is therefore necessary to do one of the following:
To verify whether your system supports Richacls, in most cases you can simply type the following command at the system console:
Once Richacls support is running on your system, you can enable it on a particular file system. The following example shows how to enable Richacls on the root filesystem.
The result can be verified as follows:
and the output should show Richacls enabled:
Richacls can also be enabled permanently by adding the richacl parameter to the relevant mount entry in /etc/fstab.
For manipulating Richacl entries there is a utility called richacl, which is also available from the project homepage. This tool can perform several basic operations on a specific file or directory, such as:
The format of each ACL entry (ACE) is <who>:<permission mask>:<flags>:<type>.
The values of <who> can be:
Values ending in the @ symbol are used to define permissions for the owner, the owning group and everyone else.
To define the value of <permission mask>, there are 16 permission bits (according to the NFSv4 and NFSv4.1 specifications), but five of them are not implemented. The meaning of each bit is described in the following table.
Always allowed
Always allowed
Set the owning group of an object to one of our gids
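To make the ACE syntax and the write/append distinction concrete, here is an added Python example. It is not code from the Richacls project or from this article: it parses entries written in the <who>:<permission mask>:<flags>:<type> form described above and evaluates an access request against an ordered list of entries using the NFSv4 first-match rule (an allow entry grants bits not yet denied, a deny entry denies bits not yet allowed). The single-letter permission abbreviations, the use of the g flag to mark a group principal, and the sample ACL are assumptions made for the example; richacl's owner/group/other file masks, which are applied on top of this evaluation, are not modelled.

```python
"""Added example: parse richacl-style ACE strings and evaluate NFSv4-style access.

Assumptions (not taken from the article): the permission letters below follow
richacl(7) as I recall it, a 'g' flag marks <who> as a group name, and the
sample ACL is constructed for illustration. Richacl file masks are ignored.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Assumed single-letter abbreviations for the implemented permission bits.
PERM_LETTERS: Dict[str, str] = {
    "r": "read_data / list_directory",
    "w": "write_data / add_file",
    "a": "append_data / add_subdirectory",
    "x": "execute",
    "d": "delete_child",
    "D": "delete",
    "t": "read_attributes",
    "T": "write_attributes",
    "c": "read_acl",
    "C": "write_acl",
    "o": "write_owner",
}


@dataclass
class Ace:
    who: str          # owner@, group@, everyone@, or a user/group name
    perms: Set[str]   # set of permission letters from <permission mask>
    flags: str        # raw <flags> field; only 'g' is interpreted here
    kind: str         # "allow" or "deny"


def parse_ace(text: str) -> Ace:
    """Parse one '<who>:<mask>:<flags>:<type>' entry; ValueError on bad input."""
    parts = text.strip().split(":")
    if len(parts) != 4:
        raise ValueError(f"expected 4 colon-separated fields: {text!r}")
    who, mask, flags, kind = parts
    if not who:
        raise ValueError(f"empty <who> in {text!r}")
    unknown = set(mask) - set(PERM_LETTERS)
    if unknown:
        raise ValueError(f"unknown permission letter(s) {sorted(unknown)} in {text!r}")
    if kind not in ("allow", "deny"):
        raise ValueError(f"<type> must be 'allow' or 'deny', got {kind!r}")
    return Ace(who, set(mask), flags, kind)


def parse_acl(lines: Iterable[str]) -> List[Ace]:
    """Parse a whole ACL, one ACE per line, keeping the original order."""
    return [parse_ace(line) for line in lines if line.strip()]


def describe_mask(mask: str) -> List[str]:
    """Expand a permission mask into human-readable bit names."""
    return [PERM_LETTERS[c] for c in mask]


def ace_applies(ace: Ace, user: str, groups: Set[str],
                file_owner: str, file_group: str) -> bool:
    """Does this ACE apply to the requesting subject?"""
    if ace.who == "owner@":
        return user == file_owner
    if ace.who == "group@":
        return file_group in groups
    if ace.who == "everyone@":
        return True
    if "g" in ace.flags:          # assumed: 'g' flag = <who> names a group
        return ace.who in groups
    return ace.who == user        # otherwise <who> names a user


def check_access(acl: List[Ace], requested: str, user: str, groups: Set[str],
                 file_owner: str, file_group: str) -> bool:
    """NFSv4 first-match evaluation over the ordered ACE list."""
    wanted = set(requested)
    allowed: Set[str] = set()
    denied: Set[str] = set()
    for ace in acl:
        if not ace_applies(ace, user, groups, file_owner, file_group):
            continue
        if ace.kind == "allow":
            allowed |= ace.perms - denied
        else:
            denied |= ace.perms - allowed
        if wanted <= allowed:
            return True
        if wanted & denied:
            return False
    return wanted <= allowed


# Constructed sample ACL for a log file owned by alice, group 'adm'.
SAMPLE_ACL = parse_acl([
    "bob:r::deny",                 # bob may never read, whatever follows
    "owner@:rwaxdDtTcCo::allow",   # the owner gets every implemented bit
    "logwriters:a:g:allow",        # group may append but not rewrite
    "everyone@:rt::allow",         # everyone else may read
])

if __name__ == "__main__":
    print("bob (logwriters) may append:",
          check_access(SAMPLE_ACL, "a", "bob", {"logwriters"}, "alice", "adm"))
    print("bob (logwriters) may write: ",
          check_access(SAMPLE_ACL, "w", "bob", {"logwriters"}, "alice", "adm"))
```

The evaluation order matters: because the deny entry for bob comes first, it wins over the later everyone@ allow, exactly as it would under NFSv4 semantics. The same structure shows why a group of log writers can be granted append_data without write_data, a distinction POSIX ACLs cannot express.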