ACLs
ACLs let us grant fine-grained permissions on a file. Ordinary file permissions are limited to three classes: the file's owner, its single owning group, and everybody else. With ACLs the standard permissions stay in place and, in addition, we can grant permission flags (r, w, x) to named users and named groups.
A minimal ACL has exactly three entries (owner, owning group, other) and corresponds one-to-one to the conventional permission bits. An extended ACL must additionally contain a mask entry and may contain entries for named users and named groups.
Figure 1.1 How minimum ACL corresponds to conventional permission bits
Figure 1.2 How extended ACL corresponds to conventional permission bits
Some file systems need to be mounted with the acl option. XFS has ACL support enabled by default, and current ext4 file systems carry acl in their default mount options, but an older ext4 file system may need acl added to its entry in /etc/fstab. A setfacl that fails with "Operation not supported" usually means the file system was mounted without ACL support, so check the mount options before anything else.
`ls -l <filename>` lists the file in long format, but the only hint that the file has an ACL is a `+` appended to the permission string:

```
$ ls -l example1.txt
-rw-rwsr-T+ 1 alice jack 0 Sep 30 05:47 example1.txt
```
The 10-character permission string (file type character, then three triplets) should be read as:
user - the owner's permissions, exactly as in the standard permission bits (the owner entry is never affected by the mask)
group - if an extended ACL is set, these three bits show the current mask, not the owning group's entry. The mask is the upper bound for the whole group class (owning group, named users and named groups), so the kernel stores it in the mode's group bits. If no extended ACL is set, they show the owning group's ordinary permissions. [3]
other - permissions for everybody else, as in the standard bits (also unaffected by the mask)
The mask entry is an upper bound on the effective permissions of every named user, the owning group and every named group: each of those entries is ANDed with the mask before the kernel decides. The mask does not affect the owner entry or the other entry.
If a file has an extended ACL set, `chmod g+rw` only changes the mask; it does not touch the owning group's entry (`group::`). To change the owning group's permissions, use `setfacl -m g::rwx <file-name>` instead.
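To make the mask rule and the chmod behaviour concrete, here is a small model of how Linux evaluates a POSIX ACL. It is added for this page and is not the page's own code: it re-implements the kernel's check order (owner, named user, owning and named groups, other) and the mask bounding in pure Python, so it runs without setfacl/getfacl or an ACL-enabled file system. The user and group names (alice, bob, carol, dave, jack, staff) and the getfacl-style text in `SAMPLE` are constructed; on a real system the same text comes from `getfacl <file>`.

```python
"""Model of how Linux evaluates a POSIX ACL: check order, mask bounding, and why
`ls -l` shows the mask in the group triplet of an extended ACL.  Added for this
page (not the page's own code): it mirrors the kernel's posix_acl_permission()
in pure Python so it runs without setfacl/getfacl or an ACL-enabled file system.
The user/group names and the getfacl-style sample text below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

R, W, X = 4, 2, 1

def parse_perms(s: str) -> int:
    """'rw-' -> 6 (the triplets getfacl prints)."""
    return (R if s[0] == "r" else 0) | (W if s[1] == "w" else 0) | (X if s[2] == "x" else 0)

def fmt_perms(bits: int) -> str:
    return ("r" if bits & R else "-") + ("w" if bits & W else "-") + ("x" if bits & X else "-")

@dataclass
class Acl:
    owner: int = 0                    # user::
    group: int = 0                    # group::  the owning group's own entry
    other: int = 0                    # other::
    mask: Optional[int] = None        # mask::   present only in an extended ACL
    users: Dict[str, int] = field(default_factory=dict)   # user:NAME:
    groups: Dict[str, int] = field(default_factory=dict)  # group:NAME:

    @classmethod
    def parse(cls, text: str) -> "Acl":
        """Parse getfacl(1) entry lines, ignoring '# owner:' headers and '#effective:' notes."""
        acl = cls()
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            tag, qualifier, perms = line.split(":")
            if tag in ("user", "group") and qualifier:       # named user / named group entry
                (acl.users if tag == "user" else acl.groups)[qualifier] = parse_perms(perms)
            elif tag in ("user", "group", "mask", "other"):  # the fixed entries
                setattr(acl, "owner" if tag == "user" else tag, parse_perms(perms))
            else:
                raise ValueError(f"unknown ACL tag {tag!r}")
        if (acl.users or acl.groups) and acl.mask is None:
            raise ValueError("an extended ACL must carry a mask entry")
        return acl

    def mode_triplets(self) -> str:
        """The nine permission chars ls -l prints: in an extended ACL the middle triplet is the mask."""
        group_class = self.group if self.mask is None else self.mask
        return fmt_perms(self.owner) + fmt_perms(group_class) + fmt_perms(self.other)

    def chmod_group(self, bits: int) -> None:
        """`chmod g=...`: rewrites the mask of an extended ACL, or group:: of a minimal one."""
        if self.mask is None:
            self.group = bits
        else:
            self.mask = bits

    def access(self, uid: str, gids: Set[str], file_owner: str,
               file_group: str, want: int) -> bool:
        """Kernel order: owner -> named user -> owning/named groups -> other.
        The mask bounds named users and every group entry; owner and other are never masked."""
        mask = (R | W | X) if self.mask is None else self.mask
        if uid == file_owner:
            return self.owner & want == want
        if uid in self.users:
            return self.users[uid] & mask & want == want
        matching = ([self.group] if file_group in gids else []) + \
            [bits for name, bits in self.groups.items() if name in gids]
        if matching:  # once any group entry matches, other:: is never consulted
            return any(bits & want == want for bits in matching) and mask & want == want
        return self.other & want == want

# Constructed getfacl-style output for example1.txt (owner alice, group jack).
SAMPLE = """\
# owner: alice
user::rw-
user:bob:rwx
group::rwx
group:staff:r-x
mask::r--
other::---
"""

def demo() -> dict:
    acl = Acl.parse(SAMPLE)
    out = {"ls": acl.mode_triplets()}  # 'rw-r-----': the r-- is the mask, group:: is rwx
    out["bob_write"] = acl.access("bob", {"staff"}, "alice", "jack", W)     # False: rwx & mask r--
    out["alice_write"] = acl.access("alice", {"jack"}, "alice", "jack", W)  # True: owner is unmasked
    out["carol_read"] = acl.access("carol", {"jack"}, "alice", "jack", R)   # True: group:: & mask
    out["dave_read"] = acl.access("dave", set(), "alice", "jack", R)        # False: other:: is ---
    acl.chmod_group(R | W)                      # chmod g=rw on an extended ACL ...
    out["ls_after"] = acl.mode_triplets()       # 'rw-rw----': ... moved only the mask
    out["group_entry"] = fmt_perms(acl.group)   # 'rwx': group:: untouched
    out["bob_write_after"] = acl.access("bob", {"staff"}, "alice", "jack", W)  # True now
    return out

if __name__ == "__main__":
    print(demo())
```

Running `demo()` walks through the page's claims on the sample: bob holds `rwx` in his named entry but cannot write because the mask is `r--`; alice, the owner, writes regardless of the mask; after `chmod_group(R | W)` (the model's `chmod g=rw`) only the mask moves, `group::` stays `rwx`, and bob's write now succeeds. `Acl.parse` also refuses a named entry without a mask, the same constraint setfacl enforces by computing one.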
When a directory has the execute permission bit set, its contents can be searched, that is, names inside it can be looked up and traversed; the x flag of an ACL entry on a directory has the same meaning.
Sources: