Although the chmod command is powerful enough, it cannot assign permissions more finely, so Linux provides some flexible commands to specify permissions for a particular user or group. Starting from Linux kernel 2.6, we can allocate more granular permissions to users or groups.

Before We Start

Before we begin, we make sure that the system we are using is based on a 2.6 or later kernel:

1

uname -r

Get File ACL

We can use the getfacl command to get an access control list for a file.

Here are some options for getfacl command:

By default, the getfacl command outputs the access control list and the default access control list:

1
2

touch acl_file
getfacl acl_file

File Access Control List

With the -a or ‑‑access parameter, we can view the file’s access control list:

1

getfacl -a acl_file    # This is equivalent to getfacl --access acl_file

File Default Access Control List

With the -d or ‑‑default parameter, we can view the file’s default access control list:

1

getfacl -d acl_file    # This is equivalent to getfacl --default acl_file

Ignore the Comment Header

With the -c or ‑‑omit-header parameter, we can view the file’s access control list without the comment header:

1

getfacl -c acl_file    # This is equivalent to getfacl --omit-header acl_file

All Effective Rights Comments

With the -e or ‑‑all-effective parameter, we can view the file’s all effective rights comments:

1

getfacl -e acl_file    # This is equivalent to getfacl --all-effective acl_file

No Effective Rights Comments

With the -E or ‑‑no-effective parameter, we can view the file’s non effective rights comments:

1

getfacl -E acl_file    # This is equivalent to getfacl --no-effective acl_file

Skip Base ACL Entries

With the -s or ‑‑skip-base parameter, we can skip the file that only has base ACL entries (owner, group, others):

1

getfacl -s acl_file    # This is equivalent to getfacl --skip-base acl_file

All Files and Directories ACLs

We prepare a directory and two files before we begin:

1
2
3

mkdir acl_dir
touch acl_dir/file{1,2}
ll acl_dir

With the -R or ‑‑recursive parameter, we can view all the files and directories’ access control lists:

1

getfacl -R acl_dir    # This is equivalent to getfacl --recursive acl_dir

Symbolic Links in Recursion

We prepare a symbolic link:

1
2

ln -s file1 acl_dir/file1_symbolic_link
ll acl_dir

With the -L or ‑‑logical parameter plus the -R or ‑‑recursive parameter, we can view all the files, directories and symbolic links’ access control lists:

1

getfacl -RL acl_dir    # This is equivalent to getfacl --recursive --logical acl_dir

No Symbolic Links in Recursion

With the -P or ‑‑physical parameter plus the -R or ‑‑recursive parameter, we can view all the files and directories’ access control lists but not symbolic links’:

1

getfacl -RP acl_dir    # This is equivalent to getfacl --recursive --physical acl_dir

Tabular Format

With the -t or ‑‑tabular parameter, we can view the file or directory’s access control lists side by side:

1

getfacl -t acl_dir    # This is equivalent to getfacl --tabular acl_dir

Plus the -R or ‑‑recursive parameter, we can view all the files and directories’ access control lists side by side:

1

getfacl -Rt acl_dir    # This is equivalent to getfacl --recursive --tabular acl_dir

Keep the Leading slash (/)

With the -p or ‑‑absolute-names parameter, we can view the file or directory’s access control lists and keep the leading slash:

1

getfacl -p acl_dir    # This is equivalent to getfacl --absolute-names acl_dir

User and Group IDs

With the -n or ‑‑numeric parameter, we can view the file or directory’s access control lists and its owner and group’s IDs instead of the names:

1

getfacl -n acl_dir    # This is equivalent to getfacl --numeric acl_dir

Set and Remove File ACL

We can use the getfacl command to configure the access control list for a file.

Here are some options for getfacl command:

Set Permissions

With the -m option followed by the {(u|user)|(g|group)|(m|mask)|(o|other)}:{user|group}:{(r|4)|(w|2)|(x|1)} format, we can change a user’s permissions on the file.

Set Permission for a User

With the -m option followed by the (u|user):username:{(r|4)|(w|2)|(x|1)} format, we can change a user’s permissions on the file:

1
2
3
4
5

getfacl acl_dir
useradd acl_user
# u:username:x
setfacl -m u:acl_user:x acl_dir    # This is equivalent to setfacl -m user:acl_user:1 acl_dir
getfacl acl_dir

Set Permission for a Group

1
2
3
4
5

getfacl acl_dir
groupadd acl_group
# g:groupname:x
setfacl -m g:acl_group:x acl_dir    # This is equivalent to setfacl -m group:acl_group:1 acl_dir
getfacl acl_dir

Set Other Permission

1
2
3
4

getfacl acl_dir
# m:x
setfacl -m o:x acl_dir    # This is equivalent to setfacl -m other:1 acl_dir
getfacl acl_dir

Set Mask Permission

1
2
3
4

getfacl acl_dir
# m:x
setfacl -m m:rwx acl_dir    # This is equivalent to setfacl -m mask:7 acl_dir
getfacl acl_dir

Clone ACL Between Files and Directories

1
2
3
4

mkdir acl_dir2
getfacl acl_dir2
getfacl acl_dir | setfacl --set-file=- acl_dir2 
getfacl acl_dir2

Set Default Permissions

1
2
3

getfacl acl_dir2
setfacl -m d:u:acl_user:rwx acl_dir2    # This is equivalent to setfacl -m default:acl_user:7 acl_dir
getfacl acl_dir2

Remove Extended ACLs

Remove a Specific User or Group ACL

We can remove the acl of a user or group by replacing the -m parameter with the -x parameter:

1
2
3

getfacl acl_dir2
setfacl -x g:acl_group acl_dir2
getfacl acl_dir2

Remove All ACLs

1
2
3

getfacl acl_dir2
setfacl -b acl_dir2
getfacl acl_dir2

References POSIX ACLs in Linux GETFACL(1), SETFACL(1)

Buy me a coffee