Although the chmod command is powerful, it cannot assign permissions at a finer granularity than owner, group and others, so Linux provides more flexible commands to grant permissions to a particular user or group. Starting from Linux kernel 2.6, we can allocate such fine-grained permissions to users or groups with access control lists (ACLs).

Before We Start

Before we begin, we make sure that the system we are using is based on a 2.6 or later kernel:

uname -r

The system we are using is based on kernel 3.10, so we can use the ACL commands.

Get File ACL

We can use the getfacl command to get the access control list of a file.

Here are some options for the getfacl command:

Option                  Meaning
-a or --access          Output the file access ACL.
-d or --default         Output the default ACL.
-c or --omit-header     Output ACLs without the comment header.
-e or --all-effective   Output all effective rights comments.
-E or --no-effective    Do not output effective rights comments.
-s or --skip-base       Skip files or directories whose ACLs contain only the base entries.
-R or --recursive       Output the ACLs of all files and directories recursively.
-L or --logical         Follow symbolic links while recursing (files, directories and link targets), so it must be used with -R.
-P or --physical        Do not follow symbolic links while recursing (files and directories only), so it must be used with -R.
-t or --tabular         Output the ACL of a file or directory in tabular format.
-p or --absolute-names  Keep the leading slash (/) of a path.
-n or --numeric         Output the owner and group IDs instead of the names.

By default, the getfacl command outputs the access control list and the default access control list:

touch acl_file
getfacl acl_file

Output access control list information for the newly created file

File Access Control List

With the -a or --access parameter, we can view the file's access control list:

getfacl -a acl_file    # This is equivalent to getfacl --access acl_file

Output the file's access control list

File Default Access Control List

With the -d or --default parameter, we can view the file's default access control list:

getfacl -d acl_file    # This is equivalent to getfacl --default acl_file

Output the file's default access control list

Ignore the Comment Header

With the -c or --omit-header parameter, we can view the file's access control list without the comment header:

getfacl -c acl_file    # This is equivalent to getfacl --omit-header acl_file

Output the file's access control list without the comment header

All Effective Rights Comments

With the -e or --all-effective parameter, we can view all of the file's effective rights comments:

getfacl -e acl_file    # This is equivalent to getfacl --all-effective acl_file

Output all of the file's effective rights comments

No Effective Rights Comments

With the -E or --no-effective parameter, we can view the file's access control list without the effective rights comments:

getfacl -E acl_file    # This is equivalent to getfacl --no-effective acl_file

Output the file's access control list without the effective rights comments

Skip Base ACL Entries

With the -s or --skip-base parameter, we can skip a file that only has base ACL entries (owner, group, others):

getfacl -s acl_file    # This is equivalent to getfacl --skip-base acl_file

Skip the file that only has the base ACL entries

All Files and Directories ACLs

We prepare a directory and two files before we begin:

mkdir acl_dir
touch acl_dir/file{1,2}
ls -l acl_dir    # ll is the common alias for ls -l

Prepare one directory and two files

With the -R or --recursive parameter, we can view all the files' and directories' access control lists:

getfacl -R acl_dir    # This is equivalent to getfacl --recursive acl_dir

View all the files' and directories' access control lists

We prepare a symbolic link:

ln -s file1 acl_dir/file1_symbolic_link
ls -l acl_dir    # ll is the common alias for ls -l

Prepare a symbolic link to file1 inside the directory

With the -L or --logical parameter plus the -R or --recursive parameter, we can view all the files', directories' and symbolic links' access control lists:

getfacl -RL acl_dir    # This is equivalent to getfacl --recursive --logical acl_dir

View all the files', directories' and symbolic links' access control lists

With the -P or --physical parameter plus the -R or --recursive parameter, we can view all the files' and directories' access control lists but not the symbolic links':

getfacl -RP acl_dir    # This is equivalent to getfacl --recursive --physical acl_dir

View all the files' and directories' access control lists but not the symbolic links'

Tabular Format

With the -t or --tabular parameter, we can view the file's or directory's access control list side by side:

getfacl -t acl_dir    # This is equivalent to getfacl --tabular acl_dir

View the directory's access control list side by side

Combined with the -R or --recursive parameter, we can view all the files' and directories' access control lists side by side:

getfacl -Rt acl_dir    # This is equivalent to getfacl --recursive --tabular acl_dir

View all the files' and directories' access control lists side by side

Keep the Leading Slash (/)

With the -p or --absolute-names parameter, we can view the file's or directory's access control list and keep the leading slash:

getfacl -p acl_dir    # This is equivalent to getfacl --absolute-names acl_dir

View the directory's access control list and keep the leading slash

User and Group IDs

With the -n or --numeric parameter, we can view the file's or directory's access control list with the owner's and group's IDs instead of their names:

getfacl -n acl_dir    # This is equivalent to getfacl --numeric acl_dir

View the directory's access control list with the owner's and group's IDs

Set and Remove File ACL

We can use the setfacl command to configure the access control list of a file.

Here are some options for the setfacl command:

Option                                  Meaning
--set or --set-file                     Replace the existing ACL of a file or directory with the specified ACL.
-m or --modify, -M or --modify-file     Change the ACL of a file or directory. Cannot be used with -x.
-x or --remove, -X or --remove-file     Remove the specified ACL entries of a file or directory. Cannot be used with -m.
-b or --remove-all                      Remove all extended ACL entries; the base entries (owner, group, others) are kept.
-k or --remove-default                  Remove the default ACL.
-n or --no-mask                         Do not recalculate the effective rights mask.
--mask                                  Recalculate the effective rights mask, even if a mask entry was given explicitly.
-d or --default                         Apply the operation to the default ACL.
--restore=file                          Restore a permission backup created with getfacl -R. Must be used alone or with --test.
--test                                  Test mode: show the resulting ACLs without changing any file.
-R or --recursive                       Apply the operation to all files and directories recursively.
-L or --logical                         Follow symbolic links while recursing.
-P or --physical                        Do not follow symbolic links while recursing.

Set Permissions

With the -m option followed by an entry in the format (u|user):username:perms, (g|group):groupname:perms, (m|mask):perms or (o|other):perms, where perms is any combination of r, w and x (or the octal digits 4, 2 and 1), we can change the permissions on a file or directory.

Set Permission for a User

With the -m option followed by an entry in the format (u|user):username:perms, we can change a user's permissions on the file:

getfacl acl_dir
useradd acl_user
# u:username:x
setfacl -m u:acl_user:x acl_dir    # This is equivalent to setfacl -m user:acl_user:1 acl_dir
getfacl acl_dir

View the directory's access control list before and after the creation of the user acl_user and the allocation of its permission

Set Permission for a Group

getfacl acl_dir
groupadd acl_group
# g:groupname:x
setfacl -m g:acl_group:x acl_dir    # This is equivalent to setfacl -m group:acl_group:1 acl_dir
getfacl acl_dir

View the directory's access control list before and after the creation of the group acl_group and the allocation of its permission

Set Other Permission

getfacl acl_dir
# o:x
setfacl -m o:x acl_dir    # This is equivalent to setfacl -m other:1 acl_dir
getfacl acl_dir

View the directory's access control list before and after the allocation of the permission of others

Set Mask Permission

getfacl acl_dir
# m:rwx
setfacl -m m:rwx acl_dir    # This is equivalent to setfacl -m mask:7 acl_dir
getfacl acl_dir

View the directory's access control list before and after the allocation of the mask
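The effective rights comments shown earlier with getfacl -e and the mask set here are two sides of the same rule: a named user, a named group or the owning group is granted only the bits present in both its entry and the mask entry, and chmod rewrites the mask whenever it changes the group bits. As an added example that is not part of the original post, this POSIX shell function reproduces that calculation on a constructed getfacl-style ACL text, so the narrowing can be checked without the acl tools installed:

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the "#effective:" comments
# of getfacl -e. Each named-user, named-group and owning-group entry is ANDed
# with the mask entry; user::, other:: and default: entries are never masked.

# and_perms ENTRY_PERMS MASK_PERMS -> bitwise AND of two rwx triplets,
# e.g. and_perms rwx r-x prints r-x
and_perms() {
    a=$1; b=$2; out=""
    while [ -n "$a" ]; do
        ca=${a%"${a#?}"}; cb=${b%"${b#?}"}      # first character of each
        a=${a#?}; b=${b#?}
        if [ "$ca" = "$cb" ]; then out="$out$ca"; else out="$out-"; fi
    done
    printf '%s' "$out"
}

# effective_acl ACL_TEXT -> prints the entries, appending "#effective:" to every
# entry the mask narrows (getfacl aligns the comment with more tabs)
effective_acl() {
    acl=$1
    mask=$(printf '%s\n' "$acl" | sed -n 's/^mask::\(.*\)$/\1/p' | head -n 1)
    printf '%s\n' "$acl" | while IFS= read -r line; do
        case $line in
            ''|'#'*) ;;                                 # skip the comment header
            user::*|other::*|mask::*|default:*) printf '%s\n' "$line" ;;
            user:*|group:*)                             # entries the mask applies to
                perms=${line##*:}
                eff=$perms
                [ -n "$mask" ] && eff=$(and_perms "$perms" "$mask")
                if [ "$eff" != "$perms" ]; then
                    printf '%s\t#effective:%s\n' "$line" "$eff"
                else
                    printf '%s\n' "$line"
                fi ;;
        esac
    done
}

# Constructed sample: acl_dir after a chmod that reduced the mask to r-x
SAMPLE_ACL='# file: acl_dir
user::rwx
user:acl_user:rwx
group::rwx
group:acl_group:-wx
mask::r-x
other::---'

effective_acl "$SAMPLE_ACL"
```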

Clone ACL Between Files and Directories

mkdir acl_dir2
getfacl acl_dir2
getfacl acl_dir | setfacl --set-file=- acl_dir2
getfacl acl_dir2

View the directory's access control list before and after cloning the ACL from another directory

Set Default Permissions

getfacl acl_dir2
setfacl -m d:u:acl_user:rwx acl_dir2    # This is equivalent to setfacl -m default:user:acl_user:7 acl_dir2
getfacl acl_dir2

View the directory's access control list before and after the allocation of a default permission for the user acl_user

Remove Extended ACLs

Remove a Specific User or Group ACL

We can remove the ACL entry of a user or group by replacing the -m parameter with the -x parameter:

getfacl acl_dir2
setfacl -x g:acl_group acl_dir2
getfacl acl_dir2

View the directory's access control list before and after the removal of the group acl_group's ACL entry

Remove All ACLs

getfacl acl_dir2
setfacl -b acl_dir2
getfacl acl_dir2

View the directory's access control list before and after the removal of all the extended ACL entries

References

POSIX ACLs in Linux
GETFACL(1)
SETFACL(1)
