Files
setfacl
Set file access control lists (ACLs).
Additional Notes
setfacl sets ACLs (Access Control Lists) on files and directories. ACLs provide finer-grained permissions beyond the traditional Unix owner/group/other model, allowing specific users and groups to be granted or denied access individually.
Each ACL entry specifies a user or group and the permissions (read, write, execute) to grant or deny. Directories can have default ACLs that are inherited by newly created files and subdirectories. The getfacl command displays current ACLs.
Syntax
setfacl [-bkndRLP] {-m|-M|-x|-X ...} file...
Parameters
file: The file or directory to modify.
Common Options
-m,--modify acl: Modify the ACL by adding or changing entries.-x,--remove acl: Remove specific ACL entries.-b,--remove-all: Remove all extended ACL entries (keep base owner/group/other).-k,--remove-default: Remove the default ACL (for directories).--set acl: Replace the entire ACL with the specified entries.-d,--default: Apply operations to the default ACL (for directories).-R,--recursive: Apply ACLs recursively to directories and their contents.-L: Follow symbolic links (used with-R).-P: Do not follow symbolic links (used with-R).-n: Do not recalculate the mask entry.
ACL Entry Format
u[ser]::perms # Owner permissions
u[ser]:username:perms # Specific user permissions
g[roup]::perms # Group permissions
g[roup]:groupname:perms # Specific group permissions
o[ther]::perms # Others permissions
m[ask]::perms # Mask (maximum permissions for named users/groups)
d[efault]:u[ser]:username:perms # Default user ACL (directory only)
Permissions: r, w, x, or combinations like rwx, r-x, rw-.
Examples
setfacl -m u:alice:rwx file.txt
Grant user alice read, write, and execute permissions on file.txt.
setfacl -m g:developers:rw- project/
Grant the developers group read and write access to project/.
setfacl -x u:bob file.txt
Remove any ACL entry for user bob on file.txt.
setfacl -b file.txt
Remove all extended ACL entries from file.txt.
setfacl -R -m u:alice:rx /shared/files
Recursively grant user alice read and execute on /shared/files and all contents.
setfacl -d -m g:developers:rwx shared/
Set a default ACL on shared/ so new files get developers group read/write/execute.
Practical Notes
- The filesystem must be mounted with the
acloption for ACLs to work (default on most modern distributions). - Use
getfaclto view current ACLs on a file. - The
maskentry limits the maximum permissions for named users and groups. - When
ls -lshows a+after the permissions, the file has extended ACLs. - Recursive operations with
-Rcan be slow on large directory trees. - Default ACLs on directories are inherited but do not override explicit permissions on existing files.