setfacl
Set, modify, and remove Access Control Lists (ACLs) for files and directories
Syntax
setfacl [options] [acl_spec] file...
Basic Usage
Add ACL entry for a user
setfacl -m u:username:rwx filename
Gives read, write, and execute permissions to the specified user.
Add ACL entry for a group
setfacl -m g:groupname:rw filename
Remove ACL entry
setfacl -x u:username filename
Set ACL from file
setfacl --set-file=acl_file target_file
Common Options
-m, --modify: Modify ACL entries-x, --remove: Remove ACL entries-b, --remove-all: Remove all ACL entries-k, --remove-default: Remove default ACL entries-d, --default: Apply to default ACL-R, --recursive: Apply recursively to directories-M, --modify-file: Read ACL entries from file-X, --remove-file: Read ACL entries to remove from file-n, --no-mask: Don't recalculate effective rights mask--mask: Do recalculate effective rights mask-v, --version: Print version and exit-h, --help: Print help and exit
ACL Entry Format
ACL Entry Types
- u:username:permissions: User ACL entry
- g:groupname:permissions: Group ACL entry
- o::permissions: Other ACL entry
- m::permissions: Mask entry (effective rights)
Practical Examples
Give user read and write access
setfacl -m u:john:rw document.txt
Give group read access
setfacl -m g:developers:r source.c
Set default ACL for directory
setfacl -d -m u:john:rwx /shared/directory
Remove all ACLs from file
setfacl -b filename
Apply ACLs recursively
setfacl -R -m u:john:rw /project/
Set multiple ACL entries at once
setfacl -m u:john:rw,g:team:r,o::r file.txt
Create ACL file and apply it
echo "u:john:rw" > acl.txtecho "g:developers:r" >> acl.txtsetfacl -M acl.txt target_file
Understanding ACLs
ACL vs Traditional Permissions
- Traditional: owner, group, others (3 sets of permissions)
- ACLs: Multiple users and groups with specific permissions
- Flexibility: ACLs provide fine-grained access control
- Compatibility: ACLs work alongside traditional permissions
Best Practices
When to Use
- Sharing files with specific users or groups
- Complex permission requirements
- Collaborative project directories
- Web server file access control
- Database file permissions
Important Notes
- Filesystem must support ACLs (ext3, ext4, XFS, etc.)
- ACLs are mounted with acl option
- Use getfacl to verify ACL settings
- Default ACLs only apply to directories
- Mask entry limits effective permissions
- ACLs can be complex to manage in large environments