Setting Filesystem ACLs on Linux

December 30, 2019

ACLs are a method for defining access to files and directories on a system.

These can be set at the user level, group level, or via the effective rights mask.

The commands getfacl and setfacl are used to get and change ACL permissions respectively. If you are setting for a specific user then the text form of the attribute is user:username:rwx. If you want the permission to apply to the default user (or group) then you would use the text term user::rwx

To check the status of any extended Access Control Lists:

getfacl filename

To update a file access control list, you would use:

setfacl -m u:lisa:r filename

This would give the user lisa read access to the file.

Where a user is specified, this can also be done for a group:

setfacl -m g:wheel:r filename

To remove access from a file:

setfacl -x filename

Note that this will remove all extended permissions from that file.

To remove just one access control use the - character:

setfacl -m u:lisa:r-x filename

By adding an -R flag, an ACL is applied recursively (i.e. to directories and files below the path specified).

setfacl -R -m u:lisa:rwx directory_name

This will provide read, write and execute to the directory directory_name and any files within that directory.