
Linux Access Control Lists (ACL)



Sometimes Linux filesystem permissions and ownership can only get you so far. For more complicated or fine-tuned permissions we'll need to use another method: ACLs.

If you don't know much about Linux file permissions, I recommend you check my guide on Linux File Permissions first, as this guide will only be covering the how-to, and not the why.

What are ACLs?

Access Control Lists, or ACLs for short, are essentially a filter that can be set on files and directories to allow or disallow permissions for multiple users and groups without the need to change ownership.

Install ACL

sudo apt install acl

Create ACL Entries/Permissions

Directory ACL

Like default Linux permissions, the same deal applies for u, g, o and rwx. The main difference is that additional users and groups can be named explicitly, such as u:username:rw or g:groupname:x.

setfacl -dm "u:user:rwx" DIRECTORY # New Files
setfacl --recursive -m "u:user:rwx" DIRECTORY # Existing Files

The first command sets a default ACL on the directory (-d only works on directories), so that any new children created within it are rwx for the user "user". The second command then applies those same ACL permissions to all existing child files and directories of the directory.

File ACL

Much like a directory ACL, except for files: either standalone files, or files within a directory that already has an ACL set.

setfacl -m "u:user:rwx" FILENAME

View ACL Entries

Sometimes you need to check the permissions, and an ls -l will no longer cut it with ACLs in use (it only shows a + after the mode bits to flag that an ACL exists), so getfacl should be used.

getfacl FILENAME

The above will show something along the lines of:

# file: FILENAME
# owner: root
# group: root
user::rwx
user:user:rwx
group::r-x
mask::rwx
other::r-x

The owner, group, user::, group::, and other:: entries are self-explanatory, as they're the basic Linux File Permission bits 'n' bobs.

mask::rwx sets the maximum effective permissions for every entry except the owner (user::) and other::, i.e. for named users, named groups and the owning group. So having rwx on the mask allows those users and groups to have all permissions; with a tighter mask such as r-x, an entry like user:user:rwx would only be effective as r-x.

user:user:rwx shows that the user "user" has rwx permissions for the file.
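To make the mask rule concrete, here is an added shell example (not from the original guide) that takes a pasted getfacl listing and works out the effective permissions of each entry the way getfacl's own "#effective:" annotation does. It runs on the constructed sample listing below, so it needs neither setfacl nor ACL-capable storage; the file name, users and group in the sample are made up.

```shell
# Constructed sample listing, as getfacl would print it (not taken from a real system)
SAMPLE_ACL='# file: shared/report.txt
# owner: root
# group: root
user::rwx
user:user:rwx
group::r-x
group:devs:rw-
mask::r-x
other::r-x'

# and_perms ENTRY MASK -> ENTRY with every bit the MASK lacks turned off (rwx form)
and_perms() {
    ap_out=""
    for ap_i in 1 2 3; do
        ap_a=$(printf '%s' "$1" | cut -c"$ap_i")
        ap_b=$(printf '%s' "$2" | cut -c"$ap_i")
        if [ "$ap_a" != "-" ] && [ "$ap_a" = "$ap_b" ]; then
            ap_out="$ap_out$ap_a"
        else
            ap_out="$ap_out-"
        fi
    done
    printf '%s' "$ap_out"
}

# effective_perms LISTING -> one "tag:qualifier:perms[:effective]" line per entry.
# The mask caps named users, named groups and the owning group (group::);
# the owner (user::) and other:: are never masked, so they get no 4th field.
effective_perms() {
    ep_mask=$(printf '%s\n' "$1" | awk -F: '$1=="mask"{print $3}')
    printf '%s\n' "$1" | while IFS=: read -r ep_tag ep_qual ep_perms; do
        case "$ep_tag" in
            "#"*|"") continue ;;   # skip header comments and blank lines
        esac
        if [ -z "$ep_mask" ] || [ "$ep_tag" = "mask" ] || [ "$ep_tag" = "other" ] \
           || { [ "$ep_tag" = "user" ] && [ -z "$ep_qual" ]; }; then
            printf '%s:%s:%s\n' "$ep_tag" "$ep_qual" "$ep_perms"
        else
            printf '%s:%s:%s:%s\n' "$ep_tag" "$ep_qual" "$ep_perms" \
                "$(and_perms "$ep_perms" "$ep_mask")"
        fi
    done
}

# effective_for LISTING TAG QUALIFIER -> the permissions that entry really grants
effective_for() {
    effective_perms "$1" | awk -F: -v t="$2" -v q="$3" \
        '$1==t && $2==q { print ($4=="" ? $3 : $4) }'
}

effective_perms "$SAMPLE_ACL"   # prints e.g. "user:user:rwx:r-x" and "group:devs:rw-:r--"
```

Paste the output of getfacl on a real file into SAMPLE_ACL to see which named entries are being silently cut down by the mask.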

Remove ACL Entries

If you don't want the ACLs anymore, you can always remove them from a file or directory. -b removes all extended entries (the base owner, group and other entries stay). Adding -R to the command will recursively remove the ACLs from any children too.

setfacl -b FILENAME

Remove ACL entry for a specific user/group

setfacl -x "u:user" FILENAME