
setfacl: Setting File Access Control Lists (ACLs)

The `setfacl` command sets POSIX Access Control Lists (ACLs) on files and directories. ACLs extend the traditional Unix permission model (owner, group, others) by letting you grant or revoke read, write and execute permissions for additional named users or groups on the same object, which makes it possible to express permission requirements that the three classic classes cannot.

Overview

`setfacl` enables finer-grained permission management for file system objects. You can grant or revoke read, write and execute permissions for individual users or groups, and you can set default ACLs on directories so that files and subdirectories created inside them inherit ACL entries automatically. This is particularly useful on shared systems where several users or groups need different levels of access to the same tree.

Key Features

  • Individual permission settings for specific users/groups
  • Default ACL settings and inheritance
  • Modification and removal of existing ACLs
  • Recursive permission application

Key Options

`setfacl` allows for precise control of ACLs through various options. The frequently used ones are listed below, with the long forms from the setfacl man page alongside the short ones.

Setting and Modifying ACLs

  • -m, --modify <acl>: Add or modify the given entries (e.g. u:user1:rw, g:groupA:r, m::rw) and leave the rest of the ACL unchanged.
  • --set <acl>: Replace the whole ACL with the given entries; the base entries (u::, g::, o::) must be included.
  • -d, --default: Operate on the default ACL of a directory; equivalent to prefixing each entry with d:.
  • -n, --no-mask: Do not recalculate the mask entry after the change. By default it is recomputed as the union of the owning group entry and all named user and group entries, unless a mask entry was given explicitly.

Removing ACLs

  • -x, --remove <acl>: Remove the given entries, written without permissions (e.g. u:user1).
  • -b, --remove-all: Remove all extended entries, access and default; only the base owner/group/other entries remain.
  • -k, --remove-default: Remove the default ACL of a directory only.

Other

  • -R, --recursive: Apply the change to the directory and everything below it.
  • --test: Print the ACLs that would result without changing anything.
  • --restore=<file>: Re-apply the ACLs recorded in a backup produced by `getfacl -R`.


Usage Examples

Demonstrates various scenarios for managing file and directory ACLs using the `setfacl` command.

Grant Read/Write Permissions to a Specific User

setfacl -m u:user1:rw testfile.txt

Grants read (r) and write (w) permissions to `user1` for the file `testfile.txt`.

Grant Read-Only Permissions to a Specific Group

setfacl -m g:groupA:r shared_dir

Grants read (r) permission to `groupA` for the directory `shared_dir`. Note that r alone on a directory only allows the members to list the names in it; opening anything inside requires execute (x) on the directory as well, so use `g:groupA:rx` (or `rX`) if they need to reach the contents.

Set Default ACL for a Directory

setfacl -m d:u:user2:rwx project_data

Sets a default ACL on the `project_data` directory (equivalently `setfacl -d -m u:user2:rwx project_data`). Files and subdirectories created inside it afterwards inherit an entry for `user2` with rwx, together with a mask; the umask is not applied in that case, and instead the inherited mask is ANDed with the mode the creating program asks for (0666 for a regular file, 0777 for a directory). In practice `user2` therefore gets read/write on new files and read/write/execute on new subdirectories, which also inherit the default ACL themselves. Existing contents are not affected; combine with `-R -m u:user2:rwX` to cover them.

Apply ACL Recursively

setfacl -R -m u:user3:r data_archive

Recursively grants read permission to `user3` for the `data_archive` directory and all files and subdirectories within it. Read alone lets `user3` list a directory but not open the entries inside it, because that needs execute on the directory; for a traversable read-only grant use `u:user3:rX`, where the capital X adds execute only to directories and to files that are already executable for some user, so plain data files stay non-executable.

Remove a Specific User's ACL Entry

setfacl -x u:user1 testfile.txt

Removes the ACL entry for `user1` from the `testfile.txt` file.

Remove All Extended ACL Entries

setfacl -b config_dir

Removes all extended ACL entries (named users, named groups, the mask and the whole default ACL) from the `config_dir` directory. The base owner/group/other entries, i.e. the standard permission bits, are retained; the group bits shown by `ls -l` then reflect the owning group's entry again instead of the mask.

Remove Default ACL Entries

setfacl -k project_data

Removes all set default ACL entries from the `project_data` directory.
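The scenarios above combined into one runnable session, as an added example that is not part of the original page. It assumes a Linux host with the `acl` package installed, a filesystem with ACL support, and that UID 424242 is unused; a numeric UID is used because `setfacl` accepts one without a matching account, so the script needs no extra users. It grants and revokes an entry on a file, then sets a default ACL on a directory and shows what a new file and a new subdirectory inherit.

```shell
#!/bin/sh
# Added example for the setfacl usage scenarios above (not from the original
# page). Assumes the acl package, an ACL-capable filesystem and that UID
# 424242 is unused on this host: setfacl accepts a numeric UID without a
# matching account, so no users have to be created.
set -eu

ACL_UID=424242

# Print the access-ACL entry for $ACL_UID on $1 in numeric form, e.g.
# "user:424242:rw-", including the "#effective:" note getfacl appends when
# the mask caps it. Prints nothing if there is no such entry.
entry_for_uid() {
    getfacl -n --omit-header "$1" 2>/dev/null | grep "^user:$ACL_UID:" || true
}

# Grant read/write on one file, show the "+" ls adds, then revoke it.
# Output: <entry after grant>|<11th char of ls -l>|<entry after revoke>
grant_and_check() {
    f="$1/testfile.txt"
    : > "$f"; chmod 0640 "$f"
    setfacl -m "u:$ACL_UID:rw" "$f"          # like: setfacl -m u:user1:rw testfile.txt
    before=$(entry_for_uid "$f")             # user:424242:rw-
    plus=$(ls -l "$f" | cut -c11)            # "+" marks an extended ACL
    setfacl -x "u:$ACL_UID" "$f"             # like: setfacl -x u:user1 testfile.txt
    after=$(entry_for_uid "$f")              # empty: the entry is gone
    printf '%s|%s|%s\n' "$before" "$plus" "$after"
}

# Set a default ACL on a directory and see what newly created objects get.
# The inherited entry is rwx; the inherited mask is ANDed with the creation
# mode (0666 for touch, 0777 for mkdir), which is what caps the file at rw-.
# Output: <entry on new file>|<entry on new subdirectory>
inherit_check() {
    proj="$1/project_data"
    mkdir -p "$proj"
    setfacl -m "d:u:$ACL_UID:rwx" "$proj"    # like: setfacl -m d:u:user2:rwx project_data
    touch "$proj/new.txt"
    mkdir "$proj/sub"
    file_entry=$(entry_for_uid "$proj/new.txt")   # user:424242:rwx   #effective:rw-
    dir_entry=$(entry_for_uid "$proj/sub")        # user:424242:rwx
    setfacl -k "$proj"                       # like: setfacl -k project_data; children keep their ACLs
    printf '%s|%s\n' "$file_entry" "$dir_entry"
}

demo() {
    t=$(mktemp -d)
    echo "grant/revoke: $(grant_and_check "$t")"
    echo "inheritance:  $(inherit_check "$t")"
    getfacl -n -p "$t/project_data/new.txt"  # full listing: mask:: and #effective: visible
    rm -rf "$t"
}

# Run with "demo" as the first argument to execute both scenarios:  sh setfacl_demo.sh demo
if [ "${1:-}" = demo ]; then demo; fi
```

The two functions take the directory to work in and print their findings on one line so they can be checked mechanically; `getfacl -n` forces numeric output and `--omit-header` drops the `# file:` comment lines, which keeps the grep simple.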

Installation

The `setfacl` command is typically part of the `acl` package. It is pre-installed on most Linux distributions, but if you cannot find the command, you can install it using the following commands. The filesystem must also support POSIX ACLs: ext4, XFS, Btrfs and tmpfs do on current kernels, while on a filesystem mounted without ACL support `setfacl` fails with "Operation not supported".

Debian/Ubuntu Based Systems

sudo apt update && sudo apt install acl

Install the `acl` package using the APT package manager.

RHEL/CentOS/Fedora Based Systems

sudo yum install acl
# or
sudo dnf install acl

Install the `acl` package using YUM (RHEL/CentOS 7) or DNF (RHEL 8 and later, Fedora).

Tips & Precautions

Tips and precautions for effectively using `setfacl` and preventing potential issues.

Use with getfacl

After setting ACLs with `setfacl`, it is important to verify the currently set ACLs using the `getfacl <file/directory>` command. This helps confirm that the permissions have been applied as intended.

  • Verification Command: getfacl <file/directory>

Understanding Mask Permissions

ACL entries can include a 'mask' entry, which `setfacl` adds automatically as soon as a named user or named group entry exists. The mask caps the effective permissions of the named user entries, the named group entries and the owning group entry; it does not apply to the file owner (user::) or to others. If an entry grants more than the mask allows, `getfacl` prints the entry with an '#effective:' annotation showing what actually applies. Two things make the mask easy to get wrong: `setfacl` recalculates it on every modification unless -n (--no-mask) is given or a mask entry is set explicitly, and once a mask exists the group bits in the `ls -l` mode string show the mask rather than the owning group, so a `chmod g-w` silently narrows the effective access of every named entry. Check with `getfacl` after setting ACLs and after running chmod.

  • Role: Limits the effective permissions of the named user, named group and owning group entries.
  • Check: Look at the 'mask::' line and any '#effective:' annotations in the `getfacl` output.

Interaction with Standard Unix Permissions

Files or directories with extended ACL entries have a '+' appended to their permission string when viewed with `ls -l`. This indicates that additional ACLs apply beyond the standard Unix permissions, and that the group bits of the string are really the mask. ACLs complement the standard permission model but add complexity, and many tools drop them unless told to keep them: use `cp -p` (or `cp -a`), `rsync -A` and `tar --acls` (with a tar built with ACL support) when copying or archiving ACL-bearing trees, and verify the result with `getfacl` on the copy.

  • ACL Applied Indicator: A '+' sign at the end of the permission string in `ls -l` output.

Caution with Recursive Application (-R)

Be cautious when applying ACLs recursively using the `-R` option. Especially when combined with `-b` (remove all extended entries), it strips the ACLs from every file and subdirectory below the starting point in one step. Preview the outcome with the `--test` option first, which prints the resulting ACLs without changing anything, and take an ACL backup of the tree with `getfacl -R -p <dir> > acl.backup` (the -p keeps absolute paths) so that it can be put back with `setfacl --restore=acl.backup` if the change turns out to be a mistake. Note also that `-R` descends into subdirectories but does not follow symbolic links found inside them unless `-L` is given.

  • Recommendation: Pre-check with `--test`, back up with `getfacl -R -p`, and keep `setfacl --restore` as the way back.
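An added example, not from the original page, covering the two preceding tips: first the mask, showing that `chmod` on the group bits rewrites it and how -n and an explicit m:: entry interact with it; then a `--test` dry run of a recursive `-b`, followed by a `getfacl -R -p` backup that is restored with `setfacl --restore`. It assumes the `acl` package, an ACL-capable filesystem and that UID 424242 is unused on this host (numeric UIDs need no account).

```shell
#!/bin/sh
# Added example for the mask and recursive-change tips above (not from the
# original page). Assumes the acl package, an ACL-capable filesystem and that
# UID 424242 is unused on this host (numeric UIDs need no account).
set -eu

ACL_UID=424242

# Effective permissions of $ACL_UID on $1: the "#effective:" value when the
# mask caps the entry, otherwise the entry's own permissions; empty if absent.
effective_for_uid() {
    getfacl -n --omit-header "$1" 2>/dev/null | grep "^user:$ACL_UID:" \
        | sed -e 's/.*#effective://' -e "s/^user:$ACL_UID://"
}

# The mask:: entry of $1, e.g. "rw-".
mask_of() {
    getfacl -n --omit-header "$1" 2>/dev/null | sed -n 's/^mask:://p'
}

# Output: <mask after grant>|<mask after chmod>|<effective after chmod>|
#         <effective after -n modify>|<effective after explicit m::>
mask_demo() {
    f="$1/masked.txt"
    : > "$f"; chmod 0640 "$f"
    setfacl -m "u:$ACL_UID:rwx" "$f"    # mask recalculated: group::r-- + rwx = rwx
    m1=$(mask_of "$f")                  # rwx
    chmod g=r "$f"                      # with a mask present, the group bits ARE the mask
    m2=$(mask_of "$f")                  # r--
    e2=$(effective_for_uid "$f")        # r--  (the entry itself still says rwx)
    setfacl -n -m "u:$ACL_UID:rw" "$f"  # -n: change the entry, leave the mask alone
    e3=$(effective_for_uid "$f")        # r--
    setfacl -m "m::rw" "$f"             # explicit mask entry: not recalculated
    e4=$(effective_for_uid "$f")        # rw-
    printf '%s|%s|%s|%s|%s\n' "$m1" "$m2" "$e2" "$e3" "$e4"
}

# Dry-run a recursive wipe with --test, then back up, wipe and restore.
# Output: <effective after --test>|<effective after -R -b>|<effective after --restore>
test_and_restore() {
    d="$1/config_dir"; backup="$1/acl.backup"
    mkdir -p "$d/etc"; : > "$d/etc/app.conf"
    setfacl -m "u:$ACL_UID:r" "$d/etc/app.conf"
    setfacl --test -R -b "$d" >/dev/null       # lists the resulting ACLs, changes nothing
    still=$(effective_for_uid "$d/etc/app.conf")   # r--
    getfacl -R -p "$d" > "$backup"             # -p keeps absolute paths for --restore
    setfacl -R -b "$d"                         # the real, destructive change
    gone=$(effective_for_uid "$d/etc/app.conf")    # empty
    setfacl --restore="$backup"
    back=$(effective_for_uid "$d/etc/app.conf")    # r--
    printf '%s|%s|%s\n' "$still" "$gone" "$back"
}

demo() {
    t=$(mktemp -d)
    echo "mask:          $(mask_demo "$t")"
    echo "test/restore:  $(test_and_restore "$t")"
    rm -rf "$t"
}

# Run with "demo" as the first argument:  sh setfacl_mask_demo.sh demo
if [ "${1:-}" = demo ]; then demo; fi
```

The `chmod g=r` step is the one to remember: on a file with a mask, the group bits of the mode are the mask, so the change lands on every named entry rather than on the owning group. The backup is taken with `-p` so that the `# file:` lines carry absolute paths and `--restore` works from any working directory.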
