In Linux, files and directories have permissions for the owner of the file, the group associated with the file, and other users of the system. But these permissions have limitations, as different permissions cannot be configured for different users. For example, you might need to provide read/write access to user A and read-only permission to user B and user C. Therefore, Access Control Lists (ACLs) were implemented. ACLs provide a more flexible permission mechanism for the file system.
You can use the setfacl command to set the access control lists (ACLs) of files and directories and the getfacl command to get file access control lists.
For more information: 15+ setfacl & getfacl command examples in Linux [Cheat Sheet]
In this article, you will learn to use the chacl command in Linux. The chacl command is used to change the access control list (ACL) of a file or directory.
Syntax to use chacl command
The syntax for chacl command is as follows:
chacl [options] acl_entries file...
- acl_entries: A string specifying the ACL entries to set.
- file: The file or directory to which the ACL entries should be applied
Some important options in chacl command are:
- -b: Remove all ACL entries (both access and default).
- -d: Remove only default ACL entries.
- -R: Apply ACL entries recursively to all files and directories.
- -D: Remove the default ACL entries for all files and directories.
- -r: Remove the access ACL entries for all files and directories.
- -l: List the current ACL entries.
- -P: Preserve the permission bits.
- -p: Print the current ACL entries in a more human-readable format.
Understanding ACL Entry
An ACL entry specifies the permissions for a user, group, or others and includes:
- Tag Type: Identifies whether the entry is for a user, group, mask, or other.
- Qualifier: Specifies the user or group name (can be omitted for "other" and "mask" entries).
- Permissions: Specifies the set of permissions (read, write, execute).
Each ACL entry has a specific format:
User Entry
- Format: u:name:perm or user:name:perm
- Example: u:alice:rwx
- Grants read, write, and execute permissions to user Alice.
Group Entry
- Format: g:name:perm or group:name:perm
- Example: g:developers:r--
- Grants read-only permission to the group Developers.
Mask Entry
- Format: m:perm or mask:perm
- Example: m:rwx
- Sets the maximum permissions that can be granted to users and groups (excluding the owner).
Other Entry
- Format: o:perm or other:perm
- Example: o:---
- Sets permissions for others (users not covered by the user or group entries).
Default ACL Entries
Default ACL entries apply only to directories and are inherited by new files and subdirectories created within them.
- Default User Entry: d:u:name:perm or default:user:name:perm
- Default Group Entry: d:g:name:perm or default:group:name:perm
- Default Mask Entry: d:m:perm or default:mask:perm
- Default Other Entry: d:o:perm or default:other:perm
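The mask entry described above caps what named users, named groups and the owning group actually receive, while the owner and other entries are not affected. The following script, an added example rather than code from the original article, computes those effective permissions for a comma-separated ACL string of the kind passed to chacl. The function names mask_perm and effective_acl and the sample ACL are constructed for illustration; the script reads no files and needs no ACL tools.

```shell
#!/bin/sh
# Added example: effective permissions of a comma-separated ACL string.

# mask_perm PERM MASK: keep only the r/w/x bits of PERM that MASK also has.
mask_perm() {
    out=""
    for bit in r w x; do
        case "$1,$2" in
            *"$bit"*,*"$bit"*) out="$out$bit" ;;
            *) out="$out-" ;;
        esac
    done
    printf '%s\n' "$out"
}

# effective_acl ACL: print each entry as tag:qualifier:effective-permissions.
# Returns 1 when named entries appear without a mask entry, which the
# POSIX ACL rules treat as an invalid ACL.
effective_acl() {
    acl=$1 mask="" named=0
    old_ifs=$IFS; IFS=,; set -f          # split on commas, no globbing
    for e in $acl; do                    # pass 1: find the mask, spot named entries
        case "$e" in
            m:*|mask:*) mask=${e##*:} ;;
            u::*|user::*|g::*|group::*) ;;
            u:*:*|user:*:*|g:*:*|group:*:*) named=1 ;;
        esac
    done
    if [ "$named" -eq 1 ] && [ -z "$mask" ]; then
        set +f; IFS=$old_ifs
        echo "invalid ACL: named entries require a mask entry" >&2
        return 1
    fi
    for e in $acl; do                    # pass 2: apply the mask
        tag=${e%%:*}; perm=${e##*:}
        qual=${e#"$tag":}; qual=${qual%"$perm"}; qual=${qual%:}
        eff=$perm
        case "$tag" in                   # owner (u with no name) and other are never masked
            u|user) if [ -n "$qual" ] && [ -n "$mask" ]; then eff=$(mask_perm "$perm" "$mask"); fi ;;
            g|group) if [ -n "$mask" ]; then eff=$(mask_perm "$perm" "$mask"); fi ;;
        esac
        printf '%s:%s:%s\n' "$tag" "$qual" "$eff"
    done
    set +f; IFS=$old_ifs
}

# Constructed sample: alice and developers ask for write, the mask allows read only.
effective_acl 'u::rwx,g::rwx,o::---,u:alice:rwx,g:developers:rw-,m::r--'
```

An entry whose granted and effective permissions differ is a sign that the mask, not the entry itself, is what currently limits access, so loosening the mask later widens access for every named entry at once.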
Let's understand more using some practical examples:
# Add a read permission for user Alice
setfacl -m u:alice:r file.txt
# Add read and write permissions for group Developers
setfacl -m g:developers:rw file.txt
# Remove all permissions for others
setfacl -m o:: file.txt
# Display the ACL of a file
getfacl file.txt
# Remove the ACL entry for user Alice
setfacl -x u:alice file.txt
1. Change the ACL of a file
You can view the current ACL of a file using the getfacl command.
The first three lines indicate the file name, owner, and owning group. The file user has rwx permission, the group has r-x permission, and others have r-- permission.
Now, let's change the ACL of the file Employment_Rate.csv. The following command changes the ACL of Employment_Rate.csv so that the file user will have rw- access, the group will have r-- access, and others will have --- access.
$ chacl u::rw-,g::r--,o::--- Employment_Rate.csv
Sample Output:
In the following example, the file user will have rwx access but the user deepak will have r-- access only. The file group will have r-x access but the group computer will have r-- access only.
$ chacl u::rwx,g::r-x,o::r--,u:deepak:r--,g:computer:r--,m::r-x Employment_Rate.csv
Sample Output:
2. Remove the ACL of a file
The -R option can be used to remove the ACL of a file only.
$ chacl -R file
Sample Output:
3. Change the ACL of a directory
You can change the ACL of a directory by specifying the directory instead of a file.
$ chacl u::rw-,g::r--,o::--- directory
Sample Output:
4. Set the default ACL of a directory
You can set the default ACL of a directory using the -d option.
$ chacl -d u::rwx,g::rw-,o::r-- Documents
Sample Output:
5. Remove the default ACL of a directory
You can remove the default ACL of a directory using the -D option.
$ chacl -D Documents
Sample Output:
6. List the ACL of a file or directory
You can list the access ACL of a file or directory using the -l option. It also displays the default ACL of the specified files or directories.
$ chacl -l file
Sample Output:
7. Remove all ACLs of a file or directory
The -B option removes all ACLs of a file or directory.
$ chacl -B file
8. Set the access ACL recursively
The -r option changes the access ACL of a directory recursively. It means that the content of the directory will also have the same ACL.
$ chacl -r u::rwx,g::rw-,o::r-- directory
Sample Output:
As you can see, the ACL of a file and sub-directory inside the directory is also changed.
9. Change two ACLs
The -b option indicates that there are two ACLs to change. The first is the file access ACL and the second is the directory default ACL.
$ chacl -b acl dacl directory
Sample Output:
Conclusion
We hope this tutorial helps you understand how to change the ACLs of a file or directory using the chacl command on Linux. If you have any questions about the chacl command, please let us know in the comment section below.