Introduction to setfacl and getfacl command
The setfacl command in Linux is used to set the access control lists (ACLs) of files and directories. ACLs add a second, more flexible permission mechanism on top of the standard file mode bits: they let us grant permissions on any file system object to any individual user or group, not just the owner, the owning group and "others".
The getfacl command, on the other hand, is used to get (display) file access control lists. For each file, getfacl displays the file name, the owner, the group, and the Access Control List (ACL). If a directory has a default ACL, getfacl also displays the default ACL.
Why use setfacl when we have the chmod and chown commands?
You must be familiar with the chmod and chown commands in Linux, which are used to manipulate the permissions of the user and group on files and directories. So you may wonder: why can't we just use them, and why go through this whole article to learn a new command?
Let me give you an example.
Your team has 3 users who are part of 3 different groups:
- user amit is part of the finance group
- user deepak is part of the dev group
- user rahul is part of the test group
Now there is a common folder /root/secret where we want to provide a separate set of permissions for each of these users. This is not possible via chown, as we can only assign one group as the owning group. So either we add all these users to one common group and then give the permission to that group, or we think of some other way.
But adding all these users to a single group may not be possible either: what if you wanted to provide read-only access to user deepak, but read and write permission to rahul and amit? A single group can only carry one set of permission bits.
This is where setfacl comes to the rescue. With it we can grant access to individual users and/or groups on individual directories and files, so we can simply use setfacl to give each of these users the required permissions.
How to use setfacl is something I will cover in this article using different examples.
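The three-user scenario above, worked through with setfacl and getfacl as an added example (this is not code from the original article). It also shows the caveat a defender should know: a later chmod on an object that carries an ACL rewrites the mask entry and silently caps every named user. UIDs 1001 (amit), 1002 (deepak) and 1003 (rahul) are constructed placeholders so the script runs where those accounts do not exist.

```shell
#!/bin/sh
# Added example, not code from the original article: the three-user
# scenario on one shared directory, solved with setfacl instead of
# chown/chmod, plus the mask caveat that "getfacl -e" makes visible.
# Assumption: UIDs 1001 (amit), 1002 (deepak), 1003 (rahul) are constructed
# placeholders; numeric IDs let this run where those accounts do not exist.
set -e

# Returns 0 when setfacl works on this filesystem (tools and fs support).
acl_supported() {
    f=$(mktemp) || return 1
    if setfacl -m u:0:r "$f" 2>/dev/null; then r=0; else r=1; fi
    rm -f "$f"; return $r
}

# Create the shared directory with one ACL entry per user, plus matching
# default (d:) entries so files created inside inherit the same rights.
setup_secret_dir() {
    mkdir -p "$1"
    chmod 770 "$1"
    setfacl -m u:1001:rwx,u:1003:rwx,u:1002:rx "$1"        # amit, rahul: rw; deepak: read-only
    setfacl -m d:u:1001:rwx,d:u:1003:rwx,d:u:1002:rx "$1"  # inherited by new entries
}

# Print the effective rights (after the mask) of UID $1 on path $2, taken
# from the "#effective:" comment that "getfacl -n -e" prints, e.g. "r-x".
effective_rights() {
    getfacl -n -e "$2" 2>/dev/null \
        | awk -F: -v uid="$1" '$1 == "user" && $2 == uid { print $NF; exit }'
}

# Demo: chmod on an object that carries an ACL rewrites the mask entry, not
# the owning-group entry, so "chmod 750" silently caps every named user.
if acl_supported; then
    d=$(mktemp -d)/secret
    setup_secret_dir "$d"
    echo "amit before chmod 750: $(effective_rights 1001 "$d")"   # rwx
    chmod 750 "$d"
    echo "amit after chmod 750:  $(effective_rights 1001 "$d")"   # r-x
    getfacl -n -e "$d"
    rm -rf "$(dirname "$d")"
else
    echo "ACLs not usable here; only the functions were defined" >&2
fi
```

The getfacl -n -e listing at the end shows the named entries still saying rwx while each "#effective:" comment says r-x, which is exactly what a permissions audit should look for.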
Syntax to use setfacl and getfacl command
The general syntax of setfacl and getfacl command is:
$ setfacl option file
AND
$ getfacl [option] file
Different examples to use setfacl and getfacl command
1. getfacl command to display the file access control list
The -a or --access option displays the file access control list of a file or directory.
$ getfacl -a file
OR
$ getfacl --access file
2. Display the default access control list with getfacl command
You can view the default access control list with the -d or --default option.
$ getfacl -d file
OR
$ getfacl --default file
Sample Output:
ubuntu@golinux:~$ getfacl -d system.txt
# file: system.txt
# owner: ubuntu
# group: ubuntu
3. getfacl command to list the ACLs of all files and directories recursively (sub-directories)
You can use the -R or --recursive option to list the ACLs of all files and directories recursively. It is helpful for viewing the ACLs of a whole directory, including its sub-directories and files.
$ getfacl -R directory
OR
$ getfacl --recursive directory
4. Display ACLs of files in tabular output with getfacl command
The -t or --tabular option tells getfacl to use an alternative tabular output format. The ACL and the default ACL are displayed side by side.
$ getfacl -t file
OR
$ getfacl --tabular file
Sample Output:
ubuntu@golinux:~$ getfacl -t system.txt
# file: system.txt
USER   ubuntu    rw-
GROUP  ubuntu    rw-
other            r--
5. getfacl command to omit header
The -c or --omit-header option hides the output's comment header (the first three lines: file, owner and group).
$ getfacl -c file
OR
$ getfacl --omit-header file
6. List numeric user and group IDs with getfacl command
You can use the -n or --numeric option to display numeric user and group IDs in the output instead of names.
$ getfacl -n file
OR
$ getfacl --numeric file
7. Print all effective rights comments with getfacl command
The -e or --all-effective option prints all effective rights comments, even if they are identical to the rights defined by the ACL entry.
$ getfacl -e file
OR
$ getfacl --all-effective file
8. Do not print effective rights comments with getfacl command
The -E or --no-effective option can be used to suppress the effective rights comments.
$ getfacl -E file
OR
$ getfacl --no-effective file
9. setfacl command to modify ACLs of file
The -m or --modify=acl option modifies the current ACL of a file or directory. For example, to give read and write permission to user deepak:
$ setfacl -m u:deepak:rw file
OR
$ setfacl --modify=u:deepak:rw file
ACL ENTRIES
The setfacl recognizes the following ACL entry formats:
- [d[efault]:] [u[ser]:]uid [:perms] - Permissions of a named user. Permissions of the file owner if uid is empty.
- [d[efault]:] g[roup]:gid [:perms] - Permissions of a named group. Permissions of the owning group if gid is empty.
- [d[efault]:] m[ask][:] [:perms] - Effective rights mask
- [d[efault]:] o[ther][:] [:perms] - Permissions of others.
Whitespace between delimiter characters and non-delimiter characters is ignored.
10. setfacl command to remove all extended ACL entries
You can remove all extended ACL entries using the -b or --remove-all option. The base ACL entries of the owner, group, and others are retained.
$ setfacl -b file
OR
$ setfacl --remove-all file
11. setfacl command to remove entries from the ACL of file
The -x or --remove=acl option removes ACL entries from the file. It does not report an error when removing an entry that does not exist.
To remove group 'linux' from a file's ACL, you can use:
$ setfacl -x g:linux file
OR
$ setfacl --remove=g:linux file
12. setfacl command to remove the default ACL
The -k or --remove-default option removes the default access control list. If no default ACL exists, no warning is issued.
$ setfacl -k file
OR
$ setfacl --remove-default file
Sample Output:
ubuntu@golinux:~$ setfacl -k system.txt
13. Apply operations to all files and directories recursively with setfacl command
You need to use the -R or --recursive option to operate on all files and directories recursively.
$ setfacl -m g:linux:rw -R directory
OR
$ setfacl -m g:linux:rw --recursive directory
14. setfacl command to restore a permission backup
The following command is used to restore a permission backup created by getfacl -R or similar.
$ setfacl --restore=file
15. getfacl and setfacl command to copy the ACL of one file to another
You can use the following command to copy the ACL of one file to another with getfacl and setfacl commands.
$ getfacl file1 | setfacl --set-file=- file2
Sample Output:
Here, we are copying the ACL of system.txt to new.txt.
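Examples 14 and 15 combined into a small baseline-and-restore workflow, as an added example (not code from the original article): take a getfacl -R snapshot of a tree, diff the live tree against it to detect ACL drift, put it back with setfacl --restore, and copy one file's ACL to another. UIDs 1001 and 1002 are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the original article: use "getfacl -R" as a
# permissions baseline, diff a tree against it to spot unexpected grants,
# and put the tree back with "setfacl --restore" (examples 14 and 15).
# Assumption: UIDs 1001 and 1002 are constructed placeholders.
set -e

# Returns 0 when setfacl works on this filesystem (tools and fs support).
acl_supported() {
    f=$(mktemp) || return 1
    if setfacl -m u:0:r "$f" 2>/dev/null; then r=0; else r=1; fi
    rm -f "$f"; return $r
}

# Record the ACLs of every file and directory under tree $1 into file $2.
# Run from inside the tree so the stored paths are relative to it; the
# same cwd is used when restoring.
acl_baseline() {
    (cd "$1" && getfacl -R .) > "$2"
}

# Compare tree $2 against baseline $1. Prints a unified diff and returns 1
# when any ACL has drifted, 0 when the tree still matches.
acl_drift() {
    (cd "$2" && getfacl -R .) | diff -u "$1" -
}

# Reapply every ACL from baseline $1 to tree $2 (set semantics, so entries
# added since the baseline was taken are removed again).
acl_restore() {
    (cd "$2" && setfacl --restore="$1")
}

# Copy the complete ACL of $1 onto $2 (the man page idiom from example 15).
copy_acl() {
    getfacl "$1" | setfacl --set-file=- "$2"
}

if acl_supported; then
    t=$(mktemp -d)
    mkdir -p "$t/tree/sub" && touch "$t/tree/a" "$t/tree/sub/b"
    setfacl -m u:1001:rw "$t/tree/a"
    acl_baseline "$t/tree" "$t/base.acl"
    setfacl -m u:1002:rwx "$t/tree/sub/b"            # an unexpected grant
    acl_drift "$t/base.acl" "$t/tree" || echo "drift detected, restoring"
    acl_restore "$t/base.acl" "$t/tree"
    acl_drift "$t/base.acl" "$t/tree" && echo "tree matches baseline again"
    rm -rf "$t"
fi
```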
16. Use setfacl command in test mode
The --test option runs setfacl in test mode. The ACLs are not modified in test mode; setfacl only displays the resulting ACLs, i.e. the changes that would take place when running the actual command.
$ setfacl --test command
17. getfacl command to follow symbolic links
The -L or --logical option makes getfacl follow symbolic links to directories. The default behaviour is to follow symbolic links given as arguments and to skip symbolic links encountered in subdirectories. It is only effective in combination with -R.
$ getfacl -L -R directory
OR
$ getfacl --logical -R directory
18. getfacl command to not follow symbolic links
The -P or --physical option makes getfacl not follow symbolic links to directories. This also skips symbolic links given as arguments. It is only effective in combination with -R.
$ getfacl -P -R directory
OR
$ getfacl --physical -R directory
Sample Output:
As we can see, it skips the symbolic link file now.
Conclusion
In this tutorial, we have learned about the setfacl and getfacl commands in Linux. The setfacl command is used to set or modify the ACL of any file or directory, and the getfacl command is used to view the ACL of any file or directory.
If you still have any confusion, please let us know in the comment section.
Further Reading
man page for setfacl command
man page for getfacl command
Trying out example 9 with setfacl, I needed a colon between the username and the rights (rw) instead of the space. The setfacl man page also shows this.
Worked for me:
setfacl -m u:deepak:rw file
Shown by example:
setfacl -m u:deepak rw file
Thank you for highlighting the typo, updated the article.