15+ setfacl & getfacl command examples in Linux [Cheat Sheet]

Introduction to setfacl and getfacl command

setfacl command in Linux is used to set access control lists (ACLs) of files and directories. ACL helps to create an additional, more flexible permission mechanism for the file system. It allows us to provide permission for any user or group to any disk resource.

Whereas, getfacl command is used to get file access control lists. For each file, getfacl displays the file name, owner, the group, and the Access Control List (ACL). If a directory has a default ACL, getfacl also displays the default ACL.

Advertisement

 

Why use setfacl when we have chmod and chown command?

You must be familiar with chmod and chown command in Linux which are used to manipulate permissions for user and groups on files and directories. So you may wonder, why can't we just use them and why to go through all this article to learn a new command?

Let me give you an example

Your team has 3 users who are part of 3 different groups

  • amit user is part of finance group
  • deepak user is part of dev group
  • rahul user is part of test group

Now there is a common folder /root/secret where we want to provide separate set of permission for each of these users. It is not possible via chown as we can only assign one group as the owner. So either we add all these users into one common group and then given the permission to that group or we think of some other way.

But again adding all these users to single group may not be possible because what if you wanted to provide read only access to user deepak, read and write permission for rahul and amit?

This is where setfacl comes for the rescue. Here we can provide access to individual user and/or group for individual directory and files. So we can just use setfacl for these users and provide requied permission.

Advertisement

Now how to use setfacl is something I will cover in this article using different examples.

 

Syntax to use setfacl and getfacl command

The general syntax of setfacl and getfacl command is:

$ setfacl option file

AND

$ getfacl [option] file

 

Different examples to use setfacl and getfacl command

1. getfacl command to display the file access control list

-a or --access options display the file access control list of a file or directory.

$ getfacl -a file

OR

$ getfacl --access file

Sample Output:

getfacl command to display the access control list

 

2. Display the default access control list with getfacl command

You can view the default access control list with -d or --default option.

$ getfacl -d file

OR

Advertisement
$ getfacl --default file

Sample Output:

ubuntu@golinux:~$ getfacl -d system.txt
# file: system.txt
# owner: ubuntu
# group: ubuntu

 

3. getfacl command to list the ACLs of all files and directories recursively (sub-directories)

You can use -R or --recursive options to list the ACLs of all files and directories recursively. It is helpful to view the ACLs of a whole directory, including its sub-directories and files.

$ getfacl -R directory

OR

$ getfacl --recursive directory

Sample Output:

getfacl command to list the ACLs of all files and directories recursively

 

4. Display ACLs of files in tabular output with getfacl command

-t or --tabular options tell getfacl to use an alternative tabular output format. The ACL and the default ACL are displayed side by side.

$ getfacl -t file

OR

$ getfacl --tabular file

Sample Output:

ubuntu@golinux:~$ getfacl -t system.txt
# file: system.txt
USER   ubuntu    rw-     
GROUP  ubuntu    rw-     
other            r--  

 

5. getfacl command to omit header

-c or --omit-header options are used to hide the output's comment header (the first three lines).

$ getfacl -c file

OR

$ getfacl --omit-header file

Sample Output:

getfacl command to not display the comment header

 

6. List numeric user and group IDs with getfacl command

You can use -n or --numeric options to display the numeric user and group IDs in the output.

$ getfacl -n file

OR

$ getfacl --numeric file

Sample Output:

getfacl command to display numeric user and group IDs

 

7. Print all effective rights comments with getfacl command

The -e or --all-effective options print all effective rights comments, even if identical to the rights defined by the ACL entry.

$ getfacl -e file

OR

$ getfacl --all-effective file

Sample Output:

getfacl command to print all effective right comments

8. Do not print effective rights comments with getfacl command

The options -E or --no-effective can be used to ignore the effective right comments.

$ getfacl -E file

OR

$ getfacl --no-effective file

Sample Output:

getfacl command to not print effective right comments

 

9. setfacl command to modify ACLs of file

The -m or --modify=acl options modify the current ACL of a file or directory. For example, to give read and write permission to user deepak:

$ setfacl -m u:deepak rw file

OR

$ setfacl --modify=u:deepak rw file

Sample Output:

setfacl command to modify ACL of file

ACL ENTRIES

The setfacl recognizes the following ACL entry formats:

  • [d[efault]:] [u[ser]:]uid [:perms] - Permissions of a named user. Permissions of the file owner if uid is empty.
  • [d[efault]:] g[roup]:gid [:perms] - Permissions of a named group. Permissions of the owning group if gid is empty.
  • [d[efault]:] m[ask][:] [:perms] - Effective rights mask
  • [d[efault]:] o[ther][:] [:perms] - Permissions of others.

Whitespace between delimiter characters and non-delimiter characters is ignored.

 

10. setfacl command to remove all extended ACL entries

You can remove all extended ACL entries using -b or --remove-all option.  The base ACL entries of the owner, group, and others are retained.

$ setfacl -b file

OR

$ setfacl --remove-all file

Sample Output:

setfacl command to remove all extended ACL entries

 

11. setfacl command to remove entries from the ACL of file

The -x and --remove=acl options remove ACL entries from the file. It does not display an error when removing an entry that does not exist.

To remove group 'linux' from a file's ACL, you can use:

$ setfacl -x g:linux file

OR

$ setfacl --remove=g:linux file

Sample Output:

setfacl command to remove entries from the ACL(s) of file(s)

 

12. setfacl command to remove the default ACL

-k or --remove-default options are used to remove the default access control list. If no default ACL exists, no warnings are issued.

$ setfacl -k file

OR

$ setfacl --remove-default file

Sample Output:

ubuntu@golinux:~$ setfacl -k system.txt

 

13. Apply operations to all files and directories recursively with setfacl command

You need to use -R or --recursive option to operate all files and directories recursively.

$ setfacl -m g:linux:rw -R directory

OR

$ setfacl -m g:linux:rw --recursive directory

Sample Output:

setfacl command to act recursively

 

14. setfacl command to restore a permission backup

The following command is used to restore a permission backup created by getfacl -R or similar.

$ setfacl --restore=file

Sample Output:

setfacl command to restore a permission

 

15. getfacl and setfacl command to copy the ACL of one file to another

You can use the following command to copy the ACL of one file to another with getfacl and setfacl commands.

getfacl file1 | setfacl --set-file=- file2

Sample Output:

Here, we are copying the ACL of system.txt to new.txt.

setfacl command to copy the ACL of one file to another

 

16. Use setfacl command in test mode

--test option allows setfacl to run in test mode. The ACLs are not modified in test mode. It only displays the changes that will take place after running the actual command.

$ setfacl --test command

Sample Output:

setfacl command for test mode

 

17. getfacl command to follow symbolic links

-L or --logical options are used to follow symbolic links to directories. The default behavior is to follow symbolic link arguments and skip symbolic links encountered in subdirectories. It is only effective in combination with -R.

$ getfacl -L -R directory

OR

$ getfacl --logical -R directory

Sample Output:

getfacl command logical walk follow symbolic

 

18. getfacl command to not follow symbolic links

-P or --physical options do not follow symbolic links to directories. This also skips symbolic link arguments. It is only effective with -R.

$ getfacl -P -R directory

OR

$ getfacl --physical -R directory

Sample Output:

As we can see, it skips the symbolic link file now.

getfacl command to not follow symbolic links

 

Conclusion

In this tutorial, we have learned about setfacl and getfacl command in Linux. setfacl command is used to set or modify the ACL of any file or directory, and getfacl command is used to view the ACL of any file or directory.

If you still have any confusion, please let us know in the comment section.

 

What's Next

5+ nice & renice command examples in Linux [Cheat Sheet]

Further Reading

man page for setfacl command
man page for getfacl command

 

Didn't find what you were looking for? Perform a quick search across GoLinuxCloud

If my articles on GoLinuxCloud has helped you, kindly consider buying me a coffee as a token of appreciation.

Buy GoLinuxCloud a Coffee

For any other feedbacks or questions you can either use the comments section or contact me form.

Thank You for your support!!

Leave a Comment