sajad torkamani

What is setfacl?

setfacl (short for set file ACL) is a Unix command-line tool for managing Access Control Lists (ACLs) on files and directories. It's a finer-grained alternative to the standard user/group/other permission model managed with chmod and chown.

setfacl manages a file's ACL, which getfacl prints in this form:

# file: report.txt
# owner: alice
# group: staff
user::rw-
user:bob:r--
group::r--
mask::rw-
other::---

You use the setfacl command to edit a file's ACL. The basic syntax is:

setfacl -m u:<username>:<permissions> <file-or-directory>
  • -m: modify (add or change) an ACL entry
  • u: a named user entry (u:<username>:<permissions>)
  • g: a named group entry (g:<groupname>:<permissions>)

Install

On Ubuntu, run:

sudo apt-get update && sudo apt install acl

Then, ensure ACL support is enabled on your filesystem by following the instructions here.

Recipes

Specify user access

Give john read-only access to a report.txt file:

setfacl -m u:john:r-- report.txt

Specify group access

Give the developers group read & write access:

setfacl -m g:developers:rw- report.txt

Remove user access

Remove john's ACL entry:

setfacl -x u:john report.txt

View ACL for file

Example:

getfacl report.txt

Example output:

# file: report.txt
# owner: alice
# group: staff
user::rw-
user:bob:r--
group::r--
mask::rw-
other::---

Set an ACL mask to restrict permissions

You can set a mask to restrict permissions for a given file / directory like so:

setfacl -m m:rw- report.txt

This will result in an ACL like this:

# file: report.txt
# owner: alice
# group: staff
user::rw-
user:bob:r--
group::r--
mask::rw-
other::---

Which means that even if you do:

setfacl -m u:bob:rwx report.txt

bob's effective permissions will be rw- because of the mask (getfacl shows this as an #effective:rw- annotation next to the entry). Caveat: this holds only if the mask is not recalculated. By default, setfacl recalculates the mask to cover the entries you modify unless you pass -n (--no-mask) or set the mask explicitly in the same command, so check the mask line with getfacl after every change.
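To see how the mask changes what an entry actually grants, here is an added example (not from the original post) that reads getfacl-style output and prints the effective permission of every entry, ANDing named user, named group and owning-group entries with the mask (and default entries with the default mask). The input is a constructed listing, so it runs without an ACL-enabled filesystem.

```shell
# Compute the effective permission of each ACL entry from getfacl-style text.
# Masked entries: named users, named groups and the owning group ("group::").
# Unmasked entries: the owner ("user::") and "other::".
effective_acl() {
  awk '
    /^#/ || $0 == "" { next }
    {
      sub(/[ \t]*#effective:.*$/, "")      # drop getfacl annotation if present
      line = $0; scope = ""
      if (sub(/^default:/, "", line)) scope = "default:"
      n = split(line, f, ":")
      if (n < 3) next
      if (f[1] == "mask") { mask[scope] = f[3]; next }
      i++; sc[i] = scope; tag[i] = f[1]; name[i] = f[2]; perm[i] = f[3]
    }
    END {
      for (k = 1; k <= i; k++) {
        p = perm[k]; m = mask[sc[k]]
        if (m != "" && (tag[k] == "group" || name[k] != "")) {
          e = ""
          for (j = 1; j <= 3; j++) {           # r, w, x positions
            c = substr(p, j, 1)
            e = e ((c != "-" && substr(m, j, 1) == c) ? c : "-")
          }
          p = e
        }
        printf "%s%s:%s:%s\n", sc[k], tag[k], name[k], p
      }
    }'
}

# Constructed sample: the listing from the post after `setfacl -n -m u:bob:rwx`
# with the mask left at rw-.
SAMPLE_ACL='# file: report.txt
# owner: alice
# group: staff
user::rw-
user:bob:rwx
group::r--
mask::rw-
other::---'

acl_demo() { printf "%s\n" "$SAMPLE_ACL" | effective_acl; }
acl_demo
```

Run it on a real file with `getfacl report.txt | effective_acl` to confirm what each entry grants after a change.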

Set default ACLs for new files/directories

setfacl -m d:u:john:rw- /shared
  • d: means default

Now, the user john will have the rw- permission on any new file created inside the /shared directory. Default ACLs can only be set on directories and do not change files that already exist.

Remove all ACLs on a file

setfacl -b report.txt

Remove just one ACL entry from a file

setfacl -x u:john report.txt