
How to Use setfacl and getfacl: A Step-by-Step Guide


Category: Linux

Date: 4 months ago


Introduction to ACLs

Access Control Lists (ACLs) are used to provide more fine-grained permissions for files and directories than the traditional Unix permissions (read, write, execute). They allow you to specify permissions for individual users or groups.

setfacl and getfacl

  • setfacl is used to set ACLs on files and directories.

  • getfacl is used to retrieve ACLs from files and directories.

Basic Syntax

setfacl


setfacl [options] acl_spec file...

getfacl


getfacl [options] file...

Setting ACLs with setfacl

Basic Usage

To add an ACL entry:


setfacl -m u:username:permissions file

  • -m: Modify the ACL.

  • u:username:permissions: Specify the user (u), the username, and the permissions (r, w, x).

Example:


setfacl -m u:john:rwx myfile

This grants user john read, write, and execute permissions on myfile.

Setting ACLs for Groups


setfacl -m g:groupname:permissions file

Example:


setfacl -m g:admins:rw myfile

This grants the group admins read and write permissions on myfile.

Setting Default ACLs on Directories


setfacl -d -m u:username:permissions directory

Example:


setfacl -d -m u:john:rwx mydir

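This sets a default ACL entry for john on the directory mydir. New files and directories created inside mydir inherit it; it does not change access to mydir itself or to files that already exist.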

Removing ACL Entries

To remove an ACL entry:


setfacl -x u:username file

Example:


setfacl -x u:john myfile

This removes the ACL entry for user john on myfile.

To remove all ACL entries:


setfacl -b file

Example:


setfacl -b myfile

This removes all ACL entries from myfile.

Viewing ACLs with getfacl

To view the ACLs on a file or directory:


getfacl file

Example:


getfacl myfile

This outputs the ACLs for myfile.

Example Output


# file: myfile
# owner: root
# group: root
user::rw-
user:john:rwx
group::r--
mask::rwx
other::r--

  • user::rw- - Permissions for the file owner.

  • user:john:rwx - Specific permissions for user john.

  • group::r-- - Permissions for the owning group.

  • mask::rwx - The effective rights mask: the maximum permissions that named users, the owning group, and named groups can actually receive.

  • other::r-- - Permissions for others.
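The mask entry decides what a named user or group really gets, so an ACL audit should compare requested and effective rights. The script below is an added example, not part of the original guide: it parses getfacl-style output and applies the mask, using a constructed sample (the helper names and the group:admins entry are assumptions) in which the mask has been tightened to r--.

```shell
#!/bin/sh
# Constructed sample in getfacl output format (not captured from a real system):
# the example file from this guide with the mask tightened to r--.
sample_getfacl() {
    cat <<'EOF'
# file: myfile
# owner: root
# group: root
user::rw-
user:john:rwx    #effective:r--
group::r--
group:admins:rw-    #effective:r--
mask::r--
other::r--
EOF
}

# Read getfacl output on stdin; print "entry requested effective" per access entry.
acl_effective() {
    awk '
    /^#/ || /^[ \t]*$/ { next }            # header comments, blank lines
    {
        sub(/[ \t]*#.*/, "")               # trailing "#effective:" comment
        if (split($0, f, ":") != 3) next   # skips default:... entries (4 fields)
        if (f[1] == "mask") { mask = f[3]; next }
        tag[++n] = f[1] ":" f[2]; perm[n] = f[3]
    }
    END {
        for (i = 1; i <= n; i++) {
            eff = perm[i]
            # The mask caps named users, the owning group and named groups;
            # the owner (user::) and other:: are never masked.
            if (mask != "" && tag[i] != "user:" && tag[i] != "other:") {
                eff = ""
                for (k = 1; k <= 3; k++) {
                    c = substr(perm[i], k, 1)
                    if (substr(mask, k, 1) != c) c = "-"
                    eff = eff c
                }
            }
            print tag[i], perm[i], eff
        }
    }'
}

# Entries whose granted permissions are cut down by the mask.
acl_limited() { acl_effective | awk '$2 != $3'; }

sample_getfacl | acl_effective
```

On a real system, pipe `getfacl myfile` into `acl_limited` to list the entries that the mask is restricting.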

Recursive ACLs

To apply ACLs recursively to all files and directories within a directory:


setfacl -R -m u:username:permissions directory

Example:


setfacl -R -m u:john:rwx mydir

This applies the ACL for john recursively within mydir.

Preserving Existing ACLs

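To add or modify ACL entries without affecting existing ones, use the -n option with setfacl. The -n (--no-mask) option stops setfacl from recalculating the effective rights mask, so the existing mask entry is kept as it is; entries not named in the command are left untouched by -m in any case. Because the mask is not widened, the new entry may be limited by it: check the #effective comment in the getfacl output afterwards.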


setfacl -n -m u:username:permissions file

Example:


setfacl -n -m u:john:rwx myfile

Conclusion

ACLs provide a powerful way to manage permissions on a more granular level than standard Unix permissions. Using setfacl, you can set and modify ACLs, while getfacl allows you to view them. This capability is especially useful in environments where multiple users or groups need specific access to files and directories.


