TechEarl

Linux ACLs: getfacl and setfacl Explained

Grant one user access to a file without changing its group, using POSIX ACLs with setfacl, reading them with getfacl, and setting defaults that new files inherit.

Ishan Karunaratne · 4 min read · Updated
Grant one Linux user access to a file without changing its group using POSIX ACLs with setfacl, and read them with getfacl.

The classic rwx model only has three slots: owner, one group, and everyone else. When you need to grant one extra person access to a file without making it world-readable or restructuring groups, that is what POSIX ACLs are for. Grant access with setfacl:

```bash
setfacl -m u:deploy:rw report.txt
```

setfacl -m adds a named-user entry; getfacl shows the base permissions plus the extra ACL entries and the mask.

Read the ACL with getfacl

```bash
getfacl report.txt
```

It prints the owner and group permissions plus any extra entries (user:deploy:rw-) and a mask line. The mask caps the maximum effective permission for named users and groups; if a named entry seems ignored, the mask is usually why.

The common operations

```bash
setfacl -m u:deploy:rw file        # give user deploy read/write
setfacl -m g:auditors:r file       # give group auditors read
setfacl -x u:deploy file           # remove deploy's entry
setfacl -b file                    # strip ALL ACLs, back to plain rwx
```

-m modifies/adds, -x removes one entry, -b removes everything. A file with extra ACLs shows a + at the end of its ls -l line (-rw-rw-r--+), which is the signal to run getfacl to see the full picture.

Default ACLs: new files inherit them

On a directory, a default ACL is applied to everything created inside it afterward, which is how you make a whole shared tree grant a user or group access automatically:

```bash
setfacl -d -m g:developers:rwx /srv/project    # default for new entries
setfacl -R -m g:developers:rwx /srv/project    # apply to existing entries too
```

-d sets the default (inherited) ACL; -R applies recursively to what is already there. You usually run both: -R for the current contents, -d for future ones.
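Two things in this article are easy to get wrong when reading getfacl output: which entries the mask actually caps, and what a file created under a default ACL ends up with (its mask is derived from the mode the creating call asked for, not from the directory's default, and files are normally created 0666, so the x in a default rwx never reaches them). The following is an added example, not code from the article or from the acl package; it parses the text format getfacl prints and applies the rules from acl(5) in pure Python, without touching a filesystem. The getfacl output and the default ACL it works on are constructed samples.

```python
"""Audit getfacl output under the mask, and simulate default-ACL inheritance.

Added example: applies the acl(5) rules to constructed data; it never
reads or writes ACLs on the host.
"""
import re

PERM_BITS = {"r": 4, "w": 2, "x": 1}

# Constructed getfacl output (not captured from a real system): the named
# user has rw- but the mask is r--, so the w never takes effect.
SAMPLE_GETFACL = """\
# file: report.txt
# owner: alice
# group: staff
user::rw-
user:deploy:rw-
group::r--
group:auditors:r--
mask::r--
other::---
"""


def perm_to_bits(perm):
    """'rw-' -> 6."""
    return sum(PERM_BITS[c] for c in perm if c in PERM_BITS)


def bits_to_perm(bits):
    """6 -> 'rw-'."""
    return "".join(c if bits & b else "-" for c, b in PERM_BITS.items())


def parse_getfacl(text):
    """Return (header dict, [(tag, qualifier, bits), ...]) from getfacl text."""
    header, entries = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            m = re.match(r"#\s*(\w+):\s*(.*)", line)
            if m:
                header[m.group(1)] = m.group(2)
            continue
        # Drop the "#effective:..." annotation getfacl appends when the mask bites.
        tag, qual, perm = line.split("#", 1)[0].strip().split(":", 2)
        entries.append((tag, qual, perm_to_bits(perm)))
    return header, entries


def effective_permissions(entries):
    """Map 'tag:qualifier' -> (requested, effective) bits.

    The mask caps named users, named groups and the owning group; the owner
    entry (user::) and other:: are never masked.
    """
    mask = next((b for t, _, b in entries if t == "mask"), None)
    out = {}
    for tag, qual, bits in entries:
        governed = (tag == "user" and qual != "") or tag == "group"
        eff = bits & mask if (governed and mask is not None) else bits
        out[f"{tag}:{qual}"] = (bits, eff)
    return out


def masked_entries(text):
    """Entries whose effective permission is narrower than what was requested."""
    _, entries = parse_getfacl(text)
    return [k for k, (req, eff) in effective_permissions(entries).items() if eff != req]


# Constructed default ACL of a directory after
#   setfacl -d -m g:developers:rwx /srv/project
# (setfacl fills in the default user::, group::, other:: and mask entries).
DEFAULT_ACL = [
    ("user", "", 7),
    ("group", "", 5),
    ("group", "developers", 7),
    ("mask", "", 7),
    ("other", "", 5),
]


def inherit_access_acl(default_acl, create_mode):
    """Access ACL a new object gets under a directory that has a default ACL.

    Per acl(5): the default ACL is copied, then the owner entry, the mask
    (or the owning group when there is no mask) and the other entry are
    ANDed with the matching bits of the mode the creating call asked for.
    The process umask is not applied at all.
    """
    owner_bits, group_bits, other_bits = (create_mode >> 6) & 7, (create_mode >> 3) & 7, create_mode & 7
    has_mask = any(t == "mask" for t, _, _ in default_acl)
    result = []
    for tag, qual, bits in default_acl:
        if tag == "user" and qual == "":
            bits &= owner_bits
        elif tag == "mask" or (tag == "group" and qual == "" and not has_mask):
            bits &= group_bits
        elif tag == "other":
            bits &= other_bits
        result.append((tag, qual, bits))
    return result


def inherited_effective(default_acl, create_mode):
    """Effective bits per entry on the new object (mask already applied)."""
    acl = inherit_access_acl(default_acl, create_mode)
    return {k: eff for k, (_, eff) in effective_permissions(acl).items()}


if __name__ == "__main__":
    for name in masked_entries(SAMPLE_GETFACL):
        print(f"{name}: capped by mask")
    for mode in (0o666, 0o777):  # open(2) default for files, mkdir(2) for directories
        for k, eff in inherited_effective(DEFAULT_ACL, mode).items():
            print(f"{oct(mode)} {k:20} {bits_to_perm(eff)}")
```

Running it reports user:deploy as capped by the mask in the sample, and shows that a regular file created under the default ACL gives developers rw- (mask rw-) while a subdirectory gives them rwx. That is the expected outcome: a default of rwx on a directory means "rwx on things that can have x", which for ordinary files created 0666 is rw-.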

When to reach for ACLs vs groups

Prefer a group when several users share access long-term; it is simpler and shows up everywhere. Reach for an ACL when you need a one-off exception ("just give Sam read on this one log") without creating a group or widening the file's group permissions. ACLs require the filesystem to be mounted with ACL support, which is the default on ext4 and xfs.


Ishan Karunaratne

Software Systems Architect · Senior Software Engineer · Engineering Leadership

Software systems architect and senior software engineer with more than two decades designing, building, and running production software, Linux systems, and DevOps infrastructure, and lately working AI into the stack. Now a CTO, though what I write here is drawn from the full arc of that work, across architecture, engineering, and operations, not any single job.
