TechEarl

Linux ACLs: getfacl and setfacl Explained

Grant one user access to a file without changing its group, using POSIX ACLs with setfacl, reading them with getfacl, and setting defaults that new files inherit.

Ishan Karunaratne · 4 min read

The classic rwx model only has three slots: owner, one group, and everyone else. When you need to grant one extra person access to a file without making it world-readable or restructuring groups, that is what POSIX ACLs are for. Grant access with setfacl:

```bash
setfacl -m u:deploy:rw report.txt
```
setfacl -m adds a named-user entry; getfacl shows the base permissions plus the extra ACL entries and the mask.

Read the ACL with getfacl

```bash
getfacl report.txt
```

It prints the owner, group and other permissions plus any extra entries (user:deploy:rw-) and a mask line. The mask caps the effective permission of named users, named groups and the owning group, and a plain chmod on the group bits rewrites it; if a named entry seems ignored, the mask is usually why, and getfacl points it out with an #effective: comment beside the capped entry.
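To make the mask rule concrete, here is an added example (not code from the article) that parses getfacl output and recomputes what each entry actually grants once the mask is applied. The input is a constructed getfacl listing for report.txt after the setfacl command above followed by a chmod g-w, which drops the mask to r--.

```python
# Constructed sample of getfacl output: `setfacl -m u:deploy:rw report.txt`
# followed by `chmod g-w report.txt`, which lowers the mask to r-- and
# silently caps the deploy user at read-only.
SAMPLE_GETFACL = """\
# file: report.txt
# owner: alice
# group: staff
user::rw-
user:deploy:rw-             #effective:r--
group::r--
mask::r--
other::r--
"""


def parse_getfacl(text):
    """Return (tag, qualifier, perms) tuples from getfacl output.

    Header comment lines (# file/owner/group) and the trailing '#effective:'
    notes are dropped; the effective permission is recomputed from the mask.
    """
    entries = []
    for line in text.splitlines():
        line = "" if line.startswith("#") else line.split("#", 1)[0].strip()
        if not line:
            continue
        tag, qualifier, perms = line.split(":")
        entries.append((tag, qualifier, perms))
    return entries


def effective_perms(entries):
    """Map 'tag:qualifier' to the permission the kernel will enforce.

    The mask applies to named users, named groups and the owning group
    (group::). The owner (user::) and other:: are never masked.
    """
    mask = next((p for t, _, p in entries if t == "mask"), "rwx")
    effective = {}
    for tag, qualifier, perms in entries:
        masked = (tag == "user" and qualifier != "") or tag == "group"
        if masked:  # positional AND of the rwx string against the mask
            perms = "".join(p if m != "-" else "-" for p, m in zip(perms, mask))
        effective[f"{tag}:{qualifier}"] = perms
    return effective


def capped_entries(text):
    """Return {entry: (granted, effective)} for entries the mask reduces."""
    entries = parse_getfacl(text)
    eff = effective_perms(entries)
    return {f"{t}:{q}": (p, eff[f"{t}:{q}"]) for t, q, p in entries if eff[f"{t}:{q}"] != p}


if __name__ == "__main__":
    for entry, (granted, got) in capped_entries(SAMPLE_GETFACL).items():
        print(f"{entry}: granted {granted} but the mask caps it to {got}")
```

Running it reports user:deploy as granted rw- but capped to r--, which is exactly the "entry seems ignored" symptom described above.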

The common operations

```bash
setfacl -m u:deploy:rw file        # give user deploy read/write
setfacl -m g:auditors:r file       # give group auditors read
setfacl -x u:deploy file           # remove deploy's entry
setfacl -b file                    # strip ALL ACLs, back to plain rwx
```

-m modifies/adds, -x removes one entry, -b removes everything. A file with extra ACLs shows a + at the end of its ls -l line (-rw-rw-r--+), which is the signal to run getfacl to see the full picture.

Default ACLs: new files inherit them

On a directory, a default ACL is applied to everything created inside it afterward, which is how you make a whole shared tree grant a user or group access automatically:

```bash
setfacl -d -m g:developers:rwx /srv/project    # default for new entries
setfacl -R -m g:developers:rwx /srv/project    # apply to existing entries too
```

-d sets the default (inherited) ACL; -R applies recursively to what is already there. You usually run both: -R for the current contents, -d for future ones. One caveat: -R with rwx also grants execute on every regular file in the tree; setfacl accepts a capital X (g:developers:rwX) to grant execute only on directories and on files that are already executable.

When to reach for ACLs vs groups

Prefer a group when several users share access long-term; it is simpler and shows up everywhere. Reach for an ACL when you need a one-off exception ("just give Sam read on this one log") without creating a group or widening the file's group permissions. ACLs require the filesystem to be mounted with ACL support, which is the default on ext4 and xfs.


Ishan Karunaratne

Tech Architect · Software Engineer · AI/DevOps

Tech architect and software engineer with 20+ years building software, Linux systems, and DevOps infrastructure, and lately working AI into the stack. Currently Chief Technology Officer at a healthcare tech startup, which is where most of these field notes come from.
