Linux Tactic

Mastering File and Directory Permissions with Setfacl Command in Linux

Managing permissions for files and directories can be a major headache, especially in environments with multiple users and groups. Linux systems have been using the standard Unix permissions model for several decades, but it has its limitations.

Access Control Lists (ACLs) are an alternative way of managing file and folder permissions that address some of the shortcomings of traditional Unix permissions.

In this article, we will focus on the setfacl command in Linux and explain how you can use it to manage ACLs. The setfacl command allows you to modify permissions for a file or directory, add new permissions, and change the default permissions for new files and directories.

We will also explore the various setfacl options that allow you to configure permissions in complex and recursive folder structures.

ACL and Its Advantages

ACL is an advanced method of managing file and folder permissions that goes beyond the limitations of Unix permissions, and it enables more granular control of permissions for users and groups. The standard Unix permissions system only knows about three types of permission settings: read, write, and execute.

These permissions can be set for the file owner, the group owner, and other users. But with ACL, you can set permissions for an individual user or group, in addition to the standard permissions for the owner of the file and the group.

ACL allows a file or directory owner to specify access rights for specific users, groups, and roles, offering better security and accessibility to users with more specific needs. An ACL is a set of ordered entries that contain the users or groups to which the entry applies, and the permission set for these users or groups.

Setfacl Command and Its Purpose

Setfacl is a command-line utility that is used to manage and modify ACLs. By default, the setfacl command allows you to add or modify access rules in an ACL without changing the original permissions of a file or folder. The command can also be used to modify the default permissions of new files and directories to be created in the specified directory.

Setfacl can set permissions for a file or directory for a specific user or group, and it can also set permissions recursively for all the contents of the directory.

The setfacl command also provides powerful options to work with default ACL access masks, which are used to set permissions for new files and directories within a directory, which take on the permissions inherited from their parent directory.

Additionally, setfacl can be used to back up and restore ACL permissions, copy permissions from one file to another, or completely remove a file or directory's ACL.

The Setfacl Command Options

Getting the current file permissions with getfacl option


Before you try to modify a file's or directory's ACL, you must determine the current permissions set on the file or directory. The getfacl command provides a way to view the current ACL.

The output generated by getfacl lists all the users and groups that have permission to access the file or folder.

For instance, running the following command will show you the permissions set on the file or directory specified:


$ getfacl <file>


$ getfacl <directory>


Grant custom permissions to a User

When granting custom permissions to a user, you must use the user’s username preceded by a “u”. You can grant the same permissions that standard Linux permissions provide (read, write or execute) to a single user or to multiple users. The following sets read-write permissions for a user:


$ setfacl -m u:<username>:rw <file>


Grant Custom permissions to a group

You can also grant custom permissions to a group using setfacl. To set custom permissions to a group, you must use the group name preceded by the letter “g”.

The following sets read-write permissions for a group:


$ setfacl -m g:<groupname>:rw <file>


Modify mask limit

In ACLs, the mask is a default access mask that determines how permissions are applied to new files or directories created within a folder that has a permission mask set. Changing the mask limit will affect the permissions available to other users or groups.

For instance, to set the mask limit for a directory to be the same as the group permissions, run this command:


$ setfacl -m m::rwx <directory>


Use the -n flag to prevent mask modification

To prevent the mask limit from changing when you modify individual user permissions, you can use the -n flag with setfacl. This flag ensures that modifying the permissions set for a particular user or group will not change the mask limit.

For instance, to grant read-only permission to a particular user without affecting the mask limit, run the following command:


$ setfacl -m u:<username>:r -n <file>
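
An added example (not from the original article): in POSIX ACLs the mask entry caps the rights of named-user, named-group and owning-group entries, while the owner and other entries are unaffected. The script below reads getfacl output and lists every entry whose effective rights are lower than what the entry says; the sample dump, paths, users and groups are constructed.

```sh
#!/bin/sh
# Constructed `getfacl -R` output; paths, users and groups are made up.
sample_acl() {
cat <<'EOF'
# file: shared/report.txt
# owner: alice
# group: staff
user::rw-
user:bob:rwx
group::r-x
group:audit:rw-
mask::r--
other::---

# file: shared/notes.txt
# owner: alice
# group: staff
user::rw-
user:carol:rw-
group::r--
mask::rw-
other::r--
EOF
}

# Reads getfacl output on stdin; prints "<file> <entry> <effective>" per capped entry.
masked_entries() {
  awk '
    function emit(   i, e, p, eff, k, c) {
      if (mask != "") for (i = 1; i <= n; i++) {
        split(ent[i], e, ":"); p = e[3]; eff = ""
        for (k = 1; k <= 3; k++) {          # effective = entry AND mask, per bit
          c = substr(p, k, 1)
          eff = eff ((c != "-" && substr(mask, k, 1) == c) ? c : "-")
        }
        if (eff != p) print file, e[1] ":" e[2], eff
      }
      n = 0; mask = ""
    }
    /^# file: /                 { emit(); file = substr($0, 9); next }
    /^#/ || /^$/ || /^default:/ { next }
    { sub(/[ \t]*#.*/, "") }                # drop "#effective:" annotations
    /^mask::/                   { mask = substr($0, 7, 3); next }
    /^user:[^:]/ || /^group:/   { ent[++n] = $0 }  # named users and all group entries
    END { emit() }
  '
}

sample_acl | masked_entries
```

On a live system, pipe `getfacl -R <directory>` into masked_entries instead of the sample.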


Setting default ACL permissions for a Directory

You can set default ACL permissions for a directory using the setfacl command with the -d flag. The -d flag will set the default ACL permissions, which will then be inherited by newly created files and directories inside the directory.

For example, to set the default permissions to read and write access for all users who are not part of the owner’s group, run the following command:


$ setfacl -d -m o::rw <directory>



Perform recursive changes with -R Flag

If you need to modify the ACL for a directory and all its subdirectories, you can use the -R flag with setfacl. The -R flag will apply the changes recursively to all directories and files underneath.

To modify the ACL of a directory and its subdirectories recursively, use the following command:


$ setfacl -R -m g::rw <directory>


Backup and Restore ACL Permissions

The setfacl utility provides a way to backup and restore ACL permissions using the -x and -k options. The -x option saves the current ACL permissions of a file or directory to a file, and the -k option reloads the ACL permissions from the backup file.

For example, to back up the current ACL permissions of a file named myfile to a backup file called old_acl_permissions, run the following command:


$ getfacl -R myfile > old_acl_permissions


To restore ACL permissions that were previously backed up, use the setfacl command with the -k flag, followed by the name of the backup file that you wish to load:


$ setfacl --restore=old_acl_permissions
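
The backup and restore commands above, run end to end with a check that the restored ACLs match the dump (an added example, not part of the original article). The directory layout is constructed and the named entry uses the current user's numeric id. Note that getfacl -R records relative paths, so the restore must run from the directory the dump was taken in, and that the reload is done by setfacl --restore (in setfacl, -x removes entries and -k removes the default ACL).

```sh
#!/bin/sh
# Returns 0 when the restored ACLs match the backup, 2 when the acl tools or
# filesystem ACL support are unavailable, 1 on any other failure.
acl_roundtrip() {
  command -v setfacl >/dev/null 2>&1 && command -v getfacl >/dev/null 2>&1 ||
    { echo "acl tools not installed" >&2; return 2; }
  work=$(mktemp -d) || return 1
  (
    cd "$work" || exit 1
    # Constructed layout: one directory, one subdirectory, one file.
    mkdir -p project/sub && : > project/sub/data.txt
    # Named-user entry applied recursively; fails where ACLs are unsupported.
    setfacl -R -m "u:$(id -u):rw" project 2>/dev/null || exit 2
    # Dump every ACL under project/ (paths are relative to $work).
    getfacl -R project > old_acl_permissions
    # -b strips all extended entries, simulating lost or damaged ACLs.
    setfacl -R -b project
    getfacl -R project > stripped
    cmp -s old_acl_permissions stripped && exit 1   # stripping must change something
    # Reload from the same directory, then compare against the dump.
    setfacl --restore=old_acl_permissions
    getfacl -R project | cmp -s - old_acl_permissions
  )
  rc=$?
  rm -rf "$work"
  return "$rc"
}

acl_roundtrip && echo "ACLs restored and verified" || echo "skipped or failed"
```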



Copying permissions from one file to another

Sometimes, it may be necessary to copy permissions from one file to another. The setfacl command provides an effortless way to achieve this through the -m option.

The syntax for copying permissions from one file to another would be:


$ getfacl <source_file> | setfacl --set-file=- <target_file>



In conclusion, managing permissions for files and directories using ACLs is efficient and easier with the setfacl command. The setfacl command allows you to modify the permissions of a file/directory without altering the overall file/directory permissions, set permissions recursively, set default ACL permissions for a directory and its subdirectories, back up and restore ACL permissions, and copy permissions from one file to another.

Using the setfacl options can directly enhance the security of storing and sharing files in a dynamic and collaborative working environment.

ACL vs POSIX Permissions


POSIX (Portable Operating System Interface) permissions are the traditional permissions model used by the Linux operating system. POSIX provides three levels of permissions: read, write, and execute that can be applied to the owner of the file, the group that owns the file, and everyone else.

While it can provide basic protection, it has limited functionality when it comes to multi-user systems where different users and groups require different levels of permission. In contrast, ACL is an advanced, flexible system that can handle granular permissions for different groups of users and directories by enabling more refined access control over files and directories.

The major advantage of ACL is that it enables administrators to specify which users or groups can access a file or directory directly, without combining user accounts into groups. This can be immensely useful when managing the permissions of many different users that require more precise access to individual files or directories, in both individual and collaborative settings.

ACLs also provide the benefit of allowing more complex permission hierarchies, with different classes of users and groups that operate on different levels of access to different directory structures. In practical situations, this means a higher level of security and a more refined and manageable system for user access to distributed resources.

While POSIX permissions represented a significant step forward in terms of file permissions control, ACL is a more evolved system that represents the new generation of UNIX permission control. There are specific instances where we can see the benefits of using ACL permission sets.

Summary of ACL Advantages and Ease of Use

ACLs address the limitations of the standard Unix permissions model. They simplify and improve access controls and provide more flexible options for describing access.

ACLs can extend permissions beyond the traditional file owner and groups to more precise assignment using user account information, roles or additional access groups. Setfacl command provides the necessary CLI tools for managing ACLs, and it is relatively easy to use, especially when compared to other methods like editing files manually.

Users with appropriate system permissions can use setfacl to modify the access control lists (ACL) applied to specific files and folders. Setfacl also allows administrators and users with appropriate permission levels to alter the default permissions for files and directories, and it makes recursive updates a straightforward and efficient process.

When managing permissions for multiple users, particularly when multiple groups and access levels are required, it is recommended to use ACLs as they offer more management options than POSIX.

ACLs are often preferred over POSIX as they provide the ability to set permissions for individual users and groups with more precision.

This precision results in a more secure file system, where files can only be accessed, edited and changed by those who are authorized.


In conclusion, ACL is a more advanced and user-friendly system for controlling file and folder permissions than the traditional Unix permissions model, and the setfacl command provides an easy-to-use toolset to manage ACLs. The flexibility, precision and management options offered by ACL give system administrators a level of control over their file systems that was previously unavailable.

Its benefits are particularly evident when managing complex file and network systems made up of multiple users and groups. Thanks to ACL and Setfacl, security in Linux has never been so detailed and refined.

In conclusion, ACLs and the setfacl command offer a significant improvement over traditional POSIX permissions in Linux. ACLs provide more granular control over file and folder permissions, allowing for individual or group-based access rights.

Setfacl simplifies the management of ACLs by providing easy-to-use command-line options. The benefits of ACLs include enhanced security, better access control for multi-user environments, the ability to set default permissions, and simplified recursive changes.

By leveraging ACLs and setfacl, system administrators can achieve a higher level of security and efficiency in managing file and folder permissions. Takeaways from this article include the understanding that ACLs provide a flexible and advanced permission system that enhances security and enables precise control over access to files and directories.

The setfacl command streamlines ACL management, making it easier to implement and modify permissions. Embracing ACLs and setfacl empowers Linux users to optimize their file management system, ensuring that files are protected and accessible only to authorized individuals or groups.
