Setfacl command in Linux


The setfacl command sets ACLs (access control lists) from the command line. On the command line, a sequence of commands is followed by a sequence of file names.


-b, --remove-all: Delete all extended ACL rules; the basic ACL rules (owner, group, others) are retained.
-k, --remove-default: Delete the default ACL rules. If there are no default rules, no warning is issued.
-n, --no-mask: Do not recalculate the effective rights mask. setfacl recalculates the ACL mask by default unless a mask is explicitly specified.
--mask: Recalculate the effective rights mask even if an ACL mask is explicitly specified.
-d, --default: Set default ACL rules.
--restore=file: Restore ACL rules from a backup file (such a file can be generated by getfacl -R). Through this mechanism, the ACL rules of a whole directory tree can be restored. This option cannot be combined with any option other than --test.
--test: Test mode. The ACL rules of files are not changed; the resulting ACLs are listed instead.
-R, --recursive: Operate recursively on all files and directories.
-L, --logical: Follow symbolic links. By default, only symbolic links to files are followed and symbolic links to directories are skipped.
-P, --physical: Skip all symbolic links, including symbolic links to files.
--version: Output the version number of setfacl and exit.
--help: Output help information.
--: Marks the end of the command-line options; all subsequent arguments are treated as file names.
-: If the file name is -, setfacl reads the file names from standard input.
  • Options -m and -x are followed by ACL rules on the command line. Multiple ACL rules are separated by commas (,). Options -M and -X read ACL rules from a file or from standard input.
  • Options --set and --set-file set the ACL of a file or directory; the previous ACL is replaced.
  • Options -m (--modify) and -M (--modify-file) modify the ACL rules of a file or directory.
  • Options -x (--remove) and -X (--remove-file) delete ACL rules.

setfacl accepts the output format of the getfacl command when reading rules from a file using the -M and -X options. Each line has at least one rule, and a line starting with # is treated as a comment.

When the setfacl command is used on file systems that do not support ACLs, setfacl modifies the file permission bits. If the ACL rule does not match the file permission bits exactly, setfacl modifies the file permission bits to reflect the ACL rule as closely as possible, writes an error message to standard error, and returns with an exit status greater than 0.


The file owner and processes with the CAP_FOWNER capability can set the ACL of a file. (On current Linux systems, root is the only user with the CAP_FOWNER capability.)

ACL rules

The setfacl command recognizes the following rule formats:

[d[efault]:] [u[ser]:]uid [:perms] specifies the permissions of a named user, or of the file owner if uid is not specified.
[d[efault]:] g[roup]:gid [:perms] specifies the permissions of a named group, or of the file's owning group if gid is not specified.
[d[efault]:] m[ask][:] [:perms] effective rights mask
[d[efault]:] o[ther] [:perms] permissions of others

Appropriate ACL rules are used in modification and setting operations. For uid and gid, you can specify either a number or a name. The perms field is a combination of letters representing the permissions: read (r), write (w) and execute (x). Execute is only suitable for directories and some executable files. The perms field can also be given in octal format.

Rules for automatic creation

Initially, files and directories contain only the three basic ACL rules. For the rules to work properly, the following conditions must be met.

  • Three basic rules cannot be deleted.
  • Any rule that contains a specified username or group name must contain a valid permission combination.
  • Any rule that contains default rules must exist when used.

Definitions of ACL Terms

Let's first look at the definition of each term used in ACLs. Most of these terms come from the man page. Although it is a bit dry to copy them from there, they help in understanding what follows.

An ACL is made up of a series of Access Entries, each of which defines the permissions that a specific category has on a file. An Access Entry has three components: entry tag type, qualifier (optional), and permission.

Let’s first look at the most important Entry tag type, which has the following types:

ACL_USER_OBJ: Permission equivalent to file_owner in Linux
ACL_USER: Defines permission that additional users can own for this file
ACL_GROUP_OBJ: Permission equivalent to group in Linux
ACL_GROUP: Defines permission that additional groups can own for this file
ACL_MASK: Defines the maximum permissions of ACL_USER, ACL_GROUP_OBJ and ACL_GROUP (which I will discuss later)
ACL_OTHER: Permission equivalent to other in Linux

Let's illustrate with an example, using the getfacl command to view a file that has an ACL defined:

[root@host ~]# getfacl ./test.txt
# file: test.txt
# owner: root
# group: admin
user::rw-
user:john:rw-
group::rw-
group:dev:r--
mask::rw-
other::r--

The first three lines, which begin with #, give the file name, file owner and group. This information is not very useful, so from here on we use --omit-header to omit it.

user::rw- defines ACL_USER_OBJ, indicating that the file owner has read and write permission
user:john:rw- defines ACL_USER, so that user john has read and write permission on the file, which achieves the goal we set at the beginning
group::rw- defines ACL_GROUP_OBJ, indicating that the file's group has read and write permission
group:dev:r-- defines ACL_GROUP, so that the dev group has read permission on the file
mask::rw- defines ACL_MASK as read and write
other::r-- defines ACL_OTHER as read

From here we can see that ACLs let us define permissions for specific users and groups. Next, let's look at how to set the ACL of a file:

How to Set ACL Files

First, let's look at the format of ACL entries. From the example above, we can see that each Access Entry consists of three fields separated by colons (:). The first one is the entry tag type.

user corresponds to ACL_USER_OBJ and ACL_USER
group corresponds to ACL_GROUP_OBJ and ACL_GROUP
mask corresponds to ACL_MASK
other corresponds to ACL_OTHER

The second field is the qualifier, which is john and the dev group in the example above. It defines the permissions of specific users and specific groups on the file. Here we can also see that only user and group have a qualifier; for the rest it is empty. The third field is the familiar permission. It is defined like an ordinary Linux permission, so I won't discuss it here.

Now let's see how to set the ACL of the test.txt file to meet our requirements above.

At first, the file has no additional attributes of ACL:

[root@host ~]# ls -l
-rw-rw-r-- 1 root admin 0 Jul 3 22:06 test.txt
[root@host ~]# getfacl --omit-header ./test.txt
user::rw-
group::rw-
other::r--

Let’s first give user John read and write access to the test.txt file:

[root@host ~]# setfacl -m user:john:rw- ./test.txt
[root@host ~]# getfacl --omit-header ./test.txt
user::rw-
user:john:rw-
group::rw-
mask::rw-
other::r--

Now we can see that user john has read and write permission on the file in the ACL. If we look at the Linux permissions at this point, we will notice something different.

[root@host ~]# ls -l ./test.txt
-rw-rw-r--+ 1 root admin 0 Jul 3 22:06 ./test.txt

At the end of the file permissions there is an additional + sign. When a file has an ACL_USER or ACL_GROUP entry, we can call it an ACL file, and this + sign is there to tell us so. We can also see that when a file has an ACL_USER or ACL_GROUP entry, ACL_MASK is defined as well.

Next, let’s set the dev group to have read permission:

[root@host ~]# setfacl -m group:dev:r-- ./test.txt
[root@host ~]# getfacl --omit-header ./test.txt
user::rw-
user:john:rw-
group::rw-
group:dev:r--
mask::rw-
other::r--

With that, we have fulfilled the requirements mentioned above. Simple, isn't it?

ACL_MASK and Effective Permission

Here we need to focus on ACL_MASK, because it is another key to mastering ACLs. As you know, in a Linux file permission such as rw-rw-r--, the middle rw- is the permission of the file's group. With ACLs, however, this is true only when ACL_MASK does not exist. If the file has an ACL_MASK value, the middle rw- represents the mask value instead of the group permission.

Let’s look at the following example:

[root@host ~]# ls -l
-rwxrw-r-- 1 root admin 0 Jul 3 23:10 test.sh

This shows that only the file owner, root, has read, write and execute/search permission. The admin group has only read and write permission. Now we want user john to have the same permission as root on test.sh.

[root@host ~]# setfacl -m user:john:rwx ./test.sh
[root@host ~]# getfacl --omit-header ./test.sh
user::rwx
user:john:rwx
group::rw-
mask::rwx
other::r--

Here we see that john now has rwx permission, and the mask value has been set to rwx as well, because the mask specifies the maximum permissions of ACL_USER, ACL_GROUP and ACL_GROUP_OBJ. Now let's look at the Linux permission of test.sh, which has become:

[root@host ~]# ls -l
-rwxrwxr--+ 1 root admin 0 Jul 3 23:10 test.sh

So what happens if users in the admin group try to execute the program? Permission will be denied. The reason is that the admin group actually has only read and write permission; the rwx shown here is the value of ACL_MASK, not the group's permission.

So whenever a file has a + sign after its permissions, we need to use getfacl to confirm its real permissions in order to avoid confusion.

Let's continue with another example. If we now set the mask of test.sh to read only, will users in the admin group still have write permission?

[root@host ~]# setfacl -m mask::r-- ./test.sh
[root@host ~]# getfacl --omit-header ./test.sh
user::rwx
user:john:rwx  #effective:r--
group::rw-   #effective:r--
mask::r--
other::r--

Now we can see a #effective:r-- beside ACL_USER and ACL_GROUP_OBJ. What does this mean? Let's review the definition of ACL_MASK once more: it specifies the maximum permission of ACL_USER, ACL_GROUP_OBJ and ACL_GROUP. So in our case, their maximum permission is read only. Although we have set other permissions for ACL_USER and ACL_GROUP_OBJ here, only the read permission is really effective.

When we look at the Linux file permission of test.sh, its group permission also shows the value of the mask (i.e. r--).

[root@host ~]# ls -l
-rwxr--r--+ 1 root admin 0 Jul 3 23:10 test.sh

Default ACL

All of the above is about Access ACL, that is, for files. Let me briefly talk about Default ACL. Default ACL refers to the Default ACL settings for a directory, and the files created under this directory will inherit the ACL of this directory.

Similarly, let’s do an experiment. For example, now the root user has created a dir directory:

[root@host ~]# mkdir dir

He wants all files created under this directory to be accessible by user john, so we should set a Default ACL on the dir directory.

[root@host ~]# setfacl -d -m user:john:rw ./dir
[root@host ~]# getfacl --omit-header ./dir
default:other::r-x

Here we can see that the ACL defines default entries, and user john has default read, write, execute/search permission. All defaults that are not defined are copied from the file permissions. Now the root user creates a test.txt file under dir.

[root@host ~]# touch ./dir/test.txt
[root@host ~]# ls -l ./dir/test.txt
-rw-rw-r--+ 1 root root 0 Jul 3 23:46 ./dir/test.txt
[root@host ~]# getfacl --omit-header ./dir/test.txt
group::rwx #effective:rw-

Here we see that for the file created under dir, user john automatically has read and write permission.
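The mask arithmetic from the ACL_MASK section and the inheritance described under Default ACL can be modelled without a file system. The following is an added example, not part of the original article: the helper names (parse, effective, ls_mode, inherit) are hypothetical, the sample ACL text is constructed to match the test.sh and dir scenarios, and it assumes that touch requests mode 0666 for a new file.

```python
# Added example: POSIX ACL mask arithmetic modelled in pure Python (no setfacl needed).
PERM = {"r": 4, "w": 2, "x": 1}
OWNER, GROUP, MASK, OTHER = ("user", ""), ("group", ""), ("mask", ""), ("other", "")

def bits(perms):                       # "rw-" -> 6
    return sum(PERM[c] for c in perms if c in PERM)

def sym(n):                            # 6 -> "rw-"
    return "".join(c if n & b else "-" for c, b in PERM.items())

def parse(text, default=False):
    """getfacl-format text -> {(tag, qualifier): bits}; default=True selects default: lines."""
    acl = {}
    for line in text.splitlines():
        line = line.split("#")[0].strip()          # drop comments and #effective notes
        if not line or line.startswith("default:") != default:
            continue
        tag, qual, perms = line.replace("default:", "", 1).split(":")
        acl[(tag, qual)] = bits(perms)
    return acl

def effective(acl):
    """ACL_MASK caps ACL_USER, ACL_GROUP_OBJ and ACL_GROUP; owner and other are exempt."""
    mask = acl.get(MASK, 7)
    return {k: sym(p if k in (OWNER, OTHER, MASK) else p & mask) for k, p in acl.items()}

def ls_mode(acl):
    """Permission string ls -l prints: the middle triplet is the mask when one exists."""
    mid = acl.get(MASK, acl[GROUP])
    return "-" + sym(acl[OWNER]) + sym(mid) + sym(acl[OTHER]) + ("+" if len(acl) > 3 else "")

def inherit(default_acl, mode):
    """Access ACL of a file created with `mode` in a directory carrying this default ACL."""
    acl = dict(default_acl)
    acl[OWNER] &= (mode >> 6) & 7
    acl[MASK if MASK in acl else GROUP] &= (mode >> 3) & 7
    acl[OTHER] &= mode & 7
    return acl

# Constructed samples modelled on the article's test.sh and dir scenarios.
TEST_SH = "user::rwx\nuser:john:rwx\ngroup::rw-\nmask::rwx\nother::r--"
DIR_ACL = ("user::rwx\ngroup::rwx\nother::r-x\ndefault:user::rwx\ndefault:user:john:rw-\n"
           "default:group::rwx\ndefault:mask::rwx\ndefault:other::r-x")

if __name__ == "__main__":
    acl = parse(TEST_SH)
    print(ls_mode(acl), effective(acl))            # group slot shows the mask, not group::
    new_file = inherit(parse(DIR_ACL, default=True), 0o666)   # touch requests mode 0666
    print(ls_mode(new_file), effective(new_file))
```

For the new file, the inherited mask is cut down to rw- by the creation mode, which is why group::rwx carries an #effective:rw- note.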

ACL related commands

In the previous examples, we have seen that the getfacl command is used to read the ACL of a file, and setfacl is used to set the Access ACL of a file. There is also chacl, which is used to change the Access ACL and Default ACL of files and directories. You can see the man page for its specific parameters. I just want to mention chacl -B. It can completely delete the ACL attributes of files or directories (including the Default ACL). For example, when you use setfacl -x to delete all the ACL attributes of a file, the + sign still appears at the end of the file permissions, so the correct deletion method is to use chacl -B.

When using cp to copy files, we can now add the -p option. This copies the ACL attributes of the file along with the file, and gives a warning for ACL attributes that cannot be copied.

The mv command moves the ACL attributes of the file by default, and also gives a warning if the operation is not allowed.

Several points needing attention

If your file system does not support ACLs, you may need to remount it:

mount -o remount,acl [mount point]

If you use the chmod command to change the Linux file permissions, the corresponding ACL values change as well, and vice versa: changing the ACL values changes the file permissions.

