In Linux, traditional file permissions (rwxrwxrwx) work fine for basic access control. But what if you need to give specific users or groups access to a file without changing its ownership or group?
That’s where ACL (Access Control List) comes in.
It gives you more granular permission control, beyond just owner, group, and others.
Why Use ACL?
Let's assume that in your organisation:
- A file is owned by user chielo and group devs.
- You want to give sophy read-only access, but without changing the file's group or ownership.
Traditional permissions can’t do this. ACL can.
1. Check ACL Permissions
To view ACL entries:
getfacl <file>
Output:
file: secteam
owner: root
group: root
user::rwx
group::r-x
other::r-x
2. Add User-Specific ACL Permission
To give a specific user access:
setfacl -m u:<user>:<permissions> directory
Explanation:
-m = modify
u:grape:rx = give user grape read & execute permission
ACL output:
file: secteam
owner: root
group: root
user::rwx ( The file owner)
user:grape:rx ( ACL permission for user 'grape')
group::r-x ( group has read and execute permission)
other::r-x ( Others have read and execute permission)
3. Remove ACL Permission for a User
To remove a specific user's ACL entry:
setfacl -x u:<user> file.txt
Updated ACL output:
file: secteam
owner: root
group: root
user::rwx
group::r-x
other::r-x
4. Remove All ACL Permissions
To clear all ACL entries (except standard permissions):
setfacl -b file.txt
-b = remove all ACL entries
5. Set ACL for a Group
To give a group specific permissions:
setfacl -m g:systemadmin:r <file>
This gives read-only access to the entire systemadmin group.
Understanding the Mask
The mask defines the maximum permission that can be granted to users (except the owner) and groups via ACL.
Even if you set:
setfacl -m u:chielo:rw file.txt
If the mask is:
mask::r--
Then chielo will only have read access.
To update the mask:
setfacl -m mask:rw file.txt
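As an added example (not part of the original post), this Python snippet parses getfacl-style output and applies the mask rule described above: named users, the owning group, and named groups are limited by the mask, while the file owner and others are not. The sample ACL text and the function names are constructed for illustration.

```python
# Constructed sample in getfacl's output format (not taken from a real system).
SAMPLE = """\
# file: file.txt
# owner: root
# group: root
user::rw-
user:chielo:rw-
group::r--
group:systemadmin:rw-
mask::r--
other::r--
"""

def parse_acl(text):
    """Return a list of (tag, qualifier, perms) tuples from getfacl-style text."""
    entries = []
    for line in text.splitlines():
        # Drop '# file:' style headers and trailing '#effective:' comments.
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("default:"):
            continue  # default entries are inherited by new files, not checked on access
        tag, qualifier, perms = line.split(":", 2)
        entries.append((tag, qualifier, perms))
    return entries

def effective_acl(text):
    """Map 'tag:qualifier' to the permissions left after the mask is applied."""
    entries = parse_acl(text)
    mask = next((p for t, _, p in entries if t == "mask"), None)
    result = {}
    for tag, qualifier, perms in entries:
        if tag == "mask":
            continue
        # The mask limits named users and every group entry, never owner or other.
        masked = mask is not None and (tag == "group" or (tag == "user" and qualifier))
        if masked:
            perms = "".join(p if p == m else "-" for p, m in zip(perms, mask))
        result[f"{tag}:{qualifier}"] = perms
    return result

def restricted_entries(text):
    """Return entries whose granted permissions are cut down by the mask."""
    granted = {f"{t}:{q}": p for t, q, p in parse_acl(text) if t != "mask"}
    effective = effective_acl(text)
    return {k: (granted[k], effective[k]) for k in granted if granted[k] != effective[k]}

if __name__ == "__main__":
    for entry, (granted, eff) in restricted_entries(SAMPLE).items():
        print(f"{entry}: granted {granted}, effective {eff}")
```

Running it on the sample shows that chielo and systemadmin were granted rw- but end up with r--, which is the situation the mask section describes.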
How to Know If a File Has ACL
Run:
ls -l
If you see a + sign at the end of the permission string:
-rw-r--r--+ 1 chielo devs 1024 Apr 15 file.txt
It means the file has ACLs applied.
Conclusion
ACLs are incredibly useful when you're managing permissions for multiple users or groups without disrupting existing setups.
Try experimenting with setfacl and getfacl on your test files and see the difference for yourself.