ACLs are extended permissions for users or groups in addition to the normal ugo/rwx file permissions. These can be assigned to files (access ACLs) and directories (default ACLs).
ACLs changes can be applied with the setfacl command or viewed with the getfacl command.
There are a number of arguments that can be used with the setfacl command, a few useful ones can be seen in the table below:
-m | add to or change (modify) the current ACL |
-x | removes a specific ACL entry eg: removing all permissions for a user |
-b | remove all the currently configured ACLs (careful with this one) |
Example: modifying an access ACL:
# initial test file with no extended permissions $ getfacl -c testfile user::rw- group::rw- other::r--
Add user1 to the ACL with read, write and execute (7) permissions
$ setfacl -m u:user1:7 testfile $ getfacl -c testfile user::rw- user:user1:rwx group::rw- mask::rwx other::r--
Add user3 to the ACL with read permissions 6 (r–)
$ setfacl -m u:user3:r testfile $ getfacl -c testfile user::rw- user:user1:rwx user:user3:r-- group::rw- mask::rwx other::r--
Remove user1 from the ACL altogether
$ setfacl -x u:user1 testfile $ getfacl -c testfile user::rw- user:user3:r-- group::rw- mask::rw- other::r--
Remove all ACL entries from file
$ setfacl -b testfile $ getfacl testfile user::rw- group::rw- other::r--