setfacl - Linux


Overview

setfacl is a command-line utility used to set and modify Access Control Lists (ACLs) on Linux file systems. ACLs provide a more flexible permission mechanism than traditional UNIX file permissions, allowing users to specify detailed access rights for multiple users and groups. This command is very useful in environments where complex access control is required, such as in multi-user systems or collaborative projects.

Syntax

The basic syntax for setfacl is:

setfacl [options] { -m|-M|-x|-X|-b|-n ... } file ...
  • -m, --modify: Modify the ACL of a file or directory.
  • -M, --modify-file: Modify the ACL of a file or directory using the ACL entries specified in a file.
  • -x, --remove: Remove specified ACL entries.
  • -X, --remove-file: Remove ACL entries specified in a file.
  • -b, --remove-all: Remove all extended ACL entries.
  • -n, --no-mask: Do not recalculate the effective rights mask.
  • file ...: One or more files or directories to apply the ACL changes.

Options/Flags

  • -m, --modify acl_spec: Modify the current ACLs of files. The ACL specifications must follow the format [ug]:name:perm.
  • -M, --modify-file file: Read ACL entries to modify from a file.
  • -x, --remove acl_spec: Remove specific ACL entries.
  • -X, --remove-file file: Read ACL entries to remove from a file.
  • -b, --remove-all: Remove all ACL entries, excluding the base entries.
  • -k, --remove-default: Remove the default ACL.
  • -d, --set-default: Set default ACLs which apply to newly created files and subdirectories.
  • --test: Test the ACL operations without applying changes.
  • -v, --version: Display version information and exit.
  • -h, --help: Display help message and exit.

Examples

1. Add a read permission to user john on file.txt:

setfacl -m u:john:r file.txt

2. Remove the ACL entry for group developers from project/ (with -x the entire entry is removed; any permissions field in the spec is ignored, so this does not merely take away w):

setfacl -x g:developers project/

3. Set multiple ACLs at once using a file:

First, create a file acl_entries.txt with ACL specifications:

u:lisa:rw
g:staff:rx

Then apply these ACLs:

setfacl -M acl_entries.txt some_directory

4. Remove all ACLs from a file:

setfacl -b some_file.txt
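As an added example (not code from the page or from the acl package), the following Python model shows the mask behaviour behind -m, -x and -n described above: why a user granted rw with setfacl -m can still end up with effective r-- when the mask entry is tighter, and why -x drops a whole entry rather than single permission bits. It assumes the entry syntax shown in the options and examples, covers the access ACL only (default ACLs are not modelled), and the sample ACL text is constructed.

```python
from collections import namedtuple

# Model of setfacl's mask handling, written for this example (access ACL only); not the acl package source.
TAGS = {"u": "user", "user": "user", "g": "group", "group": "group",
        "m": "mask", "mask": "mask", "o": "other", "other": "other"}
Entry = namedtuple("Entry", "tag qualifier perms")  # qualifier is '' for the base entries

# Constructed sample, in the form getfacl prints and -M/--set-file reads
SAMPLE = "# file: project\nuser::rw-\nuser:lisa:rw-\ngroup::r-x\ngroup:developers:rwx\nmask::rwx\nother::r--\n"

def parse_entry(spec):
    """'u:lisa:rw', 'mask::r-x', 'm:r' or 'g:developers' (perms omitted, as allowed for -x)."""
    parts = spec.strip().split(":")
    if len(parts) == 2:                       # one field omitted: qualifier for mask/other, else perms
        parts = [parts[0], "", parts[1]] if parts[0] in ("m", "mask", "o", "other") else parts + [""]
    if len(parts) != 3 or parts[0] not in TAGS:
        raise ValueError(f"invalid ACL spec: {spec!r}")   # the 'Invalid Arguments' case
    return Entry(TAGS[parts[0]], parts[1], frozenset(c for c in parts[2] if c in "rwx"))

def parse_acl(text):
    """Parse getfacl output or an -M/--set-file file; '# file:' and '#effective:' comments are dropped."""
    lines = (line.split("#", 1)[0].strip() for line in text.splitlines())
    return [parse_entry(line) for line in lines if line]

def recalculate_mask(entries):
    """What setfacl does unless -n is given: mask = union of named entries and the owning group."""
    if not any(e.qualifier or e.tag == "mask" for e in entries):
        return entries                        # minimal ACL without named entries: no mask needed
    union = frozenset().union(*(e.perms for e in entries if e.qualifier or e.tag == "group"))
    return [e for e in entries if e.tag != "mask"] + [Entry("mask", "", union)]

def modify(entries, spec, no_mask=False):
    """-m: add or replace one entry, then recalculate the mask unless -n or an explicit mask entry."""
    new = parse_entry(spec)
    entries = [e for e in entries if e[:2] != new[:2]] + [new]
    return entries if no_mask or new.tag == "mask" else recalculate_mask(entries)

def remove(entries, spec):
    """-x: drop the whole matching entry; a perms field in the spec ('g:developers:w') is ignored."""
    target = parse_entry(spec)
    return recalculate_mask([e for e in entries if e[:2] != target[:2]])

def effective(entries):
    """Rights actually granted (getfacl's '#effective:'): the mask caps named users, named groups and the owning group."""
    masks = [e.perms for e in entries if e.tag == "mask"]
    out = {}
    for e in entries:
        perms = e.perms & masks[0] if masks and (e.qualifier or e.tag == "group") else e.perms
        out[f"{e.tag}:{e.qualifier}"] = "".join(c if c in perms else "-" for c in "rwx")
    return out
```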

Common Issues

  • Permission Denied: Users must have adequate permissions to modify ACLs. Ensuring the user has the necessary rights or using sudo may resolve this.
  • Invalid Arguments: Errors in ACL syntax can lead to issues. Double-check the format and entries of ACL specifications.
  • Filesystem Support: Not all filesystems support ACLs. For filesystems that don’t, migrating to a compatible one like ext4 may be necessary.

Integration

setfacl can be used together with getfacl to replicate ACLs from one file to another:

getfacl file1.txt | setfacl --set-file=- file2.txt

This technique is useful for backing up and restoring file permissions.

  • getfacl: Display the ACLs of a file or directory.
  • chmod: Change file modes or Access Control Lists.
  • chown: Change file owner and group.

For more detailed information about ACLs and related commands, consult the man pages (man setfacl and man getfacl) or the GNU documentation at GNU.org.