
setfacl Command in Linux
The setfacl command in Linux is used to set file access control lists (ACLs), which provide a more flexible way of managing file permissions compared to traditional UNIX file permissions. ACLs allow you to set permissions for individual users and groups, in addition to the owner, group, and others.
Table of Contents
Here is a comprehensive guide to the options available with the setfacl command −
- Understanding setfacl Command
- Syntax for the setfacl Command
- setfacl Command Options and Parameters
- How to Use setfacl Command in Linux?
Understanding setfacl Command in Linux
Access Control Lists (ACLs) are used to define more fine-grained permissions for files and directories in Linux. The setfacl command is used to set these permissions, allowing you to specify access rights for individual users or groups.
Traditional UNIX file permissions (read, write, execute for owner, group, and others) are sometimes insufficient for complex access control scenarios. ACLs provide a way to specify permissions for multiple users and groups, giving you more control over who can access your files.
- Setting ACLs − Use the -m option to set ACLs for users and groups.
- Removing ACLs − Use the -x option to remove specific ACL entries, or -b to remove all ACLs.
- Default ACLs − Use the -d option to operate on a directory's default ACL, the set of entries copied to files and subdirectories created inside it later.
- Recursive ACLs − Use the -R option to apply the operation to a directory and everything below it.
- Mask Permissions − The mask entry caps the effective permissions of named users, named groups and the owning group; it does not limit the owner or others.
Syntax for the setfacl Command
The basic syntax of the setfacl command is −
setfacl [OPTION] -m|-x ACL FILE...
- OPTION: flags such as -R, -d or -n that change how the entries are applied. Options that remove entries wholesale (-b, -k) take no ACL argument.
- ACL: The access control list specification, one or more entries separated by commas.
- FILE: The file or directory to which the ACL should be applied; several may be listed.
setfacl Command Options and Parameters
Here are some commonly used options with setfacl:
- -m: Modify (add or change) ACL entries.
- -x: Remove the named ACL entries; the entry is given without permissions (u:john).
- -b: Remove all extended ACL entries, leaving only the owner, group and other base entries.
- -k: Remove the default ACL of a directory.
- -R: Apply the operation recursively to a directory and everything below it.
- -d: Operate on the default ACL of a directory instead of its access ACL (combine with -m or -x).
- -n: Do not recalculate the mask. Without it, every -m or -x call recomputes the mask from the remaining entries unless a mask entry is given explicitly.
How to Use setfacl Command in Linux?
ACL entries follow a specific format −
[entry_type]:[name]:[permissions]
- entry_type: u (user), g (group), m (mask) or o (other). Prefix the entry with d: (or default:) to make it a default entry for a directory.
- name: The user or group name, or a numeric ID. It is empty for the owner (u::) and the owning group (g::), and always empty for mask and other.
- permissions: r, w and x, written either as letters (rw) or as a three-character string with - for absent bits (rw-).
Example ACL Entries
- u:john:rwx: Set read, write, execute permissions for user john.
- g:developers:rw-: Set read, write permissions for group developers.
- m::rwx: Set the mask to read, write, execute.
- o::r--: Set read-only permissions for others.
Examples with Detailed Explanation
Let's start with a simple example. Suppose you have a file example.txt and you want to give read and write permissions to a user named john −
setfacl -m u:john:rw example.txt

This command modifies the ACL of example.txt to allow john to read and write the file.
Verifying ACL Entries
You can verify the ACL entries for a file using the getfacl command −
getfacl example.txt

The output lists the ACL entries for example.txt: the owner, group and other base entries, the new user:john:rw- entry, and a mask entry that setfacl created automatically when the first named entry was added (see Setting Mask Permissions below).
Setting ACL for a Group
If you want to set permissions for a group, you can use the g entry type. For example, to give the developers group read and execute permissions on a directory project −
setfacl -m g:developers:rx project

Removing ACL Entries
To remove an ACL entry, use the -x option and name the entry without its permissions. For example, to remove the entry for user john from example.txt −
setfacl -x u:john example.txt

This command removes the ACL entry for john, revoking the permissions previously granted.
Removing All ACL Entries
To remove all ACL entries from a file or directory, use the -b option −
setfacl -b example.txt

This command removes every extended entry from example.txt, including the mask, leaving only the standard owner, group and other permission bits. Because the mask is gone, the group bits shown by ls -l once again reflect the owning group's entry rather than the mask.
Setting Default ACL for a Directory
Default ACL entries are stored on a directory and copied to files and subdirectories created inside it afterwards; they change neither the directory's own access ACL nor anything that already exists. For example, to have new objects in the project directory readable and writable by the developers group −
setfacl -d -m g:developers:rw project

This command only adds a default entry to project. Files created in project later inherit a group:developers entry; existing contents are not touched, and to cover those as well you would run setfacl -R -m g:developers:rw project. Note that an inherited mask is further limited by the mode requested when an object is created (0666 for files created by most programs, 0777 for mkdir), so inherited execute bits never reach regular files.
Setting Mask Permissions
The mask entry is the upper bound on the effective permissions of named users, named groups and the owning group; the owner and others are not subject to it. For example, to cap those entries at read and write on example.txt −
setfacl -m m::rw example.txt

This command keeps every entry as written but trims what is effective; getfacl shows the trimmed value as an #effective: comment beside the entry. Be aware that every later setfacl -m or -x call recalculates the mask from the entries unless you pass -n, so an explicitly tightened mask is undone by the next ordinary modification. Once an ACL exists, ls -l shows the mask in the group position and appends a +, so a mode that reads rw-rw-r-- can hide a named user holding rwx.
Let's now take some practical scenarios.
Scenario 1: Collaborative Project Directory
You have a project directory that multiple users need to access. The owner should have full control, the developers group should be able to create, read and modify files in it, and others should only be able to list and read. A directory needs the execute bit for anyone who must enter it or open the files inside, so the group entry below is rwx and the others entry is r-x.
1. Create the Project Directory
mkdir project

2. Set the ACLs
setfacl -m u::rwx project
setfacl -m g:developers:rwx project
setfacl -m o::r-x project

The owner entry has no name (u::, not u:owner); the u:: and o:: entries simply rewrite the owner and other permission bits of the mode. The three calls can be combined as setfacl -m u::rwx,g:developers:rwx,o::r-x project.

3. Verify the ACLs
getfacl project

Scenario 2: Default ACLs for a Shared Directory
You have a shared directory where new files and subdirectories should automatically inherit specific permissions. Give the team entry rwx rather than rw: a file created with mode 0666 has its inherited mask trimmed to rw- anyway, but a subdirectory inherits the entry as-is and needs the execute bit to be entered.
1. Create the Shared Directory
mkdir shared
2. Set the Default ACLs
setfacl -d -m u::rwx shared
setfacl -d -m g:team:rwx shared
setfacl -d -m o::r-x shared

Again the owner entry is written u::, not u:owner. setfacl copies u::, g:: and o:: from the directory's mode bits when it first creates a default ACL, so the first and third commands are only needed when you want values other than those; all three can be given at once as setfacl -d -m u::rwx,g:team:rwx,o::r-x shared.

3. Verify the Default ACLs
getfacl shared

4. Create a new File and Verify that it inherited the entries
touch shared/newfile
getfacl shared/newfile

getfacl on the new file shows group:team:rwx inherited from the default ACL with #effective:rw- beside it: touch creates the file with mode 0666, and the mask of an inherited ACL is limited by the group bits of that mode.

Scenario 3: Restricting Access with Mask Permissions
You have a file that several named users can access, but you want a hard cap on what any of them can do regardless of their individual entries. Set the mask last: each of the first two setfacl -m calls below recalculates it, and any later -m would do so again unless it is given -n.
1. Create the File
touch sensitivefile

2. Set the ACLs
setfacl -m u:user1:rwx sensitivefile
setfacl -m u:user2:rw sensitivefile
setfacl -m m::rw sensitivefile

3. Verify the ACLs and Mask
getfacl sensitivefile

user1's entry is still listed as rwx but carries #effective:rw- beside it, user2's rw- is unchanged, and the mask line reads mask::rw-.
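
The following script is a worked example added here; it is not code from the original page. It runs the mask and default-ACL behaviour described in Setting Default ACL for a Directory, Setting Mask Permissions and Scenarios 2 and 3 against real files and reads the results back with getfacl. It assumes the acl package is installed and that the temporary directory is on an ACL-capable filesystem; 1001, 1002 and 1003 are arbitrary numeric user and group IDs chosen so that no accounts have to exist (setfacl accepts numbers), and the entry_of helper is this example's own, not part of the acl tools.

```shell
#!/bin/sh
# Added example (not from the original page): exercises two ACL behaviours that
# are easy to get wrong, mask recalculation by `setfacl -m` and the fact that
# default ACLs only reach objects created later. Assumptions: the acl package
# is installed and $TMPDIR is on an ACL-capable filesystem; 1001/1002/1003 are
# arbitrary numeric IDs (setfacl accepts numbers, so no accounts need to exist).
set -eu

if ! command -v setfacl >/dev/null 2>&1 || ! command -v getfacl >/dev/null 2>&1; then
    echo "skipping: setfacl/getfacl not installed (package 'acl')" >&2
    exit 0
fi

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
if ! setfacl -m u:0:rwx "$WORK" 2>/dev/null; then
    echo "skipping: $WORK is not on a filesystem with POSIX ACL support" >&2
    exit 0
fi
setfacl -b "$WORK"    # drop the probe entry again

# entry_of FILE TAG -> "perms/effective" for the entry TAG (user:1001, group:1002,
# mask:), or "none" if there is no such entry. getfacl only prints "#effective:"
# next to an entry when the mask trims it; -c omits the header, -n keeps IDs
# numeric, -p suppresses the "Removing leading '/'" warning.
entry_of() {
    line=$(getfacl -c -n -p "$1" | grep "^$2:" || true)
    if [ -z "$line" ]; then
        echo none
        return
    fi
    perms=$(printf '%s\n' "$line" | cut -d: -f3 | cut -c1-3)
    case "$line" in
        *'#effective:'*) eff=${line##*#effective:} ;;
        *)               eff=$perms ;;
    esac
    printf '%s/%s\n' "$perms" "$eff"
}

# Every -m call recomputes the mask from the group-class entries unless -n is given.
mask_demo() {
    f="$WORK/example.txt"
    rm -f "$f"; : > "$f"; chmod 644 "$f"
    setfacl -m u:1001:rwx "$f"        # first named entry: mask := union(group::, named entries)
    s1=$(entry_of "$f" mask:)         # rwx/rwx
    setfacl -m m::rw "$f"             # tighten the mask explicitly
    s2=$(entry_of "$f" user:1001)     # rwx/rw-  entry kept, effective rights trimmed
    setfacl -m g:1002:rwx "$f"        # ordinary -m again: mask recalculated, tightening lost
    s3=$(entry_of "$f" user:1001)     # rwx/rwx
    setfacl -m m::rw "$f"
    setfacl -n -m u:1003:rwx "$f"     # -n leaves the mask alone
    s4=$(entry_of "$f" user:1003)     # rwx/rw-
    printf '%s %s %s %s\n' "$s1" "$s2" "$s3" "$s4"
}

# Default entries are copied to new objects only; use -R -m for existing ones.
default_demo() {
    d="$WORK/shared"
    rm -rf "$d"; mkdir "$d"; chmod 755 "$d"
    : > "$d/old"
    setfacl -d -m g:1002:rwx "$d"
    s1=$(entry_of "$d/old" group:1002)  # none: the existing file is untouched
    s2=$(entry_of "$d" group:1002)      # none: so is the directory's own access ACL
    : > "$d/new"                        # open(2) with mode 0666; umask is ignored when a default ACL exists
    s3=$(entry_of "$d/new" group:1002)  # rwx/rw-: inherited entry, mask trimmed by the 0666 mode
    mkdir "$d/sub"                      # mkdir(2) requests 0777, so a subdirectory keeps rwx
    s4=$(entry_of "$d/sub" group:1002)  # rwx/rwx
    setfacl -R -m g:1002:rwx "$d"       # what actually reaches the pre-existing file
    s5=$(entry_of "$d/old" group:1002)  # rwx/rwx
    printf '%s %s %s %s %s\n' "$s1" "$s2" "$s3" "$s4" "$s5"
}

echo "mask:    $(mask_demo)"
echo "default: $(default_demo)"
```

Run it as any user. The first output line shows the mask going rwx, rw-, rwx, rw- as ordinary -m calls recompute it and -n preserves it; the second shows that only the file and subdirectory created after setfacl -d carry the inherited entry, with the file's mask trimmed to rw- by its 0666 creation mode, and that the pre-existing file only gains the entry through -R -m.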

Conclusion
The setfacl command provides a powerful and flexible way to manage file and directory permissions in Linux. By using ACLs, you can specify permissions for individual users and groups, beyond the traditional UNIX file permissions. This allows for more granular control over access to your files and directories.
By understanding and utilizing the setfacl command, you can effectively manage access control in your Linux environment, ensuring that your files and directories are secure and accessible to the right users. When reviewing who can reach a file, look for the + that ls -l appends and read the getfacl output, because once an ACL exists the mode bits alone no longer tell the whole story.