Linux‎ > ‎

ACL on Linux -- setfacl examples

Thank you for visiting this page, this page has been update in another link ACL on Linux --setfacl
This is an article in addition to article ACL on Linux -- POSIX Access control list on linux

setfacl - set file access control lists


       This  utility sets Access Control Lists (ACLs) of files and directories.  On the command line, a sequence of commands is followed by a
       sequence of files (which in turn can be followed by another sequence of commands, ...).

       The options -m, and -x expect an ACL on the command line. Multiple ACL entries are separated by comma characters  (‘,’).  The  options
       -M, and -X read an ACL from a file or from standard input. The ACL entry format is described in Section ACL ENTRIES.

       The  --set  and --set-file options set the ACL of a file or a directory. The previous ACL is replaced.  ACL entries for this operation
       must include permissions.

       The -m (--modify) and -M (--modify-file) options modify the ACL of a file or directory.  ACL entries for this operation  must  include

       The  -x  (--remove) and -X (--remove-file) options remove ACL enries. Only ACL entries without the perms field are accepted as parame-
       ters, unless POSIXLY_CORRECT is defined.

       When reading from files using the -M, and -X options, setfacl accepts the output getfacl produces.  There is at most one ACL entry per
       line. After a Pound sign (‘#’), everything up to the end of the line is treated as a comment.

      Same as getfacl, if  setfacl  is  used on a file system which does not support ACLs, setfacl operates on the file mode permission bits. If the ACL does
       not fit completely in the permission bits, setfacl modifies the file mode permission bits to reflect the ACL as closely  as  possible,
       writes an error message to standard error, and returns with an exit status greater than 0.

Example 1   Granting an additional user read access

              setfacl -m u:lisa:r file

Example 2 Revoking write access from all groups and all named users (using the effective rights mask)

              setfacl -m m::rx file

Example 3 Removing a named group entry from a file’s ACL

              $ setfacl -x Tim johntest
              $ getfacl --omit-head --access johntest

Example 4 Copying the ACL of one file to another

              getfacl file1 | setfacl --set-file=- file2

Example 5 Copying the access ACL into the Default ACL

              getfacl --access dir | setfacl -d -M- dir

Example 6 remove all ACL from file

$ setfacl -b johntest
[john@dpool10 acltest]$ getfacl --omit-head --access johntest

Example 7 remove defalt ACL

$ setfacl -k johntest
$ getfacl --omit-head --default johntest
Example 8 -R     Apply operations to all files and directories recursively. This option cannot be mixed with ‘--restore’.
This command copy johntest2's ACLs then set all to dir johntest and its directories
getfacl johntest2 | setfacl -R --set-file=- johntest

More detail about ACL ENTRIES
       The setfacl utility recognizes the following ACL entry formats (blanks inserted for clarity):

       [d[efault]:] [u[ser]:]uid [:perms]
              Permissions of a named user. Permissions of the file owner if uid is empty.

       [d[efault]:] g[roup]:gid [:perms]
              Permissions of a named group. Permissions of the owning group if gid is empty.

       [d[efault]:] m[ask][:] [:perms]
              Effective rights mask

       [d[efault]:] o[ther][:] [:perms]
              Permissions of others.

       Whitespace between delimiter characters and non-delimiter characters is ignored.

       Proper ACL entries including permissions are used in modify and set operations. (options -m, -M, --set and --set-file).  Entries with-
       out the perms field are used for deletion of entries (options -x and -X).

       For uid and gid you can specify either a name or a number.

       The  perms  field  is a combination of characters that indicate the permissions: read (r), write (w), execute (x), execute only if the
       file is a directory or already has execute permission for some user (X).  Alternatively, the perms field can be an octal digit  (0-7).