How to Set Linux ACL using Setfacl and Getfacl

The Linux setfacl command lets you set extended Access Control Lists (ACLs) on files and directories. With chmod you can only set permissions for the owner, the owning group and everyone else; if you also need to grant permissions to a specific additional user, chmod cannot express that. setfacl solves exactly this problem.

For example, the traditional permission bits cannot give different users different permission sets on the same file or directory; Access Control Lists (ACLs) were introduced to fill that gap. You can view the ACL currently set on a file or directory with the getfacl command.

To use setfacl on a file or directory, the filesystem it lives on must have ACL support enabled. If the filesystem does not support ACLs, setfacl fails with an “Operation not supported” error. In that case, add the acl mount option for that filesystem in /etc/fstab, as described below, and then remount the filesystem.

Check if Kernel has ACL Support

Run the following command to check whether the kernel was built with ACL support for your filesystem: the matching POSIX_ACL option should be set to Y (if it is N instead, the kernel does not support ACLs and must be recompiled).

root@linoxide:/home# grep -i acl /boot/config*
CONFIG_EXT4_FS_POSIX_ACL=y
CONFIG_REISERFS_FS_POSIX_ACL=y
CONFIG_JFS_POSIX_ACL=y
CONFIG_XFS_POSIX_ACL=y
CONFIG_BTRFS_FS_POSIX_ACL=y
CONFIG_FS_POSIX_ACL=y
CONFIG_GENERIC_ACL=y
CONFIG_TMPFS_POSIX_ACL=y
CONFIG_HFSPLUS_FS_POSIX_ACL=y
CONFIG_F2FS_FS_POSIX_ACL=y
CONFIG_NFS_V3_ACL=y
CONFIG_NFSD_V2_ACL=y
CONFIG_NFSD_V3_ACL=y
CONFIG_NFS_ACL_SUPPORT=m
CONFIG_CIFS_ACL=y
CONFIG_9P_FS_POSIX_ACL=y

Checking if the filesystem supports ACL

You can try this with:

$ cat /etc/fstab

On some systems, looking at fstab will not tell you whether the filesystem has acl enabled, because it only shows "defaults" as the mount options:

root@linoxide:/home# cat /etc/fstab
LABEL=cloudimg-rootfs	/	 ext4	defaults	0 0

In that case you can use tune2fs, which lists the filesystem's default mount options, to check whether it is set up with acl support:

root@linoxide:/home# tune2fs -l /dev/sda1
tune2fs 1.42.9 (4-Feb-2014)
Filesystem volume name:   cloudimg-rootfs
Last mounted on:          /
Filesystem UUID:          2e294961-ce03-483e-a53e-ff3fc4514bd4
Filesystem magic number:  0xEF53
Filesystem revision #:    1 (dynamic)
Filesystem features:      has_journal ext_attr resize_inode dir_index filetype needs_recovery extent flex_bg sparse_super large_file huge_file uninit_bg dir_nlink extra_isize
Filesystem flags:         signed_directory_hash 
Default mount options:    user_xattr acl

If your filesystem has not been mounted with the ‘acl’ option, you can remount it with that option:

# mount -o remount -o acl /dev/sda1
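As an added example (not part of the article), the following Python script carries out the checks from this section and the previous one on text captured from the commands shown: it parses kernel config lines, an fstab entry and the tune2fs listing, and combines them into a single verdict for a mount point. One detail the grep output hides: the kernel build system writes a disabled option as "# CONFIG_X is not set" rather than "CONFIG_X=N", so the parser treats that form as disabled. All sample texts are constructed; the /data fstab line and the disabled btrfs option are my additions, and the FS_ACL_OPTION table covers only the filesystem types that appear in the article's grep output.

```python
import re

# Constructed sample of `grep -i acl /boot/config*` output. A disabled option
# is written as '# CONFIG_X is not set', never as 'CONFIG_X=n'.
SAMPLE_CONFIG = """\
CONFIG_EXT4_FS_POSIX_ACL=y
CONFIG_XFS_POSIX_ACL=y
# CONFIG_BTRFS_FS_POSIX_ACL is not set
CONFIG_FS_POSIX_ACL=y
CONFIG_NFS_ACL_SUPPORT=m
"""

# Constructed fstab: the article's root line plus an assumed data volume
# mounted with acl explicitly disabled.
SAMPLE_FSTAB = """\
LABEL=cloudimg-rootfs\t/\text4\tdefaults\t0 0
/dev/sdb1\t/data\text4\tdefaults,noacl\t0 0
"""

# Constructed excerpt of the `tune2fs -l /dev/sda1` output shown above.
SAMPLE_TUNE2FS = """\
tune2fs 1.42.9 (4-Feb-2014)
Filesystem volume name:   cloudimg-rootfs
Default mount options:    user_xattr acl
"""

# Per-filesystem kconfig option names (only the types from the article).
FS_ACL_OPTION = {
    "ext4": "CONFIG_EXT4_FS_POSIX_ACL",
    "xfs": "CONFIG_XFS_POSIX_ACL",
    "btrfs": "CONFIG_BTRFS_FS_POSIX_ACL",
    "tmpfs": "CONFIG_TMPFS_POSIX_ACL",
}


def parse_kconfig(text):
    """Map CONFIG_* names to 'y' (built in), 'm' (module) or 'n' (disabled)."""
    options = {}
    for line in text.splitlines():
        m = re.match(r"^(CONFIG_\w+)=(\w+)$", line)
        if m:
            options[m.group(1)] = m.group(2)
            continue
        m = re.match(r"^# (CONFIG_\w+) is not set$", line)
        if m:
            options[m.group(1)] = "n"
    return options


def kernel_acl_support(config_text, fstype):
    """True when the POSIX ACL core and the filesystem's own ACL option are
    built in or modular. Unknown filesystem types yield False."""
    opts = parse_kconfig(config_text)
    needed = ["CONFIG_FS_POSIX_ACL", FS_ACL_OPTION.get(fstype, "")]
    return all(opts.get(name) in ("y", "m") for name in needed)


def fstab_entry(fstab_text, mountpoint):
    """Return (fstype, [mount options]) for a mount point, or None."""
    for line in fstab_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and not fields[0].startswith("#") and fields[1] == mountpoint:
            return fields[2], fields[3].split(",")
    return None


def tune2fs_default_options(tune2fs_text):
    """Mount options the ext superblock applies by default."""
    m = re.search(r"^Default mount options:\s*(.*)$", tune2fs_text, re.M)
    return m.group(1).split() if m else []


def acl_status(config_text, fstab_text, tune2fs_text, mountpoint):
    """Combine the three checks into one verdict for a mount point.
    tune2fs_text is assumed to come from the device behind that mount point."""
    entry = fstab_entry(fstab_text, mountpoint)
    if entry is None:
        return "unknown mount point"
    fstype, options = entry
    if not kernel_acl_support(config_text, fstype):
        return "kernel lacks ACL support for %s" % fstype
    if "noacl" in options:
        return "acl disabled by mount option"
    if "acl" in options or "acl" in tune2fs_default_options(tune2fs_text):
        return "acl enabled"
    return "acl not requested; remount with -o acl"


if __name__ == "__main__":
    for mp in ("/", "/data"):
        print(mp, "->", acl_status(SAMPLE_CONFIG, SAMPLE_FSTAB, SAMPLE_TUNE2FS, mp))
```

On a real machine, feed the script the output of the three commands from this article (grep on /boot/config*, cat /etc/fstab, tune2fs -l on the device) instead of the constructed strings.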

Check for Required Packages

To use Linux ACLs, make sure the required packages are installed. Install them with yum or apt-get as shown below.

For RedHat based systems:

$ sudo yum install nfs4-acl-tools acl libacl

For Debian based:

$ sudo apt-get install nfs4-acl-tools acl

Now we can go through the various uses of the setfacl command. First, create a directory called “test_folder” as the root user.

root@linoxide:/home# mkdir test_folder

root@linoxide:/home# getfacl test_folder/
# file: test_folder/
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

1. Providing ACL for an individual User

Suppose you want to give the user “test” (any user will do) full access to the directory “test_folder”. With setfacl this is done as follows.

root@linoxide:/home# setfacl -m u:test:rwx test_folder/

root@linoxide:/home# getfacl test_folder/
# file: test_folder/
# owner: root
# group: root
user::rwx
user:test:rwx
group::r-x
mask::rwx
other::r-x

2. Providing ACL for all users of a group

If you want to give write permission on “test_folder” to all members of the group “testg”, you can do it the following way.

root@linoxide:/home# setfacl -m g:testg:w test_folder/
  
root@linoxide:/home# getfacl test_folder/
# file: test_folder/
# owner: root
# group: root
user::rwx
user:test:rwx
group::r-x
group:testg:-w-
mask::rwx
other::r-x
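As an added example, not part of the article, the following Python script parses getfacl listings like the ones in sections 1 and 2 and works out the effective permission of each entry, which is where the mask:: line matters: the mask caps what named users, the owning group and named groups actually get, and getfacl marks any entry the mask cuts down with a #effective: annotation. It also implements the lookup order from acl(5), which shows that a member of testg gets write access only, with no fall-through to the other:: entry. The first sample ACL is constructed to match the test_folder listing above; the second is my assumption of the same ACL after the mask has been narrowed to r-x (for example by chmod g-w test_folder, which rewrites the mask when an ACL is present).

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "tag qualifier bits default")
PERM_BITS = {"r": 4, "w": 2, "x": 1}

# Constructed sample: the getfacl output the article shows for test_folder
# after `setfacl -m u:test:rwx` and `setfacl -m g:testg:w`.
SAMPLE_ACL = """\
# file: test_folder/
# owner: root
# group: root
user::rwx
user:test:rwx
group::r-x
group:testg:-w-
mask::rwx
other::r-x
"""

# Constructed variant (assumption): the same ACL after the mask was narrowed
# to r-x, e.g. by `chmod g-w test_folder`. getfacl then flags every entry the
# mask cuts down with a '#effective:' annotation.
NARROW_MASK_ACL = """\
# file: test_folder/
# owner: root
# group: root
user::rwx
user:test:rwx\t\t#effective:r-x
group::r-x
group:testg:-w-\t\t#effective:---
mask::r-x
other::r-x
"""


def perm_to_bits(perm):
    """'rwx', '-w-' or the short form 'w' -> bitmask (rwx == 7)."""
    return sum(PERM_BITS[c] for c in perm if c in PERM_BITS)


def bits_to_perm(bits):
    """Bitmask -> 'rwx'-style string."""
    return "".join(c if bits & b else "-" for c, b in PERM_BITS.items())


def parse_getfacl(text):
    """Parse getfacl output into (header, entries).

    header holds file/owner/group from the comment block; entries are Entry
    tuples, with default: entries flagged. '#effective:' annotations are
    dropped because effective rights are recomputed from the mask."""
    header, entries = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            m = re.match(r"#\s*(file|owner|group):\s*(.*)", line)
            if m:
                header[m.group(1)] = m.group(2).strip()
            continue
        line = line.split("#", 1)[0].strip()     # drop '#effective:...'
        default = line.startswith("default:")
        if default:
            line = line[len("default:"):]
        tag, qualifier, perm = line.split(":", 2)
        entries.append(Entry(tag, qualifier, perm_to_bits(perm), default))
    return header, entries


def effective_entries(entries):
    """Access entries as (tag, qualifier, granted, effective) strings.

    The mask caps named users, the owning group and named groups; the owner
    entry (user::) and the other entry are never masked."""
    mask = next((e.bits for e in entries
                 if e.tag == "mask" and not e.default), None)
    rows = []
    for e in entries:
        if e.default or e.tag == "mask":
            continue
        masked = e.tag == "group" or (e.tag == "user" and e.qualifier != "")
        bits = e.bits & mask if (masked and mask is not None) else e.bits
        rows.append((e.tag, e.qualifier, bits_to_perm(e.bits), bits_to_perm(bits)))
    return rows


def check_access(acl_text, user, groups, requested):
    """Decide whether `user`, a member of `groups`, gets all of `requested`.

    Follows the acl(5) lookup order: owner, named user, owning group and
    named groups, other. Once a group entry matches there is no fall-through
    to the other entry, even if other would have granted the request."""
    header, entries = parse_getfacl(acl_text)
    want = perm_to_bits(requested)
    eff = {(t, q): perm_to_bits(p) for t, q, _, p in effective_entries(entries)}
    if user == header.get("owner"):
        return eff[("user", "")] & want == want
    if ("user", user) in eff:
        return eff[("user", user)] & want == want
    matching = [bits for (t, q), bits in eff.items() if t == "group"
                and (header.get("group") in groups if q == "" else q in groups)]
    if matching:
        return any(bits & want == want for bits in matching)
    return eff[("other", "")] & want == want


if __name__ == "__main__":
    for name, acl in (("mask rwx", SAMPLE_ACL), ("mask r-x", NARROW_MASK_ACL)):
        print(name)
        for tag, qual, granted, effective in effective_entries(parse_getfacl(acl)[1]):
            print("  %-6s %-6s granted %s effective %s" % (tag, qual, granted, effective))
        print("  testg member may write:", check_access(acl, "alice", ["testg"], "w"))
```

The practical lesson is the second listing: a later chmod on the group bits silently shrinks the mask, so user:test keeps "rwx" in the ACL but can no longer write, and group:testg loses its write access entirely. After changing mode bits on a file with an ACL, re-run getfacl and look for #effective: annotations.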

3. Revoking acl of a user/group

To revoke the entries we added for the user test and the group testg, use setfacl with the -x option as follows.

root@linoxide:/home# setfacl -x u:test,g:testg test_folder/

root@linoxide:/home# getfacl test_folder/
# file: test_folder/
# owner: root
# group: root
user::rwx
group::r-x
mask::rwx
other::r-x

4. Copying ACL of one file/directory to another

If you want test_folder1 to carry the same ACL as test_folder, you can copy the ACL as follows.

root@linoxide:/home# getfacl test_folder/ > acl.txt
root@linoxide:/home# mkdir test_folder1
root@linoxide:/home# setfacl -M acl.txt test_folder1/
root@linoxide:/home# getfacl test_folder1/
# file: test_folder1/
# owner: root
# group: root
user::rwx
user:test:rwx
group::r-x
group:testg:-w-
mask::rwx
other::r-x

Conclusion

In this article we have seen the basic usage of the getfacl and setfacl tools to set and revoke Access Control List permissions on test_folder. We also learned how to check for kernel and filesystem ACL support and how to install the required packages. If you have any thoughts or comments about Linux ACLs, please leave them in the comments section below.

Bobbin Zachariah 7:54 pm

Comments


3 Comments

  1. This works great for setting file- or directory-specific permissions recursively. Just change the type option to d for directories.

    *** This example removes the ACL from all files below the path
    find /path/to/start/from -type f -exec setfacl -b {} +