How to Set Linux ACL using Setfacl and Getfacl

The Linux command setfacl lets you set extended Access Control Lists on files and directories. With chmod you can only set permissions for the owner, the group and everyone else; if you need to grant permissions to some other user as well, chmod cannot do it. setfacl solves that problem.

For example, with chmod alone we cannot set up different permission sets for different users on the same directory or file. Access Control Lists (ACLs) were introduced to fill that gap. You can view the current ACL set on files and directories with the getfacl command.

To use setfacl on a file or directory, the filesystem it resides on must have ACL support enabled. If the filesystem does not support ACLs, you will get an “Operation not supported” error. In that case you need to add the acl option to the filesystem’s entry in /etc/fstab and then remount the filesystem; the checks and the remount command are shown in the following sections.

Check if Kernel has ACL Support

Run the following command to check that the kernel was built with ACL support for your filesystem: the relevant POSIX_ACL option must be set to y (if it is n instead, the kernel does not support ACLs and needs to be recompiled).

root@host:/home# grep -i acl /boot/config*
CONFIG_EXT4_FS_POSIX_ACL=y
CONFIG_REISERFS_FS_POSIX_ACL=y
CONFIG_JFS_POSIX_ACL=y
CONFIG_XFS_POSIX_ACL=y
CONFIG_BTRFS_FS_POSIX_ACL=y
CONFIG_FS_POSIX_ACL=y
CONFIG_GENERIC_ACL=y
CONFIG_TMPFS_POSIX_ACL=y
CONFIG_HFSPLUS_FS_POSIX_ACL=y
CONFIG_F2FS_FS_POSIX_ACL=y
CONFIG_NFS_V3_ACL=y
CONFIG_NFSD_V2_ACL=y
CONFIG_NFSD_V3_ACL=y
CONFIG_NFS_ACL_SUPPORT=m
CONFIG_CIFS_ACL=y
CONFIG_9P_FS_POSIX_ACL=y

Checking if the filesystem supports ACL

You can try this with:

$ cat /etc/fstab

On some systems, looking at fstab will not tell you whether the filesystem supports ACLs, because it lists just "defaults" as the mount options:

root@host:/home# cat /etc/fstab
LABEL=cloudimg-rootfs	/	 ext4	defaults	0 0

In that case you can use the following command to check whether acl is among the filesystem’s default mount options, which are what "defaults" in fstab enables:

root@host:/home# tune2fs -l /dev/sda1
tune2fs 1.42.9 (4-Feb-2014)
Filesystem volume name:   cloudimg-rootfs
Last mounted on:          /
Filesystem UUID:          2e294961-ce03-483e-a53e-ff3fc4514bd4
Filesystem magic number:  0xEF53
Filesystem revision #:    1 (dynamic)
Filesystem features:      has_journal ext_attr resize_inode dir_index filetype needs_recovery extent flex_bg sparse_super large_file huge_file uninit_bg dir_nlink extra_isize
Filesystem flags:         signed_directory_hash 
Default mount options:    user_xattr acl

If your filesystem has not been mounted with the ‘acl’ option, you can re-mount it giving the needed option:

# mount -o remount -o acl /dev/sda1

Check for Required Packages

To use Linux ACLs, make sure the required packages are installed. Below are the packages that need to be installed using yum or apt-get.

For RedHat based systems:

$ sudo yum install nfs4-acl-tools acl libacl

For Debian based:

$ sudo apt-get install nfs4-acl-tools acl

Now we can go through the various uses of the “setfacl” command. First, create a folder called “test_folder” as the root user.

root@host:/home# mkdir test_folder

root@host:/home# getfacl test_folder/
# file: test_folder/
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

1. Providing ACL for an individual User

Suppose you want to give the user “test” (it can be any user) full access to the directory “test_folder”. This can be done with setfacl as follows.

root@host:/home# setfacl -m u:test:rwx test_folder/

root@host:/home# getfacl test_folder/
# file: test_folder/
# owner: root
# group: root
user::rwx
user:test:rwx
group::r-x
mask::rwx
other::r-x

2. Providing ACL for all users of a group

If you want to give write permission to all users of the group “testg” on the folder “test_folder”, you can do it the following way.

root@host:/home# setfacl -m g:testg:w test_folder/

root@host:/home# getfacl test_folder/
# file: test_folder/
# owner: root
# group: root
user::rwx
user:test:rwx
group::r-x
group:testg:-w-
mask::rwx
other::r-x
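The mask::rwx entry that appears in the getfacl output above is what makes the -w- for testg effective: the mask caps every named user, named group and owning-group entry (never the owner or other), and setfacl recalculates it on each -m unless -n is given. The following Python is an added example, not code from the article: it parses the getfacl record format shown above, applies the mask the way the kernel does, and lists which non-owner principals can effectively write. The two records are constructed from the step 2 output; NARROW_MASK is an assumed variant with the mask tightened to r-x.

```python
# Constructed samples, not output from the article's host. PAGE_MASK is the
# record shown after step 2; NARROW_MASK is the same ACL with the mask
# tightened to r-x (what "setfacl -m m::rx" would leave behind).
PAGE_MASK = """\
# file: test_folder/
# owner: root
# group: root
user::rwx
user:test:rwx
group::r-x
group:testg:-w-
mask::rwx
other::r-x
"""
NARROW_MASK = PAGE_MASK.replace("mask::rwx", "mask::r-x")


def parse_getfacl(text):
    """Parse one getfacl record into header fields plus (tag, qualifier, perms)
    entries. Trailing '#effective:' annotations that getfacl prints are dropped;
    the mask is applied explicitly in effective_perms() instead."""
    acl = {"file": None, "owner": None, "group": None, "entries": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):                      # header comment line
            key, _, value = line[1:].strip().partition(": ")
            if key in acl:
                acl[key] = value
            continue
        tag, qualifier, perms = line.split("#")[0].strip().split(":")
        acl["entries"].append((tag, qualifier, perms))
    return acl


def effective_perms(acl):
    """Return {principal: effective rwx}. The mask caps named users, named groups
    and the owning group; it never applies to the owner (user::) or to other::."""
    mask = next((p for t, _, p in acl["entries"] if t == "mask"), "rwx")
    result = {}
    for tag, qualifier, perms in acl["entries"]:
        if tag == "mask":
            continue
        masked = tag == "group" or (tag == "user" and qualifier != "")
        eff = "".join(p if p != "-" and (not masked or m != "-") else "-"
                      for p, m in zip(perms, mask))
        result[f"{tag}:{qualifier}" if qualifier else tag] = eff
    return result


def non_owner_writers(acl):
    """Audit helper: principals other than the owner that can effectively write."""
    return sorted(k for k, p in effective_perms(acl).items()
                  if k != "user" and "w" in p)
```

Feeding it real output (for example getfacl -R over a tree) gives a quick audit of which ACL grants are actually live rather than silently cut back by the mask.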

3. Revoking the ACL of a user/group

If you want to revoke the permissions we gave to the user test and the group testg, you can use setfacl as follows.

root@host:/home# setfacl -x u:test,g:testg test_folder/

root@host:/home# getfacl test_folder/
# file: test_folder/
# owner: root
# group: root
user::rwx
group::r-x
mask::rwx
other::r-x

4. Copying ACL of one file/directory to another

Suppose you want test_folder1 to have the same ACL as test_folder. You can copy the ACL as follows (the output below assumes test_folder still carries the entries added in steps 1 and 2, before they were revoked in step 3).

root@host:/home# getfacl test_folder/ > acl.txt
root@host:/home# mkdir test_folder1
root@host:/home# setfacl -M acl.txt test_folder1/
root@host:/home# getfacl test_folder1/
# file: test_folder1/
# owner: root
# group: root
user::rwx
user:test:rwx
group::r-x
group:testg:-w-
mask::rwx
other::r-x

Conclusion

In this article we have seen the basic usage of the getfacl and setfacl tools to set and revoke ACL permissions on test_folder. We also learned how to check for kernel and filesystem ACL support and how to install the required packages. If you have any thoughts or comments about Linux ACLs, please write them in the comments section below.

Bobbin Zachariah 7:54 pm


Comments


  1. This works great for setting file- or directory-specific permissions recursively. Just change the type option to d for directories.

     *** this example removes acl from all files below the path
     find /path/to/start/from -type f -exec setfacl -b {} +