Quick take: ACLs give fine-grained permissions beyond owner/group/other. Use setfacl -m u:alice:rw file to grant alice read-write, getfacl file to view the ACL, and -d to set defaults that new files inherit.

Introduction

The standard Linux permission model has only three classes — owner, group, and others — which is sometimes too coarse. Access Control Lists (ACLs) add per-user and per-group permissions on top. The setfacl command sets them and getfacl displays them, giving precise control over who can access what.

Syntax

The basic syntax of the setfacl and getfacl commands is:

setfacl [OPTIONS] ACL FILE
getfacl FILE

Common Options and Parameters

The most useful options and parameters for the setfacl and getfacl commands:

Option             Description
-m u:user:perms    Modify — grant a user specific permissions.
-m g:group:perms   Grant a group specific permissions.
-x u:user          Remove a user's ACL entry.
-b                 Remove all ACL entries.
-R                 Apply recursively to a directory tree.
-d                 Set a default ACL that new files inherit.
getfacl FILE       Display the ACL of a file or directory.

Practical Examples

Real setfacl and getfacl commands you can run today:

# Grant a user read-write on a file
setfacl -m u:alice:rw report.txt
# Grant a group read-execute on a directory
setfacl -m g:devs:rx /srv/project
# View a file's ACL
getfacl report.txt
# Set a default ACL so new files inherit it
setfacl -d -m g:devs:rwx /srv/project
# Apply recursively
setfacl -R -m g:devs:rx /srv/project
# Remove all ACLs
setfacl -b report.txt

Tips and Best Practices

  • A + at the end of ls -l permissions (rw-r--r--+) signals that a file has an ACL — run getfacl to see it.
  • Use a default ACL (-d) on a shared directory so every new file automatically inherits the right group access.
  • ACLs require the filesystem to be mounted with ACL support, which is the default on modern ext4 and xfs.
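
When reviewing who has access across many files, it helps to reduce getfacl output to just the extra per-user and per-group entries. The filter below is an added example, not part of the original article: the function names acl_named_entries and sample_getfacl are hypothetical, the sample listing is constructed, and it goes one step beyond the text by using the mask line that getfacl prints to show each entry's effective permissions.

```shell
# Added example: list the named ACL entries in getfacl output read from stdin.
# Prints: <file> <access|default> <user|group> <name> <granted> <effective>
acl_named_entries() {
    awk '
    function flush(   i, k, c, m, eff) {
        for (i = 1; i <= n; i++) {
            m = (scope[i] == "default") ? dmask : amask; eff = ""
            for (k = 1; k <= 3; k++) {
                c = substr(perm[i], k, 1)
                # The mask caps named entries; with no mask, bits apply as-is.
                eff = eff ((m == "" || substr(m, k, 1) == c) ? c : "-")
            }
            print file, scope[i], kind[i], name[i], perm[i], eff
        }
        n = 0; amask = ""; dmask = ""
    }
    /^# file: / { flush(); file = substr($0, 9); next }
    /^#/ || /^[ \t]*$/ { next }
    {
        line = $0; s = "access"
        sub(/[ \t]*#.*/, "", line)           # drop "#effective:" notes
        if (sub(/^default:/, "", line)) s = "default"
        split(line, f, ":")
        if (f[1] == "mask") { if (s == "default") dmask = f[3]; else amask = f[3]; next }
        if ((f[1] == "user" || f[1] == "group") && f[2] != "")
            { n++; scope[n] = s; kind[n] = f[1]; name[n] = f[2]; perm[n] = f[3] }
    }
    END { flush() }'
}
# Constructed sample in getfacl output format, not captured from a real host.
sample_getfacl() {
    cat <<'EOF'
# file: srv/project
# owner: root
# group: devs
user::rwx
user:alice:rw-   #effective:r--
group::r-x
group:devs:rwx   #effective:r-x
mask::r-x
other::---
default:user::rwx
default:group::r-x
default:group:devs:rwx
default:mask::rwx
default:other::---
EOF
}
sample_getfacl | acl_named_entries
```

On a real tree, pipe getfacl -R /srv/project into acl_named_entries; a line whose granted and effective columns differ means the mask is narrowing that entry.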

Final Thoughts

ACLs, managed with setfacl and getfacl, extend Linux permissions beyond the basic three classes to per-user and per-group rules. They shine on shared directories, especially with default ACLs that propagate access to new files. When owner/group/other is not enough, ACLs provide the precision — look for the + in ls -l to spot them.

FAQ: setfacl and getfacl Commands in Linux

What is an ACL in Linux?

An Access Control List adds per-user and per-group permissions on top of the standard owner/group/other model, letting you grant specific people access to a file without changing its ownership.

How do I grant a specific user access to a file?

Use setfacl -m u:username:rw file to give that user read-write access. View the result with getfacl file.

How do I view a file's ACL?

Run getfacl file, which lists the owner, group, and any extra user or group entries with their permissions.

How do I make new files inherit permissions in a folder?

Set a default ACL on the directory: setfacl -d -m g:team:rwx /path. New files created there automatically receive that group access.

How do I know if a file has an ACL?

ls -l shows a + after the permission bits (for example rw-r--r--+) when a file has an ACL. Run getfacl to see the details.
