Installation guide
Chapter 16. Access Control Lists
3. Via the effective rights mask
4. For users not in the user group for the file
The setfacl utility sets ACLs for files and directories. Use the -m option to add or modify the ACL of
a file or directory:
setfacl -m rules files
Rules (rules) must be specified in the following formats. Multiple rules can be specified in the same
command if they are separated by commas.
u:uid:perms
Sets the access ACL for a user. The user name or UID may be specified. The user may be any
valid user on the system.
g:gid:perms
Sets the access ACL for a group. The group name or GID may be specified. The group may be
any valid group on the system.
m:perms
Sets the effective rights mask. The mask is the union of all permissions of the owning group and
all of the user and group entries.
o:perms
Sets the access ACL for users other than the ones in the group for the file.
Permissions (perms) must be a combination of the characters r, w, and x for read, write, and execute.
If a file or directory already has an ACL, and the setfacl command is used, the additional rules are
added to the existing ACL or the existing rule is modified.
For example, to give read and write permissions to user andrius:
setfacl -m u:andrius:rw /project/somefile
To remove all the permissions for a user, group, or others, use the -x option and do not specify any
permissions:
setfacl -x rules files
For example, to remove all permissions from the user with UID 500:
setfacl -x u:500 /project/somefile
16.3. Setting Default ACLs
To set a default ACL, add d: before the rule and specify a directory instead of a file name.
For example, to set the default ACL for the /share/ directory to read and execute for users not in the
user group (an access ACL for an individual file can override it):
setfacl -m d:o:rx /share
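The following Python is an added illustration, not code from the guide or from the acl package: it models the setfacl rule syntax described above, parsing comma-separated u:, g:, m: and o: rules (with the optional d: prefix for default ACLs), merging them the way -m does, dropping them the way -x does, and showing how the effective rights mask caps named user and group entries while leaving the owner and "others" entries untouched. It assumes, beyond what the guide states, that an empty qualifier (u:: or g::) denotes the file owner or owning group.

```python
def parse_perms(perms):
    """'rw' -> {'r', 'w'}; '' or '-' -> empty; anything but r, w, x is rejected."""
    if set(perms) - set("rwx-"):
        raise ValueError(f"bad permissions {perms!r}")
    return frozenset(perms) - {"-"}

def perms_to_str(perms):
    return "".join(c if c in perms else "-" for c in "rwx")

def parse_rule(rule):
    """Return (scope, tag, qualifier, perms); an empty qualifier means owner/owning group (assumption)."""
    fields = rule.strip().split(":")
    scope = "access"
    if fields[0] == "d":                               # default ACL rule, e.g. d:o:rx
        scope, fields = "default", fields[1:]
    if len(fields) == 2 and fields[0] in ("m", "o"):   # m:perms or o:perms
        return scope, fields[0], "", parse_perms(fields[1])
    if len(fields) == 3 and fields[0] in ("u", "g"):   # u:uid:perms or g:gid:perms
        return scope, fields[0], fields[1], parse_perms(fields[2])
    raise ValueError(f"unsupported rule {rule!r}")

def modify(acl, rules):
    """setfacl -m: add each rule, or replace the entry with the same tag and qualifier."""
    acl = dict(acl)
    for rule in rules.split(","):
        scope, tag, qual, perms = parse_rule(rule)
        acl[(scope, tag, qual)] = perms
    return acl

def remove(acl, rules):
    """setfacl -x: rules carry no permissions (e.g. 'u:500'); ':' is appended so they parse."""
    acl = dict(acl)
    for rule in rules.split(","):
        scope, tag, qual, _ = parse_rule(rule.strip() + ":")
        acl.pop((scope, tag, qual), None)
    return acl

def effective(acl, scope="access"):
    """Effective rights: named users, named groups and the owning group are capped by
    the mask; owner (u::) and others (o:) are not. No m: entry -> union, as above."""
    entries = {(t, q): p for (s, t, q), p in acl.items() if s == scope and t != "m"}
    capped = {k for k in entries if k[0] == "g" or k[1]}
    mask = acl.get((scope, "m", ""))
    if mask is None:                                   # mask = union of capped entries
        mask = frozenset().union(*(entries[k] for k in capped))
    out = {f"{t}:{q}": perms_to_str(p & mask if (t, q) in capped else p)
           for (t, q), p in entries.items()}
    out["m:"] = perms_to_str(mask)
    return out
```

Running effective() before and after modify(acl, "m:r") shows why a user granted rw via u:andrius:rw can still end up with read-only access: the mask, not the named entry, decides the effective rights.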
16.4. Retrieving ACLs
To determine the existing ACLs for a file or directory, use the getfacl command. In the example
below, the getfacl command is used to determine the existing ACLs for a file.