🎉 NEW YEAR SALE! 40% OFF on Annual Premium+ Plan - Till 31st Dec! Use SUPERSALE40 Shop Now →

How to Use setfacl and getfacl: ACLs Made Simple

Published On: 9 January 2026

Objective 

Access control is one of the most important parts of Linux system administration, yet many users still rely only on basic file permissions. Traditional read, write, and execute permissions work fine in simple situations, but they fall short when you want to give different levels of access to different users or groups. This is where Access Control Lists (ACLs) become useful. ACLs allow you to go beyond regular permissions and apply finer control. In this guide, you will learn how to use the setfacl and getfacl commands in a simple and practical way so that you can manage ACLs with confidence.

What Are ACLs and Why They Matter

ACL stands for Access Control List. It gives you the ability to assign special permissions to specific users or groups on a file or directory. Without ACLs, you are limited to permissions for the file owner, the group, and everyone else. This makes ACLs extremely useful when you want to give access to someone who is not the owner and not part of the group. ACLs help avoid unnecessary group changes or changing ownership of files, keeping permission management flexible and better suited for multi-user environments. Many companies and production environments rely on ACLs because they help maintain security without breaking existing setups. ACLs also make system administration cleaner and more organized since you can assign very specific permissions without touching the original ownership structure.

How ACLs Work in Linux

  • ACLs in Linux work alongside regular permissions, extending them rather than replacing them. When a file has ACL entries, the operating system considers both the standard owner/group/other bits and the ACL entries when deciding who can access the file.
  • ACLs can be applied to both directories and files. When applied to directories, ACLs can also control permissions that new files inherit when they are created inside the directory.
  • You can view, add, modify, and remove ACLs using two main commands: getfacl and setfacl. The getfacl command shows you what ACLs exist on a file or directory, while setfacl allows you to add or remove ACL entries. These tools are standard on almost all enterprise Linux systems, including RHEL, CentOS, Rocky Linux, and Ubuntu.

Checking ACL Support on a File System

Before working with ACLs, it is good to confirm that your file system supports them. Most modern file systems like ext4, XFS, and Btrfs support ACLs by default, though some legacy setups may have ACLs as an explicit mount option.

  • You can inspect mount options using the mount command:
mount | grep acl    # check if filesystem mentions ACL support
  • If ACL support is explicitly disabled on an older system, you may have to remount with ACLs enabled. For example:
mount -o remount,acl /home    # enable ACLs on /home (legacy scenarios)

On most modern systems, ACLs are already enabled by default, but understanding these options is still useful for troubleshooting.

Viewing ACLs with getfacl

The getfacl command displays the ACL entries for any file or directory. It clearly shows the owner, group, basic permissions, and any extended ACL permissions, making it easy to audit who has access.

  • Basic command to view ACLs
getfacl filename    # show ACLs of a file
  • Example:
getfacl /data/report.txt   # view ACL entries

If the file has no ACL entries, you will only see the basic owner and group permissions. When ACLs exist, you will see additional entries such as user, group, and mask lines.

  • Viewing ACLs on directories
getfacl /shared   # show ACLs on a directory

Directories often contain default ACLs that new files inherit. The getfacl output shows both the access ACL (for the directory itself) and any default ACLs that apply to new files created inside it.

Setting ACLs with setfacl

The setfacl command is used to assign, modify, or remove ACL entries. Once you understand a few basic options, managing ACLs becomes straightforward.

  • Giving a user permissions on a file

Suppose you want to give read permission on a file to a user named raj:

setfacl -m u:raj:r file.txt   # give read permission to user raj
  • To allow read and write access:
setfacl -m u:raj:rw file.txt   # allow user raj to read and write
  • Giving ACL permissions to a group

If you want a group named developers to have read and execute permission on a script:

setfacl -m g:developers:rx script.sh   # give rx permission to developers group
  • Removing ACL permissions

To remove a specific ACL entry for a user:

setfacl -x u:raj file.txt   # remove ACL entry for raj
  • To remove all ACLs from a file and reset it back to basic owner/group/other permissions:
setfacl -b file.txt   # remove all ACLs

Understanding the ACL Mask

The mask entry in an ACL often confuses beginners. The mask defines the maximum allowed permissions for all ACL users and groups (except the file owner), effectively acting as a permissions ceiling. Even if you assign full rwx permissions to a user through an ACL, the effective permission they receive is limited by the mask. For example, if the mask is set to r-x and you give a user rwx, they still only get r-x in practice. The mask is often adjusted automatically when you change ACLs, but you can also set it manually when troubleshooting.

  • Changing the mask manually
setfacl -m m:rw file.txt   # set ACL mask to rw

Always check the mask entry when ACLs appear correct but users still cannot access files as expected.

Default ACLs on Directories

Default ACLs apply only to directories. They define the permissions that new files or subdirectories inherit when they are created inside that directory, which is very useful for shared project trees.

  • Setting default ACLs for users

To give read and write permission to raj on all new files created inside /project:

setfacl -m d:u:raj:rw /project    # set default ACL for raj
  • Setting default ACLs for groups

To give the developers group read and write access on all new files in /project:

setfacl -m d:g:developers:rw /project    # default rw for developers group
  • Viewing default ACLs
getfacl /project    # shows access and default ACLs

Default ACLs save time and ensure consistent permissions, especially in shared working directories where many users collaborate.

Practical Real-World Examples

Here are some common situations where ACLs are extremely useful in daily Linux administration.

1. Allowing a specific user temporary access

If you want to give a user temporary full access to a configuration file:

setfacl -m u:john:rwx config.yaml   # temporary full access for john

After the work is complete, simply remove the ACL entry:

setfacl -x u:john config.yaml   # remove access for john

2. Shared project directory for a team

Teams often work inside a shared directory. Instead of constantly changing group ownership, apply ACLs at the directory level:

setfacl -m g:devteam:rwx /teamdata
setfacl -m d:g:devteam:rwx /teamdata   # default ACLs for new files

This ensures that every new file created inside /teamdata inherits the correct permissions for the devteam group.

3. Troubleshooting permission issues

If file permissions look correct but a user still cannot access the file, check the ACLs and mask:

getfacl filename      # inspect ACL entries and mask
setfacl -m m:rwx filename   # adjust mask if required

In many real-world cases, the mask silently restricts access even though individual ACL entries seem generous.

ACLs and Backup or Copy Operations

When copying files or directories that use ACLs, not every tool preserves ACL information by default. To make sure ACLs remain intact, use options that preserve extended attributes.

A simple and widely used approach is the archive option:

cp -a dir1 dir2   # preserve attributes, including ACLs where supported

The -a option implies recursive copy and attempts to preserve permissions, ownership, timestamps, and ACLs on supported file systems, making it ideal for backups.

Removing All ACLs from a Directory Tree

Sometimes you may want to clean a directory tree and remove every ACL inside it, returning everything to basic Unix permissions. You can combine find with setfacl for this.

find /project -exec setfacl -b {} \;   # remove ACLs from all files and directories

This recursively resets ACLs in /project, leaving only the standard owner, group, and other permission bits.

Common Mistakes with ACLs

ACLs are powerful, but a few common mistakes often cause confusion for beginners and even experienced administrators.

  • Forgetting the mask: Many people set ACL entries correctly but forget to check the mask. The mask acts as a limit on the maximum permissions granted to ACL users and groups, so an overly restrictive mask can silently block access.
  • Assuming default ACLs apply to old files: Default ACLs only affect files created after the default is set. Existing files in the directory keep their current permissions unless you update them manually or apply ACLs recursively.
  • Using chmod after setting ACLs: Using chmod after you carefully configure ACLs can change the mask or override aspects of your ACL configuration. A cleaner workflow is to set basic permissions first and then apply ACLs to refine access.
  • Confusing normal ACLs with default ACLs: Normal ACLs apply directly to files or directories and control current access. Default ACLs apply only to directories and affect new items created inside them. Mixing these concepts leads to surprises when new files do not behave as expected.

Verifying Effective Permissions

Even when ACLs are set, you may want to verify what a specific user can actually do. The getfacl output helps, but the namei command gives a clear breakdown of path-level permissions.

namei -l /path/to/file   # check permissions on each path component

This command shows permissions on every directory in the path, making it easier to spot where access is blocked.

Conclusion

Understanding ACLs through setfacl and getfacl gives you much better control over how files and directories are shared in a Linux environment. ACLs bring flexibility, reduce permission conflicts, and help avoid complicated ownership or group changes in shared setups. To practice these concepts hands-on and align them with RHCSA-level tasks, you can follow a structured lab here: https://linuxcert.guru/?name=rh134-control-access-acl. This will help reinforce ACL management skills in a real-world, exam-focused environment.