Learn how to use setfacl to fine-tune file and folder access permissions for specific users.

setfacl (from the acl package) lets you restrict access permissions for a user or group. These permissions need to be more restrictive than those you set with chmod, so it is a useful way to restrict read, write or execute permissions for specific users or groups.

Example

Let’s assume the folder and the file have these permissions:

$ ls -ld
drwxr-xr-x 2 ricardo ricardo 4096 nov  6 12:11 .
$ ls -l
total 4
-rw-r--r-- 1 ricardo ricardo 5 nov  6 12:11 test.txt

Any user can read test.txt because the folder is readable and executable by everyone and test.txt is readable by everyone. We don’t want a user called “juan” to be able to read the file. We can use setfacl to achieve this:

# run as root or with sudo
setfacl -m u:juan:- test.txt

Command structure

The structure of the setfacl command is:

  • Set permissions for a user:
    setfacl -m u:<user>:<permissions> <file or folder>
    
  • Set permissions for a group:
    setfacl -m g:<group>:<permissions> <file or folder>
    
  • Remove an entry:
    setfacl -x u:<user> <file or folder>
    

<permissions> are the same letters you use with chmod: r, w and x. A single - means the user or group has no permissions at all on the file or folder.

setfacl -m u:juan:rw file.txt
setfacl -m g:team:rx folder

getfacl

You can get the permissions for a file or folder with getfacl:

$ getfacl test.txt 
# file: test.txt
# owner: ricardo
# group: ricardo
user::rw-
user:juan:---
group::r--
mask::r--
other::r--
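To check what a given user actually ends up with, the getfacl output above can be parsed and evaluated in POSIX ACL order (owner, named user, matching groups, other), remembering that named-user and group entries are clipped by the mask entry. The following is an added example, not code from the original post: it uses the page's getfacl output for test.txt plus a constructed second listing (MASKED_ACL) where a named user is granted rw- but the mask allows only r--, and it assumes the caller supplies the user's group list.

```python
# getfacl output for test.txt, copied from the page above.
PAGE_ACL = """\
# file: test.txt
# owner: ricardo
# group: ricardo
user::rw-
user:juan:---
group::r--
mask::r--
other::r--
"""

# Constructed sample: juan's entry grants rw-, but mask::r-- clips it (getfacl marks this with #effective).
MASKED_ACL = """\
# owner: ricardo
# group: team
user::rw-
user:juan:rw-	#effective:r--
group::rw-	#effective:r--
mask::r--
other::---
"""

def parse_acl(text):
    """Return (owner, group, entries); entries maps (tag, qualifier) to an 'rwx' string."""
    meta, entries = {}, {}
    for raw in text.splitlines():
        line = raw.split("#effective:")[0].strip()  # drop getfacl's clipping hint
        if line.startswith("# "):
            key, _, value = line[2:].partition(": ")
            meta[key] = value
        elif line:
            tag, qualifier, perms = line.split(":")
            entries[(tag, qualifier)] = perms
    return meta.get("owner"), meta.get("group"), entries

def effective_perms(acl_text, user, user_groups):
    """Evaluate in POSIX ACL order (owner, named user, groups, other); named users and groups are limited by the mask."""
    owner, group, entries = parse_acl(acl_text)
    mask = entries.get(("mask", ""), "rwx")
    masked = lambda perms: "".join(c if c == m else "-" for c, m in zip(perms, mask))
    if user == owner:
        return entries[("user", "")]            # the owner entry is never masked
    if ("user", user) in entries:
        return masked(entries[("user", user)])
    # group class: union of every group entry the user belongs to, then clipped by the mask
    hits = [p for (tag, q), p in entries.items() if tag == "group" and (q or group) in user_groups]
    if hits:
        return masked("".join(max(bits) for bits in zip(*hits)))
    return entries[("other", "")]
```

Running effective_perms(PAGE_ACL, "juan", ["juan"]) returns "---", while the same call on MASKED_ACL returns "r--" even though juan's entry says rw-, which is the case to look for when an ACL grant seems not to take effect.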