How to use getfacl and setfacl to get and set access control lists (ACLs) on directories in Linux


The command "setfacl" stands for Set File Access Control Lists and "getfacl" for Get File Access Control Lists. Every file and directory in a Linux filesystem is created with a specific set of permissions that controls who may access it, and each user can be given a different set of access permissions. The permissions are set with the setfacl utility; to find out the access permissions of a file or directory we use getfacl. The getfacl command displays the access permissions of files and directories together with the file name, owner, group and the ACL (Access Control List) entries. When we create a directory it is created with a default set of access permissions, and with getfacl we can see those access rights.

What are the default access permissions for a newly created directory?

To find out, first open a terminal and change into the directory in which you want to create a subdirectory. Next type "mkdir <folder-name>" and press the ENTER key. This creates a folder with the default access permissions. To see those permissions, type

getfacl <folder-name>

Now you will see output from getfacl similar to the following:

# file: file-name
# owner:
# group: 
user::rwx
user:x:---
user:y:r--
group::r--
mask::rw-
other::---

Thus from the output of getfacl we can see the access permissions of a file. In the above example, when we type getfacl <file-name>, the output is shown in the above format. It displays the owner of the file, the owning group, and also the named users and their access rights. In the above case the named users are x and y: user 'x' has no permissions on this file, so its entry is shown as ---, indicating no read, write or execute permission, while user 'y' has r--, which means read-only rights. The mask entry is rw- (read/write); it is the upper bound on the permissions that named users and the group can actually exercise, so an entry granting more than the mask allows is effectively cut down to the mask.

How to copy the ACL of one folder to another?

Consider the example of copying the ACL of the directory "x" to the directory "y". First we need to know the ACL of "x". To obtain it, type the command

getfacl x

This displays the ACL of directory "x" in the format shown above:

# file: x
# owner:
# group:
user::rwx
user:x:---
user:y:r--
group::r--
mask::rw-
other::---

To copy the ACL of one directory to another we use the setfacl command with the --set-file option, which reads an ACL in getfacl's output format from a file, or from standard input when the file name given is "-". That is

setfacl --set-file=- y

As we want to copy the ACL of "x" to "y", we type the command

getfacl x | setfacl -R --set-file=- y

Here "getfacl x" gets the ACL of directory "x" and the pipe passes that output to the setfacl command (the "# file:", "# owner:" and "# group:" header lines are comments that setfacl ignores). Thus getfacl gives the ACL of directory "x" and

setfacl -R --set-file=- y

sets that ACL on directory "y". "-R" applies the ACL recursively, that is, to every file and sub-directory under "y" as well. Note that the same entries are then applied to regular files too, so an entry such as user::rwx that is appropriate for a directory also grants execute permission on those files.

How to make a child directory inherit the ACL of its parent?

To copy the ACL of the parent directory to one of its children, run the following command from inside the parent directory:

getfacl . | setfacl -R --set-file=- subdirectory_name

"getfacl ." gets the ACL of the current (parent) directory and setfacl applies it to the named sub-directory and everything below it. This copies the entries once; files and directories created later do not pick them up automatically. Automatic inheritance comes from default ACL entries on the parent (set with setfacl -d -m), which are applied to new files and sub-directories at creation time. Now, for verification, type:

getfacl subdirectory_name

and also

getfacl directory_name (the parent)

If both outputs show the same entries (only the "# file:" header line differs), the ACL of the sub-directory is the same as the ACL of the parent.
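As an added example (not part of the original article), the following POSIX shell helpers put the two procedures above into reusable form: copy_acl wraps the getfacl | setfacl --set-file=- pipeline from the copy section, acls_match performs the "compare the two getfacl outputs" check from the verification step without relying on eyesight, and effective_perms shows what the mask entry discussed under the getfacl output actually does, by annotating capped entries the same way getfacl's own #effective: annotation does. The function names, the directory names and the sample ACL dump are constructed for this example; only copy_acl and verify_copy need getfacl/setfacl installed, the text helpers work on any saved dump.

```shell
#!/bin/sh
# Added helpers for the ACL copy/verify procedure in the article (example code,
# not from the original page). Function names are constructed for this example.

# copy_acl SRC DST: replace the ACL of DST, and of everything under it (-R),
# with the ACL of SRC. --set-file=- reads getfacl's output format from stdin;
# the "# file:/# owner:/# group:" header lines are comments setfacl ignores.
# -p keeps absolute paths in the header instead of warning about a leading "/".
copy_acl() {
    getfacl -p "$1" | setfacl -R --set-file=- "$2"
}

# acl_normalize: filter getfacl text on stdin down to its entries, dropping the
# header, blank lines and "#effective:" annotations, so dumps taken from two
# different paths can be compared entry by entry.
acl_normalize() {
    sed -e 's/[[:space:]]*#effective:.*$//' -e '/^#/d' -e '/^$/d'
}

# acls_match DUMP_A DUMP_B: succeed when two getfacl dumps (given as strings)
# carry identical entries. This is the check the article does by eye.
acls_match() {
    acl_a=$(printf '%s\n' "$1" | acl_normalize)
    acl_b=$(printf '%s\n' "$2" | acl_normalize)
    [ "$acl_a" = "$acl_b" ]
}

# verify_copy SRC DST: acls_match against two live directories
# (-c omits the header, which would differ anyway).
verify_copy() {
    acls_match "$(getfacl -c "$1")" "$(getfacl -c "$2")"
}

# effective_perms: read a getfacl dump on stdin and append "#effective:" to
# every named-user, named-group and owning-group entry whose bits exceed the
# mask entry, as getfacl itself does. The owner (user::) and other:: entries
# are never limited by the mask; default:... entries pass through unchanged.
effective_perms() {
    awk '
        /^mask::/ { mask = substr($0, 7) }
        { lines[NR] = $0 }
        END {
            for (i = 1; i <= NR; i++) {
                l = lines[i]
                if (mask != "" && l ~ /^(user:[^:]+:|group:[^:]*:)/) {
                    perm = l
                    sub(/^[^:]*:[^:]*:/, "", perm)
                    eff = ""
                    for (k = 1; k <= 3; k++) {
                        c = substr(perm, k, 1)
                        m = substr(mask, k, 1)
                        bit = (c != "-" && c == m) ? c : "-"
                        eff = eff bit
                    }
                    if (eff != perm) l = l "\t#effective:" eff
                }
                print l
            }
        }'
}

# Stand-alone demonstration on a constructed dump (no setfacl needed):
# user:y and group:: exceed the mask rw- and get an #effective: annotation.
SAMPLE_ACL='# file: demo_dir
user::rwx
user:x:---
user:y:rwx
group::r-x
mask::rw-
other::---'
printf '%s\n' "$SAMPLE_ACL" | effective_perms
```

To use the live helpers, `copy_acl x y && verify_copy x y && echo "ACL of y matches x"` replaces the two manual getfacl comparisons in the text. The normalisation step matters because the `# file:` header always differs between two paths and getfacl appends `#effective:` only when the mask actually cuts an entry down, so a byte-for-byte `diff` of two dumps would report differences that are not ACL differences.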