When it comes to managing file permissions in Linux, Access Control Lists (ACLs) provide a powerful and flexible way to grant or restrict access beyond the traditional owner, group, and others settings. In this article, we’ll understand how you can view ACL permissions on a file in Linux, using various command examples.
Checking ACL Permissions with getfacl
The primary command for viewing ACL permissions in Linux is getfacl. This command displays the Access Control List for a given file or directory.
getfacl example.txt
The output of the getfacl command depends on the specific file or directory you are inspecting. However, I can provide you with a general example of what the output might look like. Let’s say you run getfacl on a file named example.txt:
$ getfacl example.txt
# file: example.txt
# owner: user1
# group: users
user::rw-
user:user2:r--
group::r--
mask::rwx
other::---
In this example:
- The file is named example.txt.
- The owner is user1, and the group is users.
- The owner has read and write permissions (user::rw-).
- user2 has only read permissions (user:user2:r--).
- The group has read-only permissions (group::r--).
- The mask (mask::rwx) is set to the maximum permissions allowed, indicating the effective permissions.
- Others have no permissions (other::---).
This output provides a detailed breakdown of the file’s ACL permissions for the owner, specific users, group, and others. The actual output may vary based on the existing permissions and ACL settings of the file you are inspecting.
Viewing ACL Permissions Verbosely
To get a more comprehensive view of the ACL permissions, you can use the -v option with getfacl.
getfacl -v filename
This will display not only the permissions but also additional information, such as the access mask and the default ACL if one exists.
Checking ACL Permissions Recursively
If you want to examine ACL permissions for a directory and its contents recursively, you can use the -R option.
getfacl -R directory
Replace directory with the path to the directory you want to inspect. This command will provide a detailed breakdown of ACL permissions for all files and subdirectories within the specified directory.
Interpreting the Output
Interpreting the output of ACLs (Access Control Lists) in Linux can initially seem complex, but breaking down the information provided by the getfacl command makes it more understandable. Let’s go through each section of the output:
File Information Section
The file information section in the output of ACLs (Access Control Lists) generated by the getfacl command provides essential details about the file being examined. This section includes metadata such as the file path, owner, and group. Here’s a breakdown of the components typically found in the file information section:
# file: example.txt
# owner: user1
# group: users
- File Path: Indicates the path or name of the file (example.txt).
- Owner: Specifies the user who owns the file (user1).
- Group: Specifies the group associated with the file (users).
User and Group Entries
In the context of ACLs (Access Control Lists) in Linux, user and group entries in the output of the getfacl command provide detailed information about the permissions granted to specific users and groups for a particular file. Let’s break down these entries:
user::rw-
user:user2:r--
group::r--
- User (owner) Entry (user::rw-): Describes the permissions for the owner (user1). In this example, the owner has read and write permissions (rw-).
- User (specific user) Entry (user:user2:r--): Specifies permissions for a specific user (user2). Here, user2 has read-only permissions (r--).
- Group Entry (group::r--): Indicates permissions for the group (users). In this case, the group has read-only permissions.
Mask Entry
The “Mask Entry” plays a crucial role in determining the effective permissions for users and groups. The mask is a part of the output generated by the getfacl command and is represented in the following format:
mask::rwx
- Mask Entry (mask::rwx): Represents the maximum permissions that can be granted by the ACL entries. It influences the effective permissions for users and groups. In this example, the mask is set to rwx (read, write, execute).
Other Entry
other::---
- Other Entry (other::---): Denotes permissions for all other users who are not the owner, a specified user, or part of the designated group. In this example, others have no permissions (---).
Interpreting Permissions
- Permissions are represented by a combination of letters:
  - r: Read
  - w: Write
  - x: Execute
  - -: No permission
In summary, for the file example.txt:
- The owner (user1) has read and write permissions.
- A specific user (user2) has read-only permissions.
- The group (users) has read-only permissions.
- The effective permissions are determined by the mask (rwx).
- Others have no permissions.
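The mask rule described above, as an added example that is not part of the original article: these shell functions read getfacl or getfacl -R output, apply the mask to named-user, owning-group and named-group entries (the owner and other entries are never masked), and list the named users or groups that end up with effective write access. The sample input, including the reports/ paths, user3 and the mask values, is constructed for illustration.

```shell
# Added example: reads getfacl / getfacl -R text on stdin; default: entries are skipped.
acl_effective() {
  awk '
    function and_perm(a, b,    i, c, out) {
      for (i = 1; i <= 3; i++) { c = substr(a, i, 1); out = out ((c != "-" && c == substr(b, i, 1)) ? c : "-") }
      return out
    }
    function emit(    i, f, masked) {
      for (i = 1; i <= cnt; i++) {
        split(entry[i], f, ":")
        # The mask caps named users, the owning group and named groups only.
        masked = have_mask && f[1] != "other" && !(f[1] == "user" && f[2] == "")
        printf "%s\t%s:%s\t%s\n", file, f[1], f[2], (masked ? and_perm(f[3], mask) : f[3])
      }
      cnt = 0; have_mask = 0
    }
    /^# file: /                    { emit(); file = substr($0, 9); next }
    NF == 0 || /^#/ || /^default:/ { next }
    $1 ~ /^mask::/                 { mask = substr($1, 7); have_mask = 1; next }
                                   { entry[++cnt] = $1 }
    END                            { emit() }
  '
}
# Named users/groups (non-empty qualifier) whose effective rights include write.
acl_named_writers() { acl_effective | awk -F'\t' '$2 !~ /:$/ && $3 ~ /w/ { print $1 "\t" $2 }'; }
# Constructed sample in getfacl -R format (reports/ paths and user3 are made up).
sample_acl() {
  cat <<'EOF'
# file: reports/q1.csv
# owner: user1
# group: users
user::rw-
user:user2:rw-    #effective:r--
group::r--
mask::r--
other::---

# file: reports/shared.log
# owner: user1
# group: users
user::rw-
user:user3:rw-
group::r--
mask::rw-
other::---
EOF
}
sample_acl | acl_named_writers   # prints: reports/shared.log<TAB>user:user3
```

On a live system, feed it real output instead of the sample, for example getfacl -R directory | acl_named_writers.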
Modifying ACL Permissions with setfacl
To modify ACL permissions, you can use the setfacl command. For example, to grant read and write permissions to a specific user:
setfacl -m u:username:rw filename
Replace username with the actual username and filename with the file you want to modify.
Removing ACL Permissions
If you need to remove ACL permissions, the -x option with setfacl can be employed.
setfacl -x u:username filename
This command removes specific ACL entries for the specified user.
Conclusion
Access Control Lists provide a flexible and granular approach to managing file permissions in Linux. Commands like getfacl and setfacl let you view and modify ACL permissions easily, enhancing the security and control over your files and directories on Linux.