Create access control entries using the SETFACL command in Linux


The setfacl command sets access control entries (ACEs) for users or groups. Access control entries are typically used when two or more users or groups need access to the same file or directory and each of them needs its own permissions. For example, members of group1 might need read, write, and execute permission to /var/www/html, while members of group2 need read and execute permission, but not write permission, to /var/www/html.

Configure the disk to use access control lists

In /etc/fstab, add the acl option to the file systems that should support access control entries; the option takes effect once the file system is remounted. In this example, acl is set on the / file system.

/dev/mapper/base-root  /   xfs   acl   0   0

Add access control entry

The -m (modify) option adds or changes the entries listed after it; a g: prefix marks an entry for a group. In this example, group1 is assigned read, write, and execute permission to /var/www/html, and group2 is assigned read and execute permission to /var/www/html.

~]# setfacl -m g:group1:rwx /var/www/html
~]# setfacl -m g:group2:r-x /var/www/html

The -R (recursive) option applies the access control entries to the specified directory and to every file and subdirectory below it. Note that an rwx entry then grants execute permission on regular files as well; setfacl accepts a capital X in place of x to grant execute only on directories and on files that already have execute permission.

~]# setfacl -R -m g:group1:rwx /var/www/html
~]# setfacl -R -m g:group2:r-x /var/www/html

The -d option sets default access control entries on a directory. Default entries do not grant access to the directory itself; they are copied into the access control entries of files and subdirectories created inside it afterwards, and existing files are left unchanged. They are therefore usually set in addition to the -m entries above.

~]# setfacl -d -m g:group1:rwx /var/www/html
~]# setfacl -d -m g:group2:r-x /var/www/html

Remove access control entry

The -x (remove) option together with a g: (group) entry removes a group's access control entry. In this example, the read, write, and execute permission to /var/www/html is removed for group1, and the read and execute permission to /var/www/html is removed for group2. Because the whole entry is removed, the entry can also be written without the permission field (for example g:group1).

~]# setfacl -x g:group1:rwx /var/www/html
~]# setfacl -x g:group2:r-x /var/www/html

The -b or --remove-all option removes all extended access control entries, including default entries, from a file or directory. The owner, group, and other permissions from the file mode are kept.

~]# setfacl -b /var/www/html

User

To add or remove access control entries for a user, write a u: (user) entry instead of a g: (group) entry.

~]# setfacl -m u:JohnDoe:rwx /var/www/html
~]# setfacl -m u:JaneDoe:r-x /var/www/html

Viewing access control entries

The getfacl command displays the access control entries of a file or directory (ls -l marks such files with a + after the mode bits). Besides the owner, group, and other entries, the output includes the mask entry that setfacl maintains automatically: the rights a named user, a named group, or the owning group can actually use are limited to those also present in the mask, and getfacl -e prints the effective rights next to each entry.

~]# getfacl /var/www/html
# file: /var/www/html
# owner: root
# group: root
user::rwx
user:JohnDoe:rwx
user:JaneDoe:r-x
group::r-x
group:group1:rwx
group:group2:r-x
mask::rwx
other::r-x
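A common surprise when auditing ACLs is that an entry such as group:group1:rwx does not guarantee write access: a later chmod on the directory rewrites the mask, not the group entry, and the effective rights shrink silently. The following script, added here as an example and not part of the original page or of the acl tools, parses long-form getfacl output (a constructed sample is embedded; in the sample the mask has been narrowed to r-x) and reports, for the access ACL and the default ACL separately, the rights each entry was granted next to what it can effectively use. The entry names JohnDoe, JaneDoe, group1 and group2 are taken from the page; the mask value and the helper names are assumptions.

```python
"""Report effective ACL rights from getfacl output (added example, not the page's own code)."""
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample: what `getfacl /var/www/html` could print after the commands
# on the page if the mask had later been narrowed to r-x (e.g. by a chmod g-w).
SAMPLE_GETFACL = """\
# file: var/www/html
# owner: root
# group: root
user::rwx
user:JohnDoe:rwx
user:JaneDoe:r-x
group::r-x
group:group1:rwx
group:group2:r-x
mask::r-x
other::r-x
default:user::rwx
default:group::r-x
default:group:group1:rwx
default:group:group2:r-x
default:mask::rwx
default:other::r-x
"""


class AclEntry(NamedTuple):
    default: bool    # True for "default:" entries, inherited by new files in the directory
    tag: str         # user, group, mask or other
    qualifier: str   # name for named user/group entries, "" for owner, owning group, mask, other
    perms: str       # nominal rights exactly as getfacl prints them, e.g. "rwx" or "r-x"


_PERMS = re.compile(r"[r-][w-][x-]")


def parse_getfacl(text: str) -> List[AclEntry]:
    """Parse the long-form output of getfacl into a list of entries."""
    entries: List[AclEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # "# file:", "# owner:", "# group:", "# flags:" header comments
        default = line.startswith("default:")
        if default:
            line = line[len("default:"):]
        parts = line.split(":")
        if (len(parts) != 3 or parts[0] not in ("user", "group", "mask", "other")
                or not _PERMS.fullmatch(parts[2])):
            raise ValueError(f"unrecognised ACL line: {raw!r}")
        entries.append(AclEntry(default, parts[0], parts[1], parts[2]))
    return entries


def apply_mask(perms: str, mask: str) -> str:
    """Effective rights are the intersection of the entry's rights and the mask."""
    return "".join(p if p == m else "-" for p, m in zip(perms, mask))


def effective_permissions(entries: List[AclEntry], default: bool = False) -> Dict[str, Tuple[str, str]]:
    """Map 'tag:qualifier' to (granted, effective) rights for the access or default ACL.

    The mask limits named users, named groups and the owning group; the owner
    entry and the other entry are never masked.
    """
    subset = [e for e in entries if e.default == default]
    mask = next((e.perms for e in subset if e.tag == "mask"), None)
    result: Dict[str, Tuple[str, str]] = {}
    for e in subset:
        if e.tag == "mask":
            continue
        masked = e.tag == "group" or (e.tag == "user" and e.qualifier != "")
        eff = apply_mask(e.perms, mask) if masked and mask is not None else e.perms
        result[f"{e.tag}:{e.qualifier}"] = (e.perms, eff)
    return result


def find_masked_entries(entries: List[AclEntry], default: bool = False) -> List[str]:
    """Entries that were granted more than the mask actually lets them use."""
    return [label for label, (granted, eff) in effective_permissions(entries, default).items()
            if granted != eff]


if __name__ == "__main__":
    acl = parse_getfacl(SAMPLE_GETFACL)
    for label, (granted, eff) in effective_permissions(acl).items():
        note = "  <-- narrowed by mask" if granted != eff else ""
        print(f"{label:16} granted {granted}  effective {eff}{note}")
    print("entries needing attention:", find_masked_entries(acl))
```

On a live system the same report can be produced by piping `getfacl <path>` into parse_getfacl; when an entry shows up as narrowed, the fix is to widen the mask (for example with a setfacl -m m::rwx entry) rather than to re-grant the user or group entry, which already holds the intended rights.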