
Mastering Linux ACLs: Beyond Standard Permissions

To understand Access Control Lists (ACLs), you first need to understand the standard Linux permission system—and where it fails. While the classic model is robust, it often hits a “brick wall” in complex environments.

The Standard Problem: “User, Group, Others”

Normally, every file in Linux has exactly three layers of permissions (the UGO model):

  1. User (Owner): Usually has full control.
  2. Group: A specific group of users with shared rights.
  3. Others: Everyone else on the system.

The Dilemma: What if you want to give write access to two different users who aren’t in the same group? Or give one group read-only access and another group full write access?

With the standard system, you would have to open permissions to “Others” (a security risk) or create highly complex nested groups.

The Solution: ACLs (The “Guest List”)

ACLs act like an extended guest list for your files and folders. They break the “one user, one group” rule. With ACLs, you can define:

  • The Owner can read & write.
  • The group “web-devs” can write.
  • The user “intern” can only read.
  • The user “backup-bot” can read.
  • Everyone else has zero access.

Technical Background: The “Hidden” Plus Sign

ACLs store additional metadata directly in the filesystem (as extended attributes on the inode). When an ACL is set on a file, the standard file listing (ls -l) changes slightly.

Standard: -rwxr-xr-x root root file.txt

With ACL: -rwxr-xr-x+ root root file.txt

The small + at the end of the permission string signals: “There are additional rules (ACLs) active here that you can’t see right now.”


Installation & Basic Usage

On modern Linux systems (Ubuntu, Debian, CentOS), ACL tools are almost always pre-installed. If not, you can get them via: sudo apt-get install acl

There are two primary commands you need to know:

  1. getfacl: To view permissions.
  2. setfacl: To modify permissions.

Viewing Permissions (getfacl)

To see who actually has access to a file, use:

getfacl my-file.txt

The output will look like this:

# file: my-file.txt
# owner: root
# group: root
user::rw-
user:tom:rwx        <-- The specific ACL user
group::r--
mask::rwx
other::r--
Note

ACL Mask (mask::)

The mask limits the effective permissions of all named ACL users and groups (except the owner).

Effective rights = ACL entry ∩ mask

Typical problem: A user is granted rwx, but getfacl shows #effective:r-x → writes are blocked → the application reports “File does not exist.”

Fix for e.g. upload/web server problems:

setfacl -m m::rwx .

Only opens the mask.
Does not add new users.
Only removes artificial write blocks.
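To make the mask rule concrete, here is an added example (not code from the original article) that parses getfacl output, computes effective rights as entry ∩ mask, and lists the entries whose write bit the mask silently removes. The getfacl output it works on is constructed; run the same functions on real getfacl output to audit a directory.

```python
# Added example (not from the original article): parse getfacl output, compute
# effective rights as entry AND mask, and flag entries whose write bit the mask
# removes. SAMPLE_GETFACL is constructed, not captured from a real system.
SAMPLE_GETFACL = """\
# file: upload
# owner: www-data
# group: www-data
user::rwx
user:tom:rwx
group::r-x
group:developers:rw-
mask::r-x
other::---
"""

def parse_getfacl(text):
    """Return (entries, mask); an entry is (tag, qualifier, set of rwx bits)."""
    entries, mask = [], None
    for raw in text.splitlines():
        line = raw.split("#effective")[0].strip()  # drop getfacl annotations
        if not line or line.startswith("#"):
            continue  # '# file:', '# owner:', '# group:' header lines
        tag, qualifier, perms = line.split(":")
        bits = {c for c in perms if c in "rwx"}
        if tag == "mask":
            mask = bits
        else:
            entries.append((tag, qualifier, bits))
    return entries, mask

def fmt(bits):
    return "".join(c if c in bits else "-" for c in "rwx")

def effective_rights(text):
    """Map 'tag:qualifier' -> (granted, effective). The mask caps named users,
    named groups and the owning group; user:: (owner) and other:: are exempt."""
    entries, mask = parse_getfacl(text)
    result = {}
    for tag, qualifier, bits in entries:
        masked = (tag == "user" and qualifier != "") or tag == "group"
        eff = bits & mask if (masked and mask is not None) else bits
        result[f"{tag}:{qualifier}"] = (fmt(bits), fmt(eff))
    return result

def write_blocked_by_mask(text):
    """Entries granted 'w' that lose it to the mask (the upload-failure symptom)."""
    return sorted(key for key, (granted, eff) in effective_rights(text).items()
                  if "w" in granted and "w" not in eff)

if __name__ == "__main__":
    print(effective_rights(SAMPLE_GETFACL), write_blocked_by_mask(SAMPLE_GETFACL))
```

For the sample, both tom and the developers group lose their write bit to mask::r-x, which is exactly the situation `setfacl -m m::rwx .` repairs.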

Setting Permissions (setfacl)

The command follows this logic: setfacl -m [type]:[name]:[permissions] [file] (Note: -m stands for modify).

Give a specific user access:

# Grant user 'tom' read and write (rw)
setfacl -m u:tom:rw file.txt

Give a specific group access:

# Grant group 'developers' full access (rwx)
setfacl -m g:developers:rwx file.txt

Recursive Application

If you want to apply changes to a folder and all files inside it, use the -R flag:

setfacl -R -m u:tom:rwx /var/www/html

Pro Feature: Inheritance (Default ACLs)

This is where many administrators struggle. If you set permissions on a folder, they don’t automatically apply to files created tomorrow.

For this, we use Default ACLs (d:). They act like the “genetic code” of a folder. Every new file or subfolder created inside will automatically inherit these rules.

The Command:

# Every NEW file in the 'project' folder will automatically grant 'tom' rwx rights.
setfacl -m d:u:tom:rwx /var/www/project

Practice Tip: Usually, you run both commands. One to fix the current files, and one to ensure the future is secure:

  1. setfacl -R -m u:tom:rwx /my/folder (Current)

  2. setfacl -R -m d:u:tom:rwx /my/folder (Future)


Removing Permissions

You can remove specific rules or wipe the slate clean.

Remove a specific user (-x for exclude):

setfacl -x u:tom file.txt

Remove all ACLs completely (-b for base/blank):

setfacl -b file.txt

This returns the file to standard Linux permissions.


Admin Cheat Sheet

Command / Flag              Meaning
getfacl [file]              Shows all permissions (including hidden ACLs).
setfacl -m u:user:rwx       Sets/modifies rights for a user.
setfacl -x u:user           Removes rights for a specific user.
setfacl -b                  Deletes all ACLs (returns to standard).
-R                          Recursive (applied to folders and subfolders).
d: (e.g., d:u:user:rwx)     Default (inheritance for future files).

Summary

ACLs build a bridge so that system services (like www-data) and human users can work together in the same directory peacefully without locking each other out. They are the essential tool for any Linux administrator dealing with multi-user environments.

Created: 04.01.2026

Last Updated: 05.01.2026