Access Control Lists (ACL) in Linux 🔒

Stop fighting chmod: Meet Linux ACLs (Access Control Lists)

How often do you use ACLs in Linux?

Traditional permissions (owner/group/other) are great - until you need to grant one extra user or group access to a single file or directory without changing its owner, group or mode.

That’s precisely what ACLs do: they let you “tack on” precise per-user or per-group permissions while keeping your base perms intact. They extend, not replace, standard UNIX permissions: the owner, group and other bits are still there as the user::, group:: and other:: entries, and the kernel checks an ACL in a fixed order (owner, then named users, then groups, then other). You manage them with setfacl/getfacl. POSIX ACL support is built into the usual Linux filesystems (ext4, XFS, Btrfs), and ls -l marks any file that carries an extended ACL with a trailing + after the mode.

Overview commands

setfacl: sets, modifies or removes ACL entries (-m modify, -x remove one entry, -b strip all extended entries)
getfacl: retrieves and displays ACL entries

Examples:

getfacl /etc/resolv.conf

Output:

# file: etc/resolv.conf
# owner: root
# group: root
user::rw-
group::rw-
other::r--

getfacl strips the leading slash from absolute paths (it says so on stderr; use -p to keep it), and the absence of a mask:: line tells you this file still carries only the classic mode bits, no extended entries.

Grant read-only access to user garrett:

setfacl -m u:garrett:r-- /etc/resolv.conf

getfacl now lists user:garrett:r-- plus a mask::rw- entry: every time you use -m, setfacl recomputes the mask as the union of group:: and all named user and group entries (pass -n to stop it).

Deny all permissions for user kenny:

setfacl -m u:kenny:--- /etc/resolv.conf

This works because a named-user entry is matched before group:: and other::, so kenny hits his own empty entry and never falls through to other::r--. It does not stop root, which bypasses DAC checks entirely.

15‑second cheat sheet

  • See what’s set: getfacl /path/to/file_or_dir (ls -l shows a trailing + when extended entries exist)
  • Give a user access: setfacl -m u:kenny:r-x /accounting
  • Give a group access: setfacl -m g:sales:rw /reports/q4.csv
  • Default ACLs for new items in a directory: setfacl -d -m g:sales:rw /share (use rwx if sales must enter new subdirectories; defaults only affect items created later, so cover the existing contents at the same time with setfacl -R -m g:sales:rwX,d:g:sales:rwx /share)
  • Remove an entry: setfacl -x u:kenny /accounting
  • Remove every extended entry, or only the defaults: setfacl -b /accounting, setfacl -k /share

Pro tips

  • Effective permissions can be limited by the ACL mask; getfacl flags the difference with “#effective:”. A mask::r-- under a group:sales:rw- entry means sales can only read, whatever the entry says.
  • chmod on a file with an extended ACL rewrites the mask, not group::. A well-meant chmod g-w (or an application that does its own chmod) quietly caps every named user and group entry; check getfacl before assuming an ACL is still doing its job.
  • Default ACLs on a directory apply to new files and subdirectories created there. The new object’s mask is also ANDed with the mode the creating program asked for, so a default g:sales:rwx still shows #effective:r-- on a file created with mode 0644 until you raise the mask (setfacl -m m::rw FILE) or the program creates it group-writable.
  • ACLs live in extended attributes and are easy to lose in transit: cp needs -a (or --preserve=all), rsync needs -A, tar needs --acls. Dump them with getfacl -R /share > share.acl and put them back with setfacl --restore=share.acl.
  • Start with sensible base perms; use ACLs for exceptions and audits, not as a substitute for good group design.
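To make the garrett/kenny examples above and the mask tips concrete, here is an added Python example (not from the post, and not the acl package’s own code) that parses getfacl output and re-implements the access check from acl(5): owner entry first, then a named-user entry, then the owning and named group entries capped by the mask, then other. The two getfacl texts inside it are constructed for the resolv.conf and q4.csv scenarios on this page; the user names alice and bob and the finance group are assumptions for the demo.

```python
"""POSIX ACL access check and mask arithmetic, driven by getfacl(1) output.
Added example, not code from the post or the acl package. It follows acl(5);
root (CAP_DAC_OVERRIDE) bypasses the check entirely and is not modelled."""
from dataclasses import dataclass, field

PERM_BITS = {"r": 4, "w": 2, "x": 1}

def perms_to_bits(text):
    """'r--', 'rx' or 'rwx' -> 4, 5, 7; dashes are ignored, as setfacl does."""
    if set(text) - set("rwx-"):
        raise ValueError(f"bad permission string {text!r}")
    return sum(PERM_BITS[c] for c in text if c in PERM_BITS)

@dataclass
class Acl:
    owner: str = ""
    group: str = ""
    user_obj: int = 0                           # user::
    group_obj: int = 0                          # group::
    other: int = 0                              # other::
    mask: "int | None" = None                   # mask:: (absent on a plain file)
    users: dict = field(default_factory=dict)   # user:NAME:
    groups: dict = field(default_factory=dict)  # group:NAME:

def parse_getfacl(text):
    """Parse one file's getfacl output. '#effective:' notes are dropped (the mask is
    re-applied in check_access); 'default:' entries shape new children, so skip them."""
    acl = Acl()
    for raw in text.splitlines():
        if raw.startswith(("# owner:", "# group:")):      # raw[2:7] is 'owner'/'group'
            setattr(acl, raw[2:7], raw.split(":", 1)[1].strip())
            continue
        line = raw.split("#", 1)[0].strip()      # also discards the '# file:' line
        if not line or line.startswith("default:"):
            continue
        tag, qualifier, perms = line.split(":")
        bits = perms_to_bits(perms)
        if tag in ("user", "group") and qualifier:            # named entries
            (acl.users if tag == "user" else acl.groups)[qualifier] = bits
        elif tag in ("user", "group", "mask", "other"):
            setattr(acl, {"user": "user_obj", "group": "group_obj"}.get(tag, tag), bits)
        else:
            raise ValueError(f"unknown ACL tag {tag!r}")
    return acl

def check_access(acl, user, user_groups, want):
    """True if `user` (member of `user_groups`) holds every permission in `want`.
    The first matching class decides (owner, named user, owning/named groups, other),
    which is why user:kenny:--- denies kenny although other::r-- would let him read."""
    want_bits = perms_to_bits(want)
    cap = 7 if acl.mask is None else acl.mask    # mask:: caps all but user:: and other::
    if user == acl.owner:
        return (acl.user_obj & want_bits) == want_bits
    if user in acl.users:
        return (acl.users[user] & cap & want_bits) == want_bits
    matching = [acl.group_obj] if acl.group in user_groups else []
    matching += [bits for name, bits in acl.groups.items() if name in user_groups]
    if matching:                                 # any one sufficient group entry grants
        return any((bits & cap & want_bits) == want_bits for bits in matching)
    return (acl.other & want_bits) == want_bits

def recalculated_mask(acl):
    """The mask setfacl -m writes unless given -n: group:: OR every named entry."""
    bits = acl.group_obj
    for entry in (*acl.users.values(), *acl.groups.values()):
        bits |= entry
    return bits

def chmod_group_bits(acl, bits):
    """Model chmod: with an extended ACL the mode's group bits ARE the mask, so
    'chmod g-w' caps every named entry instead of touching group::."""
    if acl.mask is None:
        acl.group_obj = bits
    else:
        acl.mask = bits
    return acl

# Constructed getfacl output for the post's resolv.conf after both setfacl -m calls.
RESOLV_CONF_ACL = """\
# file: etc/resolv.conf
# owner: root
# group: root
user::rw-
user:garrett:r--
user:kenny:---
group::rw-
mask::rw-
other::r--
"""
# Constructed: g:sales:rw was granted on q4.csv, then someone ran chmod g-w on it.
Q4_ACL = """\
# owner: finance
# group: finance
user::rw-
group::r--
group:sales:rw-                 #effective:r--
mask::r--
other::---
"""
```

Feed check_access a real dump (getfacl -p keeps the leading slash) to reason about who gets what before you change anything; the kernel is still the ground truth, so confirm with something like sudo -u garrett cat /etc/resolv.conf. chmod_group_bits is there to show the mask gotcha: on Q4_ACL the sales group reads but cannot write, recalculated_mask reports what a fresh setfacl -m would restore (rw-), and simulating chmod g+w on the file brings the write back because the group bits land on mask::.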

Use cases you’ll actually need

  • Give an intern read-only access to a sensitive folder without reassigning ownership.
  • Allow the sales group to write invoices, but keep other accounting reports private.
  • Grant a CEO temporary read/write to a specific subfolder—no group juggling required.

Your move. If you’ve ever duplicated data or reshuffled groups to grant one person access, ACLs will save you time and risk.