setfacl Command
Advanced Permissions & Ownership, man(1)
Set file access control lists for fine-grained permissions
Updated: Mar 15, 2026
SYNTAX
setfacl [OPTION]... ACL_SPEC FILE...
What Does setfacl Do?
setfacl sets Access Control Lists (ACLs) on files and directories. ACLs provide fine-grained permissions beyond the basic owner/group/other model, allowing specific permissions for individual users and groups.
setfacl is invaluable when you need to grant access to specific users without changing file ownership or creating new groups. It supports user ACLs, group ACLs, and default ACLs (which are inherited by new files).
Default ACLs on directories are particularly useful — they ensure that new files and subdirectories automatically inherit the specified permissions.
Options & Flags
| Option | Description | Example |
|---|---|---|
| -m | Modify (set) ACL entry | setfacl -m u:alice:rw file.txt |
| -x | Remove ACL entry | setfacl -x u:alice file.txt |
| -b | Remove all ACLs | setfacl -b file.txt |
| -d | Set default ACL (for directories) | setfacl -dm u:alice:rwx /shared/ |
| -R | Recursive | setfacl -Rm g:devs:rwx /project/ |
| --restore | Restore ACLs from backup | setfacl --restore=acl_backup.txt |
Practical Examples
#1 Grant user access
Gives alice read-write access to the file, regardless of group membership.
$ setfacl -m u:alice:rw document.txt
#2 Grant group access
Gives the contractors group read-execute access.
$ setfacl -m g:contractors:rx /opt/app/
#3 Set default ACL
New files in this directory will automatically inherit rwx access for alice.
$ setfacl -dm u:alice:rwx /shared/project/
#4 Remove user ACL
Removes the ACL entry for alice.
$ setfacl -x u:alice file.txt
#5 Remove all ACLs
Strips all ACL entries, reverting to standard permissions only.
$ setfacl -b file.txt
#6 Recursive group access
Grants the webteam group full access to all files recursively.
$ setfacl -Rm g:webteam:rwx /var/www/project/
#7 Complete shared directory
Sets access on existing files AND sets a default ACL on /shared/ so that new files created there inherit the same ACL.
$ setfacl -Rm g:devs:rwx /shared/ && setfacl -dm g:devs:rwx /shared/
Tips & Best Practices
Default ACLs for inheritance: setfacl -dm sets default ACLs on directories. New files automatically inherit these permissions. Essential for shared directories.
Mask limits effective permissions: The ACL mask limits the maximum permissions for named users, named groups, and the owning group. Check the effective permissions with getfacl if access seems wrong.
ACL syntax: u:user:perms for user ACL. g:group:perms for group ACL. o::perms for others. d: prefix for default ACLs.
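The mask tip above as an added example (not part of the original page): a shell function that reads getfacl-format text, for one file or a recursive dump, and lists every entry whose granted permissions are reduced by the mask, including default ACL entries. The function names and the sample ACL text are constructed for illustration.

```shell
#!/bin/sh
# Added example: list ACL entries that the mask cuts down.
# stdin: getfacl-format text; stdout: "<file> <entry> <granted> <effective>"
acl_masked_entries() {
    awk '
    function limit(perm, msk,   i, c, out) {
        for (i = 1; i <= 3; i++) {
            c = substr(perm, i, 1)
            out = out ((c != "-" && substr(msk, i, 1) != "-") ? c : "-")
        }
        return out
    }
    function report(   i, eff) {
        for (i = 1; i <= n; i++) {
            if (!(scope[i] in mask)) continue   # no mask entry: nothing is capped
            eff = limit(granted[i], mask[scope[i]])
            if (eff != granted[i]) print file, key[i], granted[i], eff
        }
        n = 0; split("", mask)                  # reset state for the next file
    }
    /^# file: / { report(); file = substr($0, 9); next }
    /^#/ { next }                               # owner/group header lines
    {
        sub(/[ \t]*#.*$/, "")                   # drop a trailing "#effective:" note
        if (split($0, f, ":") < 3) next
        off = (f[1] == "default") ? 1 : 0
        dflt = off ? "default:" : ""
        tag = f[1 + off]; name = f[2 + off]; perm = f[3 + off]
        if (tag == "mask") { mask[dflt] = perm; next }
        # The mask caps named users, named groups and the owning group.
        if ((tag == "user" && name != "") || tag == "group") {
            n++; key[n] = dflt tag ":" name; scope[n] = dflt; granted[n] = perm
        }
    }
    END { report() }'
}

# Constructed sample in getfacl output format (not taken from a real system).
sample_acl_dump() {
    printf '%s\n' '# file: shared/report.txt' 'user::rw-' 'user:alice:rw-' \
        'group::r--' 'group:contractors:r-x' 'mask::r--' 'other::---' '' \
        '# file: shared' 'user::rwx' 'group::r-x' 'group:devs:rwx' 'mask::rwx' \
        'other::---' 'default:user::rwx' 'default:group::r-x' \
        'default:group:devs:rwx' 'default:mask::r-x' 'default:other::---'
}

sample_acl_dump | acl_masked_entries
```

To audit a real tree, pipe live output into the function: `getfacl -R /shared/ | acl_masked_entries`.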
Frequently Asked Questions
How do I give a specific user access to a file?
setfacl -m u:username:rw filename. This grants access without changing ownership or group.
How do I make new files inherit permissions?
Set default ACLs on the directory: setfacl -dm u:alice:rwx /shared/. New files automatically get these ACLs.
How do I remove all ACLs?
setfacl -b filename removes all ACL entries. setfacl -x u:username filename removes a specific entry.