An access control list (ACL) is a list of permissions attached to an object. ACLs can be used for situations where the traditional file permission concept does not suffice. ACLs enable you to assign permissions to individual users or groups even if these do not correspond to the object’s owner or group.
For example, members of two department groups may need different levels of access to the same resource. Group 1 might need r/w/x to a directory, whereas Group 2 only needs r/x access. By using ACLs, you are able to grant different levels of access to different users, groups, and even processes. ACLs enable a more granular level of control.
The getfacl command is used to retrieve the ACLs of files and directories. The basic output format of the getfacl command shows metadata about the object including its owner, its group, any SUID/SGID/sticky bit flags set, the standard permissions associated with the object, and the individual permission entries for users and groups.
To see the ACL associated with a file, use the getfacl command. The syntax is quite simple:
# getfacl filename
This produces output like the following:
# file: filename
# owner: geek
# group: geek
user::rw-
user:andy:r--
user:bob:r--
user:james:rwx
group::r--
mask::rwx
other::r--
If you encounter the error below while executing the getfacl command:
getfacl: command not found
you can install the acl package with the command for your distribution:
Distribution | Command |
---|---|
Debian | apt-get install acl |
Ubuntu | apt-get install acl |
Alpine | apk add acl |
Arch Linux | pacman -S acl |
Kali Linux | apt-get install acl |
CentOS | yum install acl |
Fedora | dnf install acl |
Raspbian | apt-get install acl |
getfacl Command Examples
1. To get the ACLs of a file:
# getfacl /tmp/file.txt
2. To display the file access control list:
# getfacl -a /tmp/file.txt
# getfacl --access /tmp/file.txt
3. To display the default access control list:
# getfacl -d /tmp/file.txt
# getfacl --default /tmp/file.txt
4. To avoid displaying the comment header:
# getfacl -c /tmp/file.txt
# getfacl --omit-header /tmp/file.txt
5. To print all effective rights comments:
# getfacl -e /tmp/file.txt
# getfacl --all-effective /tmp/file.txt
6. To avoid printing effective rights:
# getfacl -E /tmp/file.txt
# getfacl --no-effective /tmp/file.txt
7. To skip files that only have the base ACL entries:
# getfacl -s /tmp/file.txt
# getfacl --skip-base /tmp/file.txt
8. To list the ACLs recursively:
# getfacl -R /tmp
# getfacl --recursive /tmp
9. To follow the symbolic links:
# getfacl -L /tmp/file.txt
# getfacl --logical /tmp/file.txt
10. To avoid following the symbolic links:
# getfacl -P /tmp/file.txt
# getfacl --physical /tmp/file.txt
11. To get the tabular output format:
# getfacl -t /tmp/file.txt
# getfacl --tabular /tmp/file.txt
12. To avoid stripping leading slash characters:
# getfacl -p /tmp/file.txt
# getfacl --absolute-names /tmp/file.txt
13. To list the numeric user and group IDs:
# getfacl -n /tmp/file.txt
# getfacl --numeric /tmp/file.txt
14. To get the version of the getfacl:
# getfacl -v
# getfacl --version
15. To get the help for getfacl:
# getfacl -h
# getfacl --help
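When auditing ACLs, what matters is the effective right of each entry: named user entries and all group entries are limited by the mask entry shown in the getfacl output. The script below is an added example, not part of the original page; it reads getfacl-format text on stdin and prints the effective rights per entry. The function names acl_effective and sample_acl and the sample ACL (with a mask of r-x) are constructed for illustration.

```sh
# Added example: parse getfacl text output (read from stdin) and print each
# named user/group entry with its effective rights, i.e. entry AND mask.
acl_effective() {
    awk -F: '
        # Header lines ("# file: ...") name the object the entries belong to.
        /^# file: / { file = substr($0, 9); next }
        /^#/ || NF < 3 { next }
        { sub(/[ \t]*#.*/, "", $3) }          # drop "#effective:..." comments
        $1 == "mask" { mask[file] = $3; next }
        # The mask limits named users and all groups; default: entries are skipped.
        ($1 == "user" && $2 != "") || $1 == "group" {
            n++; f[n] = file; t[n] = $1; who[n] = $2; perm[n] = $3
        }
        END {
            for (i = 1; i <= n; i++) {
                m = (f[i] in mask) ? mask[f[i]] : "rwx"   # no mask: nothing removed
                eff = ""
                for (k = 1; k <= 3; k++) {
                    p = substr(perm[i], k, 1)
                    eff = eff ((p != "-" && substr(m, k, 1) == p) ? p : "-")
                }
                printf "%s %s:%s %s\n", f[i], t[i], who[i], eff
            }
        }'
}

# Constructed sample in getfacl output format (not taken from a real system).
sample_acl() {
    cat <<'EOF'
# file: filename
# owner: geek
# group: geek
user::rw-
user:andy:r--
user:james:rwx
group::r--
mask::r-x
other::r--
EOF
}

sample_acl | acl_effective
```

On a real system the same function can be fed from getfacl directly, for example getfacl -R /tmp | acl_effective.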