Unix Access Control and ACLs.html
* created: 2026-05-06T18:03
* modified: 2026-05-06T18:19
Unix Access Control
Permission String Format
Example: -rwxrw---- reads in four sections as - / rwx / rw- / ---
Each permission string has 4 sections:
| Section | Example | Meaning |
| --- | --- | --- |
| File type | - | - = file, d = directory, l = symlink |
| Owner | rwx | read, write, execute |
| Group | rw- | read, write, no execute |
| Others | --- | no permissions |
Permission bits:
| Char | Octal | Meaning |
| --- | --- | --- |
| r | 4 | Read |
| w | 2 | Write |
| x | 1 | Execute (or traverse for dirs) |
| - | 0 | Permission not set |
Octal shorthand: rwxr-xr-- → 754
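A small converter for the format described above, added here as an example (it is not part of the original note). It parses an `ls -l` mode string into its four sections, converts it to the octal shorthand and back, recognises the trailing `+` that marks an ACL, and adds a world-writable check, the kind of test an audit script runs over `ls -l` output. All function names (`parse_mode`, `octal_to_string`, `is_world_writable`) are my own choices.

```python
"""Parse and build Unix permission strings as shown by `ls -l`.

Added example, not code from the original note. Handles the file type
character, the three rwx sections, the octal shorthand and the trailing
'+' that marks a file with an ACL.
"""

FILE_TYPES = {"-": "file", "d": "directory", "l": "symlink"}
BIT_VALUES = {"r": 4, "w": 2, "x": 1}  # insertion order matters for output


def triplet_to_octal(triplet):
    """Convert one three-character section (e.g. 'r-x') to its octal digit."""
    if len(triplet) != 3:
        raise ValueError(f"bad permission triplet: {triplet!r}")
    value = 0
    for expected, ch in zip("rwx", triplet):
        if ch == expected:
            value += BIT_VALUES[ch]
        elif ch != "-":
            raise ValueError(f"unexpected character {ch!r} in {triplet!r}")
    return value


def octal_digit_to_triplet(digit):
    """Convert one octal digit (0-7) back to its 'rwx' form."""
    if not 0 <= digit <= 7:
        raise ValueError(f"octal digit out of range: {digit}")
    return "".join(ch if digit & bit else "-" for ch, bit in BIT_VALUES.items())


def parse_mode(mode):
    """Split an `ls -l` mode string into its four sections.

    Returns a dict with the file type, each section's triplet, the octal
    value of the nine permission bits and whether a trailing '+' (ACL
    present) was seen.
    """
    has_acl = mode.endswith("+")
    if has_acl:
        mode = mode[:-1]
    if len(mode) != 10:
        raise ValueError(f"mode string must be 10 characters: {mode!r}")
    ftype = mode[0]
    if ftype not in FILE_TYPES:
        raise ValueError(f"unknown file type {ftype!r}")
    owner, group, others = mode[1:4], mode[4:7], mode[7:10]
    octal = (triplet_to_octal(owner) * 64
             + triplet_to_octal(group) * 8
             + triplet_to_octal(others))
    return {
        "type": FILE_TYPES[ftype],
        "owner": owner,
        "group": group,
        "others": others,
        "octal": octal,
        "acl": has_acl,
    }


def octal_to_string(octal, ftype="-"):
    """Build the symbolic form (e.g. '-rwxr-xr--') from an octal value."""
    if not 0 <= octal <= 0o777:
        raise ValueError(f"octal mode out of range: {oct(octal)}")
    return ftype + "".join(
        octal_digit_to_triplet((octal >> shift) & 7) for shift in (6, 3, 0)
    )


def is_world_writable(mode):
    """True if the 'others' section grants write (the 0o002 bit)."""
    return parse_mode(mode)["octal"] & 0o002 != 0


if __name__ == "__main__":
    info = parse_mode("-rwxr-xr--")
    print(info["type"], oct(info["octal"]))      # file 0o754
    print(octal_to_string(0o750, ftype="d"))     # drwxr-x---
    print(is_world_writable("-rw-rw-rw-"))       # True
```

`parse_mode` only accepts the three file types listed in the note; extending `FILE_TYPES` with the other `ls -l` type characters is a one-line change.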
Linux Access Control Lists (ACL)
Standard Unix permissions only allow one owner and one group. ACLs extend this: you can grant permissions to any user or group on a per-file basis.
# View ACL
getfacl file.txt
# Grant user alice read+write
setfacl -m u:alice:rw file.txt
# Grant group devs execute
setfacl -m g:devs:x script.sh
# Remove ACL entry
setfacl -x u:alice file.txt
# Remove all ACLs
setfacl -b file.txt
A + at the end of ls -l output (e.g. -rwxr-xr-x+) means an ACL is set.
ACL mask — limits the effective permissions for named users/groups (not the owner):
setfacl -m m:rx file.txt # mask: cap named entries to r-x
Default ACLs (directories only) — inherited by new files/subdirs:
setfacl -d -m u:alice:rw mydir/
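The mask rule above is easy to get wrong when reading `getfacl` output: an entry can show `rwx` while the mask caps it to `r-x`. The script below is an added example (not from the original note) that parses the text form `getfacl` prints, applies the mask to every entry it governs and reports which entries grant more than they effectively deliver. It applies the mask to named users, named groups and the owning group (`group::`), which is how the kernel evaluates it; the file owner (`user::`) and `other` are never masked. The sample output and the names `parse_getfacl`, `effective_permissions` and `entries_exceeding_mask` are my own constructions.

```python
"""Compute effective ACL permissions from getfacl output.

Added example, not code from the original note. Parses the text form
printed by getfacl and applies the mask entry the way the kernel does.
"""

PERM_BITS = {"r": 4, "w": 2, "x": 1}

# Constructed sample of getfacl output (not captured from a real system).
SAMPLE_GETFACL = """\
# file: file.txt
# owner: bob
# group: staff
user::rw-
user:alice:rw-
group::r--
group:devs:rwx
mask::r-x
other::---
"""


def perms_to_bits(perms):
    """'rw-' -> 6. Accepts only r, w, x and '-'."""
    bits = 0
    for ch in perms:
        if ch in PERM_BITS:
            bits |= PERM_BITS[ch]
        elif ch != "-":
            raise ValueError(f"unexpected character {ch!r} in {perms!r}")
    return bits


def bits_to_perms(bits):
    """6 -> 'rw-'."""
    return "".join(ch if bits & v else "-" for ch, v in PERM_BITS.items())


def parse_getfacl(text):
    """Return (header, entries).

    header: the '# file/owner/group' comment lines as a dict.
    entries: list of (tag, qualifier, bits), e.g. ('user', 'alice', 6).
    A trailing '#effective:...' annotation, which getfacl appends when the
    mask restricts an entry, is stripped before parsing.
    """
    header, entries = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            header[key.strip()] = value.strip()
            continue
        line = line.split("#", 1)[0].strip()
        parts = line.split(":")
        if len(parts) != 3:
            raise ValueError(f"malformed ACL entry: {raw!r}")
        tag, qualifier, perms = parts
        entries.append((tag, qualifier, perms_to_bits(perms)))
    return header, entries


def _is_masked(tag, qualifier):
    """Entries the mask applies to: named users, named groups, owning group."""
    return tag == "group" or (tag == "user" and qualifier != "")


def effective_permissions(text):
    """Map 'tag:qualifier' -> effective permission string after masking.

    'user:' is the file owner, 'group:' the owning group, 'other:' everyone
    else; named entries appear as 'user:alice' or 'group:devs'.
    """
    _, entries = parse_getfacl(text)
    mask = next((bits for tag, _, bits in entries if tag == "mask"), None)
    result = {}
    for tag, qualifier, bits in entries:
        if mask is not None and _is_masked(tag, qualifier):
            bits &= mask
        result[f"{tag}:{qualifier}"] = bits_to_perms(bits)
    return result


def entries_exceeding_mask(text):
    """List (entry, granted, effective) where the mask hides granted bits.

    Useful in an audit: such entries look more permissive than they are,
    and a later `setfacl -m m:rwx` would silently widen them.
    """
    _, entries = parse_getfacl(text)
    effective = effective_permissions(text)
    report = []
    for tag, qualifier, bits in entries:
        key = f"{tag}:{qualifier}"
        granted = bits_to_perms(bits)
        if _is_masked(tag, qualifier) and granted != effective[key]:
            report.append((key, granted, effective[key]))
    return report


if __name__ == "__main__":
    for entry, perms in effective_permissions(SAMPLE_GETFACL).items():
        print(f"{entry:<12} {perms}")
    print(entries_exceeding_mask(SAMPLE_GETFACL))
```

Note the second function's observation: because `setfacl -m m:rwx` raises the cap without touching the named entries, an entry that was granted `rwx` "for later" becomes fully effective the moment someone loosens the mask, so the report lists exactly the entries whose real rights depend on the mask staying as it is.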