Fedora Linux

permissions

The permissions granted by the entry; any combination of r (read), w (write), and x (execute). When displayed by the getfacl command, the permissions are always shown in rwx order, and permissions that are not granted are replaced with a dash.

To modify the ACL, use the setfacl command with the -m (modify) option. This command will limit the user thomas to just reading the file test :

$ setfacl -m user:thomas:r test
$ getfacl test
# file: test
# owner: chris
# group: chris
user::rw-
user:thomas:r--
group::rw-
mask::rw-
other::r--

This additional ACL entry shows up on a line of its own. Notice that a mask entry is now displayed, showing the maximum permission available to users and groups identified by a qualifier; this mask value corresponds to the group permission of the traditional Linux permission mode, as displayed by ls .

When ls is used to display detailed file information, the output is slightly modified:

$ ls -l test
-rw-rw-r--+ 1 chris chris 0 May 6 20:52 test

The + after the file permissions indicates that an ACL is in effect in addition to the permissions shown.

Changing the file mode using the chmod command alters the ACL mask value:

$ chmod 644 test
$ ls -l test
-rw-r--r--+ 1 chris chris 0 May 6 20:52 test
$ getfacl test
# file: test
# owner: chris
# group: chris
user::rw-
user:thomas:r--
group::rw- #effective:r--
mask::r--
other::r--

The new group permission has been set to r-- (read-only), and this is also used as the mask value. Because the mask is more limiting than the group value in the ACL, the group permission has effectively changed to r-- , as indicated by the #effective:r-- comment in the output.

This works both ways; changing the mask using setfacl also changes the group permission, as displayed by ls :

$ ls -l test
-rw-r--rwx+ 1 chris chris 0 May 6 20:52 test
$ setfacl -m mask::rw test
$ ls -l test
-rw-rw-rwx+ 1 chris chris 0 May 6 20:52 test
$ getfacl test
# file: test
# owner: chris
# group: chris
user::rw-
user:thomas:r--
group::rw-
mask::rw-
other::rwx

On the other hand, changing the default group ACL entry affects both that entry and the mask value:

$ setfacl -m g::r test
$ ls -l test
-rw-r--r--+ 1 chris chris 0 May 6 20:52 test
$ getfacl test
# file: test
# owner: chris
# group: chris
user::rw-
user:thomas:r--
group::r--
mask::r--
other::r--

The g::r argument is a short form for group::r.

To change multiple ACL entries at one time, separate them by commas:

$ setfacl -m u:diane:rw,u:jim:r,g::r,m::rw test

$ getfacl test

# file: test
# owner: chris
# group: chris
user::rw-
user:thomas:r--
user:diane:rw-
user:jim:r--
group::r--
mask::rw-
other::r--