Master Linux ACL: Check, Set, Modify, and Backup File Permissions
This guide explains what Linux Access Control Lists (ACL) are, why they are useful, how to verify kernel support, and provides step‑by‑step commands and examples for setting, modifying, inheriting, deleting, and backing up ACL permissions on files and directories.
What is ACL?
ACL stands for Access Control List, a flexible permission mechanism for files and directories on Linux that supplements the traditional owner‑group‑others (UGO) model.
Why use ACL?
ACL allows you to assign permissions to individual users or groups and to let sub‑files or sub‑directories inherit permissions from their parent, capabilities that are difficult or impossible with basic UGO permissions.
Checking ACL support
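Most modern Linux kernels and filesystems enable ACL by default. On an ext2/3/4 filesystem (tune2fs only reads ext superblocks), verify support with the following command, replacing /dev/sda1 with your own device: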
sudo tune2fs -l /dev/sda1 | grep "Default mount options:"
If the output contains user_xattr acl, ACL is enabled.
Setting ACLs
Use setfacl to add or modify ACL entries and getfacl to view them.
Basic syntax:
setfacl -m u:username:permissions file_or_dir
setfacl -m g:groupname:permissions file_or_dir
getfacl file_or_dir
ACL for individual users
Create test users and assign them read/write access to a file:
sudo adduser tester
sudo adduser tester1
Create a test file and check its default permissions:
touch aclfile
Initially, user tester cannot write because the other class lacks write permission.
setfacl -m u:tester:rw aclfile
After applying the command, tester can write to the file. Verify with:
ll aclfile
getfacl aclfile
The output shows an entry like user:tester:rw-, confirming the new permissions.
ACL for groups
Setting permissions for a group is identical, replacing the u flag with g:
setfacl -m g:groupname:permissions file_or_dir
Inheritance of permissions
Directories can have default ACL entries that are inherited by newly created files and sub‑directories.
mkdir mydir
setfacl -dm u:tester:rwx mydir
New files or directories created inside mydir automatically receive the specified permissions.
Modifying existing ACL entries
The -m option adds a new entry if none exists or updates an existing one. For example:
setfacl -m u:tester:rwx aclfile
adds execute permission. To remove execute permission while keeping read/write:
setfacl -m u:tester:rw aclfile
You can also add permissions for another group without affecting existing entries:
setfacl -m g:tester1:rwx aclfile
Replacing all ACL entries
The --set option clears existing ACLs and applies a new set. It requires you to specify the traditional UGO permissions as well:
setfacl --set u::rw,u:tester2:rwx,g::r,o::- aclfile
Note the use of o::- to explicitly set "other" permissions to none.
Deleting ACL entries
Remove a specific user or group entry with -x:
setfacl -x g:tester2 aclfile
Clear all ACLs from a file or directory with -b:
setfacl -b aclfile
Backing up and restoring ACLs
Standard copy commands (cp, mv) preserve ACLs when used with the -p flag. Archive tools like tar do not retain ACLs by default. To back up ACLs, export them to a file and later restore:
getfacl -R acldir > acldir.acl
Remove ACLs from the directory tree:
setfacl -R -b acldir
Restore the saved ACLs:
setfacl --restore acldir.acl
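Before running setfacl --restore, it helps to review what the saved file will grant. The following is an added example, not part of the original article: it parses getfacl -R output and lists every named-user, named-group or "other" entry whose effective rights include write, covering default (inherited) entries as well. The sample dump is constructed, and the function names sample_acl_backup and audit_acl_backup are assumptions.

```shell
# Constructed sample of `getfacl -R acldir` output (not from a real system).
sample_acl_backup() {
cat <<'EOF'
# file: acldir
# owner: root
# group: root
user::rwx
user:tester:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:tester:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

# file: acldir/aclfile
# owner: root
# group: root
user::rw-
user:tester:rwx  #effective:rw-
group::r--
group:tester1:rwx  #effective:rw-
mask::rw-
other::r--
EOF
}
# List every named-user, named-group or "other" entry that grants write.
# Output columns: path, scope (access|default), entry, effective rights.
audit_acl_backup() {
  awk '
    /^# file: / { path = substr($0, 9); next }   # start of a new file record
    /^#/ || /^$/ { next }                        # owner/group/flags, blank lines
    {
      eff = ""
      # getfacl appends "#effective:" when the mask narrows an entry
      if (match($0, /#effective:/)) eff = substr($0, RSTART + 11, 3)
      n = split($1, f, ":")
      if (n < 3) next
      perms = f[n]; who = f[n-1]; kind = f[n-2]
      if (eff == "") eff = perms
      scope = (f[1] == "default") ? "default" : "access"
      named = (who != "" && (kind == "user" || kind == "group"))
      if ((named || kind == "other") && index(eff, "w"))
        printf "%s\t%s\t%s:%s:%s\t%s\n", path, scope, kind, who, perms, eff
    }'
}
sample_acl_backup | audit_acl_backup
```

On a real backup, run audit_acl_backup < acldir.acl. Rows with scope "default" deserve the closest look, because those entries are copied onto everything created under that directory afterwards.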
MaGe Linux Operations
