Mastering Linux ACL Masks: How to Control Fine-Grained File Permissions
This guide explains Linux's traditional permission model, introduces Access Control Lists (ACL) and the crucial mask concept, shows how to view and modify ACLs with getfacl/setfacl, and provides practical examples for correctly configuring file permissions.
1. Traditional UNIX Permission Model
Linux and other UNIX‑like systems represent file permissions with three classes: owner (user), group, and others. Each class is described by three bits – r (read), w (write), and x (execute or directory traversal). The symbolic string rwxr-x--- means the owner has full access, the group can read and execute, and others have no rights.
2. Access Control Lists (ACL)
ACLs extend the basic model by allowing arbitrary users or groups to receive explicit permissions. The utilities getfacl (display) and setfacl (modify) manage ACL entries. A typical ACL dump looks like:
# file: /var/log/nginx/access.log
# owner: nginx
# group: nginx
user::rw-
user:tomcat:r--
group::---
mask::r--
other::---
Interpretation:
Owner nginx – read/write.
Named user tomcat – read‑only.
Group – no rights.
Mask r-- – upper bound for all named users and groups.
3. The Mask (Effective Rights Upper Bound)
The mask is a special ACL entry that limits the *effective* permissions of every named user and named group. It does **not** affect the traditional owner, group, or other bits.
Example: a user granted rwx but with mask r-- will only be able to read; write and execute are masked out.
4. Scope of the Mask
The mask applies to:
All ACL entries for specific users (user:NAME:perm).
All ACL entries for specific groups (group:NAME:perm).
It never restricts the owner’s permissions or the other category.
5. Viewing and Modifying the Mask
Viewing
Run getfacl /path/to/file. The line beginning with mask:: shows the current mask, e.g. mask::r--.
Modifying
Use setfacl -m m::PERMS /path/to/file, where PERMS is a combination of r, w, and x. For example, to allow read and execute: setfacl -m m::r-x /var/log/nginx. Re‑run getfacl to verify the change.
6. Practical Case Study
Directory /var/log/nginx had a named user entry user:tomcat:r-x, but the mask was ---. Consequently the effective permission for tomcat was none, blocking access. Updating the mask with setfacl -m m::r-x /var/log/nginx restored the intended read/execute rights.
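To make the mask arithmetic of sections 3 to 6 concrete, here is an added shell example (not from the original article) that parses a constructed getfacl dump, prints each entry with the rights the mask actually leaves in the style of getfacl's #effective: comments, and computes the mask setfacl would recalculate after a -m change without -n. Note that, per acl(5), the mask also bounds the owning group entry (group::), and the example follows that rule; the sample dump and its entries are constructed for illustration.

```shell
#!/bin/sh
# Constructed getfacl dump (not taken from the article) used as offline input.
# tomcat and ops were granted more than the mask allows, so their rights are cut.
SAMPLE_ACL='# file: /var/log/nginx
# owner: nginx
# group: nginx
user::rwx
user:tomcat:rwx
group::r-x
group:ops:-wx
mask::r--
other::---'

# Read a getfacl dump on stdin and print each entry, appending
# "#effective:PERMS" where the mask cuts the entry down, as getfacl does.
acl_effective() {
    awk -F: '
        /^#/ || NF < 3 { next }                   # skip header comments and blanks
        { n++; tag[n] = $1; qual[n] = $2; perm[n] = substr($3, 1, 3) }
        $1 == "mask" && $2 == "" { mask = substr($3, 1, 3) }   # remember the mask
        END {
            for (i = 1; i <= n; i++) {
                line = tag[i] ":" qual[i] ":" perm[i]
                # The mask bounds named users, named groups and the owning
                # group (acl(5)); owner, mask and other are never masked.
                bounded = (tag[i] == "user" && qual[i] != "") || tag[i] == "group"
                if (mask != "" && bounded) {
                    eff = ""
                    for (j = 1; j <= 3; j++) {    # AND the two rwx strings bitwise
                        c = substr(perm[i], j, 1)
                        eff = eff ((c != "-" && c == substr(mask, j, 1)) ? c : "-")
                    }
                    if (eff != perm[i]) line = line "\t#effective:" eff
                }
                print line
            }
        }'
}

# Print the mask setfacl would recalculate (without -n): the union of all
# owning-group, named-user and named-group permissions in the dump.
acl_recalc_mask() {
    awk -F: '
        /^#/ || NF < 3 || $1 == "other" || $1 == "mask" { next }
        $1 == "user" && $2 == "" { next }         # the owner is not in the group class
        { for (j = 1; j <= 3; j++) if (substr($3, j, 1) != "-") bit[j] = substr($3, j, 1) }
        END { out = ""; for (j = 1; j <= 3; j++) out = out ((j in bit) ? bit[j] : "-"); print out }'
}

printf '%s\n' "$SAMPLE_ACL" | acl_effective
printf 'mask after recalculation: %s\n' "$(printf '%s\n' "$SAMPLE_ACL" | acl_recalc_mask)"
```

Pipe real getfacl output into acl_effective to see which entries a restrictive mask is silently downgrading before changing it with setfacl -m m::....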
7. Frequently Used ACL Commands
setfacl -m u:lisa:r file – grant user lisa read access.
setfacl -m m::rx file – set the mask to read + execute, effectively revoking write for all named entries.
setfacl -x g:staff file – remove the named group staff from the ACL.
getfacl file1 | setfacl --set-file=- file2 – copy the ACL from file1 to file2.
getfacl --access dir | setfacl -d -M- dir – copy the access ACL into the default ACL of a directory.
8. Key Takeaways
The mask influences only ACL‑defined users and groups; owner and others remain unaffected.
Effective permissions are always bounded by the mask; a restrictive mask can downgrade higher ACL entries.
When troubleshooting permission problems, always inspect the mask with getfacl and adjust it with setfacl -m m::... as needed.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
Ops Development & AI Practice
DevSecOps engineer sharing experiences and insights on AI, Web3, and Claude code development. Aims to help solve technical challenges, improve development efficiency, and grow through community interaction. Feel free to comment and discuss.