chacl
Modify file access control lists
SYNOPSIS
chacl [-dPR] acl_spec path ...
PARAMETERS
-d
Delete the ACL entry matching acl_spec. Any prior changes are applied before the deletion.
-P
Use POSIX.1e ACL format (default).
-R
Recursively apply changes to path and all subdirectories/files.
DESCRIPTION
The chacl command modifies the Access Control List (ACL) of files or directories on Linux systems supporting POSIX.1e ACLs. It appends or deletes ACL entries specified in acl_spec format to the existing ACL, without overwriting the entire list. This is useful for fine-grained permission management beyond traditional Unix permissions.
An acl_spec follows the syntax from getfacl(1), such as u::rwx for the owning user, g:groupname:r-x for a named group, or u:1000:rw- for a specific UID. Multiple specs can be provided; they are applied sequentially. Without -d, entries are added if not present. The command operates on the file's ACL or inherits from the directory's default ACL if none exists.
Key use cases include granting extra permissions to specific users or groups on shared filesystems like ext4 or NFSv4 with ACL support. It requires the acl package and kernel ACL support. Changes are atomic per file, and with -R they are applied recursively. Always verify the result with getfacl afterward.
CAVEATS
Requires filesystem ACL support (e.g., ext4); no effect on non-ACL filesystems. Does not follow symlinks recursively. Ignores duplicate entries.
ACL SPEC FORMAT
Examples: u::rwx (owner), g::r-x (group), o::r-- (other), u:1000:rw- (user ID 1000), m::rwx (mask). See getfacl(1).
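The advice to verify with getfacl matters most when a mask entry is present, because under POSIX.1e the mask limits what named-user and group entries actually grant. The Python sketch below is an added example, not part of the acl package: it parses a getfacl-style listing and checks whether a requested acl_spec is present and effective. The function names and the sample listing are constructed for illustration.

```python
import re

TAGS = {"u": "user", "user": "user", "g": "group", "group": "group",
        "m": "mask", "mask": "mask", "o": "other", "other": "other"}
ENTRY = re.compile(r"^([a-z]+):([^:]*):([r-][w-][x-])$")

def parse_entry(spec):
    """Parse one entry such as 'u:1000:rw-' into (tag, qualifier, perms)."""
    m = ENTRY.match(spec.strip())
    if not m or m.group(1) not in TAGS:
        raise ValueError(f"bad ACL entry: {spec!r}")
    tag, qual, perms = TAGS[m.group(1)], m.group(2), m.group(3)
    if tag in ("mask", "other") and qual:
        raise ValueError(f"{tag} entry takes no qualifier: {spec!r}")
    return tag, qual, perms

def parse_acl(text):
    """Parse getfacl-style text; '#' starts a header or #effective comment."""
    acl = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            tag, qual, perms = parse_entry(line)
            acl[(tag, qual)] = perms
    return acl

def effective(acl, tag, qual):
    """Rights actually granted: named users and groups are ANDed with the mask."""
    perms = acl[(tag, qual)]
    mask = acl.get(("mask", ""))
    masked = tag == "group" or (tag == "user" and qual != "")
    if mask is None or not masked:
        return perms  # owner and other are never limited by the mask
    return "".join(p if p == m else "-" for p, m in zip(perms, mask))

def verify(acl_text, wanted_spec):
    """Return (ok, effective_perms) for a requested entry against a listing."""
    tag, qual, perms = parse_entry(wanted_spec)
    acl = parse_acl(acl_text)
    if (tag, qual) not in acl:
        return False, None
    eff = effective(acl, tag, qual)
    return eff == perms, eff

# Constructed sample listing: the mask silently removes write from UID 1000.
SAMPLE = ("# file: shared/report.txt\n# owner: alice\n# group: staff\n"
          "user::rw-\nuser:1000:rw-\t#effective:r--\n"
          "group::r-x\t#effective:r--\nmask::r--\nother::r--\n")

if __name__ == "__main__":
    for spec in ("u:1000:rw-", "o::r--", "g:staff:r-x"):
        print(spec, verify(SAMPLE, spec))
```

An entry that is listed but masked down comes back as not verified, which is the case a plain text match on the getfacl output would miss.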
EXIT STATUS
0: success; 1: ACL spec failure; 2: syntax/system error.
HISTORY
Introduced with Linux ACL support in kernel 2.4.19+ (2003), part of POSIX.1e draft. Maintained in acl package since 2001.


