LinuxCommandLibrary

getfacl

Display file access control lists

TLDR

Display the file access control list

$ getfacl [path/to/file_or_directory]

Display the file access control list with numeric user and group IDs
$ getfacl [[-n|--numeric]] [path/to/file_or_directory]

Display the file access control list with tabular output format
$ getfacl [[-t|--tabular]] [path/to/file_or_directory]

SYNOPSIS

getfacl [OPTIONS] FILE...

Example: getfacl myfile.txt
Example: getfacl -R /data/project

PARAMETERS

-a, --access
    Display only the file access ACL. Without -a or -d, getfacl shows the access ACL and, for directories, the default ACL as well.

-d, --default
    Display only the default ACL of a directory. Default ACLs are inherited by objects created within that directory; regular files never have one.

-c, --omit-header
    Do not display the comment header (file name, owner, group, flags).

-e, --all-effective
    Print an "#effective:" comment for every entry that is subject to the mask, even when the mask does not reduce its rights. Without this option the comment appears only where the mask actually removes a permission.

-E, --no-effective
    Do not print "#effective:" comments at all.

-s, --skip-base
    Skip files that have only the base ACL entries (user::, group::, other::) and no extended entries. Useful with -R to list only objects that actually carry an ACL.

-R, --recursive
    List the ACLs of all files and directories recursively.

-L, --logical
    Logical walk: follow symbolic links to directories. Only meaningful with -R. By default, symbolic links given on the command line are followed and those found in subdirectories are skipped.

-P, --physical
    Physical walk: do not follow symbolic links to directories, including those given on the command line. Only meaningful with -R.

-t, --tabular
    Use an alternative tabular format in which the access ACL and the default ACL are shown side by side. Permissions that are ineffective because of the mask are shown in capital letters, as are the tag types of the owner and owning-group entries.

-n, --numeric
    List numeric user and group IDs instead of names.

-p, --absolute-names
    Do not strip leading '/' characters from path names. By default they are removed, so that a getfacl -R dump can be replayed with setfacl --restore relative to another root.

-v, --version
    Display version information and exit.

-h, --help
    Display a help message and exit.

DESCRIPTION

The getfacl command retrieves and displays the Access Control Lists (ACLs) of files and directories. Traditional Unix permissions offer one set of read, write and execute bits each for the owner, the owning group and everyone else. POSIX ACLs extend this with entries for additional named users and named groups, plus a mask that caps what those extra entries can grant. getfacl prints a comment header with the file name, owner and owning group, followed by the owner entry, any named-user entries, the owning-group entry, any named-group entries, the mask and the entry for others; for directories it also prints the default ACL that new objects inherit. Because ls -l shows only the traditional mode bits (a '+' after them marks files that carry extended entries), getfacl is the tool to use when auditing who can actually access a path and when troubleshooting access denials that the mode bits do not explain. getfacl -R -s -p lists every object under a tree that carries extended entries, with absolute paths, which makes a compact audit baseline; a full getfacl -R dump can be replayed with setfacl --restore. getfacl complements setfacl, which modifies ACLs, and works on any filesystem that supports them, such as Ext3, Ext4, XFS, Btrfs and tmpfs.

CAVEATS

Filesystem Support: ACLs are stored as extended attributes and are only available on filesystems that implement them (e.g., Ext3, Ext4, XFS, Btrfs, tmpfs). On a filesystem without ACL support, or one mounted with 'noacl', setfacl fails with "Operation not supported" and getfacl shows only the base entries derived from the mode bits.
Mount Options: On current kernels Ext4, XFS and Btrfs enable POSIX ACLs by default, so no 'acl' mount option is needed; older Ext3/Ext4 setups may still require 'acl' in /etc/fstab or on the mount command line. The reliable check is empirical: create a test file on the filesystem, run setfacl -m u:nobody:r-- on it, and confirm with getfacl that the named entry appears.
Interoperability: NFSv4 has its own, richer ACL model; the Linux NFS client translates POSIX ACLs to and from it, and entries that cannot be expressed as POSIX ACLs are not shown by getfacl (nfs4_getfacl shows the native view). Copying to a filesystem or system without ACL support silently drops the extended entries and leaves only the traditional mode bits. Even on ACL-capable targets, ACLs survive only if the tool preserves them (cp -a or cp --preserve=all, rsync -A, tar --acls); a getfacl -R dump taken before a migration can be replayed afterwards with setfacl --restore.
Complexity: ACLs add a layer of permissions that ls -l does not display. The '+' after the mode bits is the only indication that extended entries exist, and once they do, the group triplet in ls output shows the mask rather than the owning group's entry, so a mode such as rw-rw---- may mean that the owning group has less than rw- and that a named user, invisible in ls, holds the write access instead. Review sensitive paths with getfacl rather than ls, and keep ACL use deliberate and documented to avoid unintended access.

UNDERSTANDING GETFACL OUTPUT

The output of getfacl starts with a comment header giving the file name, owner and owning group (plus a "# flags:" line when the setuid, setgid or sticky bit is set), followed by one ACL entry per line. Entries are printed in a fixed order: the owner, named users, the owning group, named groups, the mask and finally others. A file with two extended entries looks like this:

# file: report.txt
# owner: alice
# group: devs
user::rw-
user:john:rwx                   #effective:rw-
group::r-x                      #effective:r--
group:devs:r-x                  #effective:r--
mask::rw-
other::---

The 'mask' entry caps the permissions that named users, named groups and the owning group can exercise; it does not apply to the owner (user::) or to others (other::). The effective permissions of a masked entry are the logical AND of its listed permissions and the mask, and getfacl appends an "#effective:" comment wherever the mask removes something. In the example, john is listed with rwx but can only read and write, and neither the owning group nor devs can execute. A mask entry exists only when the ACL contains named entries, and running chmod on such a file changes the mask, not the owning group's entry.

DEFAULT ACLS

Only directories can carry a 'default' ACL, which getfacl shows with the -d option (or after the access entries, prefixed with default:, in the normal listing). Default entries are not consulted when the directory itself is accessed; they are copied into the access ACL of every file and subdirectory created inside it, and a subdirectory also inherits them as its own default ACL, so the policy propagates down the tree. One security consequence is that the process umask is not applied to objects created in a directory that has a default ACL: the mode requested by the creating process is masked by the default entries instead, so a restrictive umask no longer protects against an over-permissive default ACL. This makes default ACLs a convenient way to manage shared folders, and also something to include in any review of them.
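The mask arithmetic described above, and the default: entries described in this section, are easy to get wrong when reading a large getfacl -R dump by eye. The following is an added example, not code from the acl package: it parses getfacl long-format output (including #effective: comments and default: entries), computes effective rights by ANDing the masked entry types with mask::, and flags write access held by named principals or by others. The sample output, the users alice and john, and the group devs are constructed for the example.

```python
"""Parse getfacl long-format output and apply the mask to get effective rights.
Added example, not code from the acl package; SAMPLE is constructed to resemble
`getfacl -R project` for a directory with a default ACL and one file."""
import re

SAMPLE = """\
# file: project
# owner: alice
# group: devs
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:john:rwx
default:group::r-x
default:mask::rwx
default:other::---

# file: project/report.txt
# owner: alice
# group: devs
user::rw-
user:john:rwx\t\t\t#effective:rw-
group::r-x\t\t\t#effective:r--
group:devs:r-x\t\t\t#effective:r--
mask::rw-
other::---
"""

PERM_BITS = {"r": 4, "w": 2, "x": 1}
HEADER_RE = re.compile(r"^# (file|owner|group|flags): (.*)$")
# optional default: prefix, tag, optional qualifier, rwx triple, optional #effective comment
ENTRY_RE = re.compile(r"^(default:)?(user|group|mask|other):([^:]*):([rwx-]{3})"
                      r"(?:\s+#effective:[rwx-]{3})?$")

def perm_to_int(perm):
    """'rw-' -> 6"""
    return sum(PERM_BITS[c] for c in perm if c in PERM_BITS)

def int_to_perm(bits):
    """6 -> 'rw-'"""
    return "".join(c if bits & b else "-" for c, b in PERM_BITS.items())

def parse_getfacl(text):
    """One dict per '# file:' block; entries are (scope, tag, qualifier, perm_bits)."""
    acls, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := HEADER_RE.match(line):
            key, value = m.groups()
            if key == "file":
                cur = {"path": value, "owner": "", "group": "", "entries": []}
                acls.append(cur)
            elif key in ("owner", "group"):
                cur[key] = value
            continue
        m = ENTRY_RE.match(line)
        if cur is None or not m:
            raise ValueError(f"unrecognised getfacl line: {raw!r}")
        default, tag, qualifier, perms = m.groups()
        cur["entries"].append(("default" if default else "access",
                               tag, qualifier, perm_to_int(perms)))
    return acls

def effective_rights(acl, scope="access"):
    """POSIX.1e mask semantics: named users, named groups and the owning group are
    ANDed with mask::; user:: and other:: are never masked. {'tag:qualifier': 'rwx'}"""
    entries = [e for e in acl["entries"] if e[0] == scope]
    mask = next((p for _, tag, _, p in entries if tag == "mask"), None)
    rights = {}
    for _, tag, qualifier, perms in entries:
        if tag == "mask":
            continue
        masked = tag == "group" or (tag == "user" and qualifier != "")
        bits = perms & mask if masked and mask is not None else perms
        rights[f"{tag}:{qualifier}"] = int_to_perm(bits)
    return rights

def audit(acls):
    """Flag what a reviewer would question once the mask is applied: write access
    for other::, and write access for any named user or group (access or default)."""
    findings = []
    for acl in acls:
        for scope in ("access", "default"):
            for key, perm in effective_rights(acl, scope).items():
                tag, _, qualifier = key.partition(":")
                if tag == "other" and "w" in perm:
                    findings.append(f"{acl['path']} [{scope}]: world-writable")
                elif qualifier and "w" in perm:
                    findings.append(f"{acl['path']} [{scope}]: "
                                    f"{tag} {qualifier} has effective {perm}")
    return findings

if __name__ == "__main__":
    acls = parse_getfacl(SAMPLE)
    for acl in acls:
        print(acl["path"], effective_rights(acl), effective_rights(acl, "default"))
    for finding in audit(acls):
        print("FINDING:", finding)
```

Feed it real output with `getfacl -R -p /path | python3 acl_audit.py` after replacing SAMPLE with sys.stdin.read(); the -p flag keeps absolute paths in the findings. Note that john's rwx on report.txt is reported as rw- because the mask removes execute, while the default ACL on the directory grants him full rwx on anything created inside it regardless of the creating process's umask.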

HISTORY

The concept of Access Control Lists (ACLs) on Unix-like systems gained prominence with the POSIX.1e draft standard, which aimed to provide a more granular permission model than the traditional owner/group/other permissions. Although POSIX.1e itself was never finalized, its influence led to the adoption of ACL implementations in various Unix and Linux distributions. The getfacl command, along with its counterpart setfacl, is part of the `acl` package, which provides utilities for managing these extended ACLs on Linux. This development addressed the growing need for finer-grained access control in server environments and shared storage systems, allowing administrators to specify permissions for multiple users and groups on a single file or directory, significantly enhancing security and flexibility beyond the UGO (User, Group, Other) model.

SEE ALSO

setfacl(1), chacl(1), chmod(1), chown(1), ls(1), stat(1), acl(5)
