getfacl

Display the file access control list

$ getfacl [path/to/file_or_directory]

$ getfacl [[-n|--numeric]] [path/to/file_or_directory]

$ getfacl [[-t|--tabular]] [path/to/file_or_directory]

getfacl [-aceEvnPtpnd] file ...

-a
    Display the access ACL only.

-d
    Display the default ACL only.

-c
    Display the access ACL and default ACL. (same as -ad)

-e
    Escape white spaces by a backslash.

-E
    Escape white spaces, '#' and ':' by a backslash.

-v
    Display the ACL version.

-n
    Display the numeric user and group IDs.

-p
    Display the permission bits.

-t
    Display the ACL in parsable format.

-P
    Do not follow symlinks.

-n
    Show numeric IDs.

--version
    Display version and exit.

--help
    Display this help and exit.

file ...
    The file(s) or directory(ies) for which to display the ACL.

The getfacl command displays the Access Control Lists (ACLs) associated with files and directories in Linux systems. ACLs provide a more granular permission control than the standard UNIX permission system (owner, group, others). They allow specifying permissions for specific users or groups beyond the file's owner and group. getfacl retrieves and displays this information in a human-readable format, showing who has what permissions (read, write, execute) on a particular file or directory.

This tool is crucial for understanding and managing access rights in environments requiring fine-grained security policies. getfacl reads the ACL entries and outputs them.

ACL entries define access rights for the file owner, the owning group, other users, named users, and named groups.

Modifying ACLs with setfacl requires appropriate privileges (usually root or file ownership). Be careful when setting default ACLs on directories, as they will affect the permissions of new files and subdirectories created within them.

The output of getfacl shows the file name, owner, group, and then a list of ACL entries. Each entry specifies the type (user, group, mask, other), the user/group ID (if applicable), and the permissions (rwx). The 'mask' entry defines the maximum permissions allowed to named users and groups.

The permissions are represented as 'r' (read), 'w' (write), and 'x' (execute). A hyphen '-' indicates that the permission is not granted. For example, 'r--' means read permission only. On directories, execute ('x') permission allows traversing into the directory.

getfacl and setfacl were introduced to Linux as part of the ACL support implementation. They were designed to provide a more flexible and powerful permission management system than the traditional UNIX permissions model. Their inclusion has enabled finer-grained access control policies in various applications and system configurations.

setfacl(1), chmod(1), chown(1)