setfacl
Set file access control lists
TLDR
Modify ACL of a file for user with read and write access
Modify default ACL of a file for all users
Remove ACL of a file for a user
Remove all ACL entries of a file
SYNOPSIS
setfacl [-bkndRLP] { -m|-x acl_entries } file ...
setfacl [-bkndRLP] { -M|-X acl_file } file ...
setfacl [-bkndRLP] -s acl_entries file ...
setfacl [-bkndRLP] -b file ...
setfacl [-bkndRLP] -k file ...
PARAMETERS
-m, --modify
Modify the ACL of one or more files. ACL entries are specified as type:name:permissions.
-x, --remove
Remove the specified ACL entries from one or more files. ACL entries are specified as type:name.
-b, --remove-all
Remove all extended ACL entries. Only the base owner, group, and others permissions remain.
-k, --remove-default
Remove the default ACL from a directory, if it exists.
-M, --file=-
Read ACL entries to modify from a specified file or standard input (if '-' is used).
-X, --file=-
Read ACL entries to remove from a specified file or standard input (if '-' is used).
-s, --set
Set the ACL of one or more files, completely replacing any existing ACL entries with the new ones provided.
-d, --default
Apply operations to the default ACL of a directory. New files/subdirectories inherit these.
-R, --recursive
Apply operations recursively to files and subdirectories within a given path.
-n, --no-mask
Do not recalculate the effective rights mask. Use with caution as it can lead to unexpected permissions.
-P, --physical
Operate on the physical files/directories rather than following symbolic links.
--test
Test mode. Show what would be done without actually modifying ACLs.
--help
Display help information for the command.
DESCRIPTION
setfacl allows users to set, modify, or remove Access Control Lists (ACLs) for files and directories. ACLs provide a more granular permission system than traditional Unix permissions (owner, group, others), enabling specific permissions for multiple individual users or groups on a single file or directory. This command is part of the acl package, which extends the standard Unix permission model. It's commonly used to manage shared resources where complex permission requirements exist, allowing fine-grained control over access rights beyond the basic owner/group/other triplet. setfacl can be used to add new ACL entries, modify existing ones, or remove them entirely, including default ACLs for directories.
CAVEATS
Filesystem support: ACLs must be enabled and mounted with the acl option on the filesystem (e.g., ext2/3/4, XFS, Btrfs).
Interaction with traditional permissions: The ACL mask entry limits the effective permissions of all named user entries, named group entries, and the owning group entry, ensuring they do not exceed what is allowed by the traditional group permission bits (which map onto the mask when an ACL is present).
Default ACLs: Only apply to directories and affect newly created files/subdirectories within them, not existing ones.
ACL ENTRY FORMAT
ACL entries are typically specified in the format: type:name:permissions.
Types include: u for a named user, g for a named group, o for others, and m for the ACL mask entry.
name is a username or group name (or their numerical IDs).
permissions are specified using r (read), w (write), x (execute), or their octal equivalents (e.g., 7 for rwx).
ACL MASK ENTRY
The ACL mask entry is crucial. It defines the maximum effective permissions for all named user entries, named group entries, and the owning group entry. When an ACL is modified, setfacl typically adjusts the mask automatically unless the -n (--no-mask) option is used. The effective permissions for any of these entries will be the intersection of their specified permissions and the mask permissions.
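The entry format and the mask rule above, worked through in code. This is an added example, not part of the original page or the acl package: it parses type:name:permissions entries (owner and owning group written with an empty name, as u:: and g::, the way getfacl prints them) and computes effective rights, with no_mask=True standing in for -n. The fallback to a recalculated mask when -n is given without an m:: entry is this example's own simplification.

```python
from typing import Dict, List, Tuple

PERM_BITS = {"r": 4, "w": 2, "x": 1}
TYPE_ALIASES = {"user": "u", "group": "g", "other": "o", "mask": "m"}


def parse_perms(spec: str) -> int:
    """Accept letter form ('rw-', 'rx', '-') or a single octal digit ('6')."""
    if spec.isdigit():
        if len(spec) != 1 or int(spec) > 7:
            raise ValueError(f"octal permission must be 0-7: {spec!r}")
        return int(spec)
    bits = 0
    for ch in spec:
        if ch != "-":
            if ch not in PERM_BITS:
                raise ValueError(f"bad permission character {ch!r} in {spec!r}")
            bits |= PERM_BITS[ch]
    return bits


def perms_to_str(bits: int) -> str:
    return "".join(c if bits & b else "-" for c, b in PERM_BITS.items())


def parse_entry(entry: str) -> Tuple[str, str, int]:
    """'u:alice:rw' -> ('u', 'alice', 6); 'g::r-x' -> ('g', '', 5)."""
    parts = entry.split(":")
    if len(parts) != 3:
        raise ValueError(f"expected type:name:permissions, got {entry!r}")
    typ, name, perms = parts
    typ = TYPE_ALIASES.get(typ, typ)
    if len(typ) != 1 or typ not in "ugom":
        raise ValueError(f"unknown ACL entry type {typ!r}")
    if typ in "om" and name:
        raise ValueError(f"'{typ}' entries carry no name")
    return typ, name, parse_perms(perms)


def effective_permissions(entries: List[str], no_mask: bool = False) -> Dict[Tuple[str, str], str]:
    """Named users, named groups and the owning group get (perms & mask); owner
    and others are untouched. Default: mask recalculated as the union of the
    entries it covers. no_mask=True (like -n): keep the explicit m:: entry."""
    parsed = [parse_entry(e) for e in entries]
    explicit_mask = next((p for t, n, p in parsed if t == "m"), None)
    union = 0
    for t, n, p in parsed:
        if t == "g" or (t == "u" and n):
            union |= p
    mask = explicit_mask if (no_mask and explicit_mask is not None) else union
    result = {}
    for t, n, p in parsed:
        if t != "m":  # mask is reported separately below
            result[(t, n)] = perms_to_str(p & mask if t == "g" or (t == "u" and n) else p)
    result[("m", "")] = perms_to_str(mask)
    return result
```

With the mask kept at r-- (as -n would), a named user granted rw ends up with only r--; with the mask recalculated, the same entry is effective in full, which is why -n is the option to check first when an ACL grant "does not work".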
HISTORY
Access Control Lists (ACLs) were formalized in drafts of the POSIX.1e standard in the 1990s, aiming to extend traditional Unix permissions. Linux adopted these ACLs, with stable support integrated into the kernel around version 2.6. setfacl and getfacl became the standard utilities for managing these extended file attributes on Linux systems.