{ "mode": "man", "parameter": "acl", "section": "5", "url": "https://www.chedong.com/phpMan.php/man/acl/5/json", "generated": "2026-06-02T17:54:23Z", "sections": { "NAME": { "content": "acl — Access Control Lists\n", "subsections": [] }, "DESCRIPTION": { "content": "This manual page describes POSIX Access Control Lists, which are used to define more fine-\ngrained discretionary access rights for files and directories.\n", "subsections": [] }, "ACL TYPES": { "content": "Every object can be thought of as having associated with it an ACL that governs the discre‐\ntionary access to that object; this ACL is referred to as an access ACL. In addition, a direc‐\ntory may have an associated ACL that governs the initial access ACL for objects created within\nthat directory; this ACL is referred to as a default ACL.\n", "subsections": [] }, "ACL ENTRIES": { "content": "An ACL consists of a set of ACL entries. An ACL entry specifies the access permissions on the\nassociated object for an individual user or a group of users as a combination of read, write\nand search/execute permissions.\n\nAn ACL entry contains an entry tag type, an optional entry tag qualifier, and a set of permis‐\nsions. We use the term qualifier to denote the entry tag qualifier of an ACL entry.\n\nThe qualifier denotes the identifier of a user or a group, for entries with tag types of\nACLUSER or ACLGROUP, respectively. Entries with tag types other than ACLUSER or ACLGROUP\nhave no defined qualifiers.\n\nThe following entry tag types are defined:\n\nACLUSEROBJ The ACLUSEROBJ entry denotes access rights for the file owner.\n\nACLUSER ACLUSER entries denote access rights for users identified by the entry's\nqualifier.\n\nACLGROUPOBJ The ACLGROUPOBJ entry denotes access rights for the file group.\n\nACLGROUP ACLGROUP entries denote access rights for groups identified by the en‐\ntry's qualifier.\n\nACLMASK The ACLMASK entry denotes the maximum access rights that can be granted\nby entries of type ACLUSER, ACLGROUPOBJ, or ACLGROUP.\n\nACLOTHER The ACLOTHER entry denotes access rights for processes that do not match\nany other entry in the ACL.\n\nWhen an access check is performed, the ACLUSEROBJ and ACLUSER entries are tested against the\neffective user ID. The effective group ID, as well as all supplementary group IDs are tested\nagainst the ACLGROUPOBJ and ACLGROUP entries.\n", "subsections": [ { "name": "VALID ACLs", "content": "A valid ACL contains exactly one entry with each of the ACLUSEROBJ, ACLGROUPOBJ, and\nACLOTHER tag types. Entries with ACLUSER and ACLGROUP tag types may appear zero or more\ntimes in an ACL. An ACL that contains entries of ACLUSER or ACLGROUP tag types must contain\nexactly one entry of the ACLMASK tag type. If an ACL contains no entries of ACLUSER or\nACLGROUP tag types, the ACLMASK entry is optional.\n\nAll user ID qualifiers must be unique among all entries of ACLUSER tag type, and all group IDs\nmust be unique among all entries of ACLGROUP tag type.\n\nThe aclgetfile() function returns an ACL with zero ACL entries as the default ACL of a di‐\nrectory, if the directory is not associated with a default ACL. The aclsetfile() function\nalso accepts an ACL with zero ACL entries as a valid default ACL for directories, denoting that\nthe directory shall not be associated with a default ACL. This is equivalent to using the\nacldeletedeffile() function.\n" }, { "name": "CORRESPONDENCE BETWEEN ACL ENTRIES AND FILE PERMISSION BITS", "content": "The permissions defined by ACLs are a superset of the permissions specified by the file permis‐\nsion bits.\n\nThere is a correspondence between the file owner, group, and other permissions and specific ACL\nentries: the owner permissions correspond to the permissions of the ACLUSEROBJ entry. If the\nACL has an ACLMASK entry, the group permissions correspond to the permissions of the ACLMASK\nentry. Otherwise, if the ACL has no ACLMASK entry, the group permissions correspond to the\npermissions of the ACLGROUPOBJ entry. The other permissions correspond to the permissions of\nthe ACLOTHER entry.\n\nThe file owner, group, and other permissions always match the permissions of the corresponding\nACL entry. Modification of the file permission bits results in the modification of the associ‐\nated ACL entries, and modification of these ACL entries results in the modification of the file\npermission bits.\n" }, { "name": "OBJECT CREATION AND DEFAULT ACLs", "content": "The access ACL of a file object is initialized when the object is created with any of the\ncreat(), mkdir(), mknod(), mkfifo(), or open() functions. If a default ACL is associated with a\ndirectory, the mode parameter to the functions creating file objects and the default ACL of the\ndirectory are used to determine the ACL of the new object:\n\n1. The new object inherits the default ACL of the containing directory as its access ACL.\n\n2. The access ACL entries corresponding to the file permission bits are modified so that they\ncontain no permissions that are not contained in the permissions specified by the mode pa‐\nrameter.\n\nIf no default ACL is associated with a directory, the mode parameter to the functions creating\nfile objects and the file creation mask (see umask(2)) are used to determine the ACL of the new\nobject:\n\n1. The new object is assigned an access ACL containing entries of tag types ACLUSEROBJ,\nACLGROUPOBJ, and ACLOTHER. The permissions of these entries are set to the permissions\nspecified by the file creation mask.\n\n2. The access ACL entries corresponding to the file permission bits are modified so that they\ncontain no permissions that are not contained in the permissions specified by the mode pa‐\nrameter.\n" } ] }, "ACCESS CHECK ALGORITHM": { "content": "A process may request read, write, or execute/search access to a file object protected by an\nACL. The access check algorithm determines whether access to the object will be granted.\n\n1. If the effective user ID of the process matches the user ID of the file object owner, then\n\nif the ACLUSEROBJ entry contains the requested permissions, access is granted,\n\nelse access is denied.\n\n2. else if the effective user ID of the process matches the qualifier of any entry of type\nACLUSER, then\n\nif the matching ACLUSER entry and the ACLMASK entry contain the requested permis‐\nsions, access is granted,\n\nelse access is denied.\n\n3. else if the effective group ID or any of the supplementary group IDs of the process match\nthe file group or the qualifier of any entry of type ACLGROUP, then\n\nif the ACL contains an ACLMASK entry, then\n\nif the ACLMASK entry and any of the matching ACLGROUPOBJ or ACLGROUP en‐\ntries contain the requested permissions, access is granted,\n\nelse access is denied.\n\nelse (note that there can be no ACLGROUP entries without an ACLMASK entry)\n\nif the ACLGROUPOBJ entry contains the requested permissions, access is\ngranted,\n\nelse access is denied.\n\n4. else if the ACLOTHER entry contains the requested permissions, access is granted.\n\n5. else access is denied.\n", "subsections": [] }, "ACL TEXT FORMS": { "content": "A long and a short text form for representing ACLs is defined. In both forms, ACL entries are\nrepresented as three colon separated fields: an ACL entry tag type, an ACL entry qualifier, and\nthe discretionary access permissions. The first field contains one of the following entry tag\ntype keywords:\n\nuser A user ACL entry specifies the access granted to either the file owner (entry tag\ntype ACLUSEROBJ) or a specified user (entry tag type ACLUSER).\n\ngroup A group ACL entry specifies the access granted to either the file group (entry\ntag type ACLGROUPOBJ) or a specified group (entry tag type ACLGROUP).\n\nmask A mask ACL entry specifies the maximum access which can be granted by any ACL en‐\ntry except the user entry for the file owner and the other entry (entry tag type\nACLMASK).\n\nother An other ACL entry specifies the access granted to any process that does not\nmatch any user or group ACL entries (entry tag type ACLOTHER).\n\nThe second field contains the user or group identifier of the user or group associated with the\nACL entry for entries of entry tag type ACLUSER or ACLGROUP, and is empty for all other en‐\ntries. A user identifier can be a user name or a user ID number in decimal form. A group iden‐\ntifier can be a group name or a group ID number in decimal form.\n\nThe third field contains the discretionary access permissions. The read, write and search/exe‐\ncute permissions are represented by the r, w, and x characters, in this order. Each of these\ncharacters is replaced by the - character to denote that a permission is absent in the ACL en‐\ntry. When converting from the text form to the internal representation, permissions that are\nabsent need not be specified.\n\nWhite space is permitted at the beginning and end of each ACL entry, and immediately before and\nafter a field separator (the colon character).\n\nLONG TEXT FORM\nThe long text form contains one ACL entry per line. In addition, a number sign (#) may start a\ncomment that extends until the end of the line. If an ACLUSER, ACLGROUPOBJ or ACLGROUP ACL\nentry contains permissions that are not also contained in the ACLMASK entry, the entry is fol‐\nlowed by a number sign, the string “effective:”, and the effective access permissions defined\nby that entry. This is an example of the long text form:\n\nuser::rw-\nuser:lisa:rw- #effective:r--\ngroup::r--\ngroup:toolies:rw- #effective:r--\nmask::r--\nother::r--\n\nSHORT TEXT FORM\nThe short text form is a sequence of ACL entries separated by commas, and is used for input.\nComments are not supported. Entry tag type keywords may either appear in their full unabbrevi‐\nated form, or in their single letter abbreviated form. The abbreviation for user is u, the ab‐\nbreviation for group is g, the abbreviation for mask is m, and the abbreviation for other is o.\nThe permissions may contain at most one each of the following characters in any order: r, w, x.\nThese are examples of the short text form:\n\nu::rw-,u:lisa:rw-,g::r--,g:toolies:rw-,m::r--,o::r--\ng:toolies:rw,u:lisa:rw,u::wr,g::r,o::r,m::r\n", "subsections": [] }, "RATIONALE": { "content": "IEEE 1003.1e draft 17 defines Access Control Lists that include entries of tag type ACLMASK,\nand defines a mapping between file permission bits that is not constant. The standard working\ngroup defined this relatively complex interface in order to ensure that applications that are\ncompliant with IEEE 1003.1 (“POSIX.1”) will still function as expected on systems with ACLs.\nThe IEEE 1003.1e draft 17 contains the rationale for choosing this interface in section B.23.\n", "subsections": [] }, "CHANGES TO THE FILE UTILITIES": { "content": "On a system that supports ACLs, the file utilities ls(1), cp(1), and mv(1) change their behav‐\nior in the following way:\n\n•• For files that have a default ACL or an access ACL that contains more than the three re‐\nquired ACL entries, the ls(1) utility in the long form produced by ls -l displays a plus\nsign (+) after the permission string.\n\n•• If the -p flag is specified, the cp(1) utility also preserves ACLs. If this is not possi‐\nble, a warning is produced.\n\n•• The mv(1) utility always preserves ACLs. If this is not possible, a warning is produced.\n\nThe effect of the chmod(1) utility, and of the chmod(2) system call, on the access ACL is de‐\nscribed in CORRESPONDENCE BETWEEN ACL ENTRIES AND FILE PERMISSION BITS.\n", "subsections": [] }, "STANDARDS": { "content": "The IEEE 1003.1e draft 17 (“POSIX.1e”) document describes several security extensions to the\nIEEE 1003.1 standard. While the work on 1003.1e has been abandoned, many UNIX style systems im‐\nplement parts of POSIX.1e draft 17, or of earlier drafts.\n\nLinux Access Control Lists implement the full set of functions and utilities defined for Access\nControl Lists in POSIX.1e, and several extensions. The implementation is fully compliant with\nPOSIX.1e draft 17; extensions are marked as such. The Access Control List manipulation func‐\ntions are defined in the ACL library (libacl, -lacl). The POSIX compliant interfaces are de‐\nclared in the header. Linux-specific extensions to these functions are declared in\nthe header.\n", "subsections": [] }, "SEE ALSO": { "content": "chmod(1), creat(2), getfacl(1), ls(1), mkdir(2), mkfifo(2), mknod(2), mount(8), open(2),\nsetfacl(1), stat(2), umask(1)\n", "subsections": [ { "name": "POSIX 1003.1e DRAFT 17", "content": "http://wt.tuxomania.net/publications/posix.1e/download.html\n" }, { "name": "POSIX 1003.1e FUNCTIONS BY CATEGORY", "content": "" }, { "name": "ACL storage management", "content": "acldup(3), aclfree(3), aclinit(3)\n" }, { "name": "ACL entry manipulation", "content": "aclcopyentry(3), aclcreateentry(3), acldeleteentry(3), aclgetentry(3),\naclvalid(3)\n\nacladdperm(3), aclcalcmask(3), aclclearperms(3), acldeleteperm(3),\naclgetpermset(3), aclsetpermset(3)\n\naclgetqualifier(3), aclgettagtype(3), aclsetqualifier(3), aclsettagtype(3)\n" }, { "name": "ACL manipulation on an object", "content": "acldeletedeffile(3), aclgetfd(3), aclgetfile(3), aclsetfd(3), aclsetfile(3)\n" }, { "name": "ACL format translation", "content": "aclcopyentry(3), aclcopyext(3), aclfromtext(3), acltotext(3), aclsize(3)\n" }, { "name": "POSIX 1003.1e FUNCTIONS BY AVAILABILITY", "content": "The first group of functions is supported on most systems with POSIX-like access control lists,\nwhile the second group is supported on fewer systems. For applications that will be ported the\nsecond group is best avoided.\n\nacldeletedeffile(3), acldup(3), aclfree(3), aclfromtext(3), aclgetfd(3),\naclgetfile(3), aclinit(3), aclsetfd(3), aclsetfile(3), acltotext(3), aclvalid(3)\n\nacladdperm(3), aclcalcmask(3), aclclearperms(3), aclcopyentry(3), aclcopyext(3),\naclcopyint(3), aclcreateentry(3), acldeleteentry(3), acldeleteperm(3),\naclgetentry(3), aclgetpermset(3), aclgetqualifier(3), aclgettagtype(3),\naclsetpermset(3), aclsetqualifier(3), aclsettagtype(3), aclsize(3)\n\nLINUX EXTENSIONS\nThese non-portable extensions are available on Linux systems.\n\naclcheck(3), aclcmp(3), aclentries(3), aclequivmode(3), aclerror(3), aclextendedfd(3),\naclextendedfile(3), aclextendedfilenofollow(3), aclfrommode(3), aclgetperm(3),\nacltoanytext(3)\n" } ] }, "AUTHOR": { "content": "Andreas Gruenbacher, \n", "subsections": [] }, "Linux ACL March 23, 2002 Linux ACL": { "content": "", "subsections": [] } }, "summary": "acl — Access Control Lists", "flags": [], "examples": [], "see_also": [ { "name": "chmod", "section": "1", "url": "https://www.chedong.com/phpMan.php/man/chmod/1/json" }, { "name": "creat", "section": "2", "url": "https://www.chedong.com/phpMan.php/man/creat/2/json" }, { "name": "getfacl", "section": "1", "url": "https://www.chedong.com/phpMan.php/man/getfacl/1/json" }, { "name": "ls", "section": "1", "url": "https://www.chedong.com/phpMan.php/man/ls/1/json" }, { "name": "mkdir", "section": "2", "url": "https://www.chedong.com/phpMan.php/man/mkdir/2/json" }, { "name": "mkfifo", "section": "2", "url": "https://www.chedong.com/phpMan.php/man/mkfifo/2/json" }, { "name": "mknod", "section": "2", "url": "https://www.chedong.com/phpMan.php/man/mknod/2/json" }, { "name": "mount", "section": "8", "url": "https://www.chedong.com/phpMan.php/man/mount/8/json" }, { "name": "open", "section": "2", "url": "https://www.chedong.com/phpMan.php/man/open/2/json" }, { "name": "setfacl", "section": "1", "url": "https://www.chedong.com/phpMan.php/man/setfacl/1/json" }, { "name": "stat", "section": "2", "url": "https://www.chedong.com/phpMan.php/man/stat/2/json" }, { "name": "umask", "section": "1", "url": "https://www.chedong.com/phpMan.php/man/umask/1/json" }, { "name": "acldup", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/acldup/3/json" }, { "name": "aclfree", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/aclfree/3/json" }, { "name": "aclinit", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/aclinit/3/json" }, { "name": "aclcopyentry", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/aclcopyentry/3/json" }, { "name": "aclcreateentry", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/aclcreateentry/3/json" }, { "name": "acldeleteentry", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/acldeleteentry/3/json" }, { "name": "aclgetentry", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/aclgetentry/3/json" }, { "name": "aclvalid", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/aclvalid/3/json" }, { "name": "acladdperm", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/acladdperm/3/json" }, { "name": "aclcalcmask", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/aclcalcmask/3/json" }, { "name": "aclclearperms", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/aclclearperms/3/json" }, { "name": "acldeleteperm", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/acldeleteperm/3/json" }, { "name": "aclgetpermset", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/aclgetpermset/3/json" }, { "name": "aclsetpermset", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/aclsetpermset/3/json" }, { "name": "aclgetqualifier", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/aclgetqualifier/3/json" }, { "name": "aclgettagtype", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/aclgettagtype/3/json" }, { "name": "aclsetqualifier", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/aclsetqualifier/3/json" }, { "name": "aclsettagtype", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/aclsettagtype/3/json" }, { "name": "acldeletedeffile", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/acldeletedeffile/3/json" }, { "name": "aclgetfd", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/aclgetfd/3/json" }, { "name": "aclgetfile", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/aclgetfile/3/json" }, { "name": "aclsetfd", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/aclsetfd/3/json" }, { "name": "aclsetfile", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/aclsetfile/3/json" }, { "name": "aclcopyentry", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/aclcopyentry/3/json" }, { "name": "aclcopyext", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/aclcopyext/3/json" }, { "name": "aclfromtext", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/aclfromtext/3/json" }, { "name": "acltotext", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/acltotext/3/json" }, { "name": "aclsize", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/aclsize/3/json" }, { "name": "acldeletedeffile", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/acldeletedeffile/3/json" }, { "name": "acldup", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/acldup/3/json" }, { "name": "aclfree", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/aclfree/3/json" }, { "name": "aclfromtext", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/aclfromtext/3/json" }, { "name": "aclgetfd", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/aclgetfd/3/json" }, { "name": "aclgetfile", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/aclgetfile/3/json" }, { "name": "aclinit", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/aclinit/3/json" }, { "name": "aclsetfd", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/aclsetfd/3/json" }, { "name": "aclsetfile", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/aclsetfile/3/json" }, { "name": "acltotext", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/acltotext/3/json" }, { "name": "aclvalid", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/aclvalid/3/json" }, { "name": "acladdperm", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/acladdperm/3/json" }, { "name": "aclcalcmask", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/aclcalcmask/3/json" }, { "name": "aclclearperms", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/aclclearperms/3/json" }, { "name": "aclcopyentry", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/aclcopyentry/3/json" }, { "name": "aclcopyext", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/aclcopyext/3/json" }, { "name": "aclcopyint", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/aclcopyint/3/json" }, { "name": "aclcreateentry", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/aclcreateentry/3/json" }, { "name": "acldeleteentry", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/acldeleteentry/3/json" }, { "name": "acldeleteperm", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/acldeleteperm/3/json" }, { "name": "aclgetentry", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/aclgetentry/3/json" }, { "name": "aclgetpermset", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/aclgetpermset/3/json" }, { "name": "aclgetqualifier", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/aclgetqualifier/3/json" }, { "name": "aclgettagtype", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/aclgettagtype/3/json" }, { "name": "aclsetpermset", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/aclsetpermset/3/json" }, { "name": "aclsetqualifier", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/aclsetqualifier/3/json" }, { "name": "aclsettagtype", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/aclsettagtype/3/json" }, { "name": "aclsize", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/aclsize/3/json" }, { "name": "aclcheck", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/aclcheck/3/json" }, { "name": "aclcmp", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/aclcmp/3/json" }, { "name": "aclentries", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/aclentries/3/json" }, { "name": "aclequivmode", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/aclequivmode/3/json" }, { "name": "aclerror", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/aclerror/3/json" }, { "name": "aclextendedfd", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/aclextendedfd/3/json" }, { "name": "aclextendedfile", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/aclextendedfile/3/json" }, { "name": "aclextendedfilenofollow", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/aclextendedfilenofollow/3/json" }, { "name": "aclfrommode", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/aclfrommode/3/json" }, { "name": "aclgetperm", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/aclgetperm/3/json" }, { "name": "acltoanytext", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/acltoanytext/3/json" } ], "tldr": { "source": "cheatsh", "description": "", "examples": [ { "description": "Get ACL", "command": "getfacl <file>" }, { "description": "Add or modify ACL on file", "command": "setfacl -m u:username:rX <file>" }, { "description": "or provide all permissions at once", "command": "setfacl -m u::rwx,g:groupname:rX,o::- <file>" }, { "description": "Copy ACL from file-A to file-B", "command": "getfacl file-A | setfacl -M - file-B" }, { "description": "Apply ACL recursivelly to directory", "command": "setfacl -R -m u:username:rX <directory>" }, { "description": "Delete ACL", "command": "setfacl -x u:username,g:groupname <file>" }, { "description": "Delete all ACL on file, including default", "command": "setfacl -b <file>" }, { "description": "Same operations works for default ACLs", "command": "setfacl -m d:u:username:rx <directory>" }, { "description": "Delete only default ACLs", "command": "setfacl -k <directory>" } ] } }