getfacl is a command-line utility on Unix-like operating systems, including Linux, that displays the Access Control Lists (ACLs) attached to files and directories. ACLs extend the traditional Unix permission model (owner, group, others) by letting you grant permissions to additional named users and named groups on the same file or directory, beyond the file's owner and owning group.
Basic Syntax:
getfacl [options] <file-or-directory>
Key Features:
- View ACLs: getfacl shows the ACL entries for the specified file or directory, including the standard owner, group, and others permissions as well as any extended entries (named users, named groups, the mask, and default entries on directories).
- Recursive Listing: the -R option recursively lists the ACLs of every file and subdirectory under a directory.
Example Usage:
- Basic ACL Display:
getfacl myfile.txt
This command shows the ACL for myfile.txt.
Example output:
# file: myfile.txt
# owner: user1
# group: group1
user::rw-
user:user2:r--
group::r--
mask::r--
other::---
- user::rw-: The owner (user1) has read and write permissions.
- user:user2:r--: The named user user2 has read-only permissions.
- group::r--: The owning group (group1) has read-only permissions.
- mask::r--: The upper bound on the permissions that named users, named groups, and the owning group can actually exercise. The mask does not limit the owner or "other". If an entry grants more than the mask allows, getfacl appends an #effective: comment to that entry showing the permissions that actually apply.
- other::---: All other users have no permissions.
- Viewing ACLs for a Directory:
getfacl /path/to/directory
Displays the ACLs for the specified directory.
- Recursively Displaying ACLs:
getfacl -R /path/to/directory
Recursively lists the ACLs for all files and directories within the specified directory.
Understanding the Output:
- # file: The file or directory for which the ACLs are being displayed.
- # owner: The owner of the file or directory.
- # group: The group associated with the file or directory.
- user:: / user:<name>:: The owner's permissions (empty qualifier) and the permissions of each additional named user.
- group:: / group:<name>:: The owning group's permissions (empty qualifier) and the permissions of each additional named group.
- mask:: The maximum effective permissions for named users, named groups, and the owning group. setfacl recalculates it when you modify those entries with -m unless you pass -n (--no-mask) or set the mask explicitly; entries that exceed the mask are shown with an #effective: comment.
- other:: Permissions for everyone not matched by any user or group entry.
Example Scenario:
Imagine you have a file report.txt owned by user1, and you want to give read-only access to user2 and read/write access to user3. After setting these ACLs with the setfacl command, you can verify them with getfacl:
- Set the ACLs:
setfacl -m u:user2:r--,u:user3:rw- report.txt
- Check the ACLs:
getfacl report.txt
Example output:
# file: report.txt
# owner: user1
# group: group1
user::rw-
user:user2:r--
user:user3:rw-
group::r--
mask::rw-
other::---
This output confirms that user2 has read-only access and user3 has read/write access to report.txt. Note that setfacl recalculated the mask to rw- so that user3's write bit is effective; had the mask remained r--, getfacl would have listed user:user3:rw- with an #effective:r-- comment and user3 could not actually write the file.
Recursive ACL Display:
If you want to view the ACLs for all files in a directory and its subdirectories:
getfacl -R /path/to/directory
Add -p (--absolute-names) to keep the leading slash in the "# file:" lines; without it getfacl strips the slash, which matters if you intend to save the output and replay it later with setfacl --restore.
Practical Uses:
- Fine-Grained Permissions: ACLs are useful when you need to provide specific users or groups with different permissions on the same file or directory, beyond the traditional owner/group/others model.
- Compliance and Security Audits: getfacl helps in auditing and verifying that files and directories have the correct permissions set, especially in environments with strict security requirements. Plain ls -l only hints at extended ACLs with a "+" after the mode bits; getfacl is what shows who those entries actually grant access to.
Integration with Other Commands:
- setfacl: Used in conjunction with getfacl, the setfacl command sets or modifies the ACLs on files and directories. Output saved from getfacl can be replayed with setfacl --restore, which makes the pair a simple way to back up and restore ACLs.
- Scripting: getfacl can be used in scripts to automate the auditing of ACLs across many files and directories.
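The mask rule described under "Understanding the Output" is the part of an ACL audit that is easiest to get wrong, so the following added example (written for this page; not code from the getfacl or acl project) shows a POSIX shell function that parses getfacl output on stdin, computes the effective permission of every entry, and reports both entries that the mask cuts down and any entry other than the owner whose effective permissions include write. The sample_acl function returns constructed text in getfacl's output format; it is not captured from a real system.

```shell
#!/bin/sh
# Added example (not part of the original page): audit getfacl(1) output.
# acl_audit reads getfacl output on stdin and, for every file block, reports
#   - entries whose granted permissions are cut down by the mask, and
#   - every entry other than the owner whose effective permissions include write.
# Owner and "other" are never limited by the mask; named users, named groups
# and the owning group are ANDed with it, which is how the kernel applies it.
# Usage on a real tree:  getfacl -R -p /srv/data | acl_audit
acl_audit() {
    awk '
    # and3("rw-", "r--") -> "r--": bitwise AND of two rwx strings
    function and3(a, b,    i, out, ca, cb) {
        out = ""
        for (i = 1; i <= 3; i++) {
            ca = substr(a, i, 1); cb = substr(b, i, 1)
            out = out ((ca == cb && ca != "-") ? ca : "-")
        }
        return out
    }
    # Emit findings for the buffered file block, then reset the buffer.
    function flush(    i, f, tag, who, perm, eff) {
        for (i = 1; i <= n; i++) {
            split(ent[i], f, ":")           # f[1]=tag  f[2]=qualifier  f[3]=perms
            tag = f[1]; who = f[2]; perm = f[3]
            eff = perm
            if (mask != "" && (tag == "group" || (tag == "user" && who != "")))
                eff = and3(perm, mask)
            if (eff != perm)
                printf "%s: %s:%s:%s limited by mask to %s\n", file, tag, who, perm, eff
            if (index(eff, "w") && !(tag == "user" && who == ""))
                printf "%s: write granted by %s:%s:%s (effective %s)\n", file, tag, who, perm, eff
        }
        n = 0; mask = ""
    }
    /^# file: / { flush(); file = substr($0, 9); next }
    /^$/        { flush(); next }
    /^#/        { next }                    # "# owner:", "# group:", "# flags:" comments
    /^default:/ { next }                    # default entries are inheritance templates, not access rights
    $1 ~ /^mask::/ { split($1, m, ":"); mask = m[3]; next }
    { ent[++n] = $1 }                       # $1 drops any trailing "#effective:..." comment
    END { flush() }
    '
}

# Constructed sample in getfacl output format (not captured from a real system).
# The second file has a mask of r-- that overrides two write/execute grants,
# while its other:: entry keeps write because the mask never applies to "other".
sample_acl() {
    cat <<'EOF'
# file: report.txt
# owner: user1
# group: group1
user::rw-
user:user2:r--
user:user3:rw-
group::r--
mask::rw-
other::---

# file: shared/notes.txt
# owner: user1
# group: group1
user::rw-
user:user2:rw-          #effective:r--
group::r--
group:audit:r-x         #effective:r--
mask::r--
other::rw-
EOF
}

sample_acl | acl_audit
```

Run against a real tree with getfacl -R -p /path | acl_audit; the -p keeps absolute paths in the "# file:" lines so the findings name the exact file. The function deliberately ignores default: entries, which only seed the ACLs of newly created files and grant nothing by themselves.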
getfacl, together with setfacl, gives you fine-grained control over file and directory permissions in Unix-like systems beyond what traditional Unix permissions provide, and it is the tool to reach for whenever you need to verify exactly who can access a file.