1. Introduction

File and directory sharing is critical in most Linux environments. While standard file permissions (read, write, execute) for the owner, group, and others offer a basic level of control, they can sometimes feel restrictive. For instance, we cannot assign different permissions to individual users within a group.

Therefore, Access Control Lists (ACLs) were introduced to overcome such limitations. ACLs are an advanced file permissions system that provides more granular control to manage files and directories.

In this tutorial, we’ll be focusing on how to view ACL permissions using the getfacl command. Initially, we discuss the basics of the getfacl command. Later, we explore its various options.

2. Basic Usage of the getfacl Command

To begin with, let’s understand the basic syntax of the getfacl command:

$ getfacl [options] file_name

The getfacl command supports many [options]. Naturally, the file_name in the above command refers to the name of the file or directory for which we want to view the ACL permissions.

For example, we might be interested in checking the ACL permissions for a file named file1.txt using the getfacl command:

$ getfacl file1.txt
# owner: baeldung
# group: baeldung
user::rw-
group::rw-
other::r--

Now, let’s understand the output:

  • # owner indicates that the owner of the file is baeldung
  • # group suggests that the group owner of the file is baeldung
  • user::rw- signifies that the file owner (baeldung) has read and write permissions
  • group::rw- denotes the group owner (baeldung) has read and write permissions
  • other::r-- means that everyone else has only read permissions

The last three lines of the output show the ACL entries for file1.txt.

3. Additional Options

The getfacl command has various options to further customize its behavior and enhance functionality.

3.1. Displaying ACL Entries Only

When we want to display the ACL information without the header details, we can use the -c option. The -c flag is especially helpful when working with large files and directories, as it trims the output so that we can read the ACL settings quickly:

$ getfacl -c file1.txt 
user::rw-
group::rw-
other::r--

By executing the command, we get concise information about the ACLs, making it easier to read, understand, and parse.

3.2. Displaying Numerical UID and GID

Sometimes, the user and group names might not be readily available. In such cases, we can use the -n option to display numerical user IDs (UIDs) and group IDs (GIDs):

$ getfacl -n file1.txt
# owner: 1000
# group: 1000
user::rw-
group::rw-
other::r--

The output displays the owner and group information as numerical IDs (1000) rather than names.

3.3. Displaying Recursive ACL Entries

We can use the -R option to display the ACL entries of all files and subdirectories within the specified directory. The -R flag is invaluable when we need to inspect the ACL settings across the entire directory structure:

$ getfacl -R dir1
# file: dir1
# owner: baeldung
# group: baeldung
user::rwx
group::rwx
other::r-x

# file: dir1/dir2
# owner: baeldung
# group: baeldung
user::rwx
group::rwx
other::r-x

# file: dir1/file1
# owner: baeldung
# group: baeldung
user::rw-
group::rw-
other::r--

We can see the ACL permissions for the parent directory dir1, a subdirectory, and a file.

3.4. Displaying ACL Entries in Tabular Form

To display the ACL information in a more organized and readable format, we can use the -t option. The -t flag arranges the ACL entries in tabular format, which makes it easy to compare entries across multiple files or directories:

$ getfacl -t file1.txt
# file: file1.txt
USER   baeldung     rw-
GROUP  baeldung     rw-
other               r--

In the output, the first column shows the entry type, the second the user or group name, and the third the permissions.

3.5. Displaying Default ACL Entries

The -d option comes in handy to view the default ACL permissions for a file or directory. Default permissions are inherited from the parent directory and apply to the files and subdirectories created under that path unless overridden:

$ getfacl -d dir1
# file: dir1
# owner: baeldung
# group: baeldung
user::rwx
user:baeldung:rwx
group::rwx
mask::rwx
other::r-x

The output displays the default ACL permissions for the dir1 directory. These are the permissions that new files and directories created within it inherit.

3.6. Displaying Extended ACL Entries

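We can use the -e option to display the ACL entries in a more detailed format. It prints the effective rights as a comment next to each entry, even when they're identical to the rights the entry grants: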

$ getfacl -e file1.txt
# file: file1.txt
# owner: baeldung
# group: baeldung
user::rw-
user:baeldung:rw-      #effective:rw-
group::rw-          #effective:rw-
mask::rw-
other::r--

Using the -e flag, we can compare the rights each entry grants with its effective rights once the mask is applied, identify any issues with the ACL entries, and make the necessary adjustments to ensure the file is properly secured.

As usual, the manual page of getfacl contains all the details about more exotic options the command offers.
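The recursive listing from section 3.3 and the effective rights from section 3.6 combine into a quick audit. The script below is an added example, not part of the original article: it reads getfacl output on stdin and computes the effective rights of every entry the mask limits. The function names, the sample listing, and the names alice and audit are assumptions made for illustration.

```shell
# Added example: print file, entry, granted and effective rights (tab-separated).
effective_acl() {
    awk '
    function apply_mask(perm, m,    i, out) {   # AND perm with the mask
        for (i = 1; i <= 3; i++)
            out = out (substr(m, i, 1) == "-" ? "-" : substr(perm, i, 1))
        return out
    }
    function emit(    i) {       # flush one file once its mask is known
        if (mask != "") for (i = 1; i <= n; i++)
            printf "%s\t%s\t%s\t%s\n", file, who[i], perm[i], apply_mask(perm[i], mask)
        n = 0; mask = ""
    }
    /^# file: /        { emit(); file = substr($0, 9); next }
    /^#/ || /^[ \t]*$/ { next }
    {
        sub(/[ \t]*#.*/, "")     # drop a trailing "#effective:" comment
        split($0, f, ":")        # "default:" entries match nothing below
        if (f[1] == "mask") { mask = f[3]; next }
        # The mask limits named users, named groups and the owning group.
        if (f[1] == "group" || (f[1] == "user" && f[2] != "")) {
            n++; who[n] = f[1] ":" f[2]; perm[n] = f[3]
        }
    }
    END { emit() }'
}

# Entries whose granted rights the mask reduces.
masked_entries() { effective_acl | awk -F '\t' '$3 != $4'; }

# Constructed sample of `getfacl -R` output; alice and audit are made-up names.
sample_acl() {
    cat <<'EOF'
# file: share
# owner: baeldung
# group: baeldung
user::rwx
user:alice:rwx
group::rwx
group:audit:r--
mask::r-x
other::---

# file: share/notes.txt
# owner: baeldung
# group: baeldung
user::rw-
group::rw-
other::r--
EOF
}
```

On a real tree, piping getfacl -R dir1 into masked_entries lists only the entries that grant more than they effectively allow. Files without a mask entry carry no extended ACL and are skipped.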

4. Conclusion

In this article, we explored the usage and options of the getfacl command, a powerful tool to view ACL permissions.

Alone, the getfacl command displays the owner and group information with their ACL permissions. Adding the -c flag shows only ACL entries, while -n replaces the user and group names with the respective IDs. The -R option is handy for viewing the ACLs across the entire directory structure. Further, we can display default and extended ACL entries via -d and -e respectively.