1. Overview

Access Control Lists (ACLs) are a powerful feature of Linux that enables us to manage fine-grained permissions for files and directories. The setfacl command is a tool that we can use to set, modify, or remove ACL entries for files and directories.

In this tutorial, we’ll learn how to use the setfacl command in Linux to remove group permissions from files.

The code in this tutorial has been tested on the Bash shell version 5.1.16.

2. What Is setfacl?

ACLs are a set of rules that define the access rights of users and groups to a file. They extend the standard permission bits for the owner, group, and others with additional entries for named users and groups, which is what gives them more flexibility and granularity.

So, the setfacl command is a Linux utility for setting and modifying file and directory access control lists (ACLs).

Let’s check the basic syntax of setfacl:

$ setfacl [options] file

Here, file specifies the file or directory to which we want to apply the ACL. In particular, we can use options to modify, remove, or restore the ACL entries.

Let’s see some of the most common options:

  • -m or --modify=acl: add or modify entries
  • -x or --remove=acl: remove entries
  • -b or --remove-all: remove all extended entries, keeping only the base owner, group, and other entries
  • -d or --default: operate on the default ACL of a directory, which is inherited by files and subdirectories created inside it
  • -R or --recursive: recurse into subdirectories
  • -k or --remove-default: remove the default ACL
  • -n or --no-mask: don’t recalculate the effective rights mask

Moreover, each ACL entry has a specific format:

type:identifier:permissions

Here, type can be one of four options:

  • u for user
  • g for group
  • o for others
  • m for mask

Next, the identifier can be a user name or UID, a group name or GID, or empty. An empty identifier refers to the file owner, the owning group, others, or the mask, depending on the type.

Finally, the permissions field is built from four characters:

  • r for read
  • w for write
  • x for execute
  • - for no permission

For example, let’s look at a basic ACL entry:

u:alice:rw-

Here, we grant read and write permission to the user alice.

Also, we can deny permission to a specific group:

g:staff:---

Here, we deny permission to the group named staff.

Moreover, we can set the permissions of others, i.e., the users who are neither the owner nor members of the owning group and have no named entry:

o::x

Additionally, we can set the permissions of the mask:

m::rx

The entry above sets mask to read and execute.

setfacl creates the mask automatically as soon as we add a named user or group entry, and recalculates it on every change unless we pass -n. The mask caps the effective permissions of the owning group and of every named user and group entry: a permission bit is effective only if it’s set both in the entry and in the mask. The mask never applies to the file owner or to others. Two consequences are worth remembering: getfacl marks every entry that the mask trims with an #effective: comment, and once a mask exists, chmod changes the mask rather than the owning group’s entry, so the group bits that ls -l shows are in fact the mask.
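To make the mask’s effect concrete, here’s an added shell example that isn’t part of the original tutorial: it re-derives the #effective: annotation that getfacl prints by ANDing each capped entry with the mask. It reads a getfacl listing from standard input; the listing below is constructed by hand rather than captured from a system, and the function name acl_annotate is ours.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): re-derive the
# "#effective:" annotation getfacl prints, to show what the mask does.
# Entries capped by the mask: the owning group (group::), named users and
# named groups. The owner (user::), other:: and mask:: itself are never capped.

# acl_annotate: read getfacl output on stdin and print it back with an
# "#effective:" note on every entry whose rights the mask trims.
acl_annotate() {
    awk '
    # eff(p, m): keep a bit only if it is set in both the entry and the mask
    function eff(p, m,    i, c, r) {
        r = ""
        for (i = 1; i <= 3; i++) {
            c = substr(p, i, 1)
            r = r ((c != "-" && c == substr(m, i, 1)) ? c : "-")
        }
        return r
    }
    # flush(): print the buffered entries of one file once the mask, which
    # getfacl prints after the group entries, is known
    function flush(    i, n, parts, line, p, e) {
        for (i = 1; i <= n_lines; i++) {
            line = lines[i]
            if (mask != "" && (line ~ /^group::/ || line ~ /^(user|group):[^:]+:/)) {
                n = split(line, parts, ":")
                p = parts[n]
                e = eff(p, mask)
                if (e != p) line = line "\t#effective:" e
            }
            print line
        }
        n_lines = 0
        mask = ""
    }
    /^$/ { flush(); print; next }      # a blank line separates two files
    { lines[++n_lines] = $0 }
    /^mask::/ { split($0, parts, ":"); mask = parts[3] }
    END { flush() }
    '
}

# Constructed getfacl listing (not captured from a real system): the state of
# file1 after "setfacl -m g:staff:rwx file1" followed by "setfacl -m m::r-x file1"
sample_acl='# file: file1
# owner: megalous
# group: megalous
user::rw-
group::rw-
group:staff:rwx
mask::r-x
other::r--'

printf '%s\n' "$sample_acl" | acl_annotate
```

Piping real output through it, for example getfacl file1 | acl_annotate, reproduces getfacl’s own annotation. That is the quickest way to spot entries that look permissive in the listing but are effectively cut back by the mask, or, the other way round, a mask that a chmod g+w has quietly widened.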

3. Sample Data With ACL Permissions

First, let’s check the file permissions on a file named file1 with the getfacl command:

$ getfacl file1
# file: file1
# owner: megalous
# group: megalous
user::rw-
group::rw-
other::r--

Here, user::rw- means that the user who owns file1, megalous, can read and write, but cannot execute file1. Next, group::rw- means the owning group, also megalous, can read and write, but cannot execute file1. Additionally, other::r-- limits all other users, those who are neither the owner nor in the owning group: they can only read file1, but can’t write or execute it.

Now, let’s grant the group staff permission to read, write, and execute file1 with the setfacl command:

$ setfacl -m g:staff:rwx file1

In the code snippet above, we use setfacl with the -m option to grant the group staff permission to read, write, and execute file1.

At this point, let’s again see the permissions that getfacl returns for file1:

$ getfacl file1
# file: file1
# owner: megalous
# group: megalous
user::rw-
group::rw-
group:staff:rwx
mask::rwx
other::r--

We can see that a new group:staff entry with permission to read, write, and execute file1 was added, together with a mask::rwx entry that setfacl created automatically. From now on, ls -l shows a + after the mode bits of file1, which is the only hint in a plain directory listing that extended entries exist.

4. Removing a Specific Group Entry

We can remove a specific group entry from a file via the -x option.

For example, let’s remove group staff from file1:

$ setfacl -x g:staff: file1

Now, the group:staff entry and its permissions are gone from file1. setfacl ignores the permissions field when removing entries, so g:staff without the trailing colon works just as well.

However, let’s check for permissions left on file1:

$ getfacl file1
# file: file1
# owner: megalous
# group: megalous
user::rw-
group::rw-
mask::rw-
other::r--

Notably, group:staff isn’t present anymore. The mask entry, however, remains: setfacl recalculates it from the entries that are left, so it now reads rw-, the rights of the owning group.

We can also remove the mask with the -x option:

$ setfacl -x mask:: file1
$ getfacl file1
# file: file1
# owner: megalous
# group: megalous
user::rw-
group::rw-
other::r--

Now, there isn’t a mask anymore, and file1 is back to a minimal ACL that is equivalent to its standard permission bits.

In addition, we can remove multiple entries at once:

$ setfacl -x g:staff:rw-,g:admin:rw- file1

Here, we separate the entries with a comma. Again, the permission fields are ignored, so g:staff,g:admin does the same.

5. Removing All Extended ACL Entries

Extended ACL entries are every entry beyond the three base entries for the owner, owning group, and others: the entries for named users and groups, the mask, and, on directories, the default ACL.

In fact, we can remove all of them:

$ setfacl -b file1
$ getfacl file1
# file: file1
# owner: megalous
# group: megalous
user::rw-
group::rw-
other::r--

In the code snippet above, we use the -b option with the setfacl command to remove all the extended entries we added. The getfacl call confirms that only the base entries remain, which is exactly the ACL file1 had before we started.

6. Removing Group Permission Recursively

Let’s suppose we have a directory named projects that contains several subdirectories and files we’re using. Each has group permissions depending on the project team and the level of access it requires:

  • group dev has read and write permission over the directory projects/web
  • group qa has read and execute permission over the directory projects/test

However, we’ve decided to reorganize the projects and move them to a different location.

If we want to remove every extended entry from a directory and its contents, so that access is governed by the standard permission bits alone, we can do that via setfacl:

$ setfacl -Rb projects

Here, we use the -R option to walk the directory recursively and -b to remove all extended ACL entries, including the named group entries and any default ACL, from the projects directory and from its subdirectories and files.

Notably, the standard permission bits for owner, group, and others remain unchanged. Also, -R follows symbolic links given on the command line but skips those it meets inside the tree unless we add -L, so ACLs on a directory reachable only through a symlink need a separate run.

Moreover, after running this command, we can verify the result by using the getfacl command with any file in the projects directory:

$ getfacl projects/web/index.html
# file: projects/web/index.html
# owner: megalous
# group: megalous
user::rw-
group::r--
other::r--

Evidently, there’s no group entry other than the base entry for the owning group, megalous in this case. The same applies to all the other files under the projects directory.

Additionally, we can remove a particular group entry from a directory and its files recursively:

$ setfacl -Rx g:staff:rw- projects

The code above walks the directory projects recursively and removes the g:staff entry from the access ACL of each file and subdirectory. Note that this doesn’t touch default ACLs: if a subdirectory carries a default:group:staff entry, files created in it later still receive a staff entry, so we’d remove that with d:g:staff as well, or fall back to -b.
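As an added example that isn’t part of the original tutorial, the following shell snippet turns the output of getfacl -R into an explicit list of setfacl -x commands, one per named group entry, and emits d:g:NAME for default entries so they aren’t left behind. It reads the listing from standard input; the listing below is constructed to match the projects layout above rather than captured from a real system, and the function name acl_removal_plan is ours.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): turn a recursive getfacl
# listing into the setfacl -x commands that remove named group entries,
# including the "default:" entries on directories that a plain "-x g:NAME"
# would leave behind.

# acl_removal_plan [GROUP]: read "getfacl -R DIR" output on stdin and print one
# "setfacl -x" command per named group entry (only for GROUP when given).
acl_removal_plan() {
    awk -v target="${1:-}" '
    /^# file: / { file = substr($0, 9); next }     # "# file: " is 8 characters
    /^(default:)?group:[^:]+:/ {
        sub(/[ \t]+#effective:.*$/, "")            # drop the mask annotation
        n = split($0, f, ":")
        name = f[n - 1]
        if (target != "" && name != target) next
        spec = ($0 ~ /^default:/) ? ("d:g:" name) : ("g:" name)
        printf "setfacl -x %s -- %s\n", spec, file
    }
    '
}

# Constructed "getfacl -R projects" listing (not captured from a real system),
# matching the tutorial layout: staff on the top directory and its default ACL,
# dev on projects/web, qa on projects/test. One entry carries the
# "#effective:" note getfacl adds when the mask trims it.
sample_tree='# file: projects
# owner: megalous
# group: megalous
user::rwx
group::r-x
group:staff:rwx
mask::rwx
other::r-x
default:user::rwx
default:group::r-x
default:group:staff:rwx
default:mask::rwx
default:other::r-x

# file: projects/web
# owner: megalous
# group: megalous
user::rwx
group::r-x
group:dev:rwx
mask::rwx
other::r-x

# file: projects/web/index.html
# owner: megalous
# group: megalous
user::rw-
group::r--
group:dev:rw-        #effective:r--
group:staff:r--
mask::r--
other::r--

# file: projects/test
# owner: megalous
# group: megalous
user::rwx
group::r-x
group:qa:r-x
mask::r-x
other::r-x'

printf '%s\n' "$sample_tree" | acl_removal_plan staff
```

To apply it, run getfacl -R -p projects | acl_removal_plan staff | sh; without the final | sh it only prints the plan, and -p keeps leading slashes on absolute paths. The review step is the point: it shows exactly which files and directories still grant staff access before anything changes, including default entries that setfacl -Rx g:staff would leave in place. getfacl escapes spaces and other special characters in file names (a space becomes \040), so paths containing them need unescaping before the commands are run.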

7. Conclusion

In this article, we explored different ways to remove group permissions with setfacl.

First, we discussed the setfacl command and the ACL entry syntax. Then, we looked at removing a specific group entry from the ACL, removing all extended ACL entries, and lastly learned how we can remove group permissions recursively.