There are two types of ACLs:

  • access ACLs - An access ACL is the access control list for a specific file or directory
  • default ACLs - A default ACL can only be associated with a directory; If a file within the directory does not have an access ACL, it uses the rules of the default ACL for the directory. All new files or directories created within that directory inherit the same acl rules. To set a default ACL, add d: before the rule and specify a directory instead of a file name.

Sintax: setfacl -m <rules><files>

u:<uid>:<perms> - Sets the access ACL for a user. The user name or UID may be specified. The user may be any valid user on the system.

g:<gid>:<perms> - Sets the access ACL for a group. The group name or GID may be specified. The group may be any valid group on the system.

m:<perms> - Sets the effective rights mask. The mask is the union of all permissions of the owning group and all of the user and group entries.

o:<perms> - Sets the access ACL for users other than the ones in the group for the file. White space is ignored. Permissions () must be a combination of the characters r, w, and x for read, write, and execute


  • To determine the existing ACLs for a file or directory: getfacl /home/daniel/file.txt
  • Set rw permissions to user daniel: setfacl -m u:daniel:rw file.txt
  • Delete the ACL for user daniel: setfacl -x u:daniel file.txt
  • Delete all ACL for all users: setfacl -b file.txt
  • Set an ACL for a directory: setfacl -m u:daniel:rx apps
  • Set a default ACL: setfacl -m d:u:daniel:rx apps
  • Backup & restore an ACL for a directory:
cd /home/daniel
getfacl -R apps > acl.bak
setfacl --restore acl.bak