Frequently Asked Question
What are ACLs, and when do I need getfacl and setfacl?
The classic owner/group/other model can grant access along only three lines, which
becomes awkward the moment you need "alice and bob can write, charlie can only
read, and everyone else stays out". POSIX Access Control Lists (ACLs) extend the
filesystem so that a file or directory can carry arbitrarily many user- and
group-specific entries alongside the ordinary mode bits. setfacl -m
u:alice:rw,u:bob:rw,u:charlie:r file does precisely that; getfacl file prints the
full ACL, and ls -l flags the presence of an ACL with a trailing + after the mode
string (the entries themselves are not shown). Two things about that ls -l output
are easy to misread once an ACL is present: the group column no longer shows the
owning group's permissions but the ACL mask, the upper bound applied to every named
user, named group and owning-group entry; and chmod on the group bits rewrites that
mask, so chmod g-w silently clamps alice and bob to read-only while chmod g+w
re-enables them. getfacl, not ls, is the only reliable way to audit who can
actually do what.
ACLs need filesystem support: ext4, XFS and Btrfs provide it, some older or simpler
filesystems (FAT, for one) do not, and ZFS on Linux honours POSIX ACLs only on
datasets with the acltype=posixacl property set. Some filesystems also need the acl
mount option, which is on by default on modern distributions. Directories can carry
a default ACL that newly created files and subdirectories inherit (setfacl -d -m
g:developers:rwx dir/, or setfacl -m g:developers:rwx,d:g:developers:rwx dir/ to
grant access to the directory itself in the same step), which is the cleanest way to
set up a shared project tree; a default ACL only affects entries created afterwards,
so files that already exist need a separate setfacl -R -m g:developers:rwX dir/.
The downside is that ACLs are easy to forget about: an ordinary ls -l shows only
the + marker, not the entries, and backup or copy tools carry them only with the
right flags (rsync -A, cp -a or cp --preserve=mode, tar --acls), or by saving
getfacl -R output and replaying it with setfacl --restore.