Understanding chmod, chown, setfacl, and getfacl in Linux


Basic Linux Permission Model
Before we dive into the commands, understand the Linux permission structure:
ls -l
-rw-r--r-- 1 user group 1234 Jul 6 12:00 example.txt
-rw-r--r-- – permission string
r – read, w – write, x – execute
First set (user), second (group), third (others)
user – owner of the file
group – group owner of the file
chmod – Change File Permissions
Syntax:
chmod [options] mode file
Types of Modes:
Symbolic Mode: u, g, o, a (user, group, others, all)
Octal Mode: Numeric representation of permissions
Octal Reference:
4 – read
2 – write
1 – execute
Examples:
1. Give full permissions to user, read-only to group and others:
chmod 744 file.txt
# -rwxr--r--
2. Add execute permission to user:
chmod u+x script.sh
3. Remove write permission from others:
chmod o-w file.txt
chown – Change File Owner or Group
Syntax:
chown [OPTIONS] [OWNER][:GROUP] FILE
Examples:
1. Change owner:
chown rohit file.txt
2. Change owner and group:
chown rohit:devops file.txt
3. Recursively change ownership:
chown -R rohit:devops /var/www/html
setfacl – Set Access Control Lists (ACLs)
ACLs allow you to grant permissions to multiple users and groups beyond the basic user/group/others model.
Syntax:
setfacl [options] file
Common Options:
-m – modify ACL
-x – remove ACL
-b – remove all ACLs
Examples:
1. Give read access to user alice:
setfacl -m u:alice:r-- file.txt
2. Give read and write to group editors:
setfacl -m g:editors:rw- file.txt
3. Remove ACL for user alice:
setfacl -x u:alice file.txt
4. Set default ACLs (for directories):
setfacl -d -m u:rohit:rwx my_folder
getfacl – View ACLs
Syntax:
getfacl file
Example:
getfacl file.txt
Output:
# file: file.txt
# owner: rohit
# group: devops
user::rw-
user:alice:r--
group::r--
mask::r--
other::r--
mask – maximum permissions allowed via ACLs (important when combining multiple ACL entries)
Real-Life Scenario Example
Goal:
You have a file project.txt owned by rohit, and you want:
bob to have read-only access
Group designers to have read and write
Prevent all other users from accessing it
Step-by-step:
touch project.txt
chown rohit:rohit project.txt
chmod 600 project.txt # Only owner can read/write
setfacl -m u:bob:r-- project.txt # Allow bob to read
setfacl -m g:designers:rw- project.txt # Allow group designers to read/write
getfacl project.txt
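The mask shown by getfacl is also rewritten by chmod: on a file that already has an ACL, the group bits of the mode are stored in the mask, so a later chmod can silently cut off ACL entries that are still listed. The following added example (not part of the original article) computes effective permissions from getfacl output; the helper name effective_acl and both sample outputs are constructed for illustration, the second assuming a later `chmod 600 project.txt`.

```shell
# Constructed getfacl output right after the steps above.
acl_after_steps='# file: project.txt
# owner: rohit
# group: rohit
user::rw-
user:bob:r--
group::---
group:designers:rw-
mask::rw-
other::---'

# Constructed output after a later "chmod 600 project.txt": on a file with an
# ACL, chmod writes the group bits into the mask, so the mask becomes ---.
acl_after_chmod='# file: project.txt
# owner: rohit
# group: rohit
user::rw-
user:bob:r--           #effective:---
group::---
group:designers:rw-    #effective:---
mask::---
other::---'

# effective_acl (hypothetical helper): reads getfacl output on stdin and prints
# tag:name:effective_perms. The mask caps named users, named groups and the
# owning group; the owner (user::) and other:: are not affected by it.
effective_acl() {
  awk -F: '
    /^#/ || NF < 3 || $1 == "default" { next }  # headers, blanks, default ACLs
    { sub(/[ \t]*#.*/, "", $3) }                # strip "#effective:" notes
    $1 == "mask" { mask = $3; next }
    { tag[++n] = $1; name[n] = $2; perm[n] = $3 }
    END {
      for (i = 1; i <= n; i++) {
        eff = perm[i]
        capped = (tag[i] == "group" || (tag[i] == "user" && name[i] != ""))
        if (capped && mask != "") {
          eff = ""
          for (j = 1; j <= 3; j++) {
            c = substr(perm[i], j, 1)
            if (substr(mask, j, 1) != c) c = "-"
            eff = eff c
          }
        }
        printf "%s:%s:%s\n", tag[i], name[i], eff
      }
    }'
}
printf '%s\n' "$acl_after_chmod" | effective_acl
```

On a real file, `getfacl project.txt | effective_acl` gives the same view; any named entry whose effective permissions differ from what was granted has been reduced by the mask.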
Resetting Permissions
To remove all ACLs and go back to regular permissions:
setfacl -b file.txt
Summary Table
| Command | Purpose | Key Flag/Usage |
|---|---|---|
| chmod | Change file permissions | chmod 755 file.txt |
| chown | Change owner/group | chown user:group file.txt |
| setfacl | Add/remove ACL permissions | setfacl -m u:alice:r-- file.txt |
| getfacl | View ACL entries | getfacl file.txt |
Pro Tips
ACLs can override traditional Unix permissions.
Always check getfacl after applying ACLs to verify changes.
Use umask or default ACLs to enforce permission policies automatically.
Written by Rohit