# Access Control Lists(ACL) in Linux 🔒

> Stop fighting chmod: Meet Linux ACLs (Access Control Lists)

Source: https://extim.su/blog/access-control-listsacl-in-linux-🔒/

<h2><i class="nf nf-fa-linux"></i> Stop fighting chmod: Meet Linux ACLs (Access Control Lists)</h2>
<h3>💥 How often do you use ACL in Linux?</h3>
<p>Traditional permissions (owner/group/other) are great - until you need to grant special access to a single person without changing ownership or groups.</p>
<p>That’s precisely what ACLs do: they let you “tack on” precise per-user or per-group permissions while keeping your base perms intact. They extend, not replace, standard UNIX permissions, and you manage them with setfacl/getfacl.</p>
<h3>Overview commands</h3>
<pre><code>setfacl: Used to set ACL entries
getfacl: Used to retrieve and display ACL entries.
</code></pre>
<p>Examples:</p>
<pre><code>getfacl /etc/resolv.conf
</code></pre>
<p>Output:</p>
<pre><code># file: /etc/resolv.conf
# owner: root
# group: root
user::rw-
group::rw-
other::r--
</code></pre>
<p>Grant read-only access to user garrett:</p>
<pre><code>setfacl -m u:garrett:r-- /etc/resolv.conf
</code></pre>
<p>Deny all permissions for user kenny:</p>
<pre><code>setfacl -m u:kenny:--- /etc/resolv.conf
</code></pre>
<h3>😺 15‑second cheat sheet</h3>
<ul>
<li>See what’s set: getfacl /path/to/file_or_dir</li>
<li>Give a user access: setfacl -m u:kenny:r-x /accounting</li>
<li>Give a group access: setfacl -m g:sales:rw /reports/q4.csv</li>
<li>Default ACLs for new items in a directory: setfacl -d -m g:sales:rw /share</li>
<li>Remove an entry: setfacl -x u:kenny /accounting</li>
</ul>
<h3>😼 Pro tips</h3>
<ul>
<li>Effective permissions can be limited by the ACL mask; getfacl shows this with “#effective”.</li>
<li>Default ACLs on a directory apply to new files and subdirectories created there.</li>
<li>Start with sensible base perms; use ACLs for exceptions and audits, not as a substitute for good group design.</li>
</ul>
<h3>😻 Use case you’ll actually need</h3>
<ul>
<li>Give an intern read-only access to a sensitive folder without reassigning ownership.</li>
<li>Allow the sales group to write invoices, but keep other accounting reports private.</li>
<li>Grant a CEO temporary read/write to a specific subfolder—no group juggling required.</li>
</ul>
<p>Your move. If you’ve ever duplicated data or reshuffled groups to grant one person access, ACLs will save you time and risk.</p>