View extended ACL for a file with '+' in ls -l output
The names getfacl and setfacl as in Tom Hale's answer are semi-conventional and are derived from the original TRUSIX names getacl and setacl for these utilities.
However, on several operating systems one simply uses just the usual ls and chmod tools, which have been extended to handle ACLs; and one operating system has its own different set of commands.
The original TRUSIX scheme of POSIX-style ACLs has three permission flags in an access control list entry. Later NFS4-style schemes divide up permissions in a more fine-grained manner into between 11 and 17 permission flags.
- https://superuser.com/a/384500/38062
- Craig Rubin (1989-08-18). Rationale for Selecting Access Control List Features for the Unix System. NCSC-TG-020-A. DIANE Publishing. ISBN 9780788105548.
- Portable Applications Standards Committee of the IEEE Computer Society (October 1997). Draft Standard for Information Technology—Portable Operating System Interface (POSIX)—Part 1: System Application Program Interface (API)— Amendment #: Protection, Audit and Control Interfaces [C Language] IEEE 1003.1e. Draft 17.
- S. Shepler, M. Eisler, D. Noveck (January 2010). "ACE Access Mask". Network File System (NFS) Version 4 Minor Version 1 Protocol. RFC 5661. IETF.
On OpenBSD and NetBSD
This situation does not arise. OpenBSD and NetBSD both lack any ACL mechanisms.
NetBSD implements the system calls in a FreeBSD compatibility layer, but they only return an error. OpenBSD simply doesn't have ACLs at all.
On Linux-based operating systems
Use getfacl as in Tom Hale's answer, or getrichacl.
Setting ACLs is done with setfacl or setrichacl.
Linux (a kernel, remember) has two forms of ACL. It supports both the original TRUSIX scheme of POSIX-style ACLs, and (since 2015, but stuck in "experimental" status for a long time because there aren't enough maintainers available to review the VFS layer in Linux) an NFS4-style scheme.
There are several implementations of standard commands on Linux-based operating systems, from toybox through BusyBox to GNU coreutils.
But in all cases chmod does not handle ACLs, and ls at most only indicates their overall presence or absence.
This is unlike Solaris, Illumos, or MacOS.
Nor is there one tool for getting, or setting, ACLs.
setfacl and getfacl handle TRUSIX ACLs, whilst one has to use setrichacl and getrichacl for NFS4-style ACLs.
This is unlike FreeBSD.
- Rob Landley. "chmod". toybox Manual.
On FreeBSD
Use getfacl as in Tom Hale's answer. Setting ACLs is done with setfacl.
FreeBSD has two forms of ACL. One has POSIX-style entries like the original TRUSIX model; the other has NFS4-style entries, with 14 permissions flags.
Unlike on Solaris, Illumos, and MacOS, on FreeBSD chmod does not handle ACLs, and ls only indicates their overall presence or absence.
But there is a single tool each for getting and setting ACLs, unlike Linux-based operating systems.
The getfacl and setfacl commands on FreeBSD handle both forms of ACL.
They have several extensions beyond TRUSIX for the NFS4-style, such as the -v option to getfacl that prints NFS4-style access controls in a long form with words, rather than as a list of single-letter codes.
- Robert N. M. Watson (2009-09-14). getfacl. FreeBSD General Commands Manual. FreeBSD.
On MacOS
There are no getfacl and setfacl commands on MacOS.
MacOS is like Solaris and Illumos.
MacOS only supports NFS4-style access controls, with ACL entries divided up into 17 individual permission flags.
Apple rolled ACL functionality into existing commands.
Use the -e option to ls to view ACLs.
Use the -a/+a/=a and related options to chmod to set them.
- ls. BSD General Commands Manual. 2002-05-19. Apple corporation.
On AIX
There are no getfacl and setfacl commands on AIX.
IBM uses its own command names.
AIX supports both POSIX-style (which IBM names "AIXC") and NFS4-style ACLs.
Use the aclget command to get ACLs.
Use the aclset command to set them.
Use the acledit command to edit them with a text editor.
Use the aclconvert command to convert POSIX-style to NFS4-style.
- "Access Control List Management". IBM AIX V7.1 documentation. IBM.
On Illumos and Solaris
There are no getfacl and setfacl commands on Illumos and Solaris.
Solaris and Illumos are like MacOS.
Illumos and Solaris support both POSIX-style and NFS4-style ACLs.
Sun rolled ACL functionality into existing commands.
Use the -v or -V option to ls to view ACLs.
Use the A prefix for symbolic modes in the chmod command to set them.
- ls. User Commands. 2014-11-24. Illumos Project.
- chmod. User Commands. 2014-11-24. Illumos Project.
- ls. Oracle Solaris 11 Information Library. 2011. Oracle.
On Cygwin
Use getfacl as in Tom Hale's answer.
Setting ACLs is done with setfacl.
Windows NT itself has an ACL scheme that is roughly NFS4-style with a set of drctpoxfew standard-and-specific permissions flags, albeit with a larger set of security principals and a generic-rights mechanism that maps a POSIX-style set of three flags onto its standard-and-specific-rights permissions system.
Cygwin presents this as a wacky admixture of a Solaris-like ACL API, the ID mapping mechanism from Microsoft's second POSIX subsystem for Windows NT (née Interix), and a Linux-like set of command-line tools that only recognize POSIX-style permissions.
- getfacl. Cygwin Utilities. Cygnus.
Use getfacl:
getfacl //var/log/journal/ebaaabbb8e1745b38c4ef233edcdb4cd/[email protected]~
getfacl: Removing leading '/' from absolute path names
# file: var/log/journal/ebaaabbb8e1745b38c4ef233edcdb4cd/[email protected]~
# owner: root
# group: systemd-journal
user::rw-
user:ravi:r--
group::r-x #effective:r--
group:adm:r-x #effective:r--
group:wheel:r-x #effective:r--
mask::r--
other::---
Reference: to learn more about ACLs (e.g. changing them) see the Arch Linux ACLs wiki page.
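
The `#effective:` notes in the getfacl output above come from the mask entry, which caps named users, the owning group and named groups but not the owner or other. The following is an added example, not part of either answer: it recomputes those effective rights from getfacl text so an audit script can list which grants the mask has narrowed. The function names and the `# file:` path are constructed; the ACL entries are the ones shown above.

```shell
#!/bin/sh
# Added example: recompute POSIX-style effective rights from getfacl text.

sample_acl() {  # constructed sample; entries copied from the output above
cat <<'EOF'
# file: example.journal
# owner: root
# group: systemd-journal
user::rw-
user:ravi:r--
group::r-x          #effective:r--
group:adm:r-x       #effective:r--
group:wheel:r-x     #effective:r--
mask::r--
other::---
EOF
}

effective_acl() {  # stdin: getfacl output; stdout: "entry effective" per line
    awk '
    function cap(p, m,    i, c, out) {   # keep a right only if the mask has it
        out = ""
        for (i = 1; i <= 3; i++) {
            c = substr(p, i, 1)
            out = out ((c != "-" && substr(m, i, 1) == c) ? c : "-")
        }
        return out
    }
    /^#/ || /^[ \t]*$/ { next }          # header comments and blank lines
    {
        sub(/[ \t]*#.*/, "")             # drop the trailing effective note
        if (split($0, f, ":") != 3) next # default: entries are not access ACL
        tag[++n] = f[1]; who[n] = f[2]; perm[n] = f[3]
        if (f[1] == "mask") mask = f[3]  # mask may follow the group entries
    }
    END {
        for (k = 1; k <= n; k++) {
            # owner (user::) and other:: are never masked
            masked = (tag[k] == "user" && who[k] != "") || tag[k] == "group"
            eff = (masked && mask != "") ? cap(perm[k], mask) : perm[k]
            printf "%s:%s:%s %s\n", tag[k], who[k], perm[k], eff
        }
    }'
}

masked_entries() {  # only the entries whose granted rights the mask reduced
    effective_acl | awk 'substr($1, length($1) - 2) != $2 { print $1 " -> " $2 }'
}

sample_acl | masked_entries
```

On a live system the input would be `getfacl -- FILE | masked_entries`; an ACL with no mask entry (a minimal ACL) passes through unchanged.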