
8 Linux Shell Commands for ACL and EA

Managing file permissions and attributes in Linux goes far beyond the familiar chmod, chown, and ls -l commands.

 

Modern file systems support advanced features like Access Control Lists (ACLs), extended attributes (EAs), and capabilities, which allow for much more fine-grained control over who can access what and how. To work with these features, Linux provides a set of specialized commands. In this post, we’ll walk through eight essential shell commands—covering ACLs, EAs, and capabilities—that every Linux administrator or power user should know.

 

attr: Manages the Additional Attributes of a File

attr displays or changes the extended attributes of the specified files or directories. This only works if the file system supports extended attributes (EAs). For ext3/ext4 file systems, the mount option user_xattr must be used.

 

Instead of attr, you should prefer the getfattr or setfattr commands. attr is only available for compatibility with SGI IRIX.

 

chacl: Manages the ACLs of a File

chacl determines or changes the extended access rights of the specified files or directories. This only works if the file system supports ACLs (Access Control Lists). For ext3/ext4 file systems, you must use mount option acl.

 

If possible, you should use getfacl or setfacl instead of chacl. chacl is only available for compatibility with SGI IRIX.

 

getcap: Determines the Capabilities of a File

getcap, from the libcap or libcap-progs package, shows which operations (capabilities) are permitted for an executable file. Although the Linux kernel has supported capabilities for many years, this feature is used only sporadically.

 

Capabilities require a file system with extended attributes. The mount option user_xattr must be used for ext file systems.

 

Example: Some distributions use capabilities for the ping command. Executing this command actually requires root privileges. Instead of simply setting the setuid bit as was done in the past, which often led to security problems, distributions have switched to assigning the cap_net_raw+ep capability to ping via setcap. This allows the command to use basic network functions even when it's executed by ordinary users.

 

The following getcap result was obtained on Fedora. You can see that only very few commands and Gnome programs use capabilities.

 

user$ getcap /usr/bin/*
/usr/bin/arping cap_net_raw=p
/usr/bin/clockdiff cap_net_raw=p
/usr/bin/newgidmap cap_setgid=ep
/usr/bin/newuidmap cap_setuid=ep

 

An example of how to set capabilities yourself is shown in the description of the setcap command.

 

getfacl: Determines the ACLs of a File

getfacl determines the extended access rights of the specified files or directories. This only works if the file system supports Access Control Lists (ACLs). For ext3/ext4 file systems, the mount option acl must be used. An example can be found in the description of the setfacl command.

  • -d: Displays the default ACLs.
  • -R: Displays the ACLs of all files in all subdirectories.
  • --skip-base: Returns no results for files to which only the usual Unix access rights apply, but no ACL rules.
  • --tabular: Displays the ACLs in a table.

getfattr: Determines the Additional Attributes of a File

getfattr determines the extended attributes of the specified files or directories. This only works if the file system supports extended attributes (mount option user_xattr for ext file systems). An example can be found in the description of the setfattr command.

  • -d: Provides a list of all user attributes and their settings.
  • -m attribute pattern: Returns the attributes whose names correspond to the specified pattern.
  • -n attribute name: Returns the value of the specified attribute. The full attribute name must be specified, for example, user.attrname.
  • -R: Displays the EAs of all files in all subdirectories.

setcap: Changes the Capabilities of a File

setcap from the libcap-ng-utils package specifies which operations (capabilities) are permitted for an executable file. If the -r option is passed instead of a capability, all previously defined capabilities are removed. Capabilities require a file system with extended attributes. For this reason, you must use the mount option user_xattr for ext file systems.

 

Example: The ping network command used to be equipped with the setuid bit in many distributions so that it could be used by ordinary users. As soon as you delete this bit, only root is able to use ping:

 

user$ ls -l /usr/bin/ping
-rwsr-xr-x 1 root root 72776 Jan 31 2025 /usr/bin/ping
user$ sudo chmod u-s /bin/ping
user$ ping yahoo.de
ping: icmp open socket: The operation is not permitted

 

Instead of setting the insecure setuid bit again, it is sufficient to grant the ping command access to the kernel's network functions with setcap. You can use getcap to see which capabilities a command has:

 

user$ sudo setcap cap_net_raw=ep /bin/ping
user$ getcap /bin/ping
/bin/ping = cap_net_raw+ep
user$ ping yahoo.de
PING yahoo.de (212.82.102.24) 56(84) bytes of data.
...
rtt min/avg/max/mdev = 58.054/58.054/58.054/0.000 ms

 

In most current distributions, ping is equipped with capabilities by default, for example, on Debian, Fedora, openSUSE, and Ubuntu.

 

setfacl: Changes the ACLs of a File

setfacl changes the extended access rights of the specified files or directories. This only works if the file system supports Access Control Lists (ACLs). For ext3/ext4 file systems, the mount option acl must be used.

 

The command is usually used to perform one of the following four actions:

  • -m aclrule: Adds another rule (an Access Control Entry [ACE]) to the existing ACLs. (m stands for modify.)
  • -M aclrule file: Like -m, but reads the rule from a file. Rule files must look like the output of getfacl.
  • -x aclrule: Deletes the specified ACL rule.
  • -X aclrule file: Like -x, but reads the rule from a file.

The simplified structure of an ACL rule (an ACE) is shown in the following table. The complete syntax is documented in man setfacl.

 

  [u:]uid[:rights]   Changes rights for a user
  g:gid[:rights]     Changes rights for a group
  o[:][:rights]      Changes rights for all other users
  m[:][:rights]      Sets the ACL mask (effective rights mask)

 

The rights consist of up to three letters: r for read, w for write, and x for execute. To remove all rights from a user or group, you must specify -.

 

If you prefix the entire rule with d:, it applies to the default ACL. Instead of the letters u, g, o, and m, you can also use the user, group, other, and mask keywords.

 

setfacl can be controlled by further options:

  • -B or --remove-all: Removes all ACL rules.
  • -d: Applies the specified rule to the default ACL.
  • -k or --remove-default: Removes the default ACL rules.
  • -n: Suppresses the automatic recalculation of the ACL mask that otherwise happens on every ACL rule change.
  • --restore=file: Applies the ACL rules specified in the file to the files in the current directory. You can create an ACL backup file using getfacl -R.
  • -R: Applies the specified rule recursively to all files and subdirectories.

Example: In a file system with ACLs, the default access rights normally apply, which are often also referred to as the minimum ACL. getfacl displays these rights in ACL form:

 

user$ touch file1
user$ getfacl file1
# file: file1
# owner: kofler
# group: kofler
user::rw-
group::r--
other::r--
user$ ls -l file1
-rw-r--r-- 1 kofler kofler ... file1

 

Using setfacl, you can now define additional access rules. The following commands give the user grace and all members of the docuteam group write and read access to the file, but deny the user katherine any access:

 

user$ setfacl -m grace:rw file1
user$ setfacl -m g:docuteam:rw file1
user$ setfacl -m katherine:- file1

 

The getfacl rights list is now somewhat longer. With ls -l, the usual access letters are followed by the + sign to indicate that there are ACL rules.

 

user$ getfacl file1
# file: file1
# owner: kofler
# group: kofler
user::rw-
user:grace:rw-
user:katherine:---
group::r--
group:docuteam:rw-
mask::rw-
other::r--

user$ ls -l file1
-rw-rw-r--+ 1 kofler kofler ... file1
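To see how the kernel combines these entries, the mask in particular, here is an added Python example (not code from the post or from the acl package) that parses the getfacl listing above, reproduced as a constructed string, and evaluates access requests with the algorithm documented in acl(5): owner first, then a named user entry, then any matching group entry, then other, with the mask capping every entry except the owner's and other's. The user and group names are the post's own sample names; the function names are the example's.

```python
"""Evaluate a getfacl listing the way the kernel does (algorithm from acl(5)).

Added example, not code from the post or from the acl package. The listing
below is a constructed copy of the post's file1 example after the three
setfacl -m commands; kofler, grace, katherine and docuteam are the post's
sample names.
"""
from dataclasses import dataclass, field
from typing import Optional

FILE1_ACL = """\
# file: file1
# owner: kofler
# group: kofler
user::rw-
user:grace:rw-
user:katherine:---
group::r--
group:docuteam:rw-
mask::rw-
other::r--
"""


@dataclass
class Acl:
    owner: str = ""
    group: str = ""
    user_obj: set = field(default_factory=set)    # user::      (file owner)
    group_obj: set = field(default_factory=set)   # group::     (owning group)
    other: set = field(default_factory=set)       # other::
    mask: Optional[set] = None                    # mask::      (absent on a minimal ACL)
    users: dict = field(default_factory=dict)     # user:NAME:  (named users)
    groups: dict = field(default_factory=dict)    # group:NAME: (named groups)


def _perms(text):
    """'rw-' -> {'r', 'w'}; getfacl prints '-' for each missing permission."""
    return {c for c in text if c in "rwx"}


def parse_getfacl(text):
    """Parse one file's block of getfacl output into an Acl."""
    acl = Acl()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("# owner:"):
                acl.owner = line.split(":", 1)[1].strip()
            elif line.startswith("# group:"):
                acl.group = line.split(":", 1)[1].strip()
            continue
        line = line.split("#", 1)[0].strip()      # drop "#effective:..." annotations
        tag, qualifier, perms = line.split(":", 2)
        perms = _perms(perms)
        if tag == "user":
            if qualifier:
                acl.users[qualifier] = perms
            else:
                acl.user_obj = perms
        elif tag == "group":
            if qualifier:
                acl.groups[qualifier] = perms
            else:
                acl.group_obj = perms
        elif tag == "mask":
            acl.mask = perms
        elif tag == "other":
            acl.other = perms
        else:
            raise ValueError(f"unknown ACL entry: {raw}")
    return acl


def _masked(perms, mask):
    """The mask caps named users, named groups and the owning group, never
    the owner or 'other'."""
    return perms if mask is None else perms & mask


def effective_entries(acl):
    """Permissions each entry really grants once the mask is applied (what
    getfacl shows as '#effective:')."""
    eff = {"user::": acl.user_obj, "group::": _masked(acl.group_obj, acl.mask), "other::": acl.other}
    for name, perms in acl.users.items():
        eff[f"user:{name}:"] = _masked(perms, acl.mask)
    for name, perms in acl.groups.items():
        eff[f"group:{name}:"] = _masked(perms, acl.mask)
    return eff


def check_access(acl, user, groups, requested):
    """True if `user` (member of `groups`) gets all `requested` permissions.

    Exactly one class decides: owner, then a named user, then the group
    entries (any single matching entry that grants everything is enough),
    then other. A deny entry like user:katherine:--- therefore wins even
    when katherine is also a member of docuteam.
    """
    requested = set(requested)
    if user == acl.owner:
        return requested <= acl.user_obj
    if user in acl.users:
        return requested <= _masked(acl.users[user], acl.mask)
    candidates = [p for g, p in acl.groups.items() if g in groups]
    if acl.group in groups:
        candidates.append(acl.group_obj)
    if candidates:
        return any(requested <= _masked(p, acl.mask) for p in candidates)
    return requested <= acl.other


if __name__ == "__main__":
    acl = parse_getfacl(FILE1_ACL)
    for who, grp in (("grace", {"grace"}), ("katherine", {"docuteam"}), ("bob", {"docuteam"})):
        print(who, "write:", check_access(acl, who, grp, "w"))
```

The mask is the part that surprises people: `chmod g-w file1` on a file with ACLs rewrites `mask::` rather than `group::`, so grace and docuteam silently lose write access even though their entries still read `rw-`; running `effective_entries` after such a change (or reading getfacl's `#effective:` column) shows the real permissions.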

 

setfattr: Changes the Additional Attributes of a File

setfattr changes the extended attributes of the selected files or directories. This only works if the file system supports extended attributes (EAs). For ext3/ext4 file systems, the mount option user_xattr must be used.

  • -n attribute name or --name=attribute name: Specifies the name of the attribute to be changed. The actual name must be preceded by user. (e.g., -n user.myattribute).
  • -v value or --value=value: Specifies the value to be saved in the attribute.
  • -x attribute name: Deletes the specified attribute.
  • --restore=file: Applies the EA definitions specified in the file to the files in the current directory. You can create an EA backup file via getfattr -R -d.

Example: The following commands show how to store attributes with setfattr and how to read them back with getfattr. Note that the number of attributes per file is limited in ext file systems.

 

user$ touch file2
user$ setfattr -n user.language -v en file2
user$ setfattr --name=user.charset --value=utf8 file2
user$ getfattr -d file2
# file: file2
user.charset="utf8"
user.language="en"

 

By default, getfattr returns only attributes whose names start with the user. prefix. To see other attributes, you must specify their names with -n or a matching pattern with -m:

 

user$ getfattr -n security.selinux -d tst
# file: tst
security.selinux="user_u:object_r:user_home_t:s0\000"
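Scripts often need the same read, dump and restore cycle that getfattr -d and setfattr --restore perform, so here is an added Python example (not code from the post or from the attr package) that does it with the os module's xattr calls. It writes the post's two file2 attributes to a temporary file, renders them in the getfattr dump format, removes them and restores them from that dump. The function names are the example's own; the dump writer emits the quoted text form and getfattr's 0x hex prefix for non-printable values, while the parser also accepts the 0s base64 form. On a file system mounted without EA support the write fails with ENOTSUP (the user_xattr requirement above), which the example reports instead of crashing.

```python
"""Set and read user.* extended attributes and round-trip them through the
text dump format that `getfattr -d` prints and `setfattr --restore` reads.

Added example (not code from the post or from the attr package). The
attribute names and values are the post's file2 sample; the temporary file
is created by the example itself.
"""
import base64
import errno
import os
import tempfile


def _printable(value):
    """Plain ASCII without quotes or backslashes can be written as "text"."""
    return all(0x20 <= b < 0x7F and b not in (0x22, 0x5C) for b in value)


def format_dump(path, attrs):
    """Render one file's attributes as a getfattr -d block."""
    lines = [f"# file: {path}"]
    for name in sorted(attrs):
        value = attrs[name]
        text = f'"{value.decode("ascii")}"' if _printable(value) else "0x" + value.hex()
        lines.append(f"{name}={text}")
    return "\n".join(lines) + "\n\n"              # getfattr ends each block with a blank line


def parse_dump(text):
    """Parse getfattr -d output (one or many files) into {path: {name: bytes}}."""
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("# file: "):
            current = result.setdefault(line[len("# file: "):], {})
            continue
        if current is None or line.startswith("#"):
            continue
        name, encoded = line.split("=", 1)
        if encoded.startswith('"') and encoded.endswith('"'):
            value = encoded[1:-1].encode("ascii")
        elif encoded.startswith("0x"):
            value = bytes.fromhex(encoded[2:])
        elif encoded.startswith("0s"):
            value = base64.b64decode(encoded[2:])
        else:
            raise ValueError(f"unrecognised value encoding: {line}")
        current[name] = value
    return result


def set_user_attrs(path, attrs):
    """Store user.* attributes; returns False when the file system offers no
    EA support (e.g. ext mounted without user_xattr) instead of crashing."""
    for name, value in attrs.items():
        if not name.startswith("user."):
            raise ValueError("this example only handles the user. namespace: " + name)
        try:
            os.setxattr(path, name, value)
        except OSError as exc:
            if exc.errno == errno.ENOTSUP:
                return False
            raise
    return True


def read_user_attrs(path):
    """The equivalent of getfattr -d: only the user.* namespace."""
    return {n: os.getxattr(path, n) for n in os.listxattr(path) if n.startswith("user.")}


def restore(dump_text):
    """Apply a dump the way setfattr --restore does; False if unsupported."""
    for path, attrs in parse_dump(dump_text).items():
        if not set_user_attrs(path, attrs):
            return False
    return True


def demo():
    """Write, dump, delete and restore the post's two attributes; returns the
    attributes read back, or None where xattrs are unavailable."""
    if not hasattr(os, "setxattr"):               # Linux-only API
        return None
    try:
        with tempfile.TemporaryDirectory() as tmp:
            path = os.path.join(tmp, "file2")
            open(path, "w").close()
            if not set_user_attrs(path, {"user.language": b"en", "user.charset": b"utf8"}):
                return None
            dump = format_dump(path, read_user_attrs(path))
            os.removexattr(path, "user.language")
            os.removexattr(path, "user.charset")
            restore(dump)
            return read_user_attrs(path)
    except OSError:                               # e.g. a sandbox that blocks xattr syscalls
        return None


if __name__ == "__main__":
    print(format_dump("file2", {"user.language": b"en", "user.charset": b"utf8"}), end="")
    print("round trip:", demo())
```

Because getfattr dumps are plain text, the same parse_dump function doubles as a checker for backups made with getfattr -R -d before a restore is attempted, and read_user_attrs mirrors getfattr's default of listing only the user. namespace, so a security.selinux label on the file never shows up in the dump unless you ask for it explicitly.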

 

Conclusion

ACLs, extended attributes, and capabilities give you powerful tools for tailoring file permissions and security in Linux. Whether you’re auditing access with getfacl, fine-tuning program permissions with setcap, or adding custom metadata with setfattr, these commands help you go beyond the basics to meet real-world requirements. Understanding and practicing with them will make you more confident in managing modern Linux systems.

 

Editor’s note: This post has been adapted from a section of the book Linux Command Reference: Shell Commands from A to Z by Michael Kofler. Dr. Kofler is a programmer and Linux administrator. He studied electrical engineering/telematics at Graz University of Technology. He has been one of the most successful and versatile computing authors in the German-speaking world for many years. His current topics include Linux, Docker, Git, hacking and security, Raspberry Pi, and the programming languages Swift, Java, Python, and Kotlin. Dr. Kofler also teaches at the Joanneum University of Applied Sciences in Kapfenberg, Austria.

 

This post was originally published 9/2025.
