// learn · linux · rhcsa · 9 min

Access Control Lists (ACLs).

Standard permissions give you exactly three slots: owner, group, other. ACLs add as many named-user and named-group rules as you need — fine-grained access without inventing extra groups. Learn getfacl, setfacl, the mask, and the default ACLs that new files inherit.

Linux POSIX ACLs animated tutorial. getfacl, setfacl, named user and group entries, the ACL mask, default ACLs on directories, and the + indicator in ls -l. RHCSA EX200 ready.
// access control lists

When owner / group / other runs out of slots, ACLs let you attach as many per-user and per-group rules to a file as you need.

// before you start
you should know
  • Solid on standard rwx permissions (the special-permissions lesson)
  • Know what users and groups are
  • Comfortable reading ls -l output
by the end you'll

Read an ACL with getfacl, add named user/group entries with setfacl, understand the mask, and set inheritable default ACLs on directories.

pace: 9 minutes

file ACL — step 1 / 6 · the ugo limit
$ getfacl report.txt
# file: report.txt
# owner: alice
# group: devs
user::rw-      ← owner (alice)
group::r--     ← owning group (devs)
other::---     ← everyone else

Three slots is not enough

Standard Unix permissions give you exactly three sets of rwx: the owner, ONE group, and everyone else. But what if bob needs read-only and the devs group needs full access to the SAME file, and neither is the owner? You'd have to keep inventing groups. ACLs (Access Control Lists) let you attach as many named-user and named-group rules to a file as you need.

// key insight

The base permissions are ACL entries — ACLs just let you add more. Two gotchas that catch everyone: the + in ls -l means "there's an ACL here, run getfacl", and once an ACL exists, ls -l's group column shows the mask, not the owning group's real permission.

// exam-ready · getfacl / setfacl
$ getfacl FILE                     show the full ACL, including any #effective: notes
$ setfacl -m u:bob:r FILE          add or change a named-user entry
$ setfacl -m g:devs:rwx FILE       add or change a named-group entry
$ setfacl -m m::r FILE             set the mask explicitly (caps every entry except owner and other)
$ setfacl -x u:bob FILE            remove one entry
$ setfacl -b FILE                  remove all extended entries (back to plain ugo)
$ setfacl -k DIR                   remove only the default ACL
$ setfacl -d -m g:devs:rwx DIR     default ACL: new files and dirs under DIR inherit it
$ setfacl -R -m g:devs:rX DIR      recursive; capital X gives execute only to dirs and already-executable files
$ getfacl -R DIR > acl.bak         back up ACLs recursively
$ setfacl --restore=acl.bak        restore from that backup
$ cp -a  /  rsync -A               copy while preserving ACLs (plain cp and rsync drop them)
ls -l → trailing +                 an ACL is present; run getfacl to see it
#effective: in getfacl             the mask is limiting that entry's real rights
u:: g:: o::                        the base entries; the same bits chmod sets
mount -o acl                       only older filesystems needed this; current ext4 and xfs support ACLs without it
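The mask and default-ACL behaviour described above (the "key insight" and the -d / -k / -m m:: entries in the cheat sheet), as an added Python example that is not code from this lesson: it parses getfacl-style text, recomputes the #effective: rights under the mask, shows which triplet ls -l's group column really displays, simulates the mask recalculation setfacl -m performs, and works out what a new file inherits from a directory's default ACL. The two getfacl listings inside it (report.txt, project) are constructed samples and the function names are assumptions of this example.

```python
"""Model of POSIX ACL evaluation: mask, ls -l display, default-ACL inheritance.

Added example, not code from the original lesson; the getfacl text below is
constructed. The rules mirror acl(5) and setfacl(1): the mask caps every
entry except user:: (owner) and other::; setfacl -m recalculates the mask
unless -n is given; a new object inherits the directory's default entries
with user::, mask:: and other:: capped by the create mode."""

PERM_BITS = {"r": 4, "w": 2, "x": 1}

# Constructed: `getfacl report.txt` after `setfacl -m u:bob:r,g:qa:rwx report.txt`
SAMPLE_FILE_ACL = """\
# file: report.txt
# owner: alice
# group: devs
user::rw-
user:bob:r--
group::r--
group:qa:rwx
mask::rwx
other::r--
"""

# Constructed: `getfacl project` after `setfacl -d -m g:devs:rwx project`
SAMPLE_DIR_ACL = """\
# file: project
# owner: alice
# group: devs
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::r-x
default:group:devs:rwx
default:mask::rwx
default:other::r-x
"""


def perm_to_int(perm):
    """'rw-' -> 6; '-' placeholders are ignored."""
    return sum(PERM_BITS[c] for c in perm if c in PERM_BITS)


def int_to_perm(bits):
    """6 -> 'rw-'."""
    return "".join(c if bits & b else "-" for c, b in PERM_BITS.items())


def parse_acl(text):
    """getfacl long-form text -> list of (tag, qualifier, perms).

    Tags are 'user', 'group', 'mask', 'other' or 'default:<tag>'. Comment
    lines and '#effective:' annotations are dropped; effective() recomputes them.
    """
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(":")
        prefix = ""
        if parts[0] == "default":
            prefix, parts = "default:", parts[1:]
        tag, qualifier, perms = parts
        entries.append((prefix + tag, qualifier, perms))
    return entries


def access_entries(entries):
    """The access ACL only (everything that is not a default: entry)."""
    return [e for e in entries if not e[0].startswith("default:")]


def effective(entries):
    """{(tag, qualifier): effective perms} for the access ACL.

    The mask is ANDed into group::, user:NAME and group:NAME. The owner
    (user::) and other:: entries are never masked.
    """
    acc = access_entries(entries)
    mask = next((perm_to_int(p) for t, q, p in acc if t == "mask"), None)
    out = {}
    for tag, qual, perms in acc:
        bits = perm_to_int(perms)
        if mask is not None and (tag == "group" or (tag == "user" and qual)):
            bits &= mask
        out[(tag, qual)] = int_to_perm(bits)
    return out


def ls_mode_string(entries):
    """The nine permission characters ls -l prints, plus '+' when an ACL exists.

    With a mask present the middle triplet is the MASK, not group::.
    """
    acc = {(t, q): perm_to_int(p) for t, q, p in access_entries(entries)}
    group = acc.get(("mask", ""), acc[("group", "")])
    has_acl = len(acc) > 3 or len(acc) < len(entries)  # named/mask or default entries
    return (int_to_perm(acc[("user", "")]) + int_to_perm(group)
            + int_to_perm(acc[("other", "")]) + ("+" if has_acl else ""))


def modify(entries, tag, qualifier, perms, recalc_mask=True):
    """Simulate `setfacl -m TAG:QUAL:PERMS` on the access ACL.

    Like setfacl, the mask is recomputed as the union of group:: and all
    named entries afterwards, unless the change IS the mask or
    recalc_mask=False (setfacl -n). This is why a later -m can silently
    widen a mask you tightened with `setfacl -m m::r`.
    """
    new = [e for e in entries if (e[0], e[1]) != (tag, qualifier)]
    new.append((tag, qualifier, perms))
    if recalc_mask and tag != "mask":
        union = 0
        for t, q, p in access_entries(new):
            if t == "group" or (t == "user" and q):
                union |= perm_to_int(p)
        new = [e for e in new if e[0] != "mask"] + [("mask", "", int_to_perm(union))]
    return new


def inherit(dir_entries, create_mode):
    """Access ACL of a new object created in a directory with a default ACL.

    Default entries are copied; user::, mask:: (or group:: when there is no
    mask) and other:: are ANDed with the create mode's owner/group/other bits.
    That is why `setfacl -d -m g:devs:rwx` yields rw- for devs on a file
    created with mode 0o666 but rwx on a directory created with 0o777.
    """
    defaults = [(t[len("default:"):], q, p) for t, q, p in dir_entries
                if t.startswith("default:")]
    if not defaults:
        return None  # no default ACL: the new object just gets create_mode
    caps = {"user": (create_mode >> 6) & 7, "mask": (create_mode >> 3) & 7,
            "other": create_mode & 7}
    if not any(t == "mask" for t, _, _ in defaults):
        caps["group"] = caps["mask"]
    new = []
    for tag, qual, perms in defaults:
        bits = perm_to_int(perms)
        if not qual and tag in caps:
            bits &= caps[tag]
        new.append((tag, qual, int_to_perm(bits)))
    return new


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_FILE_ACL)
    print(ls_mode_string(acl), effective(acl))          # rw-rwxr--+ ...
    print(effective(inherit(parse_acl(SAMPLE_DIR_ACL), 0o666)))
```

Run it and compare the printed ls string with the group:: entry in the sample: the middle triplet is rwx (the mask) while the owning group really has r--, which is exactly the Q2 gotcha. The inherit() call at the end answers the Q4 follow-up most people miss: the default entry says rwx, but a regular file created with mode 0666 ends up with an effective rw- for devs.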
// check yourself
4 quick questions
Q1

bob (not the owner, not in the group) needs read access to one file, and you don't want to change any group memberships. What's the cleanest fix?

Q2

You see `-rw-rwxr--+ 1 alice devs` in ls -l. What does the + mean, and what is the 'rwx' middle field actually showing?

Q3

What does the ACL mask do?

Q4

You want every new file created under /srv/project to automatically grant the devs group rwx. What do you set?

These aren't graded — they're just for active recall, which is what actually makes the lesson stick.

// the foundation

chmod calculator

ACLs build on standard rwx — the base entries ARE your chmod permissions. Solidify octal vs symbolic here first.
