getfacl may be executed on a file system that does not support ACLs. It reports the ACL based on the base permission bits.
With no options specified, getfacl displays the filename, the owner, the group, and both the ACL and the default ACL, if it exists.
# file: filename # owner: uid # group: gid user::perm user:uid:perm group::perm group:gid:perm mask:perm other:perm default:user::perm default:user:uid:perm default:group::perm default:group:gid:perm default:mask:perm default:other:perm
When multiple files are specified on the command line, a blank line separates the ACLs for each file.
The ACL entries are displayed in the order in which they are evaluated when an access check is performed. The default ACL entries that may exist on a directory have no effect on access checks.
The first three lines display the filename, the file owner, and the file owning group. Note that when only the -d option is specified and the file has no default ACL, only these three lines are displayed.
The user entry without a user ID indicates the permissions that are granted to the owner of the file. One or more additional user entries indicate the permissions that are granted to the specified users.
The group entry without a group ID indicates the permissions that are granted to the owning group of the file. One or more additional group entries indicate the permissions that are granted to the specified groups.
The mask entry indicates the file group mask permissions. These are the maximum permissions allowed to any user entries except the file owner, and to any group entries, including the owning group. These permissions restrict the permissions specified in other entries.
The other entry indicates the permissions that are granted to others.
The default entries may exist only for directories, and indicate the default entries that are added to a file created within the directory.
The uid is a login name or a user ID if there is no entry for the uid in the system password file, /etc/passwd. The gid is a group name or a group ID if there is no entry for the gid in the system group file, /etc/group. The perm is a three character string composed of the letters representing the separate discretionary access rights: r (read), w (write), x (execute/search), or the place holder character -. The perm is displayed in the following order: rwx. If a permission is not granted by an ACL entry, the place holder character appears.
The file owner permission bits represent the access of the owning user ACL entry. The file group class permission bits represent the most access that any additional user entries, additional group entries, or the owning group entry may grant. The file other class permission bits represent the access that the other ACL entry has. If a user invokes the chmod(1) command and changes the file group class permission bits, the access granted by additional ACL entries may be restricted.
In order to indicate that the file group class permission bits restrict an ACL entry, getfacl displays an additional tab character, pound sign ("#"), and the actual permissions granted, following the entry.
host% getfacl foo
# file: foo # owner: shea # group: staff user::rwx user:spy:--- user:mookie:r-- group::r-- mask::rw- other::---
host% getfacl foo
# file: foo # owner: shea # group: staff user::rwx user:spy:--- user:mookie:r-- #effective:--- group::r-- #effective:--- mask::--- other::---
- Given directory "doo", with an ACL containing default entries, the command
host% getfacl -d doo
# file: doo # owner: shea # group: staff default:user::rwx default:user:spy:--- default:user:mookie:r-- default:group::r-- default:mask::--- default:other::---
- system password file
- group file
See Alsochmod(1) , ls(1) , setfacl(1) , acl(2) , aclsort(3) , group(4) , passwd(4)
NotesThe output from getfacl is in the correct format for input to the setfacl command. If the output from getfacl is redirected to a file, the file may be used as input to setfacl. In this way, a user may easily assign one file’s ACL to another file.
Table of Contents