A file in a ls -l listing has permissions such as:
-rw-r-----+
How do I find the extended Access Control List (ACL) permissions denoted by the +?
The names getfacl and setfacl as in Tom Hale's answer are semi-conventional and are derived from the original TRUSIX names getacl and setacl for these utilities.
However, on several operating systems one simply uses just the usual ls and chmod tools, which have been extended to handle ACLs; and one operating system has its own different set of commands.
The original TRUSIX scheme of POSIX-style ACLs has three permission flags in an access control list entry. Later NFS4-style schemes divide up permissions in a more fine grained manner into between 11 and 17 permission flags.
This situation does not arise. OpenBSD and NetBSD both lack any ACL mechanisms.
NetBSD implements the system calls in a FreeBSD compatibility layer, but they only return an error. OpenBSD simply doesn't have ACLs at all.
Use getfacl as in Tom Hale's answer, or getrichacl.
Setting ACLs is done with setfacl or setrichacl.
Linux (a kernel, remember) has two forms of ACL. It supports both the original TRUSIX scheme of POSIX-style ACLs, and (since 2015, but stuck in "experimental" status for a long time because there aren't enough maintainers available to review the VFS layer in Linux) an NFS4-style scheme.
There are several implementations of standard commands on Linux-based operating systems, from toybox through BusyBox to GNU coreutils.
But in all cases chmod does not handle ACLs, and ls at most only indicates their overall presence or absence.
This is unlike Solaris, Illumos, or MacOS.
Nor is there one tool for getting, or setting, ACLs.
setfacl and getfacl handle TRUSIX ACLs, whilst one has to use setrichacl and getrichacl for NFS4-style ACLs.
This is unlike FreeBSD.
"chmod". toybox Manual.
Use getfacl as in Tom Hale's answer. Setting ACLs is done with setfacl.
FreeBSD has two forms of ACL. One has POSIX-style entries like the original TRUSIX model; the other has NFS4-style entries, with 14 permissions flags.
Unlike on Solaris, Illumos, and MacOS, on FreeBSD chmod does not handle ACLs, and ls only indicates their overall presence or absence.
But there is a single tool each for getting and setting ACLs, unlike Linux-based operating systems.
The getfacl and setfacl commands on FreeBSD handle both forms of ACL.
They have several extensions beyond TRUSIX for the NFS4-style, such as the -v option to getfacl that prints NFS4-style access controls in a long form with words, rather than as a list of single-letter codes.
getfacl. FreeBSD General Commands Manual. FreeBSD.
There are no getfacl and setfacl commands on MacOS.
MacOS is like Solaris and Illumos.
MacOS only supports NFS4-style access controls, with ACL entries divided up into 17 individual permission flags.
Apple rolled ACL functionality into existing commands.
Use the -e option to ls to view ACLs.
Use the -a/+a/=a and related options to chmod to set them.
ls. BSD General Commands Manual. 2002-05-19. Apple corporation.
There are no getfacl and setfacl commands on AIX.
IBM uses its own command names.
AIX supports both POSIX-style (which IBM names "AIXC") and NFS4-style ACLs.
Use the aclget command to get ACLs.
Use the aclset command to set them.
Use the acledit command to edit them with a text editor.
Use the aclconvert command to convert POSIX-style to NFS4-style.
There are no getfacl and setfacl commands on Illumos and Solaris.
Solaris and Illumos are like MacOS.
Illumos and Solaris support both POSIX-style and NFS4-style ACLs.
Sun rolled ACL functionality into existing commands.
Use the -v or -V option to ls to view ACLs.
Use the A prefix for symbolic modes in the chmod command to set them.
ls. User Commands. 2014-11-24. Illumos Project.
chmod. User Commands. 2014-11-24. Illumos Project.
ls. Oracle Solaris 11 Information Library. 2011. Oracle.
Use getfacl as in Tom Hale's answer.
Setting ACLs is done with setfacl.
Windows NT itself has an ACL scheme that is roughly NFS4-style with a set of drctpoxfew standard-and-specific permissions flags, albeit with a larger set of security principals and a generic-rights mechanism that maps a POSIX-style set of three flags onto its standard-and-specific-rights permissions system.
Cygwin presents this as a wacky admixture of a Solaris-like ACL API, the ID mapping mechanism from Microsoft's second POSIX subsystem for Windows NT (née Interix), and a Linux-like set of command-line tools that only recognize POSIX-style permissions.
getfacl. Cygwin Utilities. Cygnus.
Use getfacl:
getfacl //var/log/journal/ebaaabbb8e1745b38c4ef233edcdb4cd/user-1000@000548efd8357898-e9a3294394981c9e.journal~
getfacl: Removing leading '/' from absolute path names
# file: var/log/journal/ebaaabbb8e1745b38c4ef233edcdb4cd/user-1000@000548efd83bbb98-e9a329aaa81c9e.journal~
# owner: root
# group: systemd-journal
user::rw-
user:ravi:r--
group::r-x #effective:r--
group:adm:r-x #effective:r--
group:wheel:r-x #effective:r--
mask::r--
other::---
Reference: to learn more about ACLs (e.g. changing them) see the Arch Linux ACLs wiki page.
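The #effective annotations in the output above come from the mask:: entry, which caps named users, the owning group and named groups. As an added example (not part of the original answer), this Python code parses getfacl text and recomputes each entry's effective rights; the sample text is constructed on the model of the output above, and the function names are assumptions.

```python
import re

# Constructed sample, modelled on the getfacl output shown in the answer above.
SAMPLE = """\
# file: var/log/journal/example.journal
# owner: root
# group: systemd-journal
user::rw-
user:ravi:r--
group::r-x\t#effective:r--
group:adm:r-x\t#effective:r--
group:wheel:r-x\t#effective:r--
mask::r--
other::---
"""

# Access entries only; "default:" entries on directories are skipped.
ENTRY = re.compile(r"^(user|group|mask|other):([^:]*):([r-][w-][x-])")


def parse_getfacl(text):
    """Return (header, entries) parsed from one file's getfacl output."""
    header, entries = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# ") and ": " in line:
            key, value = line[2:].split(": ", 1)
            header[key] = value
            continue
        m = ENTRY.match(line)
        if m:
            tag, qualifier, perms = m.groups()
            entries.append((tag, qualifier, {c for c in perms if c != "-"}))
    return header, entries


def effective_rights(entries):
    """Apply the POSIX ACL mask. It does not limit the file owner (user::)
    or other::, and a minimal ACL without a mask entry is left unchanged."""
    mask = next((p for tag, _, p in entries if tag == "mask"), None)
    result = {}
    for tag, qualifier, perms in entries:
        if tag == "mask":
            continue
        capped = tag == "group" or (tag == "user" and qualifier)
        if capped and mask is not None:
            perms = perms & mask
        result[(tag, qualifier)] = "".join(c if c in perms else "-" for c in "rwx")
    return result
```
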
+ means. Knowing what it means is a premise of the question. This question is asking how, when one knows what + means, one can go about listing out the ACLs, which the answers to the other question actually do not address, referring one to the manual or simply glossing over the entire subject. Moreover, an answer that mentions only getfacl when the question is not specific to one operating system is woefully incomplete. – JdeBP Nov 22 '17 at 06:26