GETFACL(1) Access Control Lists GETFACL(1)
getfacl - get file access control lists
getfacl [-dRLPvh] file ...
getfacl [-dRLPvh] -
For each file, getfacl displays the file name, owner, the group, and the Access Control
List (ACL). If a directory has a default ACL, getfacl also displays the default ACL. Non-
directories cannot have default ACLs.
If getfacl is used on a file system that does not support ACLs, getfacl displays the
access permissions defined by the traditional file mode permission bits.
The output format of getfacl is as follows:
1: # file: somedir/
2: # owner: lisa
3: # group: staff
5: user:joe:rwx #effective:r-x
6: group::rwx #effective:r-x
11: default:user:joe:rwx #effective:r-x
Lines 4, 6 and 9 correspond to the user, group and other fields of the file mode permis-
sion bits. These three are called the base ACL entries. Lines 5 and 7 are named user and
named group entries. Line 8 is the effective rights mask. This entry limits the effective
rights granted to all groups and to named users. (The file owner and others permissions
are not affected by the effective rights mask; all other entries are.) Lines 10--14 dis-
play the default ACL associated with this directory. Directories may have a default ACL.
Regular files never have a default ACL.
The default behavior for getfacl is to display both the ACL and the default ACL, and to
include an effective rights comment for lines where the rights of the entry differ from
the effective rights.
If output is to a terminal, the effective rights comment is aligned to column 40. Other-
wise, a single tab character separates the ACL entry and the effective rights comment.
The ACL listings of multiple files are separated by blank lines. The output of getfacl
can also be used as input to setfacl.
Process with search access to a file (i.e., processes with read access to the containing
directory of a file) are also granted read access to the file's ACLs. This is analogous
to the permissions required for accessing the file mode.
Display the file access control list.
Display the default access control list.
Do not display the comment header (the first three lines of each file's output).
Print all effective rights comments, even if identical to the rights defined by the
Do not print effective rights comments.
Skip files that only have the base ACL entries (owner, group, others).
List the ACLs of all files and directories recursively.
Logical walk, follow symbolic links. The default behavior is to follow symbolic link
arguments, and to skip symbolic links encountered in subdirectories.
Physical walk, skip all symbolic links. This also skips symbolic link arguments.
Use an alternative tabular output format. The ACL and the default ACL are displayed
side by side. Permissions that are ineffective due to the ACL mask entry are displayed
capitalized. The entry tag names for the ACL_USER_OBJ and ACL_GROUP_OBJ entries are
also displayed in capital letters, which helps in spotting those entries.
Do not strip leading slash characters (`/'). The default behavior is to strip leading
Print the version of getfacl and exit.
Print help explaining the command line options.
-- End of command line options. All remaining parameters are interpreted as file names,
even if they start with a dash character.
- If the file name parameter is a single dash character, getfacl reads a list of files
from standard input.
CONFORMANCE TO POSIX 1003.1e DRAFT STANDARD 17
If the environment variable POSIXLY_CORRECT is defined, the default behavior of getfacl
changes in the following ways: Unless otherwise specified, only the ACL is printed. The
default ACL is only printed if the -d option is given. If no command line parameter is
given, getfacl behaves as if it was invoked as ``getfacl -''.
Andreas Gruenbacher, <email@example.com>.
Please send your bug reports and comments to the above address.
May 2000 ACL File Utilities GETFACL(1)