Learn Linux ACL Permission
ACL (Access Control Lists): in Linux, an ACL lets us grant specific permissions to individual users or groups beyond the default owner/group/others model. This is very useful in real-world scenarios where multiple users and teams work on shared directories.
Step 1: Create Users and Groups
# Create users
useradd john
useradd harry
# Create groups
groupadd marketing-depart
groupadd sales-depart
Step 2: Create Directories
mkdir /marketing
mkdir /sales
Step 3: User-based ACL Permissions
Give john full access to /marketing
Give harry full access to /sales
# Set ACL for user john on /marketing
setfacl -m u:john:rwx /marketing
# Set ACL for user harry on /sales
setfacl -m u:harry:rwx /sales
Verify permissions
Login as john and test:
su - john
cd /marketing
touch report.txt # should work
cd /sales
touch fail.txt # should give permission denied
Login as harry and test:
su - harry
cd /sales
touch data.txt # should work
cd /marketing
touch fail.txt # should give permission denied
Step 4: Switch to Group-based ACL
Now let’s use groups instead of direct user ACL.
Remove existing user ACLs:
setfacl -x u:john /marketing
setfacl -x u:harry /sales
Add john to marketing-depart group and harry to sales-depart:
usermod -aG marketing-depart john
usermod -aG sales-depart harry
Set ACL for groups:
sudo setfacl -m g:marketing-depart:rwx /marketing
sudo setfacl -m g:sales-depart:rwx /sales
Verify Group ACL:
Login as john → should be able to write in /marketing but not /sales.
Login as harry → should be able to write in /sales but not /marketing.
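The checks above rely on the effective permission an ACL entry gives, which is the entry ANDed with the directory's mask entry (a later chmod of the group bits rewrites that mask and can silently cut a user's rwx down to r--). The following added example, not part of the original tutorial, computes that effective permission from constructed getfacl --omit-header output (the #effective: comments getfacl itself appends are left out of the sample); the function names are assumptions.

```shell
# Constructed sample of `getfacl --omit-header /marketing` after
# `setfacl -m u:john:rwx /marketing` followed by `chmod g=r /marketing`:
# the chmod rewrote the mask, so john's rwx entry is limited to r--.
SAMPLE_ACL='user::rwx
user:john:rwx
group::r-x
mask::r--
other::r-x'

# perm_bits "rwx" -> 7, "r--" -> 4, "---" -> 0
perm_bits() {
  _b=0
  case "$1" in *r*) _b=$((_b + 4));; esac
  case "$1" in *w*) _b=$((_b + 2));; esac
  case "$1" in *x*) _b=$((_b + 1));; esac
  echo "$_b"
}

# bits_perm 7 -> "rwx", 4 -> "r--"
bits_perm() {
  _s=""
  if [ $(( $1 & 4 )) -ne 0 ]; then _s="${_s}r"; else _s="${_s}-"; fi
  if [ $(( $1 & 2 )) -ne 0 ]; then _s="${_s}w"; else _s="${_s}-"; fi
  if [ $(( $1 & 1 )) -ne 0 ]; then _s="${_s}x"; else _s="${_s}-"; fi
  echo "$_s"
}

# acl_entry ACL_TEXT "user:john" -> permission field of that entry ("" if absent)
# Tags look like "user:john", "group:sales-depart", "user:" (owner), "mask:", "other:".
acl_entry() {
  printf '%s\n' "$1" | awk -F: -v tag="$2" '{ if (($1 ":" $2) == tag) print $3 }'
}

# effective_perm ACL_TEXT "user:john" -> what john actually gets.
# Named users, named groups and the owning group are limited by the mask;
# the owner (user:), mask and other entries are not.
effective_perm() {
  _entry=$(acl_entry "$1" "$2")
  [ -n "$_entry" ] || return 1
  case "$2" in user:|mask:|other:) echo "$_entry"; return 0;; esac
  _mask=$(acl_entry "$1" "mask:")
  [ -n "$_mask" ] || { echo "$_entry"; return 0; }
  bits_perm $(( $(perm_bits "$_entry") & $(perm_bits "$_mask") ))
}

effective_perm "$SAMPLE_ACL" user:john   # prints r--, not the rwx the entry shows
```

On a real system `getfacl` flags the same situation with a trailing `#effective:r--` on the entry, so a verification step that only reads the entry's own field will pass while the user's write test fails.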
More Useful ACL Examples for Students
Check ACLs on a file or directory
getfacl /marketing
Remove all ACL entries (reset directory to normal Linux permissions)
setfacl -b /marketing
Give read-only access to an auditor user
# The user must already exist. On a directory, r alone only lets audit list file names;
# x (search) is needed to enter the directory and open the files inside it.
setfacl -m u:audit:r-x /marketing
Give temporary write access to a trainee user
# Creating files in /sales also needs x on the directory, so grant rwx rather than rw.
setfacl -m u:trainee:rwx /sales
