How to change File Permission in Linux – Secondary Permission


The "secondary" permission layer on Linux is the POSIX Access Control List (ACL), managed with setfacl (set file ACL) and inspected with getfacl. It is used when you need to grant, or explicitly deny, access to particular users or groups beyond the single owner/group/other triplet that chmod controls.

Let's start with an example. As root, grant the user admin read, write and execute on /test by adding a named-user entry (-m modifies or adds entries; the entry syntax is u:USER:PERMS for a user, g:GROUP:PERMS for a group, m::PERMS for the mask and o::PERMS for others):

# setfacl -m u:admin:rwx /test

Here the user admin is a member of the group ec2-user, and /test is owned by root:root with no access for others, so admin is refused until an ACL entry lets them in. The following sequence is run as admin (hostname abbreviated to host), using sudo for the root-only setfacl calls. It grants access to the admin user, reverts it, then does the same through the ec2-user group:

[admin@host ~]$ cd /test/
-bash: cd: /test/: Permission denied

[admin@host ~]$ sudo setfacl -m u:admin:r-x /test/
[admin@host ~]$ cd /test/
[admin@host test]$ cd

[admin@host ~]$ sudo setfacl -x u:admin /test/
[admin@host ~]$ cd /test/
-bash: cd: /test/: Permission denied

[admin@host ~]$ sudo setfacl -m g:ec2-user:r-x /test/
[admin@host ~]$ cd /test/
[admin@host test]$ cd

[admin@host ~]$ sudo setfacl -m g:ec2-user:--- /test/
[admin@host ~]$ cd /test/
-bash: cd: /test/: Permission denied

=> The last cd is denied because the only ACL entry that matches admin is the one for the group ec2-user, and it grants nothing. Entry precedence matters here: a named user entry is checked before any group entry, so if u:admin:rwx had been left in place, g:ec2-user:--- would not have locked admin out; the user entry has to be removed first (setfacl -x u:admin). sudo is used because only the file's owner or root may change its ACL.

=> Even when the mode is 777, a user that setfacl has explicitly denied gets nothing: the named user entry matches before the group and other entries are consulted, and ---, ANDed with the mask (which chmod 777 set to rwx), is still ---.

[root@host ~]# chmod 777 /test

[root@host ~]# setfacl -m u:admin:--- /test/

[root@host ~]# su - admin

[admin@host ~]$ ls /test/
ls: cannot open directory /test/: Permission denied

=> We can check what is set with getfacl (it strips the leading slash from absolute paths in its output, which is harmless):

# getfacl <directory>
# getfacl /test/
getfacl: Removing leading '/' from absolute path names
# file: test/
# owner: root
# group: root
user::rwx
user:admin:---
group::rwx
group:ec2-user:---
mask::rwx
other::rwx

An extended ACL is also visible in ls -l as a + after the mode bits (drwxrwxrwx+).

==> The output contains a mask entry. The mask is the upper bound on the permissions granted by named user entries, the owning group entry (group::) and named group entries; it never limits the owner (user::) or other::. By default setfacl -m recalculates the mask as the union of those entries whenever you change them (unless -n is given), which is why it is rwx above and has no visible effect. Once you set it explicitly, as below, it caps every bounded entry regardless of what the entry itself says, and getfacl shows the result in an #effective: column.

# setfacl -m m::x /test
# getfacl /test/
getfacl: Removing leading '/' from absolute path names
# file: test/
# owner: root
# group: root
user::rwx
user:admin:---
group::rwx                      #effective:--x
group:ec2-user:---
mask::--x
other::rwx

ls -l now shows drwx--xrwx+: when an extended ACL is present, the group bits of the mode display the mask, not the group:: entry.

=> Here the owning group still has rwx in its own entry, but with the mask at --x, members of the group (other than the owner) can only traverse the directory: they cannot list it or create files in it. The owner and everyone matched by other:: are unaffected by the mask.
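The two effects above (a named user entry that overrides the group entries, and a mask that caps the group entry) follow from the access-check algorithm in acl(5). The following Python is an added example, not code from the original post: it parses getfacl output, recomputes the #effective: column, and answers "may this user do X" the way the kernel does. The getfacl texts embedded in it are constructed to match the scenarios in this post, and the user and group names (admin, ec2-user, carol) are illustrative.

```python
"""Evaluate POSIX ACLs offline: parse getfacl output, apply the mask and run the
access-check algorithm from acl(5). Added example, not code from the original post."""
import re

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def perms_to_bits(perms):
    """'r-x' -> 5, '---' -> 0 (letters may be in any order, dashes ignored)."""
    return sum(PERM_BITS[c] for c in perms if c in PERM_BITS)


def bits_to_perms(bits):
    """5 -> 'r-x'."""
    return "".join(c if bits & v else "-" for c, v in PERM_BITS.items())


def parse_getfacl(text):
    """Parse getfacl output. Returns {'owner', 'owning_group', 'entries'} where
    entries maps 'user::', 'user:NAME:', 'group::', 'group:NAME:', 'mask::' and
    'other::' to permission bitmasks. A trailing '#effective:' annotation is
    dropped; effective_perms() recomputes it."""
    acl = {"owner": None, "owning_group": None, "entries": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):                       # header: # file/owner/group
            m = re.match(r"#\s*(owner|group):\s*(\S+)", line)
            if m:
                acl["owner" if m.group(1) == "owner" else "owning_group"] = m.group(2)
            continue
        entry = line.split("#", 1)[0].strip()          # strip '#effective:...'
        tag, qualifier, perms = entry.split(":")
        acl["entries"][f"{tag}:{qualifier}:"] = perms_to_bits(perms)
    return acl


def effective_perms(acl):
    """{entry: 'rwx'} after applying the mask, as getfacl's #effective: column
    shows it. The mask bounds named users, the owning group and named groups;
    it never limits user:: (the owner) or other::."""
    entries, mask = acl["entries"], acl["entries"].get("mask::")
    result = {}
    for key, bits in entries.items():
        bounded = key not in ("user::", "other::", "mask::")
        result[key] = bits_to_perms(bits & mask if bounded and mask is not None else bits)
    return result


def check_access(acl, user, groups, requested):
    """acl(5) access check. `groups` is the set of group names the process holds,
    `requested` is a string such as 'r', 'w' or 'rx'. Returns True if granted."""
    want = perms_to_bits(requested)
    entries, mask = acl["entries"], acl["entries"].get("mask::")

    def masked(bits):
        return bits & mask if mask is not None else bits

    if user == acl["owner"]:                           # 1. owner: user::, unmasked
        return entries["user::"] & want == want
    if f"user:{user}:" in entries:                     # 2. named user beats groups
        return masked(entries[f"user:{user}:"]) & want == want
    matching = []                                      # 3. owning + named groups
    if acl["owning_group"] in groups:
        matching.append(entries["group::"])
    matching += [bits for key, bits in entries.items()
                 if key.startswith("group:") and key != "group::"
                 and key.split(":")[1] in groups]
    if matching:                                       #    any matching entry suffices
        return any(masked(bits) & want == want for bits in matching)
    return entries["other::"] & want == want           # 4. everyone else


# Constructed getfacl outputs matching the scenarios in the post (sample data).
ACL_777_ADMIN_DENIED = """\
# file: test
# owner: root
# group: root
user::rwx
user:admin:---
group::rwx
mask::rwx
other::rwx
"""

ACL_USER_BEATS_GROUP = """\
# file: test
# owner: root
# group: root
user::rwx
user:admin:rwx
group::r-x
group:ec2-user:---
mask::rwx
other::---
"""

ACL_MASKED = """\
# file: test
# owner: root
# group: root
user::rwx
group::rwx                      #effective:--x
mask::--x
other::r-x
"""

if __name__ == "__main__":
    a = parse_getfacl(ACL_777_ADMIN_DENIED)
    print("admin may read /test (mode 777, u:admin:---):", check_access(a, "admin", {"ec2-user"}, "r"))
    b = parse_getfacl(ACL_USER_BEATS_GROUP)
    print("admin may rwx (u:admin:rwx beats g:ec2-user:---):", check_access(b, "admin", {"ec2-user"}, "rwx"))
    print("other ec2-user member may read:", check_access(b, "carol", {"ec2-user"}, "r"))
    c = parse_getfacl(ACL_MASKED)
    print("effective entries with mask --x:", effective_perms(c))
```

Feed it real output (`getfacl /path`) and the groups of the account you are auditing (`id -Gn USER`) to predict an access decision before granting it; step 2 in check_access is the reason a named-user grant survives a group deny, and effective_perms is the reason a group can hold rwx on paper yet get only --x.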

=> To remove the mask, together with every named user and group entry, use:

# setfacl -b <dir>

here, -b => Remove all extended ACL entries. The base ACL entries of the owner, group and others are retained.

==> After -b the ACL is back to the plain owner/group/other triplet and the retained group:: entry becomes the group bits of the mode again, so members of the owning group get exactly what group:: says (rwx in this example); confirm with getfacl or ls -l rather than assuming. Two caveats worth knowing: if you only want the cap lifted but the named entries kept, setting the mask back with setfacl -m m::rwx is enough, since -b throws the named entries away too; and chmod on a file that carries an extended ACL changes the mask, not group::, so chmod g-w on such a file restricts every user and group that the mask bounds, and chmod g+rwx is the way to widen it again without touching the entries.

