The ACL mask sets the maximum effective permissions for the group owner of a file, named users of a file, and named groups of a file. The permissions of the owner and of others are the ones set using chmod and are not controlled by the ACL mask.
The ACL mask is set on a file using the setfacl command as follows:
$ setfacl -m m::r filename
$ getfacl filename
The getfacl command displays the string #effective: alongside the entries that are restricted by the mask. The mask is updated automatically whenever group permissions are changed with chmod.
The following table lists the user types and corresponding ACL precedence in Linux systems:
| User type | ACL precedence |
|---|---|
| Owner user | ACL permissions apply |
| Named user | ACL permissions apply (should be equal to or less than ACL mask) |
| Group | ACL permissions apply (should be equal to or less than ACL mask) |
| Named group | ACL permissions apply (should be equal to or less than ACL mask) |
| Others | ACL permissions apply |