You’re not alone.

What Are ACL Masks?

ACL masks are a way to ensure permissions interoperability with programs and utilities that aren’t ACL-aware.

To put it another way, it translates ACL entries into POSIX permissions for the sake of backward compatibility.

Notice the dot (.) after the permissions set.

A terminal window showing the ls command and its output.

This indicates an SELinux context, which is unrelated to ACLs or ACL masks.

We’ll accomplish this with the setfacl command.

Do you see the mask line in the output of the getfacl command now?

A terminal window showing the getfacl command and its output, with minimal ACL permissions.

In addition to the manager user’s extended ACL entry, this mask entry has been automatically assigned.

Right now, the read permission equates to the read permission of the existing mask.

Now let’s add another user from a second request, contractor, to the ACL of our file.

A terminal window showing the setfacl command to add a user ACL entry, the ls -l command, and the getfacl command and their outputs reflecting the new permissions.

This time, however, we need to give them read and write permissions.

But why did the mask entry change to read and write?

Don’t worry though, the group owner permissions are still reflected as the ‘owning group’ ACL entry.

A terminal window showing the setfacl command to add the contractor user with read and write permissions, and getfacl command and its output, particularly the modified mask permissions.

Effective Permissions

We can set the mask entry permissions manually by using the setfacl command.

This is called effective permissions.

Modifying the mask caused this.

A terminal window showing the setfacl command, modifying the mask, and the getfacl command showing effective permissions.
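The mask arithmetic behind effective permissions, as an added example that is not from the original article: a Python parser for getfacl-style output that computes what each entry can actually do once the mask is applied. The sample ACL, the file name report.txt, and the owner and group names are constructed; the manager and contractor user names follow the article.

```python
# Added example. SAMPLE is constructed getfacl-style output, not the article's.
SAMPLE = """\
# file: report.txt
# owner: root
# group: staff
user::rw-
user:manager:r--
user:contractor:rw-\t#effective:r--
group::rw-\t#effective:r--
mask::r--
other::---
"""

def parse_acl(text):
    """Return (tag, qualifier, perms) tuples for the access ACL entries."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop headers and '#effective:' notes
        if not line or line.startswith("default:"):
            continue  # default entries only seed new files; they grant nothing here
        tag, qualifier, perms = line.split(":")
        entries.append((tag, qualifier, perms))
    return entries

def effective_permissions(text):
    """Map 'tag:qualifier' -> (granted, effective) after applying the mask."""
    entries = parse_acl(text)
    mask = next((p for t, _, p in entries if t == "mask"), None)
    result = {}
    for tag, qualifier, perms in entries:
        if tag == "mask":
            continue
        # The mask caps named users, the owning group and named groups.
        # The file owner (user::) and other:: are never masked.
        capped = mask is not None and (tag == "group" or (tag == "user" and qualifier != ""))
        limit = mask if capped else perms
        effective = "".join(p if p == m else "-" for p, m in zip(perms, limit))
        result[f"{tag}:{qualifier}"] = (perms, effective)
    return result

def masked_entries(text):
    """Entries whose granted rights are reduced by the mask (worth an audit look)."""
    return [k for k, (granted, eff) in effective_permissions(text).items() if granted != eff]

if __name__ == "__main__":
    for entry, (granted, eff) in effective_permissions(SAMPLE).items():
        print(f"{entry:<18} granted={granted} effective={eff}")
```

An entry that appears in `masked_entries` is a place where the ACL as written and the access actually enforced disagree, which is the first thing to check when a user reports missing access after a mask change.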

A terminal window showing the ls command and its output with new group class permissions.

A terminal window showing the setfacl command, adding rwx permissions for the milton user, and getfacl command showing effective permissions of r, due to the use of the -n parameter.

A terminal window showing the mkdir, setfacl and getfacl commands to reflect a default mask assignment