Arch Linux: Setting ACLs for Proper File Permissions
Use setfacl on Arch Linux to give shared directories per-user, per-group permissions that new files inherit automatically — no more chmod -R after every deploy.
If a webserver, a deploy user, and your own account all need to write to /srv/http, plain Unix permissions get awkward fast — you end up either making everything 777 or running chmod -R after every deploy. Access Control Lists (ACLs) let you grant per-user and per-group access on the same directory, and the default: flavor makes new files inherit those rules automatically.
Here’s how I set it up on Arch.
Prerequisites
Before we start, make sure you have ACL support installed and enabled on your filesystem.
Install ACL Support
sudo pacman -S acl
Enable ACL Support
Most modern Linux filesystems (like ext4) have ACL support enabled by default. If yours does not, add acl to the mount options for that filesystem in /etc/fstab and remount it.
Set Permissions for Existing Files and Directories
To set the ACLs on an existing directory and apply them recursively to every file and subdirectory already inside it:
sudo setfacl -R -m u:devkraken:rwx /srv/http/dir-name
sudo setfacl -R -m g:http:rwx /srv/http/dir-name
Set Default ACLs for New Files and Directories
To ensure that new files and directories created within the dir-name directory automatically inherit the correct permissions:
sudo setfacl -d -m u:devkraken:rwx /srv/http/dir-name
sudo setfacl -d -m g:http:rwx /srv/http/dir-name
Verify ACLs
You can verify the ACLs using the getfacl command:
getfacl /srv/http/dir-name
The output should look like this:
# file: srv/http/dir-name
# owner: http
# group: http
user::rwx
group::rwx
other::r-x
default:user::rwx
default:user:devkraken:rwx
default:group::rwx
default:other::r-x
Creating a New File to Test Inherited Permissions
To verify that the settings are applied correctly, create a new file in the dir-name directory:
touch /srv/http/dir-name/newfile.txt
Then check the permissions of the new file:
getfacl /srv/http/dir-name/newfile.txt
The output should show:
# file: srv/http/dir-name/newfile.txt
# owner: devkraken
# group: http
user::rwx
user:devkraken:rwx
group::rwx
other::r-x
This indicates that the new file has inherited the correct permissions for the devkraken user and the http group.
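Named user and group entries are capped by the ACL mask entry, so a file created with mode 0666 under these defaults can list user:devkraken:rwx while granting only rw-. The added example below (not part of the original post) computes the effective permissions from getfacl output; the function names effective_acl and sample_acl and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: getfacl-style listing for a file created with mode 0666
# inside a directory whose default ACL grants rwx to devkraken and http.
sample_acl() {
    cat <<'EOF'
# file: srv/http/dir-name/newfile.txt
# owner: devkraken
# group: http
user::rw-
user:devkraken:rwx  #effective:rw-
group::rwx  #effective:rw-
group:http:rwx  #effective:rw-
mask::rw-
other::r--
EOF
}

# Read getfacl output on stdin and print one line per entry:
#   <scope> <tag>:<name> <listed perms> <effective perms>
# The mask limits named users, named groups and the owning group;
# user:: (the owner) and other:: are never masked.
effective_acl() {
    awk -F: '
    function isect(p, m,    i, out) {    # clear every bit the mask lacks
        out = ""
        for (i = 1; i <= 3; i++)
            out = out (substr(m, i, 1) == "-" ? "-" : substr(p, i, 1))
        return out
    }
    /^#/ || /^[ \t]*$/ { next }           # skip header comments and blank lines
    {
        sub(/[ \t]*#.*$/, "")            # drop a trailing "#effective:" note
        scope = "access"; off = 0
        if ($1 == "default") { scope = "default"; off = 1 }
        tag = $(1 + off); name = $(2 + off); perm = $(3 + off)
        if (tag == "mask") mask[scope] = perm
        n++; s[n] = scope; t[n] = tag; q[n] = name; p[n] = perm
    }
    END {
        for (i = 1; i <= n; i++) {
            eff = p[i]
            masked = (t[i] == "group" || (t[i] == "user" && q[i] != ""))
            if (masked && (s[i] in mask)) eff = isect(p[i], mask[s[i]])
            printf "%s %s:%s %s %s\n", s[i], t[i], q[i], p[i], eff
        }
    }'
}

sample_acl | effective_acl
```

On a live system, pipe real output into the function, for example getfacl /srv/http/dir-name/newfile.txt | effective_acl, and compare the last two columns.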
Wrap-up
Once the default ACLs are in place, every new file under that directory inherits the right access without you having to think about it. chmod -R after deploy goes away, and the webserver, your user, and the deploy user can each write their own files cleanly.