FreeBSD Manual Pages

home | help
SETFACL(1)		FreeBSD	General	Commands Manual		    SETFACL(1)

NAME
     setfacl --	set ACL	information

SYNOPSIS
     setfacl [-bdhkn] [-a position entries] [-m	entries] [-M file]
	     [-x entries | position] [-X file] [file ...]

DESCRIPTION
     The setfacl utility sets discretionary access control information on the
     specified file(s).	 If no files are specified, or the list	consists of
     the only `-', the file names are taken from the standard input.

     The following options are available:

     -a	position entries
	     Modify the	ACL on the specified files by inserting	new ACL
	     entries specified in entries, starting at position	position,
	     counting from zero.  This option is only applicable to NFSv4
	     ACLs.

     -b	     Remove all	ACL entries except for the ones	synthesized from the
	     file mode - the three mandatory entries in	case of	POSIX.1e ACL.
	     If	the POSIX.1e ACL contains a ``mask'' entry, the	permissions of
	     the ``group'' entry in the	resulting ACL will be set to the per-
	     mission associated	with both the ``group''	and ``mask'' entries
	     of	the current ACL.

     -d	     The operations apply to the default ACL entries instead of	access
	     ACL entries.  Currently only directories may have default ACL's.
	     This option is not	applicable to NFSv4 ACLs.

     -h	     If	the target of the operation is a symbolic link,	perform	the
	     operation on the symbolic link itself, rather than	following the
	     link.

     -k	     Delete any	default	ACL entries on the specified files.  It	is not
	     considered	an error if the	specified files	do not have any
	     default ACL entries.  An error will be reported if	any of the
	     specified files cannot have a default entry (i.e. non-directo-
	     ries).  This option is not	applicable to NFSv4 ACLs.

     -m	entries
	     Modify the	ACL on the specified file.  New	entries	will be	added,
	     and existing entries will be modified according to	the entries
	     argument.	For NFSv4 ACLs,	it is recommended to use the -a	and -x
	     options instead.

     -M	file
	     Modify the	ACL entries on the specified files by adding new ACL
	     entries and modifying existing ACL	entries	with the ACL entries
	     specified in the file file.  If file is -,	the input is taken
	     from stdin.

     -n	     Do	not recalculate	the permissions	associated with	the ACL	mask
	     entry.  This option is not	applicable to NFSv4 ACLs.

     -x	entries	| position
	     If	entries	is specified, remove the ACL entries specified there
	     from the access or	default	ACL of the specified files.  Other-
	     wise, remove entry	at index position, counting from zero.

     -X	file
	     Remove the	ACL entries specified in the file file from the	access
	     or	default	ACL of the specified files.

     The above options are evaluated in	the order specified on the command-
     line.

POSIX.1e ACL ENTRIES
     A POSIX.1E	ACL entry contains three colon-separated fields: an ACL	tag,
     an	ACL qualifier, and discretionary access	permissions:

     ACL tag
	     The ACL tag specifies the ACL entry type and consists of one of
	     the following: ``user'' or	`u' specifying the access granted to
	     the owner of the file or a	specified user;	``group'' or `g' spec-
	     ifying the	access granted to the file owning group	or a specified
	     group; ``other'' or `o' specifying	the access granted to any
	     process that does not match any user or group ACL entry; ``mask''
	     or	`m' specifying the maximum access granted to any ACL entry
	     except the	``user'' ACL entry for the file	owner and the
	     ``other'' ACL entry.

     ACL qualifier
	     The ACL qualifier field describes the user	or group associated
	     with the ACL entry.  It may consist of one	of the following: uid
	     or	user name, gid or group	name, or empty.	 For ``user'' ACL
	     entries, an empty field specifies access granted to the file
	     owner.  For ``group'' ACL entries,	an empty field specifies
	     access granted to the file	owning group.  ``mask''	and ``other''
	     ACL entries do not	use this field.

     access permissions
	     The access	permissions field contains up to one of	each of	the
	     following:	`r', `w', and `x' to set read, write, and execute per-
	     missions, respectively.  Each of these may	be excluded or
	     replaced with a `-' character to indicate no access.

     A ``mask''	ACL entry is required on a file	with any ACL entries other
     than the default ``user'',	``group'', and ``other'' ACL entries.  If the
     -n	option is not specified	and no ``mask''	ACL entry was specified, the
     setfacl utility will apply	a ``mask'' ACL entry consisting	of the union
     of	the permissions	associated with	all ``group'' ACL entries in the
     resulting ACL.

     Traditional POSIX interfaces acting on file system	object modes have mod-
     ified semantics in	the presence of	POSIX.1e extended ACLs.	 When a	mask
     entry is present on the access ACL	of an object, the mask entry is	sub-
     stituted for the group bits; this occurs in programs such as stat(1) or
     ls(1).  When the mode is modified on an object that has a mask entry, the
     changes applied to	the group bits will actually be	applied	to the mask
     entry.  These semantics provide for greater application compatibility:
     applications modifying the	mode instead of	the ACL	will see conservative
     behavior, limiting	the effective rights granted by	all of the additional
     user and group entries; this occurs in programs such as chmod(1).

     ACL entries applied from a	file using the -M or -X	options	shall be of
     the following form: one ACL entry per line, as previously specified;
     whitespace	is ignored; any	text after a `#' is ignored (comments).

     When POSIX.1e ACL entries are evaluated, the access check algorithm
     checks the	ACL entries in the following order: file owner,	``user'' ACL
     entries, file owning group, ``group'' ACL entries,	and ``other'' ACL
     entry.

     Multiple ACL entries specified on the command line	are separated by com-
     mas.

     It	is possible for	files and directories to inherit ACL entries from
     their parent directory.  This is accomplished through the use of the
     default ACL.  It should be	noted that before you can specify a default
     ACL, the mandatory	ACL entries for	user, group, other and mask must be
     set.  For more details see	the examples below.  Default ACLs can be cre-
     ated by using -d.

NFSv4 ACL ENTRIES
     An	NFSv4 ACL entry	contains four or five colon-separated fields: an ACL
     tag, an ACL qualifier (only for ``user'' and ``group'' tags), discre-
     tionary access permissions, ACL inheritance flags,	and ACL	type:

     ACL tag
	     The ACL tag specifies the ACL entry type and consists of one of
	     the following: ``user'' or	`u' specifying the access granted to
	     the specified user; ``group'' or `g' specifying the access
	     granted to	the specified group; ``owner@''	specifying the access
	     granted to	the owner of the file; ``group@'' specifying the
	     access granted to the file	owning group; ``everyone@'' specifying
	     everyone.	Note that ``everyone@''	is not the same	as traditional
	     Unix ``other'' - it means,	literally, everyone, including file
	     owner and owning group.

     ACL qualifier
	     The ACL qualifier field describes the user	or group associated
	     with the ACL entry.  It may consist of one	of the following: uid
	     or	user name, or gid or group name.  In entries whose tag type is
	     one of ``owner@'',	``group@'', or ``everyone@'', this field is
	     omitted altogether, including the trailing	comma.

     access permissions
	     Access permissions	may be specified in either short or long form.
	     Short and long forms may not be mixed.  Permissions in long form
	     are separated by the `/' character; in short form,	they are con-
	     catenated together.  Valid	permissions are:

	     Short	 Long

	     r		 read_data

	     w		 write_data

	     x		 execute

	     p		 append_data

	     D		 delete_child

	     d		 delete

	     a		 read_attributes

	     A		 write_attributes

	     R		 read_xattr

	     W		 write_xattr

	     c		 read_acl

	     C		 write_acl

	     o		 write_owner

	     s		 synchronize

	     In	addition, the following	permission sets	may be used:

	     Set	 Permissions

	     full_set	 all permissions, as shown above

	     modify_set	 all permissions except	write_acl and write_owner

	     read_set	 read_data, read_attributes, read_xattr	and read_acl

	     write_set	 write_data, append_data, write_attributes and
			 write_xattr

     ACL inheritance flags
	     Inheritance flags may be specified	in either short	or long	form.
	     Short and long forms may not be mixed.  Access flags in long form
	     are separated by the `/' character; in short form,	they are con-
	     catenated together.  Valid	inheritance flags are:

	     Short  Long

	     f	    file_inherit

	     d	    dir_inherit

	     i	    inherit_only

	     n	    no_propagate

	     I	    inherited

	     Other than	the "inherited"	flag, inheritance flags	may be only
	     set on directories.

     ACL type
	     The ACL type field	is either ``allow'' or ``deny''.

     ACL entries applied from a	file using the -M or -X	options	shall be of
     the following form: one ACL entry per line, as previously specified;
     whitespace	is ignored; any	text after a `#' is ignored (comments).

     NFSv4 ACL entries are evaluated in	their visible order.

     Multiple ACL entries specified on the command line	are separated by com-
     mas.

     Note that the file	owner is always	granted	the read_acl, write_acl,
     read_attributes, and write_attributes permissions,	even if	the ACL	would
     deny it.

EXIT STATUS
     The setfacl utility exits 0 on success, and >0 if an error	occurs.

EXAMPLES
	   setfacl -d -m u::rwx,g::rx,o::rx,mask::rwx dir
	   setfacl -d -m g:admins:rwx dir

     The first command sets the	mandatory elements of the POSIX.1e default
     ACL.  The second command specifies	that users in group admins can have
     read, write, and execute permissions for directory	named "dir".  It
     should be noted that any files or directories created underneath "dir"
     will inherit these	default	ACLs upon creation.

	   setfacl -m u::rwx,g:mail:rw file

     Sets read,	write, and execute permissions for the file owner's POSIX.1e
     ACL entry and read	and write permissions for group	mail on	file.

	   setfacl -m owner@:rwxp::allow,g:mail:rwp::allow file

     Semantically equal	to the example above, but for NFSv4 ACL.

	   setfacl -M file1 file2

     Sets/updates the ACL entries contained in file1 on	file2.

	   setfacl -x g:mail:rw	file

     Remove the	group mail POSIX.1e ACL	entry containing read/write permis-
     sions from	file.

	   setfacl -x0 file

     Remove the	first entry from the NFSv4 ACL from file.

	   setfacl -bn file

     Remove all	``access'' ACL entries except for the three required from
     file.

	   getfacl file1 | setfacl -b -n -M - file2

     Copy ACL entries from file1 to file2.

SEE ALSO
     getfacl(1), acl(3), getextattr(8),	setextattr(8), acl(9), extattr(9)

STANDARDS
     The setfacl utility is expected to	be IEEE	Std 1003.2c compliant.

HISTORY
     Extended Attribute	and Access Control List	support	was developed as part
     of	the TrustedBSD Project and introduced in FreeBSD 5.0.  NFSv4 ACL sup-
     port was introduced in FreeBSD 8.1.

AUTHORS
     The setfacl utility was written by	Chris D. Faulhaber <jedgar@fxp.org>.
     NFSv4 ACL support was implemented by Edward Tomasz	Napierala
     <trasz@FreeBSD.org>.

FreeBSD	11.1		       January 23, 2016			  FreeBSD 11.1
Want to link to this manual page? Use this URL:
<https://www.freebsd.org/cgi/man.cgi?query=setfacl&sektion=1&manpath=FreeBSD+11.0-RELEASE+and+Ports>
home | help
Header And Logo

Peripheral Links

Search

Site Navigation

FreeBSD Manual Pages
