2 .\" Copyright (c) 2001 Chris D. Faulhaber
3 .\" All rights reserved.
5 .\" Redistribution and use in source and binary forms, with or without
6 .\" modification, are permitted provided that the following conditions
8 .\" 1. Redistributions of source code must retain the above copyright
9 .\" notice, this list of conditions and the following disclaimer.
10 .\" 2. Redistributions in binary form must reproduce the above copyright
11 .\" notice, this list of conditions and the following disclaimer in the
12 .\" documentation and/or other materials provided with the distribution.
14 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17 .\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 .Nd set ACL information
37 .Op Fl a Ar position entries
40 .Op Fl x Ar entries | position
46 utility sets discretionary access control information on
47 the specified file(s).
48 If no files are specified, or the list consists of the only
50 the file names are taken from the standard input.
52 The following options are available:
53 .Bl -tag -width indent
54 .It Fl a Ar position entries
55 Modify the ACL on the specified files by inserting new
62 This option is only applicable to NFSv4 ACLs.
64 Remove all ACL entries except for the three required entries
65 (POSIX.1e ACLs) or six "canonical" entries (NFSv4 ACLs).
66 If the POSIX.1e ACL contains a
68 entry, the permissions of the
70 entry in the resulting ACL will be set to the permission
71 associated with both the
75 entries of the current ACL.
77 The operations apply to the default ACL entries instead of
79 Currently only directories may have
80 default ACL's. This option is not applicable to NFSv4 ACLs.
82 If the target of the operation is a symbolic link, perform the operation
83 on the symbolic link itself, rather than following the link.
85 Delete any default ACL entries on the specified files.
87 is not considered an error if the specified files do not have
88 any default ACL entries.
89 An error will be reported if any of
90 the specified files cannot have a default entry (i.e.\&
91 non-directories). This option is not applicable to NFSv4 ACLs.
93 Modify the ACL entries on the specified files by adding new
94 entries and modifying existing ACL entries with the ACL entries
98 Modify the ACL entries on the specified files by adding new
99 ACL entries and modifying existing ACL entries with the ACL
100 entries specified in the file
106 the input is taken from stdin.
108 Do not recalculate the permissions associated with the ACL
109 mask entry. This option is not applicable to NFSv4 ACLs.
110 .It Fl x Ar entries | position
113 is specified, remove the ACL entries specified there
114 from the access or default ACL of the specified files.
115 Otherwise, remove entry at index
119 Remove the ACL entries specified in the file
121 from the access or default ACL of the specified files.
124 The above options are evaluated in the order specified
126 .Sh POSIX.1e ACL ENTRIES
127 A POSIX.1E ACL entry contains three colon-separated fields:
128 an ACL tag, an ACL qualifier, and discretionary access
130 .Bl -tag -width indent
132 The ACL tag specifies the ACL entry type and consists of
133 one of the following:
137 specifying the access
138 granted to the owner of the file or a specified user;
142 specifying the access granted to the file owning group
143 or a specified group;
147 specifying the access
148 granted to any process that does not match any user or group
153 specifying the maximum access
154 granted to any ACL entry except the
156 ACL entry for the file owner and the
159 .It Ar "ACL qualifier"
160 The ACL qualifier field describes the user or group associated with
162 It may consist of one of the following: uid or
163 user name, gid or group name, or empty.
166 ACL entries, an empty field specifies access granted to the
170 ACL entries, an empty field specifies access granted to the
175 ACL entries do not use this field.
176 .It Ar "access permissions"
177 The access permissions field contains up to one of each of
183 to set read, write, and
184 execute permissions, respectively.
185 Each of these may be excluded
188 character to indicate no access.
193 ACL entry is required on a file with any ACL entries other than
202 option is not specified and no
204 ACL entry was specified, the
209 ACL entry consisting of the union of the permissions associated
212 ACL entries in the resulting ACL.
214 Traditional POSIX interfaces acting on file system object modes have
215 modified semantics in the presence of POSIX.1e extended ACLs.
216 When a mask entry is present on the access ACL of an object, the mask
217 entry is substituted for the group bits; this occurs in programs such
222 When the mode is modified on an object that has a mask entry, the
223 changes applied to the group bits will actually be applied to the
225 These semantics provide for greater application compatibility:
226 applications modifying the mode instead of the ACL will see
227 conservative behavior, limiting the effective rights granted by all
228 of the additional user and group entries; this occurs in programs
232 ACL entries applied from a file using the
236 options shall be of the following form: one ACL entry per line, as
237 previously specified; whitespace is ignored; any text after a
239 is ignored (comments).
241 When POSIX.1e ACL entries are evaluated, the access check algorithm checks
242 the ACL entries in the following order: file owner,
244 ACL entries, file owning group,
250 Multiple ACL entries specified on the command line are
253 It is possible for files and directories to inherit ACL entries from their
255 This is accomplished through the use of the default ACL.
256 It should be noted that before you can specify a default ACL, the mandatory
257 ACL entries for user, group, other and mask must be set.
258 For more details see the examples below.
259 Default ACLs can be created by using
261 .Sh NFSv4 ACL ENTRIES
262 An NFSv4 ACL entry contains four or five colon-separated fields: an ACL tag,
263 an ACL qualifier (only for
267 tags), discretionary access permissions, ACL inheritance flags, and ACL type:
268 .Bl -tag -width indent
270 The ACL tag specifies the ACL entry type and consists of
271 one of the following:
275 specifying the access
276 granted to the specified user;
280 specifying the access granted to the specified group;
282 specifying the access granted to the owner of the file;
284 specifying the access granted to the file owning group;
286 specifying everyone. Note that
288 is not the same as traditional Unix
291 literally, everyone, including file owner and owning group.
292 .It Ar "ACL qualifier"
293 The ACL qualifier field describes the user or group associated with
295 It may consist of one of the following: uid or
296 user name, or gid or group name. In entries whose tag type is
302 this field is ommited altogether, including the trailing comma.
303 .It Ar "access permissions"
304 Access permissions may be specified in either short or long form.
305 Short and long forms may not be mixed.
306 Permissions in long form are separated by the
308 character; in short form, they are concatenated together.
309 Valid permissions are:
310 .Bl -tag -width ".Dv short"
342 .It Ar "ACL inheritance flags"
343 Inheritance flags may be specified in either short or long form.
344 Short and long forms may not be mixed.
345 Access flags in long form are separated by the
347 character; in short form, they are concatenated together.
348 Valid inheritance flags are:
349 .Bl -tag -width ".Dv short"
362 Inheritance flags may be only set on directories.
364 The ACL type field is either
370 ACL entries applied from a file using the
374 options shall be of the following form: one ACL entry per line, as
375 previously specified; whitespace is ignored; any text after a
377 is ignored (comments).
379 NFSv4 ACL entries are evaluated in their visible order.
381 Multiple ACL entries specified on the command line are
386 .Dl setfacl -d -m u::rwx,g::rx,o::rx,mask::rwx dir
387 .Dl setfacl -d -m g:admins:rwx dir
389 The first command sets the mandatory elements of the POSIX.1e default ACL.
390 The second command specifies that users in group admins can have read, write, and execute
391 permissions for directory named "dir".
392 It should be noted that any files or directories created underneath "dir" will
393 inherit these default ACLs upon creation.
395 .Dl setfacl -m u::rwx,g:mail:rw file
397 Sets read, write, and execute permissions for the
399 owner's POSIX.1e ACL entry and read and write permissions for group mail on
402 .Dl setfacl -m owner@:rwxp::allow,g:mail:rwp::allow file
404 Semantically equal to the example above, but for NFSv4 ACL.
406 .Dl setfacl -M file1 file2
408 Sets/updates the ACL entries contained in
413 .Dl setfacl -x g:mail:rw file
415 Remove the group mail POSIX.1e ACL entry containing read/write permissions
421 Remove the first entry from the NFSv4 ACL from
428 ACL entries except for the three required from
431 .Dl getfacl file1 | setfacl -b -n -M - file2
433 Copy ACL entries from
447 utility is expected to be
449 Std 1003.2c compliant.
451 Extended Attribute and Access Control List support was developed
454 Project and introduced in
459 utility was written by
460 .An Chris D. Faulhaber Aq jedgar@fxp.org .