2 .\" Copyright (c) 2001 Chris D. Faulhaber
3 .\" Copyright (c) 2011 Edward Tomasz NapieraĆa
4 .\" All rights reserved.
6 .\" Redistribution and use in source and binary forms, with or without
7 .\" modification, are permitted provided that the following conditions
9 .\" 1. Redistributions of source code must retain the above copyright
10 .\" notice, this list of conditions and the following disclaimer.
11 .\" 2. Redistributions in binary form must reproduce the above copyright
12 .\" notice, this list of conditions and the following disclaimer in the
13 .\" documentation and/or other materials provided with the distribution.
15 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18 .\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 .Nd set ACL information
38 .Op Fl a Ar position entries
41 .Op Fl x Ar entries | position
47 utility sets discretionary access control information on
48 the specified file(s).
49 If no files are specified, or the list consists of the only
51 the file names are taken from the standard input.
53 The following options are available:
54 .Bl -tag -width indent
55 .It Fl a Ar position entries
56 Modify the ACL on the specified files by inserting new
63 This option is only applicable to NFSv4 ACLs.
65 Remove all ACL entries except for the ones synthesized
66 from the file mode - the three mandatory entries in case
68 If the POSIX.1e ACL contains a
70 entry, the permissions of the
72 entry in the resulting ACL will be set to the permission
73 associated with both the
77 entries of the current ACL.
79 The operations apply to the default ACL entries instead of
81 Currently only directories may have
82 default ACL's. This option is not applicable to NFSv4 ACLs.
84 If the target of the operation is a symbolic link, perform the operation
85 on the symbolic link itself, rather than following the link.
87 Delete any default ACL entries on the specified files.
89 is not considered an error if the specified files do not have
90 any default ACL entries.
91 An error will be reported if any of
92 the specified files cannot have a default entry (i.e.\&
93 non-directories). This option is not applicable to NFSv4 ACLs.
95 Modify the ACL on the specified file.
96 New entries will be added, and existing entries will be modified
100 For NFSv4 ACLs, it is recommended to use the
106 Modify the ACL entries on the specified files by adding new
107 ACL entries and modifying existing ACL entries with the ACL
108 entries specified in the file
114 the input is taken from stdin.
116 Do not recalculate the permissions associated with the ACL
118 This option is not applicable to NFSv4 ACLs.
119 .It Fl x Ar entries | position
122 is specified, remove the ACL entries specified there
123 from the access or default ACL of the specified files.
124 Otherwise, remove entry at index
128 Remove the ACL entries specified in the file
130 from the access or default ACL of the specified files.
133 The above options are evaluated in the order specified
135 .Sh POSIX.1e ACL ENTRIES
136 A POSIX.1E ACL entry contains three colon-separated fields:
137 an ACL tag, an ACL qualifier, and discretionary access
139 .Bl -tag -width indent
141 The ACL tag specifies the ACL entry type and consists of
142 one of the following:
146 specifying the access
147 granted to the owner of the file or a specified user;
151 specifying the access granted to the file owning group
152 or a specified group;
156 specifying the access
157 granted to any process that does not match any user or group
162 specifying the maximum access
163 granted to any ACL entry except the
165 ACL entry for the file owner and the
168 .It Ar "ACL qualifier"
169 The ACL qualifier field describes the user or group associated with
171 It may consist of one of the following: uid or
172 user name, gid or group name, or empty.
175 ACL entries, an empty field specifies access granted to the
179 ACL entries, an empty field specifies access granted to the
184 ACL entries do not use this field.
185 .It Ar "access permissions"
186 The access permissions field contains up to one of each of
192 to set read, write, and
193 execute permissions, respectively.
194 Each of these may be excluded
197 character to indicate no access.
202 ACL entry is required on a file with any ACL entries other than
211 option is not specified and no
213 ACL entry was specified, the
218 ACL entry consisting of the union of the permissions associated
221 ACL entries in the resulting ACL.
223 Traditional POSIX interfaces acting on file system object modes have
224 modified semantics in the presence of POSIX.1e extended ACLs.
225 When a mask entry is present on the access ACL of an object, the mask
226 entry is substituted for the group bits; this occurs in programs such
231 When the mode is modified on an object that has a mask entry, the
232 changes applied to the group bits will actually be applied to the
234 These semantics provide for greater application compatibility:
235 applications modifying the mode instead of the ACL will see
236 conservative behavior, limiting the effective rights granted by all
237 of the additional user and group entries; this occurs in programs
241 ACL entries applied from a file using the
245 options shall be of the following form: one ACL entry per line, as
246 previously specified; whitespace is ignored; any text after a
248 is ignored (comments).
250 When POSIX.1e ACL entries are evaluated, the access check algorithm checks
251 the ACL entries in the following order: file owner,
253 ACL entries, file owning group,
259 Multiple ACL entries specified on the command line are
262 It is possible for files and directories to inherit ACL entries from their
264 This is accomplished through the use of the default ACL.
265 It should be noted that before you can specify a default ACL, the mandatory
266 ACL entries for user, group, other and mask must be set.
267 For more details see the examples below.
268 Default ACLs can be created by using
270 .Sh NFSv4 ACL ENTRIES
271 An NFSv4 ACL entry contains four or five colon-separated fields: an ACL tag,
272 an ACL qualifier (only for
276 tags), discretionary access permissions, ACL inheritance flags, and ACL type:
277 .Bl -tag -width indent
279 The ACL tag specifies the ACL entry type and consists of
280 one of the following:
284 specifying the access
285 granted to the specified user;
289 specifying the access granted to the specified group;
291 specifying the access granted to the owner of the file;
293 specifying the access granted to the file owning group;
298 is not the same as traditional Unix
301 literally, everyone, including file owner and owning group.
302 .It Ar "ACL qualifier"
303 The ACL qualifier field describes the user or group associated with
305 It may consist of one of the following: uid or
306 user name, or gid or group name.
307 In entries whose tag type is one of
312 this field is omitted altogether, including the trailing comma.
313 .It Ar "access permissions"
314 Access permissions may be specified in either short or long form.
315 Short and long forms may not be mixed.
316 Permissions in long form are separated by the
318 character; in short form, they are concatenated together.
319 Valid permissions are:
320 .Bl -tag -width ".Dv modify_set"
353 In addition, the following permission sets may be used:
354 .Bl -tag -width ".Dv modify_set"
358 all permissions, as shown above
360 all permissions except write_acl and write_owner
362 read_data, read_attributes, read_xattr and read_acl
364 write_data, append_data, write_attributes and write_xattr
366 .It Ar "ACL inheritance flags"
367 Inheritance flags may be specified in either short or long form.
368 Short and long forms may not be mixed.
369 Access flags in long form are separated by the
371 character; in short form, they are concatenated together.
372 Valid inheritance flags are:
373 .Bl -tag -width ".Dv short"
388 Other than the "inherited" flag, inheritance flags may be only set on directories.
390 The ACL type field is either
396 ACL entries applied from a file using the
400 options shall be of the following form: one ACL entry per line, as
401 previously specified; whitespace is ignored; any text after a
403 is ignored (comments).
405 NFSv4 ACL entries are evaluated in their visible order.
407 Multiple ACL entries specified on the command line are
410 Note that the file owner is always granted the read_acl, write_acl,
411 read_attributes, and write_attributes permissions, even if the ACL
416 .Dl setfacl -d -m u::rwx,g::rx,o::rx,mask::rwx dir
417 .Dl setfacl -d -m g:admins:rwx dir
419 The first command sets the mandatory elements of the POSIX.1e default ACL.
420 The second command specifies that users in group admins can have read, write, and execute
421 permissions for directory named "dir".
422 It should be noted that any files or directories created underneath "dir" will
423 inherit these default ACLs upon creation.
425 .Dl setfacl -m u::rwx,g:mail:rw file
427 Sets read, write, and execute permissions for the
429 owner's POSIX.1e ACL entry and read and write permissions for group mail on
432 .Dl setfacl -m owner@:rwxp::allow,g:mail:rwp::allow file
434 Semantically equal to the example above, but for NFSv4 ACL.
436 .Dl setfacl -M file1 file2
438 Sets/updates the ACL entries contained in
443 .Dl setfacl -x g:mail:rw file
445 Remove the group mail POSIX.1e ACL entry containing read/write permissions
451 Remove the first entry from the NFSv4 ACL from
458 ACL entries except for the three required from
461 .Dl getfacl file1 | setfacl -b -n -M - file2
463 Copy ACL entries from
477 utility is expected to be
479 Std 1003.2c compliant.
481 Extended Attribute and Access Control List support was developed
484 Project and introduced in
486 NFSv4 ACL support was introduced in
492 utility was written by
493 .An Chris D. Faulhaber Aq Mt jedgar@fxp.org .
494 NFSv4 ACL support was implemented by
495 .An Edward Tomasz Napierala Aq Mt trasz@FreeBSD.org .