2 .\" Copyright (c) 2001 Chris D. Faulhaber
3 .\" Copyright (c) 2011 Edward Tomasz NapieraĆa
4 .\" All rights reserved.
6 .\" Redistribution and use in source and binary forms, with or without
7 .\" modification, are permitted provided that the following conditions
9 .\" 1. Redistributions of source code must retain the above copyright
10 .\" notice, this list of conditions and the following disclaimer.
11 .\" 2. Redistributions in binary form must reproduce the above copyright
12 .\" notice, this list of conditions and the following disclaimer in the
13 .\" documentation and/or other materials provided with the distribution.
15 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18 .\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 .Nd set ACL information
38 .Op Fl a Ar position entries
41 .Op Fl x Ar entries | position
47 utility sets discretionary access control information on
48 the specified file(s).
49 If no files are specified, or the list consists of the only
51 the file names are taken from the standard input.
53 The following options are available:
54 .Bl -tag -width indent
55 .It Fl a Ar position entries
56 Modify the ACL on the specified files by inserting new
63 This option is only applicable to NFSv4 ACLs.
65 Remove all ACL entries except for the ones synthesized
66 from the file mode - the three mandatory entries in case
68 If the POSIX.1e ACL contains a
70 entry, the permissions of the
72 entry in the resulting ACL will be set to the permission
73 associated with both the
77 entries of the current ACL.
79 The operations apply to the default ACL entries instead of
81 Currently only directories may have
82 default ACL's. This option is not applicable to NFSv4 ACLs.
84 If the target of the operation is a symbolic link, perform the operation
85 on the symbolic link itself, rather than following the link.
87 Delete any default ACL entries on the specified files.
89 is not considered an error if the specified files do not have
90 any default ACL entries.
91 An error will be reported if any of
92 the specified files cannot have a default entry (i.e.\&
93 non-directories). This option is not applicable to NFSv4 ACLs.
95 Modify the ACL on the specified file.
96 New entries will be added, and existing entries will be modified
100 For NFSv4 ACLs, it is recommended to use the
106 Modify the ACL entries on the specified files by adding new
107 ACL entries and modifying existing ACL entries with the ACL
108 entries specified in the file
114 the input is taken from stdin.
116 Do not recalculate the permissions associated with the ACL
117 mask entry. This option is not applicable to NFSv4 ACLs.
118 .It Fl x Ar entries | position
121 is specified, remove the ACL entries specified there
122 from the access or default ACL of the specified files.
123 Otherwise, remove entry at index
127 Remove the ACL entries specified in the file
129 from the access or default ACL of the specified files.
132 The above options are evaluated in the order specified
134 .Sh POSIX.1e ACL ENTRIES
135 A POSIX.1E ACL entry contains three colon-separated fields:
136 an ACL tag, an ACL qualifier, and discretionary access
138 .Bl -tag -width indent
140 The ACL tag specifies the ACL entry type and consists of
141 one of the following:
145 specifying the access
146 granted to the owner of the file or a specified user;
150 specifying the access granted to the file owning group
151 or a specified group;
155 specifying the access
156 granted to any process that does not match any user or group
161 specifying the maximum access
162 granted to any ACL entry except the
164 ACL entry for the file owner and the
167 .It Ar "ACL qualifier"
168 The ACL qualifier field describes the user or group associated with
170 It may consist of one of the following: uid or
171 user name, gid or group name, or empty.
174 ACL entries, an empty field specifies access granted to the
178 ACL entries, an empty field specifies access granted to the
183 ACL entries do not use this field.
184 .It Ar "access permissions"
185 The access permissions field contains up to one of each of
191 to set read, write, and
192 execute permissions, respectively.
193 Each of these may be excluded
196 character to indicate no access.
201 ACL entry is required on a file with any ACL entries other than
210 option is not specified and no
212 ACL entry was specified, the
217 ACL entry consisting of the union of the permissions associated
220 ACL entries in the resulting ACL.
222 Traditional POSIX interfaces acting on file system object modes have
223 modified semantics in the presence of POSIX.1e extended ACLs.
224 When a mask entry is present on the access ACL of an object, the mask
225 entry is substituted for the group bits; this occurs in programs such
230 When the mode is modified on an object that has a mask entry, the
231 changes applied to the group bits will actually be applied to the
233 These semantics provide for greater application compatibility:
234 applications modifying the mode instead of the ACL will see
235 conservative behavior, limiting the effective rights granted by all
236 of the additional user and group entries; this occurs in programs
240 ACL entries applied from a file using the
244 options shall be of the following form: one ACL entry per line, as
245 previously specified; whitespace is ignored; any text after a
247 is ignored (comments).
249 When POSIX.1e ACL entries are evaluated, the access check algorithm checks
250 the ACL entries in the following order: file owner,
252 ACL entries, file owning group,
258 Multiple ACL entries specified on the command line are
261 It is possible for files and directories to inherit ACL entries from their
263 This is accomplished through the use of the default ACL.
264 It should be noted that before you can specify a default ACL, the mandatory
265 ACL entries for user, group, other and mask must be set.
266 For more details see the examples below.
267 Default ACLs can be created by using
269 .Sh NFSv4 ACL ENTRIES
270 An NFSv4 ACL entry contains four or five colon-separated fields: an ACL tag,
271 an ACL qualifier (only for
275 tags), discretionary access permissions, ACL inheritance flags, and ACL type:
276 .Bl -tag -width indent
278 The ACL tag specifies the ACL entry type and consists of
279 one of the following:
283 specifying the access
284 granted to the specified user;
288 specifying the access granted to the specified group;
290 specifying the access granted to the owner of the file;
292 specifying the access granted to the file owning group;
294 specifying everyone. Note that
296 is not the same as traditional Unix
299 literally, everyone, including file owner and owning group.
300 .It Ar "ACL qualifier"
301 The ACL qualifier field describes the user or group associated with
303 It may consist of one of the following: uid or
304 user name, or gid or group name. In entries whose tag type is
310 this field is omitted altogether, including the trailing comma.
311 .It Ar "access permissions"
312 Access permissions may be specified in either short or long form.
313 Short and long forms may not be mixed.
314 Permissions in long form are separated by the
316 character; in short form, they are concatenated together.
317 Valid permissions are:
318 .Bl -tag -width ".Dv modify_set"
351 In addition, the following permission sets may be used:
352 .Bl -tag -width ".Dv modify_set"
356 all permissions, as shown above
358 all permissions except write_acl and write_owner
360 read_data, read_attributes, read_xattr and read_acl
362 write_data, append_data, write_attributes and write_xattr
364 .It Ar "ACL inheritance flags"
365 Inheritance flags may be specified in either short or long form.
366 Short and long forms may not be mixed.
367 Access flags in long form are separated by the
369 character; in short form, they are concatenated together.
370 Valid inheritance flags are:
371 .Bl -tag -width ".Dv short"
386 Other than the "inherited" flag, inheritance flags may be only set on directories.
388 The ACL type field is either
394 ACL entries applied from a file using the
398 options shall be of the following form: one ACL entry per line, as
399 previously specified; whitespace is ignored; any text after a
401 is ignored (comments).
403 NFSv4 ACL entries are evaluated in their visible order.
405 Multiple ACL entries specified on the command line are
408 Note that the file owner is always granted the read_acl, write_acl,
409 read_attributes, and write_attributes permissions, even if the ACL
414 .Dl setfacl -d -m u::rwx,g::rx,o::rx,mask::rwx dir
415 .Dl setfacl -d -m g:admins:rwx dir
417 The first command sets the mandatory elements of the POSIX.1e default ACL.
418 The second command specifies that users in group admins can have read, write, and execute
419 permissions for directory named "dir".
420 It should be noted that any files or directories created underneath "dir" will
421 inherit these default ACLs upon creation.
423 .Dl setfacl -m u::rwx,g:mail:rw file
425 Sets read, write, and execute permissions for the
427 owner's POSIX.1e ACL entry and read and write permissions for group mail on
430 .Dl setfacl -m owner@:rwxp::allow,g:mail:rwp::allow file
432 Semantically equal to the example above, but for NFSv4 ACL.
434 .Dl setfacl -M file1 file2
436 Sets/updates the ACL entries contained in
441 .Dl setfacl -x g:mail:rw file
443 Remove the group mail POSIX.1e ACL entry containing read/write permissions
449 Remove the first entry from the NFSv4 ACL from
456 ACL entries except for the three required from
459 .Dl getfacl file1 | setfacl -b -n -M - file2
461 Copy ACL entries from
475 utility is expected to be
477 Std 1003.2c compliant.
479 Extended Attribute and Access Control List support was developed
482 Project and introduced in
484 NFSv4 ACL support was introduced in
490 utility was written by
491 .An Chris D. Faulhaber Aq Mt jedgar@fxp.org .
492 NFSv4 ACL support was implemented by
493 .An Edward Tomasz Napierala Aq Mt trasz@FreeBSD.org .