.\" Copyright (c) 2001 Chris D. Faulhaber
.\" Copyright (c) 2011 Edward Tomasz Napierała
.\" All rights reserved.
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.Nd set ACL information
.Op Fl a Ar position entries
.Op Fl x Ar entries | position
utility sets discretionary access control information on
the specified file(s).
If no files are specified, or the file list consists only of
.Fl ,
the file names are taken from the standard input.
The following options are available:
.Bl -tag -width indent
.It Fl a Ar position entries
Modify the ACL on the specified files by inserting new
This option is only applicable to NFSv4 ACLs.
Remove all ACL entries except for the three required entries
(POSIX.1e ACLs) or six "canonical" entries (NFSv4 ACLs).
If the POSIX.1e ACL contains a
entry, the permissions of the
entry in the resulting ACL will be set to the permissions present in both the
entries of the current ACL (their intersection), so the effective rights
the mask was limiting are not widened by the removal.
The operations apply to the default ACL entries instead of
Currently only directories may have
default ACLs.
This option is not applicable to NFSv4 ACLs.
If the target of the operation is a symbolic link, perform the operation
on the symbolic link itself, rather than following the link.
Delete any default ACL entries on the specified files.
It is not considered an error if the specified files do not have
any default ACL entries.
An error will be reported if any of
the specified files cannot have a default entry (i.e.\& non-directories).
This option is not applicable to NFSv4 ACLs.
Modify the ACL entries on the specified files by adding new
entries and modifying existing ACL entries with the ACL entries
Modify the ACL entries on the specified files by adding new
ACL entries and modifying existing ACL entries with the ACL
entries specified in the file
the input is taken from the standard input.
Do not recalculate the permissions associated with the ACL
mask entry.
This option is not applicable to NFSv4 ACLs.
.It Fl x Ar entries | position
is specified, remove the ACL entries specified there
from the access or default ACL of the specified files.
Otherwise, remove the entry at index
Remove the ACL entries specified in the file
from the access or default ACL of the specified files.
The above options are evaluated in the order specified
.Sh POSIX.1e ACL ENTRIES
A POSIX.1e ACL entry contains three colon-separated fields:
an ACL tag, an ACL qualifier, and discretionary access
.Bl -tag -width indent
The ACL tag specifies the ACL entry type and consists of
one of the following:
specifying the access
granted to the owner of the file or a specified user;
specifying the access granted to the file owning group
or a specified group;
specifying the access
granted to any process that does not match any user or group
specifying the maximum access
granted to any ACL entry except the
ACL entry for the file owner and the
.It Ar "ACL qualifier"
The ACL qualifier field describes the user or group associated with
It may consist of one of the following: uid or
user name, gid or group name, or empty.
ACL entries, an empty field specifies access granted to the
ACL entries, an empty field specifies access granted to the
ACL entries do not use this field.
.It Ar "access permissions"
The access permissions field contains up to one of each of
to set read, write, and
execute permissions, respectively.
Each of these may be excluded
character to indicate no access.
ACL entry is required on a file with any ACL entries other than
option is not specified and no
ACL entry was specified, the
ACL entry consisting of the union of the permissions associated
ACL entries in the resulting ACL.
Traditional POSIX interfaces acting on file system object modes have
modified semantics in the presence of POSIX.1e extended ACLs.
When a mask entry is present on the access ACL of an object, the mask
entry is substituted for the group bits; this occurs in programs such
When the mode is modified on an object that has a mask entry, the
changes applied to the group bits will actually be applied to the
These semantics provide for greater application compatibility:
applications modifying the mode instead of the ACL will see
conservative behavior, limiting the effective rights granted by all
of the additional user and group entries; this occurs in programs
The converse also holds: widening the group bits with a mode change
widens the mask, restoring any rights the named user and group entries
already carry.
ACL entries applied from a file using the
options shall be of the following form: one ACL entry per line, as
previously specified; whitespace is ignored; any text after a
is ignored (comments).
When POSIX.1e ACL entries are evaluated, the access check algorithm checks
the ACL entries in the following order: file owner,
ACL entries, file owning group,
Multiple ACL entries specified on the command line are
It is possible for files and directories to inherit ACL entries from their
This is accomplished through the use of the default ACL.
Before a default ACL can be specified, the mandatory
ACL entries for user, group, other and mask must be set.
For more details see the examples below.
Default ACLs can be created by using
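The POSIX.1e rules above (three-field text entries, the file form read by the file-based options, the automatic mask computed when mask recalculation is not suppressed, the mask standing in for the group bits, and the owner/user/group/other evaluation order) are easier to reason about when run against sample ACLs. The following Python is an added example written for this page; it is not code from setfacl(1) or FreeBSD. It assumes the automatic mask is the union of the named-user, owning-group and named-group entries (what acl_calc_mask(3) computes), identifies processes and files by user and group names rather than numeric IDs, and uses constructed sample ACLs.

```python
"""POSIX.1e ACL text entries, the automatic mask and the access check.
Added example, not part of setfacl(1). Assumptions beyond the page: the
automatic mask is the union of the named-user, owning-group and named-group
entries (what acl_calc_mask(3) computes), and processes and files are
identified by user and group names rather than numeric IDs."""
from dataclasses import dataclass

TAGS = {"u": "user", "user": "user", "g": "group", "group": "group",
        "o": "other", "other": "other", "m": "mask", "mask": "mask"}
BITS = {"r": 4, "w": 2, "x": 1}

@dataclass(frozen=True)
class Entry:
    tag: str        # user, group, other or mask
    qualifier: str  # empty for the owner, owning-group, other and mask entries
    perms: int      # r=4, w=2, x=1

def parse_perms(text: str) -> int:
    """Up to one each of r, w and x; a '-' stands for no access."""
    bits = 0
    for ch in text:
        if ch == "-":
            continue
        if ch not in BITS or bits & BITS[ch]:
            raise ValueError(f"bad permission string {text!r}")
        bits |= BITS[ch]
    return bits

def parse_entry(text: str) -> Entry:
    fields = text.split(":")
    if len(fields) != 3 or fields[0] not in TAGS:
        raise ValueError(f"expected tag:qualifier:perms, got {text!r}")
    tag, qualifier, perms = TAGS[fields[0]], fields[1], fields[2]
    if tag in ("other", "mask") and qualifier:
        raise ValueError(f"{tag} entries take no qualifier: {text!r}")
    return Entry(tag, qualifier, parse_perms(perms))

def parse_acl_file(content: str) -> list:
    """The -M/-X file form: one entry per line, whitespace ignored, '#' comments."""
    entries = []
    for line in content.splitlines():
        line = "".join(line.split("#", 1)[0].split())
        if line:
            entries.append(parse_entry(line))
    return entries

def with_mask(entries: list) -> list:
    """What setfacl does unless -n is given: add a mask entry if none was given."""
    if any(e.tag == "mask" for e in entries):
        return list(entries)
    union = 0
    for e in entries:
        if e.tag == "group" or (e.tag == "user" and e.qualifier):
            union |= e.perms
    return [*entries, Entry("mask", "", union)]

def mask_bits(entries: list):
    return next((e.perms for e in entries if e.tag == "mask"), None)

def effective(e: Entry, mask) -> int:
    """The mask bounds every entry except the file owner's and the other entry."""
    if mask is None or e.tag == "other" or (e.tag == "user" and not e.qualifier):
        return e.perms
    return e.perms & mask

def group_mode_bits(entries: list) -> int:
    """The group bits stat(2) reports: the mask, when the ACL has one."""
    mask = mask_bits(entries)
    if mask is not None:
        return mask
    return next(e.perms for e in entries if e.tag == "group" and not e.qualifier)

def access_allowed(entries, who, groups, owner, owning_group, requested) -> bool:
    """POSIX.1e order: file owner, named users, owning/named groups, other."""
    wanted = parse_perms(requested)
    mask = mask_bits(entries)
    users = [e for e in entries if e.tag == "user"]
    if who == owner:
        e = next(e for e in users if not e.qualifier)
        return effective(e, mask) & wanted == wanted
    for e in users:
        if e.qualifier == who:
            return effective(e, mask) & wanted == wanted
    matched = False
    for e in (e for e in entries if e.tag == "group"):
        if (e.qualifier or owning_group) in groups:
            matched = True
            if effective(e, mask) & wanted == wanted:
                return True
    if matched:  # a group entry matched but granted too little: no fallback to other
        return False
    other = next(e for e in entries if e.tag == "other")
    return other.perms & wanted == wanted
```

Two things worth trying with it: parse `u::rwx`, `g:mail:rw`, `g::r-x`, `o::r--` through with_mask and observe that the computed mask is rwx, so group mail really gets read and write; then add an explicit `m::r--` and observe that group mail loses write while the owner keeps rwx, which is exactly the "conservative behavior" the text describes for a mode change that narrows the group bits.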
.Sh NFSv4 ACL ENTRIES
An NFSv4 ACL entry contains four or five colon-separated fields: an ACL tag,
an ACL qualifier (only for
tags), discretionary access permissions, ACL inheritance flags, and ACL type:
.Bl -tag -width indent
The ACL tag specifies the ACL entry type and consists of
one of the following:
specifying the access
granted to the specified user;
specifying the access granted to the specified group;
specifying the access granted to the owner of the file;
specifying the access granted to the file owning group;
specifying everyone.
Note that
is not the same as traditional Unix
literally, everyone, including file owner and owning group.
.It Ar "ACL qualifier"
The ACL qualifier field describes the user or group associated with
It may consist of one of the following: uid or
user name, or gid or group name.
In entries whose tag type is
this field is omitted altogether, including the trailing colon.
.It Ar "access permissions"
Access permissions may be specified in either short or long form.
Short and long forms may not be mixed.
Permissions in long form are separated by the
character; in short form, they are concatenated together.
Valid permissions are:
.Bl -tag -width ".Dv modify_set"
In addition, the following permission sets may be used:
.Bl -tag -width ".Dv modify_set"
all permissions, as shown above
all permissions except write_acl and write_owner
read_data, read_attributes, read_xattr and read_acl
write_data, append_data, write_attributes and write_xattr
.It Ar "ACL inheritance flags"
Inheritance flags may be specified in either short or long form.
Short and long forms may not be mixed.
Inheritance flags in long form are separated by the
character; in short form, they are concatenated together.
Valid inheritance flags are:
.Bl -tag -width ".Dv short"
Inheritance flags may only be set on directories.
The ACL type field is either
ACL entries applied from a file using the
options shall be of the following form: one ACL entry per line, as
previously specified; whitespace is ignored; any text after a
is ignored (comments).
NFSv4 ACL entries are evaluated in their visible order:
for each requested permission, the first entry that applies to the
process and mentions that permission decides it, so an entry placed
earlier (for example with
.Fl a )
takes precedence over later entries covering the same permission.
Multiple ACL entries specified on the command line are
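The NFSv4 entry grammar above (four or five fields, short and long permission and flag forms that may not be mixed, the permission sets, and visible-order evaluation where an earlier deny beats a later allow) is demonstrated by the following Python. It is an added example written for this page, not code from setfacl(1) or the FreeBSD kernel. It assumes audit and alarm entries are parsed but skipped by the access check, that entries flagged inherit_only are likewise skipped, and that principals are identified by user and group names rather than numeric IDs; the ACLs it is run against are constructed samples.

```python
"""NFSv4 ACL entries (short and long forms, permission sets) and the
visible-order access check. Added example, not part of setfacl(1).
Assumptions beyond the page: audit and alarm entries are parsed but skipped
by the access check, as are entries flagged inherit_only, and principals are
identified by user and group names rather than numeric IDs."""
from dataclasses import dataclass

PERMS = {"r": "read_data", "w": "write_data", "x": "execute", "p": "append_data",
         "D": "delete_child", "d": "delete", "a": "read_attributes",
         "A": "write_attributes", "R": "read_xattr", "W": "write_xattr",
         "c": "read_acl", "C": "write_acl", "o": "write_owner", "s": "synchronize"}
BIT = {short: 1 << i for i, short in enumerate(PERMS)}      # short letter -> bit
LONG = {name: BIT[short] for short, name in PERMS.items()}  # long name -> bit
ALL = sum(BIT.values())
SETS = {"full_set": ALL,
        "modify_set": ALL & ~(LONG["write_acl"] | LONG["write_owner"]),
        "read_set": LONG["read_data"] | LONG["read_attributes"] | LONG["read_xattr"] | LONG["read_acl"],
        "write_set": LONG["write_data"] | LONG["append_data"] | LONG["write_attributes"] | LONG["write_xattr"]}
FLAGS = {"f": "file_inherit", "d": "dir_inherit", "i": "inherit_only",
         "n": "no_propagate", "I": "inherited"}
TAGS = {"u": "user", "user": "user", "g": "group", "group": "group"}

@dataclass(frozen=True)
class Entry:
    tag: str        # user, group, owner@, group@ or everyone@
    qualifier: str  # empty for the three special tags
    perms: int
    flags: frozenset
    type: str       # allow, deny, audit or alarm

def parse_perms(text: str) -> int:
    """Long form: names (or sets) joined by '/'; short form: letters concatenated."""
    bits = 0
    if "/" in text or text in LONG or text in SETS:
        for name in text.split("/"):
            if name not in LONG and name not in SETS:
                raise ValueError(f"unknown or mixed-form permission {name!r}")
            bits |= LONG[name] if name in LONG else SETS[name]
        return bits
    for ch in text:
        if ch not in BIT:
            raise ValueError(f"unknown or mixed-form permission {ch!r}")
        bits |= BIT[ch]
    return bits

def parse_flags(text: str) -> frozenset:
    if not text:
        return frozenset()
    if "/" in text or text in FLAGS.values():
        names = text.split("/")
    else:
        names = [FLAGS.get(ch, ch) for ch in text]
    if any(n not in FLAGS.values() for n in names):
        raise ValueError(f"unknown or mixed-form inheritance flags {text!r}")
    return frozenset(names)

def parse_entry(text: str) -> Entry:
    f = text.split(":")
    if f[0] in ("owner@", "group@", "everyone@") and len(f) == 4:  # tag:perms:flags:type
        tag, qualifier, rest = f[0], "", f[1:]
    elif f[0] in TAGS and len(f) == 5 and f[1]:  # tag:qualifier:perms:flags:type
        tag, qualifier, rest = TAGS[f[0]], f[1], f[2:]
    else:
        raise ValueError(f"malformed NFSv4 ACL entry {text!r}")
    if rest[2] not in ("allow", "deny", "audit", "alarm"):
        raise ValueError(f"bad ACL type in {text!r}")
    return Entry(tag, qualifier, parse_perms(rest[0]), parse_flags(rest[1]), rest[2])

def parse_acl(content: str) -> list:
    """-M file form (one entry per line, '#' comments) or a comma-separated -m list."""
    out = []
    for line in content.splitlines():
        for item in "".join(line.split("#", 1)[0].split()).split(","):
            if item:
                out.append(parse_entry(item))
    return out

def applies(e: Entry, who, groups, owner, owning_group) -> bool:
    """Which processes an entry covers; everyone@ really is everyone, owner included."""
    return {"owner@": who == owner, "group@": owning_group in groups, "everyone@": True,
            "user": e.qualifier == who, "group": e.qualifier in groups}[e.tag]

def access_allowed(acl, who, groups, owner, owning_group, requested: str) -> bool:
    """Walk entries in visible order; the first applicable entry naming a
    still-undecided requested permission decides it, deny or allow."""
    wanted, granted = parse_perms(requested), 0
    for e in acl:
        if e.type not in ("allow", "deny") or "inherit_only" in e.flags:
            continue
        if not applies(e, who, groups, owner, owning_group):
            continue
        if e.type == "deny" and e.perms & wanted & ~granted:
            return False
        if e.type == "allow":
            granted |= e.perms & wanted
            if granted == wanted:
                return True
    return False  # anything not explicitly allowed is denied
```

The check to run is the ordering one: `u:bob:w::deny` followed by `everyone@:rw::allow` denies bob write, while the same two entries in the opposite order allow it. That is why the position argument of the insertion option matters for NFSv4 ACLs, and why a deny entry appended at the end of an ACL that already allows the permission does nothing.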
.Sh EXAMPLES
.Dl setfacl -d -m u::rwx,g::rx,o::rx,mask::rwx dir
.Dl setfacl -d -m g:admins:rwx dir
The first command sets the mandatory elements of the POSIX.1e default ACL.
The second command adds a default ACL entry granting the group admins read,
write, and execute permissions on the directory named "dir".
Any files or directories created underneath "dir" from then on inherit
these default entries upon creation; objects that already exist under "dir"
are not affected.
.Dl setfacl -m u::rwx,g:mail:rw file
Sets read, write, and execute permissions for the
owner's POSIX.1e ACL entry and read and write permissions for group mail on
.Dl setfacl -m owner@:rwxp::allow,g:mail:rwp::allow file
The same as the example above, but for an NFSv4 ACL.
.Dl setfacl -M file1 file2
Sets/updates the ACL entries contained in
.Dl setfacl -x g:mail:rw file
Remove the group mail POSIX.1e ACL entry containing read/write permissions
Remove the first entry from the NFSv4 ACL from
ACL entries except for the three required from
.Dl getfacl file1 | setfacl -b -n -M - file2
Copy ACL entries from
utility is expected to be
Std 1003.2c compliant.
Extended Attribute and Access Control List support was developed
Project and introduced in
NFSv4 ACL support was introduced in
utility was written by
.An Chris D. Faulhaber Aq jedgar@fxp.org .
NFSv4 ACL support was implemented by
.An Edward Tomasz Napierala Aq trasz@FreeBSD.org .