setfacl(1)			 User Commands			    setfacl(1)

NAME
       setfacl - modify	the Access Control List	(ACL) for a file or files

SYNOPSIS
       setfacl [-r] -s acl_entries file

       setfacl [-r] -md	acl_entries file

       setfacl [-r] -f acl_file	file

DESCRIPTION
       For  each  file	specified, setfacl will	either replace its entire ACL,
       including the default ACL on a directory, or it will  add,  modify,  or
       delete  one  or more ACL	entries, including default entries on directo-
       ries.

       When the setfacl command is used, it may result in changes to the file
       permission bits. When the user ACL entry for the file owner is changed,
       the file owner class permission bits will be modified. When the group
       ACL entry for the file group class is changed, the file group class
       permission bits will be modified. When the other ACL entry is changed,
       the file other class permission bits will be modified.

       If  you use the chmod(1)	command	to change the file group owner permis-
       sions on	a file with ACL	entries, both the file group owner permissions
       and  the	ACL mask are changed to	the new	permissions. Be	aware that the
       new ACL mask permissions	may change the effective permissions for addi-
       tional users and	groups who have	ACL entries on the file.

       A  directory may	contain	default	ACL entries. If	a file or directory is
       created in a directory that contains default  ACL  entries,  the	 newly
       created	file  will have	permissions generated according	to the	inter-
       section of the default ACL entries and  the  permissions	 requested  at
       creation	 time.	The umask(1) will not be applied if the	directory con-
       tains default ACL entries. If a default ACL is specified	for a specific
       user  (or  users), the file will	have a regular ACL created. Otherwise,
       only the	mode bits will be initialized according	 to  the  intersection
       described  above.  The  default ACL should be thought of	as the maximum
       discretionary access permissions	that may be granted.

   acl_entries Syntax
       For the -m and -s options, acl_entries are one or more  comma-separated
       ACL entries.

       An ACL entry consists of	the following fields separated by colons:

       entry_type      Type of ACL entry on which to set file permissions. For
		       example,	entry_type can be user (the owner of  a	 file)
		       or mask (the ACL	mask).

       uid or gid      User name or user identification	number.	Or, group name
		       or group	identification number.

       perms	       Represents the permissions that are set on  entry_type.
		       perms  can  be indicated	by the symbolic	characters rwx
		       or a number (the	same permissions numbers used with the
		       chmod command).

       The  following  table  shows the	valid ACL entries (default entries may
       only be specified for directories):

       ACL Entry		     Description
       u[ser]::perms		     File owner	permissions.
       g[roup]::perms		     File group	owner permissions.
       o[ther]:perms		     Permissions for  users  other  than
				     the  file	owner or members of file
				     group owner.
       m[ask]:perms		     The ACL mask. The mask entry  indi-
				     cates  the	 maximum permissions al-
				     lowed for	users  (other  than  the
				     owner)  and for groups. The mask is
				     a quick way to  change  permissions
				     on	all the	users and groups.
       u[ser]:uid:perms		     Permissions  for  a  specific user.
				     For uid, you can specify  either  a
				     user name or a numeric UID.
       g[roup]:gid:perms	     Permissions  for  a specific group.
				     For gid, you can specify  either  a
				     group name	or a numeric GID.
       d[efault]:u[ser]::perms	     Default file owner	permissions.
       d[efault]:g[roup]::perms	     Default  file  group  owner permis-
				     sions.
       d[efault]:o[ther]:perms	     Default permissions for users other
				     than  the	file owner or members of
				     the file group owner.
       d[efault]:m[ask]:perms	     Default ACL mask.
       d[efault]:u[ser]:uid:perms    Default permissions for a	specific
				     user.  For	uid, you can specify ei-
				     ther a user name or a numeric UID.
       d[efault]:g[roup]:gid:perms   Default permissions for a	specific
				     group. For	gid, you can specify ei-
				     ther a group name or a numeric GID.

       For the -d option, acl_entries are one or more comma-separated ACL  en-
       tries without permissions. Notice that the entries for file owner, file
       group owner, ACL	mask, and others may not be deleted.

OPTIONS
       The options have	the following meaning:

       -d acl_entries  Deletes one or more entries from	the file. The  entries
		       for  the	 file  owner, the file group owner, and	others
		       may not be deleted from the ACL.	Notice	that  deleting
		       an  entry  does not necessarily have the	same effect as
		       removing	all permissions	from the entry.

       -f acl_file     Sets a file's ACL with the ACL entries contained in the
		       file  named acl_file. The same constraints on specified
		       entries hold as with the	-s option. The entries are not
		       required	to be in any specific order in the file. Also,
		       if you specify a	dash '-' for acl_file, standard	 input
		       is used to set the file's ACL.

		       The character "#" in acl_file may be used to indicate a
		       comment.	All characters,	starting with  the  "#"	 until
		       the  end	 of  the line, will be ignored.	Notice that if
		       the acl_file has	been created as	the output of the get-
		       facl(1)	command, any effective permissions, which will
		       follow a	"#", will be ignored.

       -m acl_entries  Adds one	or more	new ACL	entries	to  the	 file,	and/or
		       modifies	 one or	more existing ACL entries on the file.
		       If an entry already exists for a	specified uid or  gid,
		       the specified permissions will replace the current per-
		       missions. If an entry does not exist for	the  specified
		       uid or gid, an entry will be created. When using	the -m
		       option to modify	a default ACL, you must	specify	a com-
		       plete  default  ACL  (user, group, other, mask, and any
		       additional entries) the first time.

       -r	       Recalculates the	permissions for	the  ACL  mask	entry.
		       The permissions specified in the	ACL mask entry are ig-
		       nored and replaced by the maximum permissions necessary
		       to  grant the access to all additional user, file group
		       owner, and additional group entries  in	the  ACL.  The
		       permissions  in	the additional user, file group	owner,
		       and additional group entries are	left unchanged.

       -s acl_entries  Sets a file's ACL. All old ACL entries are removed  and
		       replaced	with the newly specified ACL. The entries need
		       not be in any specific order. They will	be  sorted  by
		       the command before being	applied	to the file.

		       Required	entries:

			 o  Exactly  one  user	entry  specified  for the file
			    owner.

			 o  Exactly one	group entry for	the file group owner.

			 o  Exactly one	other entry specified.

		       If there	are additional user and	group entries:

			 o  Exactly one	mask entry specified for the ACL  mask
			    that indicates the maximum permissions allowed for
			    users (other than the owner) and groups.

			 o  There must not be duplicate user entries with the
			    same uid.

			 o  There must not be duplicate group entries with the
			    same gid.

		       If file is a directory, the following default  ACL  en-
		       tries may be specified:

			 o  Exactly one	default	user entry for the file	owner.

			 o  Exactly one	default	group entry for	the file group
			    owner.

			 o  Exactly one default mask entry for the ACL mask.

			 o  Exactly one	default	other entry.

		       There may be additional default user entries and	 addi-
		       tional  default	group entries specified, but there may
		       not be duplicate	additional default user	 entries  with
		       the  same  uid, or duplicate default group entries with
		       the same	gid.

EXAMPLES
       Example 1: Adding read permission only

       The following example adds one ACL entry	to file	abc, which gives  user
       shea read permission only.

       setfacl -m user:shea:r--	abc

       Example 2: Replacing a file's entire ACL

       The  following  example replaces	the entire ACL for the file abc, which
       gives shea read access, the file	owner all access, the file group owner
       read access only, the ACL mask read access only,	and others no access.

       setfacl -s user:shea:rwx,user::rwx,group::rw-,mask:r--,other:---	abc

       Notice that after this command, the file	permission bits	are rwxr-----.
       Even though the file group owner	was set	with  read/write  permissions,
       the ACL mask entry limits it to have only read permission. The mask en-
       try also	specifies the maximum permissions available to all  additional
       user  and  group	ACL entries. Once again, even though the user shea was
       set with	all access, the	mask limits it to have only  read  permission.
       The  ACL	 mask  entry is	a quick	way to limit or	open access to all the
       user and	group entries in an ACL. For example, by changing the mask en-
       try  to	read/write,  both  the file group owner	and user shea would be
       given read/write	access.
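
       The mask arithmetic from Example 2 and the -r option, worked through
       in Python as an added example (a model of the rules on this page, not
       setfacl's own code). All function names are hypothetical, and default
       entries and uid/gid lookups are left out.

```python
# Added example: models the ACL rules on this page; it never calls setfacl.
TYPES = {n[:k]: n for n in ("user", "group", "other", "mask") for k in (1, len(n))}
EXAMPLE_2 = "user:shea:rwx,user::rwx,group::rw-,mask:r--,other:---"  # from Example 2

def parse_perms(text):
    """Symbolic form ('r--') or a chmod-style digit ('4') -> integer 0..7."""
    if len(text) == 1 and text in "01234567":
        return int(text)
    if len(text) != 3 or any(c not in (w, "-") for c, w in zip(text, "rwx")):
        raise ValueError(f"bad perms: {text!r}")
    return sum(bit for c, bit in zip(text, (4, 2, 1)) if c != "-")

def parse_acl(spec):
    """Parse comma-separated entries and enforce the -s constraints."""
    acl = {}
    for entry in spec.split(","):
        fields = entry.strip().split(":")
        kind = TYPES.get(fields[0])
        want = 3 if kind in ("user", "group") else 2
        if kind is None or len(fields) != want:
            raise ValueError(f"bad entry: {entry!r}")
        key = (kind, fields[1] if want == 3 else "")
        if key in acl:
            raise ValueError(f"duplicate entry: {entry!r}")
        acl[key] = parse_perms(fields[-1])
    for kind in ("user", "group", "other"):
        if (kind, "") not in acl:
            raise ValueError(f"missing required {kind} entry")
    if any(masked(k) and k[1] for k in acl) and ("mask", "") not in acl:
        raise ValueError("additional user/group entries require a mask entry")
    return acl

def masked(key):  # the mask limits every user/group entry except the file owner's
    return key[0] in ("user", "group") and key != ("user", "")

def effective(acl):  # permissions actually granted once the mask is applied
    mask = acl.get(("mask", ""), 7)
    return {k: (p & mask if masked(k) else p) for k, p in acl.items() if k[0] != "mask"}

def recalc_mask(acl):  # -r: the mask becomes the union of every entry it limits
    limited = [p for k, p in acl.items() if masked(k)]
    return {**acl, ("mask", ""): sum(b for b in (4, 2, 1) if any(p & b for p in limited))}

def show(p):
    return "".join(c if p & b else "-" for c, b in zip("rwx", (4, 2, 1)))

def mode_bits(acl):  # owner, effective file group owner, other
    eff = effective(acl)
    return "".join(show(eff[(k, "")]) for k in ("user", "group", "other"))
```

       Before widening a mask, or running with -r, compare effective() for
       the old and new mask: every additional entry whose permissions exceed
       the old mask gains access at once.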

       Example 3: Setting the same ACL on two files

       The following example sets the same ACL on file abc as the file xyz.

       getfacl xyz | setfacl -f	- abc

FILES
       /etc/passwd     password	file

       /etc/group      group file

ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:

       +-----------------------------+-----------------------------+
       |      ATTRIBUTE	TYPE	     |	    ATTRIBUTE VALUE	   |
       +-----------------------------+-----------------------------+
       |Availability		     |SUNWcsu			   |
       +-----------------------------+-----------------------------+

SEE ALSO
       chmod(1),   getfacl(1),	 umask(1),   aclcheck(3SEC),	aclsort(3SEC),
       group(4), passwd(4), attributes(5)

SunOS 5.10			  31 Oct 2002			    setfacl(1)