Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages

  
 
  

home | help
SETFACL(1)		  BSD General Commands Manual		    SETFACL(1)

NAME
     setfacl --	set ACL	information

SYNOPSIS
     setfacl [-bdhkn] [-m entries] [-M file1] [-x entries] [-X file1]
	     [file ...]

DESCRIPTION
     The setfacl utility sets discretionary access control information on the
     specified file(s).

     The following options are available:

     -b	     Remove all	ACL entries except for the three required entries.  If
	     the ACL contains a	"mask" entry, the permissions of the "group"
	     entry in the resulting ACL	will be	set to the permission associ-
	     ated with both the	"group"	and "mask" entries of the current ACL.

     -d	     The operations apply to the default ACL entries instead of	access
	     ACL entries.  Currently only directories may have default ACL's.

     -h	     If	the target of the operation is a symbolic link,	perform	the
	     operation on the symbolic link itself, rather than	following the
	     link.

     -k	     Delete any	default	ACL entries on the specified files.  It	is not
	     considered	an error if the	specified files	do not have any	de-
	     fault ACL entries.	 An error will be reported if any of the spec-
	     ified files cannot	have a default entry (i.e. non-directories).

     -m	entries
	     Modify the	ACL entries on the specified files by adding new en-
	     tries and modifying existing ACL entries with the ACL entries
	     specified in entries.

     -M	file
	     Modify the	ACL entries on the specified files by adding new ACL
	     entries and modifying existing ACL	entries	with the ACL entries
	     specified in the file file.  If file is -,	the input is taken
	     from stdin.

     -n	     Do	not recalculate	the permissions	associated with	the ACL	mask
	     entry.

     -x	entries
	     Remove the	ACL entries specified in entries from the access or
	     default ACL of the	specified files.

     -X	file
	     Remove the	ACL entries specified in the file file from the	access
	     or	default	ACL of the specified files.

     The above options are evaluated in	the order specified on the command-
     line.

ACL ENTRIES
     An	ACL entry contains three colon-separated fields: an ACL	tag, an	ACL
     qualifier,	and discretionary access permissions:

     ACL tag
	     The ACL tag specifies the ACL entry type and consists of one of
	     the following: "user" or `u' specifying the access	granted	to the
	     owner of the file or a specified user; "group" or `g' specifying
	     the access	granted	to the file owning group or a specified	group;
	     "other" or	`o' specifying the access granted to any process that
	     does not match any	user or	group ACL entry; "mask"	or `m' speci-
	     fying the maximum access granted to any ACL entry except the
	     "user" ACL	entry for the file owner and the "other" ACL entry.

     ACL qualifier
	     The ACL qualifier field describes the user	or group associated
	     with the ACL entry.  It may consist of one	of the following: uid
	     or	user name, gid or group	name, or empty.	 For "user" ACL	en-
	     tries, an empty field specifies access granted to the file	owner.
	     For "group" ACL entries, an empty field specifies access granted
	     to	the file owning	group.	"mask" and "other" ACL entries do not
	     use this field.

     access permissions
	     The access	permissions field contains up to one of	each of	the
	     following:	`r', `w', and `x' to set read, write, and execute per-
	     missions, respectively.  Each of these may	be excluded or re-
	     placed with a `-' character to indicate no	access.

     A "mask" ACL entry	is required on a file with any ACL entries other than
     the default "user", "group", and "other" ACL entries.  If the -n option
     is	not specified and no "mask" ACL	entry was specified, the setfacl util-
     ity will apply a "mask" ACL entry consisting of the union of the permis-
     sions associated with all "group" ACL entries in the resulting ACL.

     Traditional POSIX interfaces acting on file system	object modes have mod-
     ified semantics in	the presence of	POSIX.1e extended ACLs.	 When a	mask
     entry is present on the access ACL	of an object, the mask entry is	sub-
     stituted for the group bits; this occurs in programs such as stat(1) or
     ls(1).  When the mode is modified on an object that has a mask entry, the
     changes applied to	the group bits will actually be	applied	to the mask
     entry.  These semantics provide for greater application compatibility:
     applications modifying the	mode instead of	the ACL	will see conservative
     behavior, limiting	the effective rights granted by	all of the additional
     user and group entries; this occurs in programs such as chmod(1).

     ACL entries applied from a	file using the -M or -X	options	shall be of
     the following form: one ACL entry per line, as previously specified;
     whitespace	is ignored; any	text after a `#' is ignored (comments).

     When ACL entries are evaluated, the access	check algorithm	checks the ACL
     entries in	the following order: file owner, "user"	ACL entries, file own-
     ing group,	"group"	ACL entries, and "other" ACL entry.

     Multiple ACL entries specified on the command line	are separated by com-
     mas.

DIAGNOSTICS
     The setfacl utility exits 0 on success, and >0 if an error	occurs.

EXAMPLES
	   setfacl -m u::rwx,g:mail:rw file

     Sets read,	write, and execute permissions for the file owner's ACL	entry
     and read and write	permissions for	group mail on file.

	   setfacl -M file1 file2

     Sets/updates the ACL entries contained in file1 on	file2.

	   setfacl -x g:mail:rw	file

     Remove the	group mail ACL entry containing	read/write permissions from
     file.

	   setfacl -bn file

     Remove all	"access" ACL entries except for	the three required from	file.

	   getfacl file1 | setfacl -b -n -M - file2

     Copy ACL entries from file1 to file2.

SEE ALSO
     getfacl(1), acl(3), getextattr(8),	setextattr(8), acl(9), extattr(9)

STANDARDS
     The setfacl utility is expected to	be IEEE	Std 1003.2c compliant.

HISTORY
     Extended Attribute	and Access Control List	support	was developed as part
     of	the TrustedBSD Project and introduced in FreeBSD 5.0.

AUTHORS
     The setfacl utility was written by	Chris D. Faulhaber <jedgar@fxp.org>.

BSD				January	7, 2001				   BSD

NAME | SYNOPSIS | DESCRIPTION | ACL ENTRIES | DIAGNOSTICS | EXAMPLES | SEE ALSO | STANDARDS | HISTORY | AUTHORS

Want to link to this manual page? Use this URL:
<https://www.freebsd.org/cgi/man.cgi?query=setfacl&sektion=1&manpath=FreeBSD+5.2-RELEASE+and+Ports>

home | help