Skip site navigation (1)Skip section navigation (2)

FreeBSD Man Pages

Man Page or Keyword Search:
Man Architecture
Apropos Keyword Search (all sections) Output format
home | help
SETFACL(1)              FreeBSD General Commands Manual             SETFACL(1)

NAME
     setfacl - set ACL information

SYNOPSIS
     setfacl [-bdhkn] [-a position entries] [-m entries] [-M file]
             [-x entries | position] [-X file] [file ...]

DESCRIPTION
     The setfacl utility sets discretionary access control information on the
     specified file(s).  If no files are specified, or the list consists of
     the only `-', the file names are taken from the standard input.

     The following options are available:

     -a position entries
             Modify the ACL on the specified files by inserting new ACL
             entries specified in entries, starting at position position,
             counting from zero.  This option is only applicable to NFSv4
             ACLs.

     -b      Remove all ACL entries except for the three required entries
             (POSIX.1e ACLs) or six "canonical" entries (NFSv4 ACLs).  If the
             POSIX.1e ACL contains a ``mask'' entry, the permissions of the
             ``group'' entry in the resulting ACL will be set to the
             permission associated with both the ``group'' and ``mask''
             entries of the current ACL.

     -d      The operations apply to the default ACL entries instead of access
             ACL entries.  Currently only directories may have default ACL's.
             This option is not applicable to NFSv4 ACLs.

     -h      If the target of the operation is a symbolic link, perform the
             operation on the symbolic link itself, rather than following the
             link.

     -k      Delete any default ACL entries on the specified files.  It is not
             considered an error if the specified files do not have any
             default ACL entries.  An error will be reported if any of the
             specified files cannot have a default entry (i.e. non-
             directories).  This option is not applicable to NFSv4 ACLs.

     -m entries
             Modify the ACL entries on the specified files by adding new
             entries and modifying existing ACL entries with the ACL entries
             specified in entries.

     -M file
             Modify the ACL entries on the specified files by adding new ACL
             entries and modifying existing ACL entries with the ACL entries
             specified in the file file.  If file is -, the input is taken
             from stdin.

     -n      Do not recalculate the permissions associated with the ACL mask
             entry.  This option is not applicable to NFSv4 ACLs.

     -x entries | position
             If entries is specified, remove the ACL entries specified there
             from the access or default ACL of the specified files.
             Otherwise, remove entry at index position, counting from zero.

     -X file
             Remove the ACL entries specified in the file file from the access
             or default ACL of the specified files.

     The above options are evaluated in the order specified on the command-
     line.

POSIX.1e ACL ENTRIES
     A POSIX.1E ACL entry contains three colon-separated fields: an ACL tag,
     an ACL qualifier, and discretionary access permissions:

     ACL tag
             The ACL tag specifies the ACL entry type and consists of one of
             the following: ``user'' or `u' specifying the access granted to
             the owner of the file or a specified user; ``group'' or `g'
             specifying the access granted to the file owning group or a
             specified group; ``other'' or `o' specifying the access granted
             to any process that does not match any user or group ACL entry;
             ``mask'' or `m' specifying the maximum access granted to any ACL
             entry except the ``user'' ACL entry for the file owner and the
             ``other'' ACL entry.

     ACL qualifier
             The ACL qualifier field describes the user or group associated
             with the ACL entry.  It may consist of one of the following: uid
             or user name, gid or group name, or empty.  For ``user'' ACL
             entries, an empty field specifies access granted to the file
             owner.  For ``group'' ACL entries, an empty field specifies
             access granted to the file owning group.  ``mask'' and ``other''
             ACL entries do not use this field.

     access permissions
             The access permissions field contains up to one of each of the
             following: `r', `w', and `x' to set read, write, and execute
             permissions, respectively.  Each of these may be excluded or
             replaced with a `-' character to indicate no access.

     A ``mask'' ACL entry is required on a file with any ACL entries other
     than the default ``user'', ``group'', and ``other'' ACL entries.  If the
     -n option is not specified and no ``mask'' ACL entry was specified, the
     setfacl utility will apply a ``mask'' ACL entry consisting of the union
     of the permissions associated with all ``group'' ACL entries in the
     resulting ACL.

     Traditional POSIX interfaces acting on file system object modes have
     modified semantics in the presence of POSIX.1e extended ACLs.  When a
     mask entry is present on the access ACL of an object, the mask entry is
     substituted for the group bits; this occurs in programs such as stat(1)
     or ls(1).  When the mode is modified on an object that has a mask entry,
     the changes applied to the group bits will actually be applied to the
     mask entry.  These semantics provide for greater application
     compatibility: applications modifying the mode instead of the ACL will
     see conservative behavior, limiting the effective rights granted by all
     of the additional user and group entries; this occurs in programs such as
     chmod(1).

     ACL entries applied from a file using the -M or -X options shall be of
     the following form: one ACL entry per line, as previously specified;
     whitespace is ignored; any text after a `#' is ignored (comments).

     When POSIX.1e ACL entries are evaluated, the access check algorithm
     checks the ACL entries in the following order: file owner, ``user'' ACL
     entries, file owning group, ``group'' ACL entries, and ``other'' ACL
     entry.

     Multiple ACL entries specified on the command line are separated by
     commas.

     It is possible for files and directories to inherit ACL entries from
     their parent directory.  This is accomplished through the use of the
     default ACL.  It should be noted that before you can specify a default
     ACL, the mandatory ACL entries for user, group, other and mask must be
     set.  For more details see the examples below.  Default ACLs can be
     created by using -d.

NFSv4 ACL ENTRIES
     An NFSv4 ACL entry contains four or five colon-separated fields: an ACL
     tag, an ACL qualifier (only for ``user'' and ``group'' tags),
     discretionary access permissions, ACL inheritance flags, and ACL type:

     ACL tag
             The ACL tag specifies the ACL entry type and consists of one of
             the following: ``user'' or `u' specifying the access granted to
             the specified user; ``group'' or `g' specifying the access
             granted to the specified group; ``owner@'' specifying the access
             granted to the owner of the file; ``group@'' specifying the
             access granted to the file owning group; ``everyone@'' specifying
             everyone.  Note that ``everyone@'' is not the same as traditional
             Unix ``other'' - it means, literally, everyone, including file
             owner and owning group.

     ACL qualifier
             The ACL qualifier field describes the user or group associated
             with the ACL entry.  It may consist of one of the following: uid
             or user name, or gid or group name.  In entries whose tag type is
             one of ``owner@'', ``group@'', or ``everyone@'', this field is
             ommited altogether, including the trailing comma.

     access permissions
             Access permissions may be specified in either short or long form.
             Short and long forms may not be mixed.  Permissions in long form
             are separated by the `/' character; in short form, they are
             concatenated together.  Valid permissions are:

             Short      Long

             r          read_data

             w          write_data

             x          execute

             p          append_data

             d          delete_child

             D          delete

             a          read_attributes

             A          write_attributes

             R          read_xattr

             W          write_xattr

             c          read_acl

             C          write_acl

             o          write_owner

             S          synchronize

     ACL inheritance flags
             Inheritance flags may be specified in either short or long form.
             Short and long forms may not be mixed.  Access flags in long form
             are separated by the `/' character; in short form, they are
             concatenated together.  Valid inheritance flags are:

             Short      Long

             f          file_inherit

             d          dir_inherit

             i          inherit_only

             n          no_propagate

             Inheritance flags may be only set on directories.

     ACL type
             The ACL type field is either ``allow'' or ``deny''.

     ACL entries applied from a file using the -M or -X options shall be of
     the following form: one ACL entry per line, as previously specified;
     whitespace is ignored; any text after a `#' is ignored (comments).

     NFSv4 ACL entries are evaluated in their visible order.

     Multiple ACL entries specified on the command line are separated by
     commas.

EXIT STATUS
     The setfacl utility exits 0 on success, and >0 if an error occurs.

EXAMPLES
           setfacl -d -m u::rwx,g::rx,o::rx,mask::rwx dir
           setfacl -d -m g:admins:rwx dir

     The first command sets the mandatory elements of the POSIX.1e default
     ACL.  The second command specifies that users in group admins can have
     read, write, and execute permissions for directory named "dir".  It
     should be noted that any files or directories created underneath "dir"
     will inherit these default ACLs upon creation.

           setfacl -m u::rwx,g:mail:rw file

     Sets read, write, and execute permissions for the file owner's POSIX.1e
     ACL entry and read and write permissions for group mail on file.

           setfacl -m owner@:rwxp::allow,g:mail:rwp::allow file

     Semantically equal to the example above, but for NFSv4 ACL.

           setfacl -M file1 file2

     Sets/updates the ACL entries contained in file1 on file2.

           setfacl -x g:mail:rw file

     Remove the group mail POSIX.1e ACL entry containing read/write
     permissions from file.

           setfacl -x0 file

     Remove the first entry from the NFSv4 ACL from file.

           setfacl -bn file

     Remove all ``access'' ACL entries except for the three required from
     file.

           getfacl file1 | setfacl -b -n -M - file2

     Copy ACL entries from file1 to file2.

SEE ALSO
     getfacl(1), acl(3), getextattr(8), setextattr(8), acl(9), extattr(9)

STANDARDS
     The setfacl utility is expected to be IEEE Std 1003.2c compliant.

HISTORY
     Extended Attribute and Access Control List support was developed as part
     of the TrustedBSD Project and introduced in FreeBSD 5.0.  NFSv4 ACL
     support was introduced in FreeBSD 8.1.

AUTHORS
     The setfacl utility was written by Chris D. Faulhaber <jedgar@fxp.org>.
     NFSv4 ACL support was implemented by Edward Tomasz Napierala
     <trasz@FreeBSD.org>.

FreeBSD 11.0-PRERELEASE          May 13, 2010          FreeBSD 11.0-PRERELEASE

NAME | SYNOPSIS | DESCRIPTION | POSIX.1e ACL ENTRIES | NFSv4 ACL ENTRIES | EXIT STATUS | EXAMPLES | SEE ALSO | STANDARDS | HISTORY | AUTHORS

Want to link to this manual page? Use this URL:
<https://www.freebsd.org/cgi/man.cgi?query=setfacl&sektion=1&manpath=FreeBSD+8.1-RELEASE>

home | help