setfacl
—
set ACL information
setfacl |
[]
[ -bdhkn ]
[-a
position entries ]
[-m
entries ]
[-M
file ]
[-x
entries |
position ]
[-X
file ]
[file ... ] |
The
setfacl
utility sets discretionary access
control information on the specified file(s). If no files are specified, or
the list consists of the only
‘
-
’, the file names are taken
from the standard input.
The following options are available:
-a
position entries
- Modify the ACL on the specified files by inserting new ACL entries
specified in entries, starting at
position position, counting from zero.
This option is only applicable to NFSv4 ACLs.
-b
- Remove all ACL entries except for the ones synthesized from the file mode
- the three mandatory entries in case of POSIX.1e ACL. If the POSIX.1e ACL
contains a “
mask
” entry, the
permissions of the “group
” entry in
the resulting ACL will be set to the permission associated with both the
“group
” and
“mask
” entries of the current
ACL.
-d
- The operations apply to the default ACL entries instead of access ACL
entries. Currently only directories may have default ACL's. This option is
not applicable to NFSv4 ACLs.
-h
- If the target of the operation is a symbolic link, perform the operation
on the symbolic link itself, rather than following the link.
-H
- If the
-R
option is specified, symbolic
links on the command line are followed and hence unaffected by the
command. (Symbolic links encountered during tree traversal are not
followed.)
-k
- Delete any default ACL entries on the specified files. It is not
considered an error if the specified files do not have any default ACL
entries. An error will be reported if any of the specified files cannot
have a default entry (i.e., non-directories). This option is not
applicable to NFSv4 ACLs.
-L
- If the
-R
option is specified, all
symbolic links are followed.
-m
entries
- Modify the ACL on the specified file. New entries will be added, and
existing entries will be modified according to the
entries argument. For NFSv4 ACLs, it is
recommended to use the
-a
and
-x
options instead.
-M
file
- Modify the ACL entries on the specified files by adding new ACL entries
and modifying existing ACL entries with the ACL entries specified in the
file file. If
file is
-
, the input is taken from stdin.
-n
- Do not recalculate the permissions associated with the ACL mask entry.
This option is not applicable to NFSv4 ACLs.
-P
- If the
-R
option is specified, no
symbolic links are followed. This is the default.
-R
- Perform the action recursively on any specified directories. When
modifying or adding NFSv4 ACL entries, inheritance flags are applied only
to directories.
-x
entries |
position
- If entries is specified, remove the ACL
entries specified there from the access or default ACL of the specified
files. Otherwise, remove entry at index
position, counting from zero.
-X
file
- Remove the ACL entries specified in the file
file from the access or default ACL of
the specified files.
The above options are evaluated in the order specified on the command-line.
A POSIX.1E ACL entry contains three colon-separated fields: an ACL tag, an ACL
qualifier, and discretionary access permissions:
- ACL tag
- The ACL tag specifies the ACL entry type and consists of one of the
following: “
user
” or
‘u
’ specifying the access granted to
the owner of the file or a specified user;
“group
” or
‘g
’ specifying the access granted to
the file owning group or a specified group;
“other
” or
‘o
’ specifying the access granted to
any process that does not match any user or group ACL entry;
“mask
” or
‘m
’ specifying the maximum access
granted to any ACL entry except the
“user
” ACL entry for the file owner
and the “other
” ACL entry.
- ACL qualifier
- The ACL qualifier field describes the user or group associated with the
ACL entry. It may consist of one of the following: uid or user name, gid
or group name, or empty. For “
user
”
ACL entries, an empty field specifies access granted to the file owner.
For “group
” ACL entries, an empty
field specifies access granted to the file owning group.
“mask
” and
“other
” ACL entries do not use this
field.
- access permissions
- The access permissions field contains up to one of each of the following:
‘
r
’,
‘w
’, and
‘x
’ to set read, write, and execute
permissions, respectively. Each of these may be excluded or replaced with
a ‘-
’ character to indicate no
access.
A “
mask
” ACL entry is required on a file
with any ACL entries other than the default
“
user
”,
“
group
”, and
“
other
” ACL entries. If the
-n
option is not specified and no
“
mask
” ACL entry was specified, the
setfacl
utility will apply a
“
mask
” ACL entry consisting of the union
of the permissions associated with all
“
group
” ACL entries in the resulting
ACL.
Traditional POSIX interfaces acting on file system object modes have modified
semantics in the presence of POSIX.1e extended ACLs. When a mask entry is
present on the access ACL of an object, the mask entry is substituted for the
group bits; this occurs in programs such as
stat(1)
or
ls(1).
When the mode is modified on an object that has a mask entry, the changes
applied to the group bits will actually be applied to the mask entry. These
semantics provide for greater application compatibility: applications
modifying the mode instead of the ACL will see conservative behavior, limiting
the effective rights granted by all of the additional user and group entries;
this occurs in programs such as
chmod(1).
ACL entries applied from a file using the
-M
or
-X
options shall be of the following
form: one ACL entry per line, as previously specified; whitespace is ignored;
any text after a ‘
#
’ is ignored
(comments).
When POSIX.1e ACL entries are evaluated, the access check algorithm checks the
ACL entries in the following order: file owner,
“
user
” ACL entries, file owning group,
“
group
” ACL entries, and
“
other
” ACL entry.
Multiple ACL entries specified on the command line are separated by commas.
It is possible for files and directories to inherit ACL entries from their
parent directory. This is accomplished through the use of the default ACL. It
should be noted that before you can specify a default ACL, the mandatory ACL
entries for user, group, other and mask must be set. For more details see the
examples below. Default ACLs can be created by using
-d
.
An NFSv4 ACL entry contains four or five colon-separated fields: an ACL tag, an
ACL qualifier (only for “
user
” and
“
group
” tags), discretionary access
permissions, ACL inheritance flags, and ACL type:
- ACL tag
- The ACL tag specifies the ACL entry type and consists of one of the
following: “
user
” or
‘u
’ specifying the access granted to
the specified user; “group
” or
‘g
’ specifying the access granted to
the specified group; “owner@
”
specifying the access granted to the owner of the file;
“group@
” specifying the access
granted to the file owning group;
“everyone@
” specifying everyone.
Note that “everyone@
” is not the
same as traditional Unix “other
” -
it means, literally, everyone, including file owner and owning group.
- ACL qualifier
- The ACL qualifier field describes the user or group associated with the
ACL entry. It may consist of one of the following: uid or user name, or
gid or group name. In entries whose tag type is one of
“
owner@
”,
“group@
”, or
“everyone@
”, this field is omitted
altogether, including the trailing comma.
- access permissions
- Access permissions may be specified in either short or long form. Short
and long forms may not be mixed. Permissions in long form are separated by
the ‘
/
’ character; in short form,
they are concatenated together. Valid permissions are:
- Short
- Long
- r
- read_data
- w
- write_data
- x
- execute
- p
- append_data
- D
- delete_child
- d
- delete
- a
- read_attributes
- A
- write_attributes
- R
- read_xattr
- W
- write_xattr
- c
- read_acl
- C
- write_acl
- o
- write_owner
- s
- synchronize
In addition, the following permission sets may be used:
- Set
- Permissions
- full_set
- all permissions, as shown above
- modify_set
- all permissions except write_acl and write_owner
- read_set
- read_data, read_attributes, read_xattr and read_acl
- write_set
- write_data, append_data, write_attributes and write_xattr
- ACL inheritance flags
- Inheritance flags may be specified in either short or long form. Short and
long forms may not be mixed. Access flags in long form are separated by
the ‘
/
’ character; in short form,
they are concatenated together. Valid inheritance flags are:
- Short
- Long
- f
- file_inherit
- d
- dir_inherit
- i
- inherit_only
- n
- no_propagate
- I
- inherited
Other than the "inherited" flag, inheritance flags may be only set
on directories.
- ACL type
- The ACL type field is either “
allow
”
or “deny
”.
ACL entries applied from a file using the
-M
or
-X
options shall be of the following
form: one ACL entry per line, as previously specified; whitespace is ignored;
any text after a ‘
#
’ is ignored
(comments).
NFSv4 ACL entries are evaluated in their visible order.
Multiple ACL entries specified on the command line are separated by commas.
Note that the file owner is always granted the read_acl, write_acl,
read_attributes, and write_attributes permissions, even if the ACL would deny
it.
The
setfacl
utility exits 0 on
success, and >0 if an error occurs.
setfacl -d -m
u::rwx,g::rx,o::rx,mask::rwx dir
setfacl -d -m g:admins:rwx
dir
The first command sets the mandatory elements of the POSIX.1e default ACL. The
second command specifies that users in group admins can have read, write, and
execute permissions for directory named "dir". It should be noted
that any files or directories created underneath "dir" will inherit
these default ACLs upon creation.
setfacl -m u::rwx,g:mail:rw
file
Sets read, write, and execute permissions for the
file owner's POSIX.1e ACL entry and read
and write permissions for group mail on
file.
setfacl -m
owner@:rwxp::allow,g:mail:rwp::allow file
Semantically equal to the example above, but for NFSv4 ACL.
setfacl -M file1 file2
Sets/updates the ACL entries contained in
file1 on
file2.
setfacl -x g:mail:rw
file
Remove the group mail POSIX.1e ACL entry containing read/write permissions from
file.
setfacl -x0 file
Remove the first entry from the NFSv4 ACL from
file.
setfacl -bn file
Remove all “
access
” ACL entries except for
the three required from
file.
getfacl file1 | setfacl -b -n -M -
file2
Copy ACL entries from
file1 to
file2.
getfacl(1),
acl(3),
getextattr(8),
setextattr(8),
acl(9),
extattr(9)
The
setfacl
utility is expected to be IEEE
Std 1003.2c compliant.
Extended Attribute and Access Control List support was developed as part of the
TrustedBSD Project and introduced in
FreeBSD 5.0.
NFSv4 ACL support was introduced in
FreeBSD 8.1.
The
setfacl
utility was written by
Chris D. Faulhaber
<
jedgar@fxp.org>.
NFSv4 ACL support was implemented by
Edward Tomasz
Napierala
<
trasz@FreeBSD.org>.