Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages

  
 
  

home | help
SETFACL(1)		    General Commands Manual		    SETFACL(1)

NAME
       setfacl -- set ACL information

SYNOPSIS
       setfacl [-R [-H | -L | -P]] [-bdhkn] [-a	position entries] [-m entries]
	       [-M file] [-x entries | position] [-X file] [file ...]

DESCRIPTION
       The  setfacl  utility  sets discretionary access	control	information on
       the specified file(s).  If no files are specified, or the list consists
       of the only `-',	the file names are taken from the standard input.

       The following options are available:

       -a position entries
	       Modify the ACL on the specified files by	inserting new ACL  en-
	       tries  specified	 in  entries,  starting	 at position position,
	       counting	from zero.  This option	is only	 applicable  to	 NFSv4
	       ACLs.

       -b      Remove all ACL entries except for the ones synthesized from the
	       file  mode  -  the  three mandatory entries in case of POSIX.1e
	       ACL.  If	the POSIX.1e ACL contains a "mask" entry, the  permis-
	       sions  of the "group" entry in the resulting ACL	will be	set to
	       the permission associated with both the "group" and "mask"  en-
	       tries of	the current ACL.

       -d      The  operations apply to	the default ACL	entries	instead	of ac-
	       cess ACL	entries.  Currently only directories may have  default
	       ACL's.  This option is not applicable to	NFSv4 ACLs.

       -h      If  the target of the operation is a symbolic link, perform the
	       operation on the	symbolic link itself,  rather  than  following
	       the link.

       -H      If  the	-R  option is specified, symbolic links	on the command
	       line are	followed and hence unaffected by the  command.	 (Sym-
	       bolic  links  encountered  during  tree	traversal are not fol-
	       lowed.)

       -k      Delete any default ACL entries on the specified files.	It  is
	       not  considered an error	if the specified files do not have any
	       default ACL entries.  An	error will be reported if any  of  the
	       specified files cannot have a default entry (i.e., non-directo-
	       ries).  This option is not applicable to	NFSv4 ACLs.

       -L      If the -R option	is specified, all symbolic links are followed.

       -m entries
	       Modify  the  ACL	 on  the  specified file.  New entries will be
	       added, and existing entries will	be modified according  to  the
	       entries argument.  For NFSv4 ACLs, it is	recommended to use the
	       -a and -x options instead.

       -M file
	       Modify the ACL entries on the specified files by	adding new ACL
	       entries and modifying existing ACL entries with the ACL entries
	       specified  in  the file file.  If file is -, the	input is taken
	       from stdin.

       -n      Do not recalculate the permissions associated with the ACL mask
	       entry.  This option is not applicable to	NFSv4 ACLs.

       -P      If the -R option	is specified, no symbolic links	are  followed.
	       This is the default.

       -R      Perform	the  action  recursively on any	specified directories.
	       When modifying or adding	NFSv4 ACL entries,  inheritance	 flags
	       are applied only	to directories.

       -x entries | position
	       If entries is specified,	remove the ACL entries specified there
	       from  the access	or default ACL of the specified	files.	Other-
	       wise, remove entry at index position, counting from zero.

       -X file
	       Remove the ACL entries specified	in the file file from the  ac-
	       cess or default ACL of the specified files.

       The  above options are evaluated	in the order specified on the command-
       line.

POSIX.1e ACL ENTRIES
       A POSIX.1E ACL entry contains three colon-separated fields: an ACL tag,
       an ACL qualifier, and discretionary access permissions:

       ACL tag
	       The ACL tag specifies the ACL entry type	and consists of	one of
	       the following: "user" or	`u' specifying the access  granted  to
	       the owner of the	file or	a specified user; "group" or `g' spec-
	       ifying  the access granted to the file owning group or a	speci-
	       fied group; "other" or `o' specifying the access	granted	to any
	       process that does not match any user or group ACL entry;	"mask"
	       or `m' specifying the maximum access granted to any  ACL	 entry
	       except  the "user" ACL entry for	the file owner and the "other"
	       ACL entry.

       ACL qualifier
	       The ACL qualifier field describes the user or group  associated
	       with  the  ACL  entry.  It may consist of one of	the following:
	       uid or user name, gid or	group name, or empty.  For "user"  ACL
	       entries,	 an  empty  field specifies access granted to the file
	       owner.  For "group" ACL entries,	an empty field	specifies  ac-
	       cess  granted to	the file owning	group.	"mask" and "other" ACL
	       entries do not use this field.

       access permissions
	       The access permissions field contains up	to one of each of  the
	       following:  `r',	 `w',  and `x' to set read, write, and execute
	       permissions, respectively.  Each	of these may  be  excluded  or
	       replaced	with a `-' character to	indicate no access.

       A  "mask"  ACL  entry  is required on a file with any ACL entries other
       than the	default	"user",	"group", and "other" ACL entries.  If  the  -n
       option  is  not	specified  and	no "mask" ACL entry was	specified, the
       setfacl utility will apply a "mask" ACL entry consisting	of  the	 union
       of  the	permissions associated with all	"group"	ACL entries in the re-
       sulting ACL.

       Traditional POSIX interfaces acting on file system  object  modes  have
       modified	 semantics  in the presence of POSIX.1e	extended ACLs.	When a
       mask entry is present on	the access ACL of an object, the mask entry is
       substituted for the group bits; this occurs in programs such as stat(1)
       or ls(1).  When the mode	is modified on an object that has a  mask  en-
       try,  the changes applied to the	group bits will	actually be applied to
       the mask	entry.	These semantics	provide	for greater  application  com-
       patibility: applications	modifying the mode instead of the ACL will see
       conservative  behavior, limiting	the effective rights granted by	all of
       the additional user and group entries; this occurs in programs such  as
       chmod(1).

       ACL  entries applied from a file	using the -M or	-X options shall be of
       the following form: one ACL entry per line,  as	previously  specified;
       whitespace is ignored; any text after a `#' is ignored (comments).

       When  POSIX.1e  ACL  entries  are evaluated, the	access check algorithm
       checks the ACL entries in the following order: file owner,  "user"  ACL
       entries,	file owning group, "group" ACL entries,	and "other" ACL	entry.

       Multiple	 ACL  entries  specified  on the command line are separated by
       commas.

       It is possible for files	and directories	to inherit  ACL	 entries  from
       their  parent  directory.   This	is accomplished	through	the use	of the
       default ACL.  It	should be noted	that before you	can specify a  default
       ACL,  the mandatory ACL entries for user, group,	other and mask must be
       set.  For more details see the examples below.	Default	 ACLs  can  be
       created by using	-d.

NFSv4 ACL ENTRIES
       An NFSv4	ACL entry contains four	or five	colon-separated	fields:	an ACL
       tag, an ACL qualifier (only for "user" and "group" tags), discretionary
       access permissions, ACL inheritance flags, and ACL type:

       ACL tag
	       The ACL tag specifies the ACL entry type	and consists of	one of
	       the  following:	"user" or `u' specifying the access granted to
	       the specified  user;  "group"  or  `g'  specifying  the	access
	       granted	to the specified group;	"owner@" specifying the	access
	       granted to the owner of the file; "group@" specifying  the  ac-
	       cess  granted  to the file owning group;	"everyone@" specifying
	       everyone.  Note that "everyone@"	is not the same	as traditional
	       Unix "other" - it means,	literally,  everyone,  including  file
	       owner and owning	group.

       ACL qualifier
	       The  ACL	qualifier field	describes the user or group associated
	       with the	ACL entry.  It may consist of one  of  the  following:
	       uid  or	user name, or gid or group name.  In entries whose tag
	       type is one of "owner@",	"group@", or "everyone@",  this	 field
	       is omitted altogether, including	the trailing colon.

       access permissions
	       Access  permissions  may	 be  specified in either short or long
	       form.  Short and	long forms may not be mixed.   Permissions  in
	       long  form  are	separated by the `/' character;	in short form,
	       they are	concatenated together.	Valid permissions are:

	       Short	   Long

	       r	   read_data

	       w	   write_data

	       x	   execute

	       p	   append_data

	       D	   delete_child

	       d	   delete

	       a	   read_attributes

	       A	   write_attributes

	       R	   read_xattr

	       W	   write_xattr

	       c	   read_acl

	       C	   write_acl

	       o	   write_owner

	       s	   synchronize

	       In addition, the	following permission sets may be used:

	       Set	   Permissions

	       full_set	   all permissions, as shown above

	       modify_set  all permissions except write_acl and	write_owner

	       read_set	   read_data, read_attributes, read_xattr and read_acl

	       write_set   write_data,	 append_data,	write_attributes   and
			   write_xattr

       ACL inheritance flags
	       Inheritance  flags  may	be  specified  in either short or long
	       form.  Short and	long forms may not be mixed.  Access flags  in
	       long  form  are	separated by the `/' character;	in short form,
	       they are	concatenated together.	Valid inheritance flags	are:

	       Short  Long

	       f      file_inherit

	       d      dir_inherit

	       i      inherit_only

	       n      no_propagate

	       I      inherited

	       Other than the "inherited" flag,	inheritance flags may be  only
	       set on directories.

       ACL type
	       The ACL type field is either "allow" or "deny".

       ACL  entries applied from a file	using the -M or	-X options shall be of
       the following form: one ACL entry per line,  as	previously  specified;
       whitespace is ignored; any text after a `#' is ignored (comments).

       NFSv4 ACL entries are evaluated in their	visible	order.

       Multiple	 ACL  entries  specified  on the command line are separated by
       commas.

       Note that the file owner	is always  granted  the	 read_acl,  write_acl,
       read_attributes,	 and  write_attributes	permissions,  even  if the ACL
       would deny it.

EXIT STATUS
       The setfacl utility exits 0 on success, and >0 if an error occurs.

EXAMPLES
	     setfacl -d	-m u::rwx,g::rx,o::rx,mask::rwx	dir
	     setfacl -d	-m g:admins:rwx	dir

       The first command sets the mandatory elements of	the  POSIX.1e  default
       ACL.   The second command specifies that	users in group admins can have
       read, write, and	execute	permissions for	 directory  named  "dir".   It
       should  be noted	that any files or directories created underneath "dir"
       will inherit these default ACLs upon creation.

	     setfacl -m	u::rwx,g:mail:rw file

       Sets read, write, and execute permissions for the file owner's POSIX.1e
       ACL entry and read and write permissions	for group mail on file.

	     setfacl -m	owner@:rwxp::allow,g:mail:rwp::allow file

       Semantically equal to the example above,	but for	NFSv4 ACL.

	     setfacl -M	file1 file2

       Sets/updates the	ACL entries contained in file1 on file2.

	     setfacl -x	g:mail:rw file

       Remove the group	mail POSIX.1e ACL entry	containing read/write  permis-
       sions from file.

	     setfacl -x0 file

       Remove the first	entry from the NFSv4 ACL from file.

	     setfacl -bn file

       Remove  all  "access"  ACL  entries  except for the three required from
       file.

	     getfacl file1 | setfacl -b	-n -M -	file2

       Copy ACL	entries	from file1 to file2.

SEE ALSO
       getfacl(1), acl(3), getextattr(8), setextattr(8), acl(9), extattr(9)

STANDARDS
       The setfacl utility is expected to be IEEE Std 1003.2c compliant.

HISTORY
       Extended	Attribute and Access Control List  support  was	 developed  as
       part  of	 the  TrustedBSD Project and introduced	in FreeBSD 5.0.	 NFSv4
       ACL support was introduced in FreeBSD 8.1.

AUTHORS
       The setfacl utility was written by Chris	D. Faulhaber <jedgar@fxp.org>.
       NFSv4  ACL  support  was	 implemented  by   Edward   Tomasz   Napierala
       <trasz@FreeBSD.org>.

FreeBSD	13.2			April 29, 2023			    SETFACL(1)

NAME | SYNOPSIS | DESCRIPTION | POSIX.1e ACL ENTRIES | NFSv4 ACL ENTRIES | EXIT STATUS | EXAMPLES | SEE ALSO | STANDARDS | HISTORY | AUTHORS

Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=setfacl&sektion=1&manpath=FreeBSD+14.1-RELEASE+and+Ports>

home | help