SETFACL(1)		    General Commands Manual		    SETFACL(1)

NAME
       setfacl -- set ACL information

SYNOPSIS
       setfacl	[-bdhkn]  [-m  entries]	 [-M  file]  [-x  entries]  [-X	 file]
	       [file ...]

DESCRIPTION
       The setfacl utility sets	discretionary access  control  information  on
       the specified file(s).

       The following options are available:

       -b      Remove  all  ACL	entries	except for the three required entries.
	       If the ACL contains a "mask"  entry,  the  permissions  of  the
	       "group"	entry  in the resulting	ACL will be set	to the permis-
	       sion associated with both the "group" and "mask"	entries	of the
	       current ACL.

       -d      The operations apply to the default ACL entries instead of access
               ACL entries.  Currently only directories may have default ACLs.

       -h      If the target of	the operation is a symbolic link, perform  the
	       operation  on  the  symbolic link itself, rather	than following
	       the link.

       -k      Delete any default ACL entries on the specified files.	It  is
	       not  considered an error	if the specified files do not have any
	       default ACL entries.  An	error will be reported if any  of  the
	       specified  files	cannot have a default entry (i.e. non-directo-
	       ries).

       -m entries
	       Modify the ACL entries on the specified files by	adding new en-
	       tries and modifying existing ACL	entries	with the  ACL  entries
	       specified in entries.

       -M file
	       Modify the ACL entries on the specified files by	adding new ACL
	       entries and modifying existing ACL entries with the ACL entries
	       specified  in  the file file.  If file is -, the	input is taken
	       from stdin.

       -n      Do not recalculate the permissions associated with the ACL mask
	       entry.

       -x entries
	       Remove the ACL entries specified	in entries from	the access  or
	       default ACL of the specified files.

       -X file
	       Remove  the ACL entries specified in the	file file from the ac-
	       cess or default ACL of the specified files.

       The above options are evaluated in the order specified on the  command-
       line.

ACL ENTRIES
       An  ACL entry contains three colon-separated fields: an ACL tag,	an ACL
       qualifier, and discretionary access permissions:

       ACL tag
	       The ACL tag specifies the ACL entry type	and consists of	one of
	       the following: "user" or	`u' specifying the access  granted  to
	       the owner of the	file or	a specified user; "group" or `g' spec-
	       ifying  the access granted to the file owning group or a	speci-
	       fied group; "other" or `o' specifying the access	granted	to any
	       process that does not match any user or group ACL entry;	"mask"
	       or `m' specifying the maximum access granted to any  ACL	 entry
	       except  the "user" ACL entry for	the file owner and the "other"
	       ACL entry.

       ACL qualifier
	       The ACL qualifier field describes the user or group  associated
	       with  the  ACL  entry.  It may consist of one of	the following:
	       uid or user name, gid or	group name, or empty.  For "user"  ACL
	       entries,	 an  empty  field specifies access granted to the file
	       owner.  For "group" ACL entries,	an empty field	specifies  ac-
	       cess  granted to	the file owning	group.	"mask" and "other" ACL
	       entries do not use this field.

       access permissions
	       The access permissions field contains up	to one of each of  the
	       following:  `r',	 `w',  and `x' to set read, write, and execute
	       permissions, respectively.  Each	of these may  be  excluded  or
	       replaced	with a `-' character to	indicate no access.

       A  "mask"  ACL  entry  is required on a file with any ACL entries other
       than the	default	"user",	"group", and "other" ACL entries.  If  the  -n
       option  is  not	specified  and	no "mask" ACL entry was	specified, the
       setfacl utility will apply a "mask" ACL entry consisting	of  the	 union
       of  the	permissions associated with all	"group"	ACL entries in the re-
       sulting ACL.

       Traditional POSIX interfaces acting on file system  object  modes  have
       modified	 semantics  in the presence of POSIX.1e	extended ACLs.	When a
       mask entry is present on	the access ACL of an object, the mask entry is
       substituted for the group bits; this occurs in programs such as stat(1)
       or ls(1).  When the mode	is modified on an object that has a  mask  en-
       try,  the changes applied to the	group bits will	actually be applied to
       the mask	entry.	These semantics	provide	for greater  application  com-
       patibility: applications	modifying the mode instead of the ACL will see
       conservative  behavior, limiting	the effective rights granted by	all of
       the additional user and group entries; this occurs in programs such  as
       chmod(1).

       ACL  entries applied from a file	using the -M or	-X options shall be of
       the following form: one ACL entry per line,  as	previously  specified;
       whitespace is ignored; any text after a `#' is ignored (comments).

       When  ACL  entries are evaluated, the access check algorithm checks the
       ACL entries in the following order: file	 owner,	 "user"	 ACL  entries,
       file owning group, "group" ACL entries, and "other" ACL entry.
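
       The mask rule and the evaluation order described above, modelled as an
       added example (not part of the original manual page or of FreeBSD's
       code).  It parses entries in the -M file form and decides one access
       request.  Assumptions: the users, groups and the SAMPLE ACL are
       constructed, and the group step follows POSIX.1e, where any matching
       group entry may grant the request and a group match that grants
       nothing does not fall through to "other".

```python
from collections import namedtuple

Entry = namedtuple("Entry", "tag qualifier perms")
TAGS = {"u": "user", "g": "group", "o": "other", "m": "mask"}
SAMPLE = """# constructed sample, in the form getfacl(1) prints
user::rw-
user:alice:rw-     # named user, limited by the mask
group::r--
group:mail:rw-
mask::r--
other::---
"""

def parse_entries(text):
    """Parse the -M/-X file form: one entry per line, whitespace and '#' text ignored."""
    entries = []
    for line in text.splitlines():
        line = "".join(line.split("#", 1)[0].split())  # drop comment, then whitespace
        if not line:
            continue
        tag, qualifier, perms = line.split(":")  # ValueError unless exactly three fields
        tag = TAGS.get(tag, tag)
        if tag not in TAGS.values() or set(perms) - set("rwx-"):
            raise ValueError(f"bad ACL entry: {line!r}")
        entries.append(Entry(tag, qualifier, frozenset(perms) - {"-"}))
    return entries

def check_access(entries, owner, owning_group, user, groups, want):
    """True if `user`, a member of `groups`, is granted every permission in `want`."""
    want = set(want)
    mask = next((e.perms for e in entries if e.tag == "mask"), None)
    limited = lambda e: e.perms if mask is None else e.perms & mask
    if user == owner:  # file owner: the user:: entry, never limited by the mask
        return want <= next(e.perms for e in entries if e.tag == "user" and not e.qualifier)
    for e in entries:  # "user" ACL entries for a specified user
        if e.tag == "user" and e.qualifier == user:
            return want <= limited(e)
    matched = False
    for e in entries:  # file owning group (empty qualifier), then "group" ACL entries
        if e.tag == "group" and (e.qualifier or owning_group) in groups:
            if want <= limited(e):
                return True
            matched = True
    if matched:
        return False
    return want <= next(e.perms for e in entries if e.tag == "other")

if __name__ == "__main__":
    # alice's entry says rw-, but mask::r-- removes w, so this prints False
    print(check_access(parse_entries(SAMPLE), "root", "wheel", "alice", {"staff"}, "w"))
```
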

       Multiple	 ACL  entries  specified  on the command line are separated by
       commas.

EXIT STATUS
       The setfacl utility exits 0 on success, and >0 if an error occurs.

EXAMPLES
	     setfacl -m	u::rwx,g:mail:rw file

       Sets read, write, and execute permissions for the file owner's ACL  en-
       try and read and	write permissions for group mail on file.

	     setfacl -M	file1 file2

       Sets/updates the	ACL entries contained in file1 on file2.

	     setfacl -x	g:mail:rw file

       Remove  the group mail ACL entry	containing read/write permissions from
       file.

	     setfacl -bn file

       Remove all "access" ACL entries except for the three required entries
       from file.

	     getfacl file1 | setfacl -b	-n -M -	file2

       Copy ACL	entries	from file1 to file2.

SEE ALSO
       getfacl(1), acl(3), getextattr(8), setextattr(8), acl(9), extattr(9)

STANDARDS
       The setfacl utility is expected to be IEEE Std 1003.2c compliant.

HISTORY
       Extended	 Attribute  and	 Access	 Control List support was developed as
       part of the TrustedBSD Project and introduced in	FreeBSD	5.0.

AUTHORS
       The setfacl utility was written by Chris	D. Faulhaber <jedgar@fxp.org>.

FreeBSD	6.1			January	7, 2001			    SETFACL(1)
