FreeBSD manual
download PDF document: setfacl.1.pdf
SETFACL(1) FreeBSD General Commands Manual SETFACL(1)
NAME
setfacl - set ACL information
SYNOPSIS
setfacl [-R [-H | -L | -P]] [-bdhkn] [-a position entries] [-m entries]
[-M file] [-x entries | position] [-X file] [file ...]
DESCRIPTION
The setfacl utility sets discretionary access control information on the
specified file(s). If no files are specified, or the list consists of
the only `-', the file names are taken from the standard input.
The following options are available:
-a position entries
Modify the ACL on the specified files by inserting new ACL
entries specified in entries, starting at position position,
counting from zero. This option is only applicable to NFSv4
ACLs.
-b Remove all ACL entries except for the ones synthesized from the
file mode - the three mandatory entries in case of POSIX.1e ACL.
If the POSIX.1e ACL contains a "mask" entry, the permissions of
the "group" entry in the resulting ACL will be set to the
permission associated with both the "group" and "mask" entries of
the current ACL.
-d The operations apply to the default ACL entries instead of access
ACL entries. Currently only directories may have default ACL's.
This option is not applicable to NFSv4 ACLs.
-h If the target of the operation is a symbolic link, perform the
operation on the symbolic link itself, rather than following the
link.
-H If the -R option is specified, symbolic links on the command line
are followed and hence unaffected by the command. (Symbolic
links encountered during tree traversal are not followed.)
-k Delete any default ACL entries on the specified files. It is not
considered an error if the specified files do not have any
default ACL entries. An error will be reported if any of the
specified files cannot have a default entry (i.e., non-
directories). This option is not applicable to NFSv4 ACLs.
-L If the -R option is specified, all symbolic links are followed.
-m entries
Modify the ACL on the specified file. New entries will be added,
and existing entries will be modified according to the entries
argument. For NFSv4 ACLs, it is recommended to use the -a and -x
options instead.
-M file
Modify the ACL entries on the specified files by adding new ACL
entries and modifying existing ACL entries with the ACL entries
specified in the file file. If file is -, the input is taken
-R Perform the action recursively on any specified directories.
When modifying or adding NFSv4 ACL entries, inheritance flags are
applied only to directories.
-x entries | position
If entries is specified, remove the ACL entries specified there
from the access or default ACL of the specified files.
Otherwise, remove entry at index position, counting from zero.
-X file
Remove the ACL entries specified in the file file from the access
or default ACL of the specified files.
The above options are evaluated in the order specified on the command-
line.
POSIX.1e ACL ENTRIES
A POSIX.1E ACL entry contains three colon-separated fields: an ACL tag,
an ACL qualifier, and discretionary access permissions:
ACL tag
The ACL tag specifies the ACL entry type and consists of one of
the following: "user" or `u' specifying the access granted to the
owner of the file or a specified user; "group" or `g' specifying
the access granted to the file owning group or a specified group;
"other" or `o' specifying the access granted to any process that
does not match any user or group ACL entry; "mask" or `m'
specifying the maximum access granted to any ACL entry except the
"user" ACL entry for the file owner and the "other" ACL entry.
ACL qualifier
The ACL qualifier field describes the user or group associated
with the ACL entry. It may consist of one of the following: uid
or user name, gid or group name, or empty. For "user" ACL
entries, an empty field specifies access granted to the file
owner. For "group" ACL entries, an empty field specifies access
granted to the file owning group. "mask" and "other" ACL entries
do not use this field.
access permissions
The access permissions field contains up to one of each of the
following: `r', `w', and `x' to set read, write, and execute
permissions, respectively. Each of these may be excluded or
replaced with a `-' character to indicate no access.
A "mask" ACL entry is required on a file with any ACL entries other than
the default "user", "group", and "other" ACL entries. If the -n option
is not specified and no "mask" ACL entry was specified, the setfacl
utility will apply a "mask" ACL entry consisting of the union of the
permissions associated with all "group" ACL entries in the resulting ACL.
Traditional POSIX interfaces acting on file system object modes have
modified semantics in the presence of POSIX.1e extended ACLs. When a
mask entry is present on the access ACL of an object, the mask entry is
substituted for the group bits; this occurs in programs such as stat(1)
or ls(1). When the mode is modified on an object that has a mask entry,
the changes applied to the group bits will actually be applied to the
mask entry. These semantics provide for greater application
whitespace is ignored; any text after a `#' is ignored (comments).
When POSIX.1e ACL entries are evaluated, the access check algorithm
checks the ACL entries in the following order: file owner, "user" ACL
entries, file owning group, "group" ACL entries, and "other" ACL entry.
Multiple ACL entries specified on the command line are separated by
commas.
It is possible for files and directories to inherit ACL entries from
their parent directory. This is accomplished through the use of the
default ACL. It should be noted that before you can specify a default
ACL, the mandatory ACL entries for user, group, other and mask must be
set. For more details see the examples below. Default ACLs can be
created by using -d.
NFSv4 ACL ENTRIES
An NFSv4 ACL entry contains four or five colon-separated fields: an ACL
tag, an ACL qualifier (only for "user" and "group" tags), discretionary
access permissions, ACL inheritance flags, and ACL type:
ACL tag
The ACL tag specifies the ACL entry type and consists of one of
the following: "user" or `u' specifying the access granted to the
specified user; "group" or `g' specifying the access granted to
the specified group; "owner@" specifying the access granted to
the owner of the file; "group@" specifying the access granted to
the file owning group; "everyone@" specifying everyone. Note
that "everyone@" is not the same as traditional Unix "other" - it
means, literally, everyone, including file owner and owning
group.
ACL qualifier
The ACL qualifier field describes the user or group associated
with the ACL entry. It may consist of one of the following: uid
or user name, or gid or group name. In entries whose tag type is
one of "owner@", "group@", or "everyone@", this field is omitted
altogether, including the trailing colon.
access permissions
Access permissions may be specified in either short or long form.
Short and long forms may not be mixed. Permissions in long form
are separated by the `/' character; in short form, they are
concatenated together. Valid permissions are:
Short Long
r read_data
w write_data
x execute
p append_data
D delete_child
d delete
c read_acl
C write_acl
o write_owner
s synchronize
In addition, the following permission sets may be used:
Set Permissions
full_set all permissions, as shown above
modify_set all permissions except write_acl and write_owner
read_set read_data, read_attributes, read_xattr and read_acl
write_set write_data, append_data, write_attributes and
write_xattr
ACL inheritance flags
Inheritance flags may be specified in either short or long form.
Short and long forms may not be mixed. Access flags in long form
are separated by the `/' character; in short form, they are
concatenated together. Valid inheritance flags are:
Short Long
f file_inherit
d dir_inherit
i inherit_only
n no_propagate
I inherited
Other than the "inherited" flag, inheritance flags may be only
set on directories.
ACL type
The ACL type field is either "allow" or "deny".
ACL entries applied from a file using the -M or -X options shall be of
the following form: one ACL entry per line, as previously specified;
whitespace is ignored; any text after a `#' is ignored (comments).
NFSv4 ACL entries are evaluated in their visible order.
Multiple ACL entries specified on the command line are separated by
commas.
Note that the file owner is always granted the read_acl, write_acl,
read_attributes, and write_attributes permissions, even if the ACL would
deny it.
The first command sets the mandatory elements of the POSIX.1e default
ACL. The second command specifies that users in group admins can have
read, write, and execute permissions for directory named "dir". It
should be noted that any files or directories created underneath "dir"
will inherit these default ACLs upon creation.
setfacl -m u::rwx,g:mail:rw file
Sets read, write, and execute permissions for the file owner's POSIX.1e
ACL entry and read and write permissions for group mail on file.
setfacl -m owner@:rwxp::allow,g:mail:rwp::allow file
Semantically equal to the example above, but for NFSv4 ACL.
setfacl -M file1 file2
Sets/updates the ACL entries contained in file1 on file2.
setfacl -x g:mail:rw file
Remove the group mail POSIX.1e ACL entry containing read/write
permissions from file.
setfacl -x0 file
Remove the first entry from the NFSv4 ACL from file.
setfacl -bn file
Remove all "access" ACL entries except for the three required from file.
getfacl file1 | setfacl -b -n -M - file2
Copy ACL entries from file1 to file2.
SEE ALSO
getfacl(1), acl(3), getextattr(8), setextattr(8), acl(9), extattr(9)
STANDARDS
The setfacl utility is expected to be IEEE Std 1003.2c compliant.
HISTORY
Extended Attribute and Access Control List support was developed as part
of the TrustedBSD Project and introduced in FreeBSD 5.0. NFSv4 ACL
support was introduced in FreeBSD 8.1.
AUTHORS
The setfacl utility was written by Chris D. Faulhaber <jedgar@fxp.org>.
NFSv4 ACL support was implemented by Edward Tomasz Napierala
<trasz@FreeBSD.org>.
FreeBSD 14.0-RELEASE-p11 April 29, 2023 FreeBSD 14.0-RELEASE-p11