1.\"- 2.\" Copyright (c) 2001 Chris D. Faulhaber 3.\" Copyright (c) 2011 Edward Tomasz Napierała 4.\" All rights reserved. 5.\" 6.\" Redistribution and use in source and binary forms, with or without 7.\" modification, are permitted provided that the following conditions 8.\" are met: 9.\" 1. Redistributions of source code must retain the above copyright 10.\" notice, this list of conditions and the following disclaimer. 11.\" 2. Redistributions in binary form must reproduce the above copyright 12.\" notice, this list of conditions and the following disclaimer in the 13.\" documentation and/or other materials provided with the distribution. 14.\" 15.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 16.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 17.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 18.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 19.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 20.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 21.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 22.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 23.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 24.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 25.\" SUCH DAMAGE. 26.\" 27.\" $FreeBSD$ 28.\" 29.Dd April 29, 2023 30.Dt SETFACL 1 31.Os 32.Sh NAME 33.Nm setfacl 34.Nd set ACL information 35.Sh SYNOPSIS 36.Nm 37.Op Fl R Op Fl H | L | P 38.Op Fl bdhkn 39.Op Fl a Ar position entries 40.Op Fl m Ar entries 41.Op Fl M Ar file 42.Op Fl x Ar entries | position 43.Op Fl X Ar file 44.Op Ar 45.Sh DESCRIPTION 46The 47.Nm 48utility sets discretionary access control information on 49the specified file(s). 50If no files are specified, or the list consists of the only 51.Sq Fl , 52the file names are taken from the standard input. 53.Pp 54The following options are available: 55.Bl -tag -width indent 56.It Fl a Ar position entries 57Modify the ACL on the specified files by inserting new 58ACL entries 59specified in 60.Ar entries , 61starting at position 62.Ar position , 63counting from zero. 64This option is only applicable to NFSv4 ACLs. 65.It Fl b 66Remove all ACL entries except for the ones synthesized 67from the file mode - the three mandatory entries in case 68of POSIX.1e ACL. 69If the POSIX.1e ACL contains a 70.Dq Li mask 71entry, the permissions of the 72.Dq Li group 73entry in the resulting ACL will be set to the permission 74associated with both the 75.Dq Li group 76and 77.Dq Li mask 78entries of the current ACL. 79.It Fl d 80The operations apply to the default ACL entries instead of 81access ACL entries. 82Currently only directories may have 83default ACL's. 84This option is not applicable to NFSv4 ACLs. 85.It Fl h 86If the target of the operation is a symbolic link, perform the operation 87on the symbolic link itself, rather than following the link. 88.It Fl H 89If the 90.Fl R 91option is specified, symbolic links on the command line are followed 92and hence unaffected by the command. 93(Symbolic links encountered during tree traversal are not followed.) 94.It Fl k 95Delete any default ACL entries on the specified files. 96It 97is not considered an error if the specified files do not have 98any default ACL entries. 99An error will be reported if any of 100the specified files cannot have a default entry (i.e., 101non-directories). 102This option is not applicable to NFSv4 ACLs. 103.It Fl L 104If the 105.Fl R 106option is specified, all symbolic links are followed. 107.It Fl m Ar entries 108Modify the ACL on the specified file. 109New entries will be added, and existing entries will be modified 110according to the 111.Ar entries 112argument. 113For NFSv4 ACLs, it is recommended to use the 114.Fl a 115and 116.Fl x 117options instead. 118.It Fl M Ar file 119Modify the ACL entries on the specified files by adding new 120ACL entries and modifying existing ACL entries with the ACL 121entries specified in the file 122.Ar file . 123If 124.Ar file 125is 126.Fl , 127the input is taken from stdin. 128.It Fl n 129Do not recalculate the permissions associated with the ACL 130mask entry. 131This option is not applicable to NFSv4 ACLs. 132.It Fl P 133If the 134.Fl R 135option is specified, no symbolic links are followed. 136This is the default. 137.It Fl R 138Perform the action recursively on any specified directories. 139When modifying or adding NFSv4 ACL entries, inheritance flags 140are applied only to directories. 141.It Fl x Ar entries | position 142If 143.Ar entries 144is specified, remove the ACL entries specified there 145from the access or default ACL of the specified files. 146Otherwise, remove entry at index 147.Ar position , 148counting from zero. 149.It Fl X Ar file 150Remove the ACL entries specified in the file 151.Ar file 152from the access or default ACL of the specified files. 153.El 154.Pp 155The above options are evaluated in the order specified 156on the command-line. 157.Sh POSIX.1e ACL ENTRIES 158A POSIX.1E ACL entry contains three colon-separated fields: 159an ACL tag, an ACL qualifier, and discretionary access 160permissions: 161.Bl -tag -width indent 162.It Ar "ACL tag" 163The ACL tag specifies the ACL entry type and consists of 164one of the following: 165.Dq Li user 166or 167.Ql u 168specifying the access 169granted to the owner of the file or a specified user; 170.Dq Li group 171or 172.Ql g 173specifying the access granted to the file owning group 174or a specified group; 175.Dq Li other 176or 177.Ql o 178specifying the access 179granted to any process that does not match any user or group 180ACL entry; 181.Dq Li mask 182or 183.Ql m 184specifying the maximum access 185granted to any ACL entry except the 186.Dq Li user 187ACL entry for the file owner and the 188.Dq Li other 189ACL entry. 190.It Ar "ACL qualifier" 191The ACL qualifier field describes the user or group associated with 192the ACL entry. 193It may consist of one of the following: uid or 194user name, gid or group name, or empty. 195For 196.Dq Li user 197ACL entries, an empty field specifies access granted to the 198file owner. 199For 200.Dq Li group 201ACL entries, an empty field specifies access granted to the 202file owning group. 203.Dq Li mask 204and 205.Dq Li other 206ACL entries do not use this field. 207.It Ar "access permissions" 208The access permissions field contains up to one of each of 209the following: 210.Ql r , 211.Ql w , 212and 213.Ql x 214to set read, write, and 215execute permissions, respectively. 216Each of these may be excluded 217or replaced with a 218.Ql - 219character to indicate no access. 220.El 221.Pp 222A 223.Dq Li mask 224ACL entry is required on a file with any ACL entries other than 225the default 226.Dq Li user , 227.Dq Li group , 228and 229.Dq Li other 230ACL entries. 231If the 232.Fl n 233option is not specified and no 234.Dq Li mask 235ACL entry was specified, the 236.Nm 237utility 238will apply a 239.Dq Li mask 240ACL entry consisting of the union of the permissions associated 241with all 242.Dq Li group 243ACL entries in the resulting ACL. 244.Pp 245Traditional POSIX interfaces acting on file system object modes have 246modified semantics in the presence of POSIX.1e extended ACLs. 247When a mask entry is present on the access ACL of an object, the mask 248entry is substituted for the group bits; this occurs in programs such 249as 250.Xr stat 1 251or 252.Xr ls 1 . 253When the mode is modified on an object that has a mask entry, the 254changes applied to the group bits will actually be applied to the 255mask entry. 256These semantics provide for greater application compatibility: 257applications modifying the mode instead of the ACL will see 258conservative behavior, limiting the effective rights granted by all 259of the additional user and group entries; this occurs in programs 260such as 261.Xr chmod 1 . 262.Pp 263ACL entries applied from a file using the 264.Fl M 265or 266.Fl X 267options shall be of the following form: one ACL entry per line, as 268previously specified; whitespace is ignored; any text after a 269.Ql # 270is ignored (comments). 271.Pp 272When POSIX.1e ACL entries are evaluated, the access check algorithm checks 273the ACL entries in the following order: file owner, 274.Dq Li user 275ACL entries, file owning group, 276.Dq Li group 277ACL entries, and 278.Dq Li other 279ACL entry. 280.Pp 281Multiple ACL entries specified on the command line are 282separated by commas. 283.Pp 284It is possible for files and directories to inherit ACL entries from their 285parent directory. 286This is accomplished through the use of the default ACL. 287It should be noted that before you can specify a default ACL, the mandatory 288ACL entries for user, group, other and mask must be set. 289For more details see the examples below. 290Default ACLs can be created by using 291.Fl d . 292.Sh NFSv4 ACL ENTRIES 293An NFSv4 ACL entry contains four or five colon-separated fields: an ACL tag, 294an ACL qualifier (only for 295.Dq Li user 296and 297.Dq Li group 298tags), discretionary access permissions, ACL inheritance flags, and ACL type: 299.Bl -tag -width indent 300.It Ar "ACL tag" 301The ACL tag specifies the ACL entry type and consists of 302one of the following: 303.Dq Li user 304or 305.Ql u 306specifying the access 307granted to the specified user; 308.Dq Li group 309or 310.Ql g 311specifying the access granted to the specified group; 312.Dq Li owner@ 313specifying the access granted to the owner of the file; 314.Dq Li group@ 315specifying the access granted to the file owning group; 316.Dq Li everyone@ 317specifying everyone. 318Note that 319.Dq Li everyone@ 320is not the same as traditional Unix 321.Dq Li other 322- it means, 323literally, everyone, including file owner and owning group. 324.It Ar "ACL qualifier" 325The ACL qualifier field describes the user or group associated with 326the ACL entry. 327It may consist of one of the following: uid or 328user name, or gid or group name. 329In entries whose tag type is one of 330.Dq Li owner@ , 331.Dq Li group@ , 332or 333.Dq Li everyone@ , 334this field is omitted altogether, including the trailing colon. 335.It Ar "access permissions" 336Access permissions may be specified in either short or long form. 337Short and long forms may not be mixed. 338Permissions in long form are separated by the 339.Ql / 340character; in short form, they are concatenated together. 341Valid permissions are: 342.Bl -tag -width ".Dv modify_set" 343.It Short 344Long 345.It r 346read_data 347.It w 348write_data 349.It x 350execute 351.It p 352append_data 353.It D 354delete_child 355.It d 356delete 357.It a 358read_attributes 359.It A 360write_attributes 361.It R 362read_xattr 363.It W 364write_xattr 365.It c 366read_acl 367.It C 368write_acl 369.It o 370write_owner 371.It s 372synchronize 373.El 374.Pp 375In addition, the following permission sets may be used: 376.Bl -tag -width ".Dv modify_set" 377.It Set 378Permissions 379.It full_set 380all permissions, as shown above 381.It modify_set 382all permissions except write_acl and write_owner 383.It read_set 384read_data, read_attributes, read_xattr and read_acl 385.It write_set 386write_data, append_data, write_attributes and write_xattr 387.El 388.It Ar "ACL inheritance flags" 389Inheritance flags may be specified in either short or long form. 390Short and long forms may not be mixed. 391Access flags in long form are separated by the 392.Ql / 393character; in short form, they are concatenated together. 394Valid inheritance flags are: 395.Bl -tag -width ".Dv short" 396.It Short 397Long 398.It f 399file_inherit 400.It d 401dir_inherit 402.It i 403inherit_only 404.It n 405no_propagate 406.It I 407inherited 408.El 409.Pp 410Other than the "inherited" flag, inheritance flags may be only set on directories. 411.It Ar "ACL type" 412The ACL type field is either 413.Dq Li allow 414or 415.Dq Li deny . 416.El 417.Pp 418ACL entries applied from a file using the 419.Fl M 420or 421.Fl X 422options shall be of the following form: one ACL entry per line, as 423previously specified; whitespace is ignored; any text after a 424.Ql # 425is ignored (comments). 426.Pp 427NFSv4 ACL entries are evaluated in their visible order. 428.Pp 429Multiple ACL entries specified on the command line are 430separated by commas. 431.Pp 432Note that the file owner is always granted the read_acl, write_acl, 433read_attributes, and write_attributes permissions, even if the ACL 434would deny it. 435.Sh EXIT STATUS 436.Ex -std 437.Sh EXAMPLES 438.Dl setfacl -d -m u::rwx,g::rx,o::rx,mask::rwx dir 439.Dl setfacl -d -m g:admins:rwx dir 440.Pp 441The first command sets the mandatory elements of the POSIX.1e default ACL. 442The second command specifies that users in group admins can have read, write, and execute 443permissions for directory named "dir". 444It should be noted that any files or directories created underneath "dir" will 445inherit these default ACLs upon creation. 446.Pp 447.Dl setfacl -m u::rwx,g:mail:rw file 448.Pp 449Sets read, write, and execute permissions for the 450.Pa file 451owner's POSIX.1e ACL entry and read and write permissions for group mail on 452.Pa file . 453.Pp 454.Dl setfacl -m owner@:rwxp::allow,g:mail:rwp::allow file 455.Pp 456Semantically equal to the example above, but for NFSv4 ACL. 457.Pp 458.Dl setfacl -M file1 file2 459.Pp 460Sets/updates the ACL entries contained in 461.Pa file1 462on 463.Pa file2 . 464.Pp 465.Dl setfacl -x g:mail:rw file 466.Pp 467Remove the group mail POSIX.1e ACL entry containing read/write permissions 468from 469.Pa file . 470.Pp 471.Dl setfacl -x0 file 472.Pp 473Remove the first entry from the NFSv4 ACL from 474.Pa file . 475.Pp 476.Dl setfacl -bn file 477.Pp 478Remove all 479.Dq Li access 480ACL entries except for the three required from 481.Pa file . 482.Pp 483.Dl getfacl file1 | setfacl -b -n -M - file2 484.Pp 485Copy ACL entries from 486.Pa file1 487to 488.Pa file2 . 489.Sh SEE ALSO 490.Xr getfacl 1 , 491.Xr acl 3 , 492.Xr getextattr 8 , 493.Xr setextattr 8 , 494.Xr acl 9 , 495.Xr extattr 9 496.Sh STANDARDS 497The 498.Nm 499utility is expected to be 500.Tn IEEE 501Std 1003.2c compliant. 502.Sh HISTORY 503Extended Attribute and Access Control List support was developed 504as part of the 505.Tn TrustedBSD 506Project and introduced in 507.Fx 5.0 . 508NFSv4 ACL support was introduced in 509.Fx 8.1 . 510.Sh AUTHORS 511.An -nosplit 512The 513.Nm 514utility was written by 515.An Chris D. Faulhaber Aq Mt jedgar@fxp.org . 516NFSv4 ACL support was implemented by 517.An Edward Tomasz Napierala Aq Mt trasz@FreeBSD.org . 518