1.\"- 2.\" Copyright (c) 2001 Chris D. Faulhaber 3.\" Copyright (c) 2011 Edward Tomasz Napierała 4.\" All rights reserved. 5.\" 6.\" Redistribution and use in source and binary forms, with or without 7.\" modification, are permitted provided that the following conditions 8.\" are met: 9.\" 1. Redistributions of source code must retain the above copyright 10.\" notice, this list of conditions and the following disclaimer. 11.\" 2. Redistributions in binary form must reproduce the above copyright 12.\" notice, this list of conditions and the following disclaimer in the 13.\" documentation and/or other materials provided with the distribution. 14.\" 15.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 16.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 17.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 18.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 19.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 20.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 21.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 22.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 23.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 24.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 25.\" SUCH DAMAGE. 26.\" 27.\" $FreeBSD$ 28.\" 29.Dd April 10, 2018 30.Dt SETFACL 1 31.Os 32.Sh NAME 33.Nm setfacl 34.Nd set ACL information 35.Sh SYNOPSIS 36.Nm 37.Op Fl R Op Fl H | L | P 38.Op Fl bdhkn 39.Op Fl a Ar position entries 40.Op Fl m Ar entries 41.Op Fl M Ar file 42.Op Fl x Ar entries | position 43.Op Fl X Ar file 44.Op Ar 45.Sh DESCRIPTION 46The 47.Nm 48utility sets discretionary access control information on 49the specified file(s). 50If no files are specified, or the list consists of the only 51.Sq Fl , 52the file names are taken from the standard input. 53.Pp 54The following options are available: 55.Bl -tag -width indent 56.It Fl a Ar position entries 57Modify the ACL on the specified files by inserting new 58ACL entries 59specified in 60.Ar entries , 61starting at position 62.Ar position , 63counting from zero. 64This option is only applicable to NFSv4 ACLs. 65.It Fl b 66Remove all ACL entries except for the ones synthesized 67from the file mode - the three mandatory entries in case 68of POSIX.1e ACL. 69If the POSIX.1e ACL contains a 70.Dq Li mask 71entry, the permissions of the 72.Dq Li group 73entry in the resulting ACL will be set to the permission 74associated with both the 75.Dq Li group 76and 77.Dq Li mask 78entries of the current ACL. 79.It Fl d 80The operations apply to the default ACL entries instead of 81access ACL entries. 82Currently only directories may have 83default ACL's. This option is not applicable to NFSv4 ACLs. 84.It Fl h 85If the target of the operation is a symbolic link, perform the operation 86on the symbolic link itself, rather than following the link. 87.It Fl H 88If the 89.Fl R 90option is specified, symbolic links on the command line are followed 91and hence unaffected by the command. 92(Symbolic links encountered during tree traversal are not followed.) 93.It Fl k 94Delete any default ACL entries on the specified files. 95It 96is not considered an error if the specified files do not have 97any default ACL entries. 98An error will be reported if any of 99the specified files cannot have a default entry (i.e.\& 100non-directories). This option is not applicable to NFSv4 ACLs. 101.It Fl L 102If the 103.Fl R 104option is specified, all symbolic links are followed. 105.It Fl m Ar entries 106Modify the ACL on the specified file. 107New entries will be added, and existing entries will be modified 108according to the 109.Ar entries 110argument. 111For NFSv4 ACLs, it is recommended to use the 112.Fl a 113and 114.Fl x 115options instead. 116.It Fl M Ar file 117Modify the ACL entries on the specified files by adding new 118ACL entries and modifying existing ACL entries with the ACL 119entries specified in the file 120.Ar file . 121If 122.Ar file 123is 124.Fl , 125the input is taken from stdin. 126.It Fl n 127Do not recalculate the permissions associated with the ACL 128mask entry. 129This option is not applicable to NFSv4 ACLs. 130.It Fl P 131If the 132.Fl R 133option is specified, no symbolic links are followed. 134This is the default. 135.It Fl R 136Perform the action recursively on any specified directories. 137.It Fl x Ar entries | position 138If 139.Ar entries 140is specified, remove the ACL entries specified there 141from the access or default ACL of the specified files. 142Otherwise, remove entry at index 143.Ar position , 144counting from zero. 145.It Fl X Ar file 146Remove the ACL entries specified in the file 147.Ar file 148from the access or default ACL of the specified files. 149.El 150.Pp 151The above options are evaluated in the order specified 152on the command-line. 153.Sh POSIX.1e ACL ENTRIES 154A POSIX.1E ACL entry contains three colon-separated fields: 155an ACL tag, an ACL qualifier, and discretionary access 156permissions: 157.Bl -tag -width indent 158.It Ar "ACL tag" 159The ACL tag specifies the ACL entry type and consists of 160one of the following: 161.Dq Li user 162or 163.Ql u 164specifying the access 165granted to the owner of the file or a specified user; 166.Dq Li group 167or 168.Ql g 169specifying the access granted to the file owning group 170or a specified group; 171.Dq Li other 172or 173.Ql o 174specifying the access 175granted to any process that does not match any user or group 176ACL entry; 177.Dq Li mask 178or 179.Ql m 180specifying the maximum access 181granted to any ACL entry except the 182.Dq Li user 183ACL entry for the file owner and the 184.Dq Li other 185ACL entry. 186.It Ar "ACL qualifier" 187The ACL qualifier field describes the user or group associated with 188the ACL entry. 189It may consist of one of the following: uid or 190user name, gid or group name, or empty. 191For 192.Dq Li user 193ACL entries, an empty field specifies access granted to the 194file owner. 195For 196.Dq Li group 197ACL entries, an empty field specifies access granted to the 198file owning group. 199.Dq Li mask 200and 201.Dq Li other 202ACL entries do not use this field. 203.It Ar "access permissions" 204The access permissions field contains up to one of each of 205the following: 206.Ql r , 207.Ql w , 208and 209.Ql x 210to set read, write, and 211execute permissions, respectively. 212Each of these may be excluded 213or replaced with a 214.Ql - 215character to indicate no access. 216.El 217.Pp 218A 219.Dq Li mask 220ACL entry is required on a file with any ACL entries other than 221the default 222.Dq Li user , 223.Dq Li group , 224and 225.Dq Li other 226ACL entries. 227If the 228.Fl n 229option is not specified and no 230.Dq Li mask 231ACL entry was specified, the 232.Nm 233utility 234will apply a 235.Dq Li mask 236ACL entry consisting of the union of the permissions associated 237with all 238.Dq Li group 239ACL entries in the resulting ACL. 240.Pp 241Traditional POSIX interfaces acting on file system object modes have 242modified semantics in the presence of POSIX.1e extended ACLs. 243When a mask entry is present on the access ACL of an object, the mask 244entry is substituted for the group bits; this occurs in programs such 245as 246.Xr stat 1 247or 248.Xr ls 1 . 249When the mode is modified on an object that has a mask entry, the 250changes applied to the group bits will actually be applied to the 251mask entry. 252These semantics provide for greater application compatibility: 253applications modifying the mode instead of the ACL will see 254conservative behavior, limiting the effective rights granted by all 255of the additional user and group entries; this occurs in programs 256such as 257.Xr chmod 1 . 258.Pp 259ACL entries applied from a file using the 260.Fl M 261or 262.Fl X 263options shall be of the following form: one ACL entry per line, as 264previously specified; whitespace is ignored; any text after a 265.Ql # 266is ignored (comments). 267.Pp 268When POSIX.1e ACL entries are evaluated, the access check algorithm checks 269the ACL entries in the following order: file owner, 270.Dq Li user 271ACL entries, file owning group, 272.Dq Li group 273ACL entries, and 274.Dq Li other 275ACL entry. 276.Pp 277Multiple ACL entries specified on the command line are 278separated by commas. 279.Pp 280It is possible for files and directories to inherit ACL entries from their 281parent directory. 282This is accomplished through the use of the default ACL. 283It should be noted that before you can specify a default ACL, the mandatory 284ACL entries for user, group, other and mask must be set. 285For more details see the examples below. 286Default ACLs can be created by using 287.Fl d . 288.Sh NFSv4 ACL ENTRIES 289An NFSv4 ACL entry contains four or five colon-separated fields: an ACL tag, 290an ACL qualifier (only for 291.Dq Li user 292and 293.Dq Li group 294tags), discretionary access permissions, ACL inheritance flags, and ACL type: 295.Bl -tag -width indent 296.It Ar "ACL tag" 297The ACL tag specifies the ACL entry type and consists of 298one of the following: 299.Dq Li user 300or 301.Ql u 302specifying the access 303granted to the specified user; 304.Dq Li group 305or 306.Ql g 307specifying the access granted to the specified group; 308.Dq Li owner@ 309specifying the access granted to the owner of the file; 310.Dq Li group@ 311specifying the access granted to the file owning group; 312.Dq Li everyone@ 313specifying everyone. 314Note that 315.Dq Li everyone@ 316is not the same as traditional Unix 317.Dq Li other 318- it means, 319literally, everyone, including file owner and owning group. 320.It Ar "ACL qualifier" 321The ACL qualifier field describes the user or group associated with 322the ACL entry. 323It may consist of one of the following: uid or 324user name, or gid or group name. 325In entries whose tag type is one of 326.Dq Li owner@ , 327.Dq Li group@ , 328or 329.Dq Li everyone@ , 330this field is omitted altogether, including the trailing comma. 331.It Ar "access permissions" 332Access permissions may be specified in either short or long form. 333Short and long forms may not be mixed. 334Permissions in long form are separated by the 335.Ql / 336character; in short form, they are concatenated together. 337Valid permissions are: 338.Bl -tag -width ".Dv modify_set" 339.It Short 340Long 341.It r 342read_data 343.It w 344write_data 345.It x 346execute 347.It p 348append_data 349.It D 350delete_child 351.It d 352delete 353.It a 354read_attributes 355.It A 356write_attributes 357.It R 358read_xattr 359.It W 360write_xattr 361.It c 362read_acl 363.It C 364write_acl 365.It o 366write_owner 367.It s 368synchronize 369.El 370.Pp 371In addition, the following permission sets may be used: 372.Bl -tag -width ".Dv modify_set" 373.It Set 374Permissions 375.It full_set 376all permissions, as shown above 377.It modify_set 378all permissions except write_acl and write_owner 379.It read_set 380read_data, read_attributes, read_xattr and read_acl 381.It write_set 382write_data, append_data, write_attributes and write_xattr 383.El 384.It Ar "ACL inheritance flags" 385Inheritance flags may be specified in either short or long form. 386Short and long forms may not be mixed. 387Access flags in long form are separated by the 388.Ql / 389character; in short form, they are concatenated together. 390Valid inheritance flags are: 391.Bl -tag -width ".Dv short" 392.It Short 393Long 394.It f 395file_inherit 396.It d 397dir_inherit 398.It i 399inherit_only 400.It n 401no_propagate 402.It I 403inherited 404.El 405.Pp 406Other than the "inherited" flag, inheritance flags may be only set on directories. 407.It Ar "ACL type" 408The ACL type field is either 409.Dq Li allow 410or 411.Dq Li deny . 412.El 413.Pp 414ACL entries applied from a file using the 415.Fl M 416or 417.Fl X 418options shall be of the following form: one ACL entry per line, as 419previously specified; whitespace is ignored; any text after a 420.Ql # 421is ignored (comments). 422.Pp 423NFSv4 ACL entries are evaluated in their visible order. 424.Pp 425Multiple ACL entries specified on the command line are 426separated by commas. 427.Pp 428Note that the file owner is always granted the read_acl, write_acl, 429read_attributes, and write_attributes permissions, even if the ACL 430would deny it. 431.Sh EXIT STATUS 432.Ex -std 433.Sh EXAMPLES 434.Dl setfacl -d -m u::rwx,g::rx,o::rx,mask::rwx dir 435.Dl setfacl -d -m g:admins:rwx dir 436.Pp 437The first command sets the mandatory elements of the POSIX.1e default ACL. 438The second command specifies that users in group admins can have read, write, and execute 439permissions for directory named "dir". 440It should be noted that any files or directories created underneath "dir" will 441inherit these default ACLs upon creation. 442.Pp 443.Dl setfacl -m u::rwx,g:mail:rw file 444.Pp 445Sets read, write, and execute permissions for the 446.Pa file 447owner's POSIX.1e ACL entry and read and write permissions for group mail on 448.Pa file . 449.Pp 450.Dl setfacl -m owner@:rwxp::allow,g:mail:rwp::allow file 451.Pp 452Semantically equal to the example above, but for NFSv4 ACL. 453.Pp 454.Dl setfacl -M file1 file2 455.Pp 456Sets/updates the ACL entries contained in 457.Pa file1 458on 459.Pa file2 . 460.Pp 461.Dl setfacl -x g:mail:rw file 462.Pp 463Remove the group mail POSIX.1e ACL entry containing read/write permissions 464from 465.Pa file . 466.Pp 467.Dl setfacl -x0 file 468.Pp 469Remove the first entry from the NFSv4 ACL from 470.Pa file . 471.Pp 472.Dl setfacl -bn file 473.Pp 474Remove all 475.Dq Li access 476ACL entries except for the three required from 477.Pa file . 478.Pp 479.Dl getfacl file1 | setfacl -b -n -M - file2 480.Pp 481Copy ACL entries from 482.Pa file1 483to 484.Pa file2 . 485.Sh SEE ALSO 486.Xr getfacl 1 , 487.Xr acl 3 , 488.Xr getextattr 8 , 489.Xr setextattr 8 , 490.Xr acl 9 , 491.Xr extattr 9 492.Sh STANDARDS 493The 494.Nm 495utility is expected to be 496.Tn IEEE 497Std 1003.2c compliant. 498.Sh HISTORY 499Extended Attribute and Access Control List support was developed 500as part of the 501.Tn TrustedBSD 502Project and introduced in 503.Fx 5.0 . 504NFSv4 ACL support was introduced in 505.Fx 8.1 . 506.Sh AUTHORS 507.An -nosplit 508The 509.Nm 510utility was written by 511.An Chris D. Faulhaber Aq Mt jedgar@fxp.org . 512NFSv4 ACL support was implemented by 513.An Edward Tomasz Napierala Aq Mt trasz@FreeBSD.org . 514