.\"
.\" Copyright (c) 2001 Chris D. Faulhaber
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR THE VOICES IN HIS HEAD BE
.\" LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $FreeBSD$
.\"
.Dd January 7, 2001
.Dt SETFACL 1
.Os
.Sh NAME
.Nm setfacl
.Nd set ACL information
.Sh SYNOPSIS
.Nm
.Op Fl bdkn
.Op Fl m Ar entries
.Op Fl M Ar file1
.Op Fl x Ar entries
.Op Fl X Ar file1
.Op Ar
.Sh DESCRIPTION
The
.Nm
utility sets discretionary access control information on
the specified file(s).
.Pp
The following options are available:
.Bl -tag -width indent
.It Fl b
Remove all ACL entries except for the three required entries.
.It Fl d
The operations apply to the default ACL entries instead of
access ACL entries.
Currently only directories may have
default ACLs.
.It Fl k
Delete any default ACL entries on the specified files.
It
is not considered an error if the specified files do not have
any default ACL entries.
An error will be reported if any of
the specified files cannot have a default entry (i.e.\&
non-directories).
.It Fl m Ar entries
Modify the ACL entries on the specified files by adding new
entries and modifying existing ACL entries with the ACL entries
specified in
.Ar entries .
.It Fl M Ar file
Modify the ACL entries on the specified files by adding new
ACL entries and modifying existing ACL entries with the ACL
entries specified in the file
.Ar file .
If
.Ar file
is
.Fl ,
the input is taken from stdin.
.It Fl n
Do not recalculate the permissions associated with the ACL
mask entry.
.It Fl x Ar entries
Remove the ACL entries specified in
.Ar entries
from the access or default ACL of the specified files.
.It Fl X Ar file
Remove the ACL entries specified in the file
.Ar file
from the access or default ACL of the specified files.
.El
.Pp
The above options are evaluated in the order specified
on the command-line.
.Pp
Multiple ACL entries specified on the command line are
separated by commas.
.Sh ACL ENTRIES
An ACL entry contains three colon-separated fields:
an ACL tag, an ACL qualifier, and discretionary access
permissions:
.Bl -tag -width indent
.It Ar "ACL tag"
The ACL tag specifies the ACL entry type and consists of
one of the following:
.Dq Li user
or
.Ql u
specifying the access
granted to the owner of the file or a specified user;
.Dq Li group
or
.Ql g
specifying the access granted to the file owning group
or a specified group;
.Dq Li other
or
.Ql o
specifying the access
granted to any process that does not match any user or group
ACL entry;
.Dq Li mask
or
.Ql m
specifying the maximum access
granted to any ACL entry except the
.Dq Li user
ACL entry for the file owner and the
.Dq Li other
ACL entry.
.It Ar "ACL qualifier"
The ACL qualifier field describes the user or group associated with
the ACL entry.
It may consist of one of the following: uid or
user name, gid or group name, or empty.
For
.Dq Li user
ACL entries, an empty field specifies access granted to the
file owner.
For
.Dq Li group
ACL entries, an empty field specifies access granted to the
file owning group.
.Dq Li mask
and
.Dq Li other
ACL entries do not use this field.
.It Ar "access permissions"
The access permissions field contains up to one of each of
the following:
.Ql r ,
.Ql w ,
and
.Ql x
to set read, write, and
execute permissions, respectively.
Each of these may be excluded
or replaced with a
.Ql -
character to indicate no access.
.El
.Pp
A
.Dq Li mask
ACL entry is required on a file with any ACL entries other than
the default
.Dq Li user ,
.Dq Li group ,
and
.Dq Li other
ACL entries.
If the
.Fl n
option is not specified and no
.Dq Li mask
ACL entry was specified, the
.Nm
utility
will apply a
.Dq Li mask
ACL entry consisting of the union of the permissions associated
with all
.Dq Li group
ACL entries in the resulting ACL.
.Pp
ACL entries applied from a file using the
.Fl M
or
.Fl X
options shall be of the following form: one ACL entry per line, as
previously specified; whitespace is ignored; any text after a
.Ql #
is ignored (comments).
.Pp
When ACL entries are evaluated, the access check algorithm checks
the ACL entries in the following order: file owner,
.Dq Li user
ACL entries, file owning group,
.Dq Li group
ACL entries, and
.Dq Li other
ACL entry.
.Sh DIAGNOSTICS
The
.Nm
utility returns 0 on success and >0 if an error occurs.
.Sh EXAMPLES
.Dl setfacl -m u::rwx,g:mail:rw file
.Pp
Sets read, write, and execute permissions for the
.Pa file
owner's ACL entry and read and write permissions for group mail on
.Pa file .
.Pp
.Dl setfacl -M file1 file2
.Pp
Sets/updates the ACL entries contained in
.Pa file1
on
.Pa file2 .
.Pp
.Dl setfacl -x g:mail:rw file
.Pp
Remove the group mail ACL entry containing read/write permissions
from
.Pa file .
.Pp
.Dl setfacl -b file
.Pp
Remove all ACL entries except for the three required
entries from
.Pa file .
.Pp
.Dl getfacl file1 | setfacl -b -n -M - file2
.Pp
Copy ACL entries from
.Pa file1
to
.Pa file2 .
.Sh SEE ALSO
.Xr getfacl 1 ,
.Xr acl 3 ,
.Xr getextattr 8 ,
.Xr setextattr 8 ,
.Xr acl 9 ,
.Xr extattr 9
.Sh STANDARDS
The
.Nm
utility is expected to be
.Tn IEEE
Std 1003.2c compliant.
.Sh HISTORY
Extended Attribute and Access Control List support was developed
as part of the
.Tn TrustedBSD
Project and introduced in
.Fx 5.0 .
.Sh AUTHORS
The
.Nm
utility was written by
.An Chris D. Faulhaber Aq jedgar@fxp.org .
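
The entry format, the -M/-X file format and the mask rule from the ACL ENTRIES section, modelled in Python as an added example; it is not part of the original manual page or of setfacl itself. The function names (parse_entry, parse_acl_file, default_mask, effective) and the sample entries are assumptions made for illustration, and default_mask follows this page's wording of the mask rule.

```python
import re

TAGS = {"u": "user", "user": "user", "g": "group", "group": "group",
        "o": "other", "other": "other", "m": "mask", "mask": "mask"}

def parse_entry(text):
    """Split 'tag:qualifier:perms' into (tag, qualifier, frozenset of perms)."""
    fields = text.split(":")
    if len(fields) != 3 or fields[0] not in TAGS:
        raise ValueError(f"bad ACL entry: {text!r}")
    tag, qualifier, perms = TAGS[fields[0]], fields[1], fields[2]
    if tag in ("mask", "other") and qualifier:
        raise ValueError(f"{tag} entries take no qualifier: {text!r}")
    if not re.fullmatch(r"[rwx-]*", perms) or any(perms.count(c) > 1 for c in "rwx"):
        raise ValueError(f"bad permissions: {text!r}")
    return tag, qualifier, frozenset(perms) - {"-"}

def parse_acl_file(text):
    """One entry per line; text after '#' and all whitespace is ignored."""
    lines = ("".join(raw.split("#", 1)[0].split()) for raw in text.splitlines())
    return [parse_entry(line) for line in lines if line]

def default_mask(entries):
    """Union of all group entries' permissions (this page's wording of the rule)."""
    return frozenset().union(*(p for t, _, p in entries if t == "group"))

def effective(entries):
    """Permissions after the mask; the owner's user entry and 'other' are exempt."""
    masks = [p for t, _, p in entries if t == "mask"]
    mask = masks[0] if masks else default_mask(entries)
    result = {}
    for tag, qualifier, perms in (e for e in entries if e[0] != "mask"):
        exempt = tag == "other" or (tag == "user" and not qualifier)
        kept = perms if exempt else perms & mask
        result[f"{tag}:{qualifier}"] = "".join(c if c in kept else "-" for c in "rwx")
    return result

# Constructed sample in the -M/-X file format (not from the original page).
SAMPLE = """\
u::rwx
u:alice:rw-    # named user, limited by the mask
g::r--
   g:mail:r-x
o::r--
m::r-x
"""

if __name__ == "__main__":
    print(effective(parse_acl_file(SAMPLE)))
```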