xref: /freebsd/bin/setfacl/setfacl.1 (revision 2e3507c25e42292b45a5482e116d278f5515d04d)
1.\"-
2.\" Copyright (c) 2001 Chris D. Faulhaber
3.\" Copyright (c) 2011 Edward Tomasz Napierała
4.\" All rights reserved.
5.\"
6.\" Redistribution and use in source and binary forms, with or without
7.\" modification, are permitted provided that the following conditions
8.\" are met:
9.\" 1. Redistributions of source code must retain the above copyright
10.\"    notice, this list of conditions and the following disclaimer.
11.\" 2. Redistributions in binary form must reproduce the above copyright
12.\"    notice, this list of conditions and the following disclaimer in the
13.\"    documentation and/or other materials provided with the distribution.
14.\"
15.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25.\" SUCH DAMAGE.
26.\"
27.Dd April 29, 2023
28.Dt SETFACL 1
29.Os
30.Sh NAME
31.Nm setfacl
32.Nd set ACL information
33.Sh SYNOPSIS
34.Nm
35.Op Fl R Op Fl H | L | P
36.Op Fl bdhkn
37.Op Fl a Ar position entries
38.Op Fl m Ar entries
39.Op Fl M Ar file
40.Op Fl x Ar entries | position
41.Op Fl X Ar file
42.Op Ar
43.Sh DESCRIPTION
44The
45.Nm
46utility sets discretionary access control information on
47the specified file(s).
48If no files are specified, or the list consists of the only
49.Sq Fl ,
50the file names are taken from the standard input.
51.Pp
52The following options are available:
53.Bl -tag -width indent
54.It Fl a Ar position entries
55Modify the ACL on the specified files by inserting new
56ACL entries
57specified in
58.Ar entries ,
59starting at position
60.Ar position ,
61counting from zero.
62This option is only applicable to NFSv4 ACLs.
63.It Fl b
64Remove all ACL entries except for the ones synthesized
65from the file mode - the three mandatory entries in case
66of POSIX.1e ACL.
67If the POSIX.1e ACL contains a
68.Dq Li mask
69entry, the permissions of the
70.Dq Li group
71entry in the resulting ACL will be set to the permission
72associated with both the
73.Dq Li group
74and
75.Dq Li mask
76entries of the current ACL.
77.It Fl d
78The operations apply to the default ACL entries instead of
79access ACL entries.
80Currently only directories may have
81default ACL's.
82This option is not applicable to NFSv4 ACLs.
83.It Fl h
84If the target of the operation is a symbolic link, perform the operation
85on the symbolic link itself, rather than following the link.
86.It Fl H
87If the
88.Fl R
89option is specified, symbolic links on the command line are followed
90and hence unaffected by the command.
91(Symbolic links encountered during tree traversal are not followed.)
92.It Fl k
93Delete any default ACL entries on the specified files.
94It
95is not considered an error if the specified files do not have
96any default ACL entries.
97An error will be reported if any of
98the specified files cannot have a default entry (i.e.,
99non-directories).
100This option is not applicable to NFSv4 ACLs.
101.It Fl L
102If the
103.Fl R
104option is specified, all symbolic links are followed.
105.It Fl m Ar entries
106Modify the ACL on the specified file.
107New entries will be added, and existing entries will be modified
108according to the
109.Ar entries
110argument.
111For NFSv4 ACLs, it is recommended to use the
112.Fl a
113and
114.Fl x
115options instead.
116.It Fl M Ar file
117Modify the ACL entries on the specified files by adding new
118ACL entries and modifying existing ACL entries with the ACL
119entries specified in the file
120.Ar file .
121If
122.Ar file
123is
124.Fl ,
125the input is taken from stdin.
126.It Fl n
127Do not recalculate the permissions associated with the ACL
128mask entry.
129This option is not applicable to NFSv4 ACLs.
130.It Fl P
131If the
132.Fl R
133option is specified, no symbolic links are followed.
134This is the default.
135.It Fl R
136Perform the action recursively on any specified directories.
137When modifying or adding NFSv4 ACL entries, inheritance flags
138are applied only to directories.
139.It Fl x Ar entries | position
140If
141.Ar entries
142is specified, remove the ACL entries specified there
143from the access or default ACL of the specified files.
144Otherwise, remove entry at index
145.Ar position ,
146counting from zero.
147.It Fl X Ar file
148Remove the ACL entries specified in the file
149.Ar file
150from the access or default ACL of the specified files.
151.El
152.Pp
153The above options are evaluated in the order specified
154on the command-line.
155.Sh POSIX.1e ACL ENTRIES
156A POSIX.1E ACL entry contains three colon-separated fields:
157an ACL tag, an ACL qualifier, and discretionary access
158permissions:
159.Bl -tag -width indent
160.It Ar "ACL tag"
161The ACL tag specifies the ACL entry type and consists of
162one of the following:
163.Dq Li user
164or
165.Ql u
166specifying the access
167granted to the owner of the file or a specified user;
168.Dq Li group
169or
170.Ql g
171specifying the access granted to the file owning group
172or a specified group;
173.Dq Li other
174or
175.Ql o
176specifying the access
177granted to any process that does not match any user or group
178ACL entry;
179.Dq Li mask
180or
181.Ql m
182specifying the maximum access
183granted to any ACL entry except the
184.Dq Li user
185ACL entry for the file owner and the
186.Dq Li other
187ACL entry.
188.It Ar "ACL qualifier"
189The ACL qualifier field describes the user or group associated with
190the ACL entry.
191It may consist of one of the following: uid or
192user name, gid or group name, or empty.
193For
194.Dq Li user
195ACL entries, an empty field specifies access granted to the
196file owner.
197For
198.Dq Li group
199ACL entries, an empty field specifies access granted to the
200file owning group.
201.Dq Li mask
202and
203.Dq Li other
204ACL entries do not use this field.
205.It Ar "access permissions"
206The access permissions field contains up to one of each of
207the following:
208.Ql r ,
209.Ql w ,
210and
211.Ql x
212to set read, write, and
213execute permissions, respectively.
214Each of these may be excluded
215or replaced with a
216.Ql -
217character to indicate no access.
218.El
219.Pp
220A
221.Dq Li mask
222ACL entry is required on a file with any ACL entries other than
223the default
224.Dq Li user ,
225.Dq Li group ,
226and
227.Dq Li other
228ACL entries.
229If the
230.Fl n
231option is not specified and no
232.Dq Li mask
233ACL entry was specified, the
234.Nm
235utility
236will apply a
237.Dq Li mask
238ACL entry consisting of the union of the permissions associated
239with all
240.Dq Li group
241ACL entries in the resulting ACL.
242.Pp
243Traditional POSIX interfaces acting on file system object modes have
244modified semantics in the presence of POSIX.1e extended ACLs.
245When a mask entry is present on the access ACL of an object, the mask
246entry is substituted for the group bits; this occurs in programs such
247as
248.Xr stat 1
249or
250.Xr ls 1 .
251When the mode is modified on an object that has a mask entry, the
252changes applied to the group bits will actually be applied to the
253mask entry.
254These semantics provide for greater application compatibility:
255applications modifying the mode instead of the ACL will see
256conservative behavior, limiting the effective rights granted by all
257of the additional user and group entries; this occurs in programs
258such as
259.Xr chmod 1 .
260.Pp
261ACL entries applied from a file using the
262.Fl M
263or
264.Fl X
265options shall be of the following form: one ACL entry per line, as
266previously specified; whitespace is ignored; any text after a
267.Ql #
268is ignored (comments).
269.Pp
270When POSIX.1e ACL entries are evaluated, the access check algorithm checks
271the ACL entries in the following order: file owner,
272.Dq Li user
273ACL entries, file owning group,
274.Dq Li group
275ACL entries, and
276.Dq Li other
277ACL entry.
278.Pp
279Multiple ACL entries specified on the command line are
280separated by commas.
281.Pp
282It is possible for files and directories to inherit ACL entries from their
283parent directory.
284This is accomplished through the use of the default ACL.
285It should be noted that before you can specify a default ACL, the mandatory
286ACL entries for user, group, other and mask must be set.
287For more details see the examples below.
288Default ACLs can be created by using
289.Fl d .
290.Sh NFSv4 ACL ENTRIES
291An NFSv4 ACL entry contains four or five colon-separated fields: an ACL tag,
292an ACL qualifier (only for
293.Dq Li user
294and
295.Dq Li group
296tags), discretionary access permissions, ACL inheritance flags, and ACL type:
297.Bl -tag -width indent
298.It Ar "ACL tag"
299The ACL tag specifies the ACL entry type and consists of
300one of the following:
301.Dq Li user
302or
303.Ql u
304specifying the access
305granted to the specified user;
306.Dq Li group
307or
308.Ql g
309specifying the access granted to the specified group;
310.Dq Li owner@
311specifying the access granted to the owner of the file;
312.Dq Li group@
313specifying the access granted to the file owning group;
314.Dq Li everyone@
315specifying everyone.
316Note that
317.Dq Li everyone@
318is not the same as traditional Unix
319.Dq Li other
320- it means,
321literally, everyone, including file owner and owning group.
322.It Ar "ACL qualifier"
323The ACL qualifier field describes the user or group associated with
324the ACL entry.
325It may consist of one of the following: uid or
326user name, or gid or group name.
327In entries whose tag type is one of
328.Dq Li owner@ ,
329.Dq Li group@ ,
330or
331.Dq Li everyone@ ,
332this field is omitted altogether, including the trailing colon.
333.It Ar "access permissions"
334Access permissions may be specified in either short or long form.
335Short and long forms may not be mixed.
336Permissions in long form are separated by the
337.Ql /
338character; in short form, they are concatenated together.
339Valid permissions are:
340.Bl -tag -width ".Dv modify_set"
341.It Short
342Long
343.It r
344read_data
345.It w
346write_data
347.It x
348execute
349.It p
350append_data
351.It D
352delete_child
353.It d
354delete
355.It a
356read_attributes
357.It A
358write_attributes
359.It R
360read_xattr
361.It W
362write_xattr
363.It c
364read_acl
365.It C
366write_acl
367.It o
368write_owner
369.It s
370synchronize
371.El
372.Pp
373In addition, the following permission sets may be used:
374.Bl -tag -width ".Dv modify_set"
375.It Set
376Permissions
377.It full_set
378all permissions, as shown above
379.It modify_set
380all permissions except write_acl and write_owner
381.It read_set
382read_data, read_attributes, read_xattr and read_acl
383.It write_set
384write_data, append_data, write_attributes and write_xattr
385.El
386.It Ar "ACL inheritance flags"
387Inheritance flags may be specified in either short or long form.
388Short and long forms may not be mixed.
389Access flags in long form are separated by the
390.Ql /
391character; in short form, they are concatenated together.
392Valid inheritance flags are:
393.Bl -tag -width ".Dv short"
394.It Short
395Long
396.It f
397file_inherit
398.It d
399dir_inherit
400.It i
401inherit_only
402.It n
403no_propagate
404.It I
405inherited
406.El
407.Pp
408Other than the "inherited" flag, inheritance flags may be only set on directories.
409.It Ar "ACL type"
410The ACL type field is either
411.Dq Li allow
412or
413.Dq Li deny .
414.El
415.Pp
416ACL entries applied from a file using the
417.Fl M
418or
419.Fl X
420options shall be of the following form: one ACL entry per line, as
421previously specified; whitespace is ignored; any text after a
422.Ql #
423is ignored (comments).
424.Pp
425NFSv4 ACL entries are evaluated in their visible order.
426.Pp
427Multiple ACL entries specified on the command line are
428separated by commas.
429.Pp
430Note that the file owner is always granted the read_acl, write_acl,
431read_attributes, and write_attributes permissions, even if the ACL
432would deny it.
433.Sh EXIT STATUS
434.Ex -std
435.Sh EXAMPLES
436.Dl setfacl -d -m u::rwx,g::rx,o::rx,mask::rwx dir
437.Dl setfacl -d -m g:admins:rwx dir
438.Pp
439The first command sets the mandatory elements of the POSIX.1e default ACL.
440The second command specifies that users in group admins can have read, write, and execute
441permissions for directory named "dir".
442It should be noted that any files or directories created underneath "dir" will
443inherit these default ACLs upon creation.
444.Pp
445.Dl setfacl -m u::rwx,g:mail:rw file
446.Pp
447Sets read, write, and execute permissions for the
448.Pa file
449owner's POSIX.1e ACL entry and read and write permissions for group mail on
450.Pa file .
451.Pp
452.Dl setfacl -m owner@:rwxp::allow,g:mail:rwp::allow file
453.Pp
454Semantically equal to the example above, but for NFSv4 ACL.
455.Pp
456.Dl setfacl -M file1 file2
457.Pp
458Sets/updates the ACL entries contained in
459.Pa file1
460on
461.Pa file2 .
462.Pp
463.Dl setfacl -x g:mail:rw file
464.Pp
465Remove the group mail POSIX.1e ACL entry containing read/write permissions
466from
467.Pa file .
468.Pp
469.Dl setfacl -x0 file
470.Pp
471Remove the first entry from the NFSv4 ACL from
472.Pa file .
473.Pp
474.Dl setfacl -bn file
475.Pp
476Remove all
477.Dq Li access
478ACL entries except for the three required from
479.Pa file .
480.Pp
481.Dl getfacl file1 | setfacl -b -n -M - file2
482.Pp
483Copy ACL entries from
484.Pa file1
485to
486.Pa file2 .
487.Sh SEE ALSO
488.Xr getfacl 1 ,
489.Xr acl 3 ,
490.Xr getextattr 8 ,
491.Xr setextattr 8 ,
492.Xr acl 9 ,
493.Xr extattr 9
494.Sh STANDARDS
495The
496.Nm
497utility is expected to be
498.Tn IEEE
499Std 1003.2c compliant.
500.Sh HISTORY
501Extended Attribute and Access Control List support was developed
502as part of the
503.Tn TrustedBSD
504Project and introduced in
505.Fx 5.0 .
506NFSv4 ACL support was introduced in
507.Fx 8.1 .
508.Sh AUTHORS
509.An -nosplit
510The
511.Nm
512utility was written by
513.An Chris D. Faulhaber Aq Mt jedgar@fxp.org .
514NFSv4 ACL support was implemented by
515.An Edward Tomasz Napierala Aq Mt trasz@FreeBSD.org .
516