1.\"- 2.\" Copyright (c) 2001 Chris D. Faulhaber 3.\" Copyright (c) 2011 Edward Tomasz Napierała 4.\" All rights reserved. 5.\" 6.\" Redistribution and use in source and binary forms, with or without 7.\" modification, are permitted provided that the following conditions 8.\" are met: 9.\" 1. Redistributions of source code must retain the above copyright 10.\" notice, this list of conditions and the following disclaimer. 11.\" 2. Redistributions in binary form must reproduce the above copyright 12.\" notice, this list of conditions and the following disclaimer in the 13.\" documentation and/or other materials provided with the distribution. 14.\" 15.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 16.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 17.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 18.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 19.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 20.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 21.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 22.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 23.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 24.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 25.\" SUCH DAMAGE. 26.\" 27.\" $FreeBSD$ 28.\" 29.Dd January 23, 2016 30.Dt SETFACL 1 31.Os 32.Sh NAME 33.Nm setfacl 34.Nd set ACL information 35.Sh SYNOPSIS 36.Nm 37.Op Fl bdhkn 38.Op Fl a Ar position entries 39.Op Fl m Ar entries 40.Op Fl M Ar file 41.Op Fl x Ar entries | position 42.Op Fl X Ar file 43.Op Ar 44.Sh DESCRIPTION 45The 46.Nm 47utility sets discretionary access control information on 48the specified file(s). 49If no files are specified, or the list consists of the only 50.Sq Fl , 51the file names are taken from the standard input. 52.Pp 53The following options are available: 54.Bl -tag -width indent 55.It Fl a Ar position entries 56Modify the ACL on the specified files by inserting new 57ACL entries 58specified in 59.Ar entries , 60starting at position 61.Ar position , 62counting from zero. 63This option is only applicable to NFSv4 ACLs. 64.It Fl b 65Remove all ACL entries except for the ones synthesized 66from the file mode - the three mandatory entries in case 67of POSIX.1e ACL. 68If the POSIX.1e ACL contains a 69.Dq Li mask 70entry, the permissions of the 71.Dq Li group 72entry in the resulting ACL will be set to the permission 73associated with both the 74.Dq Li group 75and 76.Dq Li mask 77entries of the current ACL. 78.It Fl d 79The operations apply to the default ACL entries instead of 80access ACL entries. 81Currently only directories may have 82default ACL's. This option is not applicable to NFSv4 ACLs. 83.It Fl h 84If the target of the operation is a symbolic link, perform the operation 85on the symbolic link itself, rather than following the link. 86.It Fl k 87Delete any default ACL entries on the specified files. 88It 89is not considered an error if the specified files do not have 90any default ACL entries. 91An error will be reported if any of 92the specified files cannot have a default entry (i.e.\& 93non-directories). This option is not applicable to NFSv4 ACLs. 94.It Fl m Ar entries 95Modify the ACL on the specified file. 96New entries will be added, and existing entries will be modified 97according to the 98.Ar entries 99argument. 100For NFSv4 ACLs, it is recommended to use the 101.Fl a 102and 103.Fl x 104options instead. 105.It Fl M Ar file 106Modify the ACL entries on the specified files by adding new 107ACL entries and modifying existing ACL entries with the ACL 108entries specified in the file 109.Ar file . 110If 111.Ar file 112is 113.Fl , 114the input is taken from stdin. 115.It Fl n 116Do not recalculate the permissions associated with the ACL 117mask entry. This option is not applicable to NFSv4 ACLs. 118.It Fl x Ar entries | position 119If 120.Ar entries 121is specified, remove the ACL entries specified there 122from the access or default ACL of the specified files. 123Otherwise, remove entry at index 124.Ar position , 125counting from zero. 126.It Fl X Ar file 127Remove the ACL entries specified in the file 128.Ar file 129from the access or default ACL of the specified files. 130.El 131.Pp 132The above options are evaluated in the order specified 133on the command-line. 134.Sh POSIX.1e ACL ENTRIES 135A POSIX.1E ACL entry contains three colon-separated fields: 136an ACL tag, an ACL qualifier, and discretionary access 137permissions: 138.Bl -tag -width indent 139.It Ar "ACL tag" 140The ACL tag specifies the ACL entry type and consists of 141one of the following: 142.Dq Li user 143or 144.Ql u 145specifying the access 146granted to the owner of the file or a specified user; 147.Dq Li group 148or 149.Ql g 150specifying the access granted to the file owning group 151or a specified group; 152.Dq Li other 153or 154.Ql o 155specifying the access 156granted to any process that does not match any user or group 157ACL entry; 158.Dq Li mask 159or 160.Ql m 161specifying the maximum access 162granted to any ACL entry except the 163.Dq Li user 164ACL entry for the file owner and the 165.Dq Li other 166ACL entry. 167.It Ar "ACL qualifier" 168The ACL qualifier field describes the user or group associated with 169the ACL entry. 170It may consist of one of the following: uid or 171user name, gid or group name, or empty. 172For 173.Dq Li user 174ACL entries, an empty field specifies access granted to the 175file owner. 176For 177.Dq Li group 178ACL entries, an empty field specifies access granted to the 179file owning group. 180.Dq Li mask 181and 182.Dq Li other 183ACL entries do not use this field. 184.It Ar "access permissions" 185The access permissions field contains up to one of each of 186the following: 187.Ql r , 188.Ql w , 189and 190.Ql x 191to set read, write, and 192execute permissions, respectively. 193Each of these may be excluded 194or replaced with a 195.Ql - 196character to indicate no access. 197.El 198.Pp 199A 200.Dq Li mask 201ACL entry is required on a file with any ACL entries other than 202the default 203.Dq Li user , 204.Dq Li group , 205and 206.Dq Li other 207ACL entries. 208If the 209.Fl n 210option is not specified and no 211.Dq Li mask 212ACL entry was specified, the 213.Nm 214utility 215will apply a 216.Dq Li mask 217ACL entry consisting of the union of the permissions associated 218with all 219.Dq Li group 220ACL entries in the resulting ACL. 221.Pp 222Traditional POSIX interfaces acting on file system object modes have 223modified semantics in the presence of POSIX.1e extended ACLs. 224When a mask entry is present on the access ACL of an object, the mask 225entry is substituted for the group bits; this occurs in programs such 226as 227.Xr stat 1 228or 229.Xr ls 1 . 230When the mode is modified on an object that has a mask entry, the 231changes applied to the group bits will actually be applied to the 232mask entry. 233These semantics provide for greater application compatibility: 234applications modifying the mode instead of the ACL will see 235conservative behavior, limiting the effective rights granted by all 236of the additional user and group entries; this occurs in programs 237such as 238.Xr chmod 1 . 239.Pp 240ACL entries applied from a file using the 241.Fl M 242or 243.Fl X 244options shall be of the following form: one ACL entry per line, as 245previously specified; whitespace is ignored; any text after a 246.Ql # 247is ignored (comments). 248.Pp 249When POSIX.1e ACL entries are evaluated, the access check algorithm checks 250the ACL entries in the following order: file owner, 251.Dq Li user 252ACL entries, file owning group, 253.Dq Li group 254ACL entries, and 255.Dq Li other 256ACL entry. 257.Pp 258Multiple ACL entries specified on the command line are 259separated by commas. 260.Pp 261It is possible for files and directories to inherit ACL entries from their 262parent directory. 263This is accomplished through the use of the default ACL. 264It should be noted that before you can specify a default ACL, the mandatory 265ACL entries for user, group, other and mask must be set. 266For more details see the examples below. 267Default ACLs can be created by using 268.Fl d . 269.Sh NFSv4 ACL ENTRIES 270An NFSv4 ACL entry contains four or five colon-separated fields: an ACL tag, 271an ACL qualifier (only for 272.Dq Li user 273and 274.Dq Li group 275tags), discretionary access permissions, ACL inheritance flags, and ACL type: 276.Bl -tag -width indent 277.It Ar "ACL tag" 278The ACL tag specifies the ACL entry type and consists of 279one of the following: 280.Dq Li user 281or 282.Ql u 283specifying the access 284granted to the specified user; 285.Dq Li group 286or 287.Ql g 288specifying the access granted to the specified group; 289.Dq Li owner@ 290specifying the access granted to the owner of the file; 291.Dq Li group@ 292specifying the access granted to the file owning group; 293.Dq Li everyone@ 294specifying everyone. Note that 295.Dq Li everyone@ 296is not the same as traditional Unix 297.Dq Li other 298- it means, 299literally, everyone, including file owner and owning group. 300.It Ar "ACL qualifier" 301The ACL qualifier field describes the user or group associated with 302the ACL entry. 303It may consist of one of the following: uid or 304user name, or gid or group name. In entries whose tag type is 305one of 306.Dq Li owner@ , 307.Dq Li group@ , 308or 309.Dq Li everyone@ , 310this field is omitted altogether, including the trailing comma. 311.It Ar "access permissions" 312Access permissions may be specified in either short or long form. 313Short and long forms may not be mixed. 314Permissions in long form are separated by the 315.Ql / 316character; in short form, they are concatenated together. 317Valid permissions are: 318.Bl -tag -width ".Dv modify_set" 319.It Short 320Long 321.It r 322read_data 323.It w 324write_data 325.It x 326execute 327.It p 328append_data 329.It D 330delete_child 331.It d 332delete 333.It a 334read_attributes 335.It A 336write_attributes 337.It R 338read_xattr 339.It W 340write_xattr 341.It c 342read_acl 343.It C 344write_acl 345.It o 346write_owner 347.It s 348synchronize 349.El 350.Pp 351In addition, the following permission sets may be used: 352.Bl -tag -width ".Dv modify_set" 353.It Set 354Permissions 355.It full_set 356all permissions, as shown above 357.It modify_set 358all permissions except write_acl and write_owner 359.It read_set 360read_data, read_attributes, read_xattr and read_acl 361.It write_set 362write_data, append_data, write_attributes and write_xattr 363.El 364.It Ar "ACL inheritance flags" 365Inheritance flags may be specified in either short or long form. 366Short and long forms may not be mixed. 367Access flags in long form are separated by the 368.Ql / 369character; in short form, they are concatenated together. 370Valid inheritance flags are: 371.Bl -tag -width ".Dv short" 372.It Short 373Long 374.It f 375file_inherit 376.It d 377dir_inherit 378.It i 379inherit_only 380.It n 381no_propagate 382.It I 383inherited 384.El 385.Pp 386Other than the "inherited" flag, inheritance flags may be only set on directories. 387.It Ar "ACL type" 388The ACL type field is either 389.Dq Li allow 390or 391.Dq Li deny . 392.El 393.Pp 394ACL entries applied from a file using the 395.Fl M 396or 397.Fl X 398options shall be of the following form: one ACL entry per line, as 399previously specified; whitespace is ignored; any text after a 400.Ql # 401is ignored (comments). 402.Pp 403NFSv4 ACL entries are evaluated in their visible order. 404.Pp 405Multiple ACL entries specified on the command line are 406separated by commas. 407.Pp 408Note that the file owner is always granted the read_acl, write_acl, 409read_attributes, and write_attributes permissions, even if the ACL 410would deny it. 411.Sh EXIT STATUS 412.Ex -std 413.Sh EXAMPLES 414.Dl setfacl -d -m u::rwx,g::rx,o::rx,mask::rwx dir 415.Dl setfacl -d -m g:admins:rwx dir 416.Pp 417The first command sets the mandatory elements of the POSIX.1e default ACL. 418The second command specifies that users in group admins can have read, write, and execute 419permissions for directory named "dir". 420It should be noted that any files or directories created underneath "dir" will 421inherit these default ACLs upon creation. 422.Pp 423.Dl setfacl -m u::rwx,g:mail:rw file 424.Pp 425Sets read, write, and execute permissions for the 426.Pa file 427owner's POSIX.1e ACL entry and read and write permissions for group mail on 428.Pa file . 429.Pp 430.Dl setfacl -m owner@:rwxp::allow,g:mail:rwp::allow file 431.Pp 432Semantically equal to the example above, but for NFSv4 ACL. 433.Pp 434.Dl setfacl -M file1 file2 435.Pp 436Sets/updates the ACL entries contained in 437.Pa file1 438on 439.Pa file2 . 440.Pp 441.Dl setfacl -x g:mail:rw file 442.Pp 443Remove the group mail POSIX.1e ACL entry containing read/write permissions 444from 445.Pa file . 446.Pp 447.Dl setfacl -x0 file 448.Pp 449Remove the first entry from the NFSv4 ACL from 450.Pa file . 451.Pp 452.Dl setfacl -bn file 453.Pp 454Remove all 455.Dq Li access 456ACL entries except for the three required from 457.Pa file . 458.Pp 459.Dl getfacl file1 | setfacl -b -n -M - file2 460.Pp 461Copy ACL entries from 462.Pa file1 463to 464.Pa file2 . 465.Sh SEE ALSO 466.Xr getfacl 1 , 467.Xr acl 3 , 468.Xr getextattr 8 , 469.Xr setextattr 8 , 470.Xr acl 9 , 471.Xr extattr 9 472.Sh STANDARDS 473The 474.Nm 475utility is expected to be 476.Tn IEEE 477Std 1003.2c compliant. 478.Sh HISTORY 479Extended Attribute and Access Control List support was developed 480as part of the 481.Tn TrustedBSD 482Project and introduced in 483.Fx 5.0 . 484NFSv4 ACL support was introduced in 485.Fx 8.1 . 486.Sh AUTHORS 487.An -nosplit 488The 489.Nm 490utility was written by 491.An Chris D. Faulhaber Aq Mt jedgar@fxp.org . 492NFSv4 ACL support was implemented by 493.An Edward Tomasz Napierala Aq Mt trasz@FreeBSD.org . 494