xref: /freebsd/bin/setfacl/setfacl.1 (revision 4f1f4356f3012928b463f9ef1710fb908e48b1e2)
.\"-
.\" Copyright (c) 2001 Chris D. Faulhaber
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD$
.\"
.Dd July 27, 2010
.Dt SETFACL 1
.Os
.Sh NAME
.Nm setfacl
.Nd set ACL information
.Sh SYNOPSIS
.Nm
.Op Fl bdhkn
.Op Fl a Ar position entries
.Op Fl m Ar entries
.Op Fl M Ar file
.Op Fl x Ar entries | position
.Op Fl X Ar file
.Op Ar
.Sh DESCRIPTION
The
.Nm
utility sets discretionary access control information on
the specified file(s).
If no files are specified, or the list consists only of
.Sq Fl ,
the file names are taken from the standard input.
.Pp
The following options are available:
.Bl -tag -width indent
.It Fl a Ar position entries
Modify the ACL on the specified files by inserting new
ACL entries
specified in
.Ar entries ,
starting at position
.Ar position ,
counting from zero.
This option is only applicable to NFSv4 ACLs.
.It Fl b
Remove all ACL entries except for the three required entries
(POSIX.1e ACLs) or six "canonical" entries (NFSv4 ACLs).
If the POSIX.1e ACL contains a
.Dq Li mask
entry, the permissions of the
.Dq Li group
entry in the resulting ACL will be set to the permissions
associated with both the
.Dq Li group
and
.Dq Li mask
entries of the current ACL.
.It Fl d
The operations apply to the default ACL entries instead of
access ACL entries.
Currently only directories may have
default ACLs.
This option is not applicable to NFSv4 ACLs.
.It Fl h
If the target of the operation is a symbolic link, perform the operation
on the symbolic link itself, rather than following the link.
.It Fl k
Delete any default ACL entries on the specified files.
It
is not considered an error if the specified files do not have
any default ACL entries.
An error will be reported if any of
the specified files cannot have a default entry (i.e.\&
non-directories).
This option is not applicable to NFSv4 ACLs.
.It Fl m Ar entries
Modify the ACL entries on the specified files by adding new
entries and modifying existing ACL entries with the ACL entries
specified in
.Ar entries .
.It Fl M Ar file
Modify the ACL entries on the specified files by adding new
ACL entries and modifying existing ACL entries with the ACL
entries specified in the file
.Ar file .
If
.Ar file
is
.Fl ,
the input is taken from stdin.
.It Fl n
Do not recalculate the permissions associated with the ACL
mask entry.
This option is not applicable to NFSv4 ACLs.
.It Fl x Ar entries | position
If
.Ar entries
is specified, remove the ACL entries specified there
from the access or default ACL of the specified files.
Otherwise, remove the entry at index
.Ar position ,
counting from zero.
.It Fl X Ar file
Remove the ACL entries specified in the file
.Ar file
from the access or default ACL of the specified files.
.El
.Pp
The above options are evaluated in the order specified
on the command-line.
.Sh POSIX.1e ACL ENTRIES
A POSIX.1e ACL entry contains three colon-separated fields:
an ACL tag, an ACL qualifier, and discretionary access
permissions:
.Bl -tag -width indent
.It Ar "ACL tag"
The ACL tag specifies the ACL entry type and consists of
one of the following:
.Dq Li user
or
.Ql u
specifying the access
granted to the owner of the file or a specified user;
.Dq Li group
or
.Ql g
specifying the access granted to the file owning group
or a specified group;
.Dq Li other
or
.Ql o
specifying the access
granted to any process that does not match any user or group
ACL entry;
.Dq Li mask
or
.Ql m
specifying the maximum access
granted to any ACL entry except the
.Dq Li user
ACL entry for the file owner and the
.Dq Li other
ACL entry.
.It Ar "ACL qualifier"
The ACL qualifier field describes the user or group associated with
the ACL entry.
It may consist of one of the following: uid or
user name, gid or group name, or empty.
For
.Dq Li user
ACL entries, an empty field specifies access granted to the
file owner.
For
.Dq Li group
ACL entries, an empty field specifies access granted to the
file owning group.
.Dq Li mask
and
.Dq Li other
ACL entries do not use this field.
.It Ar "access permissions"
The access permissions field contains up to one of each of
the following:
.Ql r ,
.Ql w ,
and
.Ql x
to set read, write, and
execute permissions, respectively.
Each of these may be excluded
or replaced with a
.Ql -
character to indicate no access.
.El
.Pp
A
.Dq Li mask
ACL entry is required on a file with any ACL entries other than
the default
.Dq Li user ,
.Dq Li group ,
and
.Dq Li other
ACL entries.
If the
.Fl n
option is not specified and no
.Dq Li mask
ACL entry was specified, the
.Nm
utility
will apply a
.Dq Li mask
ACL entry consisting of the union of the permissions associated
with all
.Dq Li group
ACL entries in the resulting ACL.
.Pp
Traditional POSIX interfaces acting on file system object modes have
modified semantics in the presence of POSIX.1e extended ACLs.
When a mask entry is present on the access ACL of an object, the mask
entry is substituted for the group bits; this occurs in programs such
as
.Xr stat 1
or
.Xr ls 1 .
When the mode is modified on an object that has a mask entry, the
changes applied to the group bits will actually be applied to the
mask entry.
These semantics provide for greater application compatibility:
applications modifying the mode instead of the ACL will see
conservative behavior, limiting the effective rights granted by all
of the additional user and group entries; this occurs in programs
such as
.Xr chmod 1 .
.Pp
ACL entries applied from a file using the
.Fl M
or
.Fl X
options shall be of the following form: one ACL entry per line, as
previously specified; whitespace is ignored; any text after a
.Ql #
is ignored (comments).
.Pp
When POSIX.1e ACL entries are evaluated, the access check algorithm checks
the ACL entries in the following order: file owner,
.Dq Li user
ACL entries, file owning group,
.Dq Li group
ACL entries, and
.Dq Li other
ACL entry.
.Pp
Multiple ACL entries specified on the command line are
separated by commas.
.Pp
It is possible for files and directories to inherit ACL entries from their
parent directory.
This is accomplished through the use of the default ACL.
It should be noted that before you can specify a default ACL, the mandatory
ACL entries for user, group, other and mask must be set.
For more details see the examples below.
Default ACLs can be created by using
.Fl d .
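.Pp
The following Python program is an added example, not code from
.Nm
or from FreeBSD.
It parses POSIX.1e entries in the comma-separated command-line form and in the
.Fl M
file form described above, recalculates the
.Dq Li mask
entry as described above when none was given, and applies the access-check
order given above.
Numeric uids and gids stand in for user and group names so that it runs
without a password database; the function names and the sample ACL are this
example's own, and the rule that any matching group entry may grant access is
taken from POSIX.1e group-class semantics rather than from this page.

```python
"""POSIX.1e ACL entries as setfacl(1) accepts them: parser for the
command-line and -M file forms, the default mask recalculation, and the
access-check order the manual gives.  Added example, not part of setfacl;
function names and the sample ACL are this example's own.  Numeric ids are
used as qualifiers so the code runs without a password database."""
from dataclasses import dataclass

TAGS = {"u": "user", "user": "user", "g": "group", "group": "group",
        "o": "other", "other": "other", "m": "mask", "mask": "mask"}


@dataclass(frozen=True)
class Entry:
    tag: str            # user, group, other or mask (long form)
    qualifier: str      # uid or gid text; "" means file owner / owning group
    perms: frozenset    # subset of {"r", "w", "x"}


def parse_perms(text):
    """'rwx', 'r-x', 'rx' or '---': each letter at most once, '-' means none."""
    granted = set()
    for ch in text:
        if ch == "-":
            continue
        if ch not in "rwx" or ch in granted:
            raise ValueError(f"bad permission field {text!r}")
        granted.add(ch)
    return frozenset(granted)


def parse_entry(text):
    """One tag:qualifier:perms entry, e.g. 'g:2001:rw-' or 'mask::r-x'."""
    fields = text.split(":")
    if len(fields) != 3 or fields[0] not in TAGS:
        raise ValueError(f"malformed POSIX.1e entry {text!r}")
    tag = TAGS[fields[0]]
    if tag in ("mask", "other") and fields[1]:
        raise ValueError(f"{tag} entries take no qualifier: {text!r}")
    return Entry(tag, fields[1], parse_perms(fields[2]))


def parse_entries(text):
    """Comma-separated list as given to -m or -x on the command line."""
    return [parse_entry(item) for item in text.split(",") if item]


def parse_acl_file(content):
    """-M/-X file form: one entry per line, whitespace ignored, '#' starts a comment."""
    entries = []
    for line in content.splitlines():
        line = "".join(line.split("#", 1)[0].split())
        if line:
            entries.append(parse_entry(line))
    return entries


def recalculate_mask(entries):
    """Default behaviour without -n: when no mask entry was specified, add one
    holding the union of the permissions of all group entries."""
    if any(e.tag == "mask" for e in entries):
        return list(entries)
    union = frozenset().union(*(e.perms for e in entries if e.tag == "group"))
    return list(entries) + [Entry("mask", "", union)]


def access_allowed(entries, owner_uid, owner_gid, uid, gids, perm):
    """Check one permission letter in the manual's order: file owner, named
    user entries, owning group, named group entries, other.  The mask limits
    every entry except the owner's user entry and the other entry.  Granting
    access when any matching group entry allows it is POSIX.1e group-class
    semantics, not something setfacl(1) itself states."""
    mask = next((e.perms for e in entries if e.tag == "mask"), None)

    def masked(perms):
        return perms if mask is None else perms & mask

    def find(tag, qualifier):
        return next(e for e in entries if e.tag == tag and e.qualifier == qualifier)

    if uid == owner_uid:                                  # 1. file owner, unmasked
        return perm in find("user", "").perms
    for e in entries:                                     # 2. named user entries
        if e.tag == "user" and e.qualifier == str(uid):
            return perm in masked(e.perms)
    group_entries = []
    if owner_gid in gids:                                 # 3. owning group
        group_entries.append(find("group", ""))
    group_entries += [e for e in entries                  # 4. named group entries
                      if e.tag == "group" and any(e.qualifier == str(g) for g in gids)]
    if group_entries:
        return any(perm in masked(e.perms) for e in group_entries)
    return perm in find("other", "").perms                # 5. other, unmasked


# Constructed sample in the -M file form; equivalent to the command-line list
# u::rwx,u:1001:rwx,g::r-x,g:2001:rw-,m::r-x,o::r--
SAMPLE_ACL_FILE = """\
# owner keeps full rights; the mask caps named users and all groups at r-x
u::rwx
u:1001:rwx      # granted rwx, effective rights r-x because of the mask
g::r-x
g:2001:rw-
m::r-x
o::r--
"""

if __name__ == "__main__":
    acl = parse_acl_file(SAMPLE_ACL_FILE)
    print("uid 1001 write:", access_allowed(acl, 1000, 1000, 1001, {1001}, "w"))  # False
    print("owner write:   ", access_allowed(acl, 1000, 1000, 1000, {1000}, "w"))  # True
```

With the constructed sample, user 1001 is granted
.Ql rwx
but the
.Dq Li mask
of
.Ql r-x
makes the write check fail, while the owner's own entry is not limited by
the mask; this is the conservative behaviour the paragraph on
.Xr chmod 1
above describes.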
.Sh NFSv4 ACL ENTRIES
An NFSv4 ACL entry contains four or five colon-separated fields: an ACL tag,
an ACL qualifier (only for
.Dq Li user
and
.Dq Li group
tags), discretionary access permissions, ACL inheritance flags, and ACL type:
.Bl -tag -width indent
.It Ar "ACL tag"
The ACL tag specifies the ACL entry type and consists of
one of the following:
.Dq Li user
or
.Ql u
specifying the access
granted to the specified user;
.Dq Li group
or
.Ql g
specifying the access granted to the specified group;
.Dq Li owner@
specifying the access granted to the owner of the file;
.Dq Li group@
specifying the access granted to the file owning group;
.Dq Li everyone@
specifying everyone.
Note that
.Dq Li everyone@
is not the same as traditional Unix
.Dq Li other
- it means,
literally, everyone, including file owner and owning group.
.It Ar "ACL qualifier"
The ACL qualifier field describes the user or group associated with
the ACL entry.
It may consist of one of the following: uid or
user name, or gid or group name.
In entries whose tag type is
one of
.Dq Li owner@ ,
.Dq Li group@ ,
or
.Dq Li everyone@ ,
this field is omitted altogether, including the trailing comma.
.It Ar "access permissions"
Access permissions may be specified in either short or long form.
Short and long forms may not be mixed.
Permissions in long form are separated by the
.Ql /
character; in short form, they are concatenated together.
Valid permissions are:
.Bl -tag -width ".Dv short"
.It Short
Long
.It r
read_data
.It w
write_data
.It x
execute
.It p
append_data
.It d
delete_child
.It D
delete
.It a
read_attributes
.It A
write_attributes
.It R
read_xattr
.It W
write_xattr
.It c
read_acl
.It C
write_acl
.It o
write_owner
.It S
synchronize
.El
.It Ar "ACL inheritance flags"
Inheritance flags may be specified in either short or long form.
Short and long forms may not be mixed.
Inheritance flags in long form are separated by the
.Ql /
character; in short form, they are concatenated together.
Valid inheritance flags are:
.Bl -tag -width ".Dv short"
.It Short
Long
.It f
file_inherit
.It d
dir_inherit
.It i
inherit_only
.It n
no_propagate
.El
.Pp
Inheritance flags may only be set on directories.
.It Ar "ACL type"
The ACL type field is either
.Dq Li allow
or
.Dq Li deny .
.El
.Pp
ACL entries applied from a file using the
.Fl M
or
.Fl X
options shall be of the following form: one ACL entry per line, as
previously specified; whitespace is ignored; any text after a
.Ql #
is ignored (comments).
.Pp
NFSv4 ACL entries are evaluated in their visible order.
.Pp
Multiple ACL entries specified on the command line are
separated by commas.
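.Pp
The following Python program is an added example, not code from
.Nm
or from FreeBSD.
It parses NFSv4 entries in the four- or five-field form described above,
accepting short or long permissions and inheritance flags but rejecting a
mix of the two, refusing inheritance flags on anything but a directory, and
then evaluates a constructed ACL in its visible order so that the effect of
where a
.Dq Li deny
entry sits becomes visible.
The function names and sample ACLs are this example's own; the rule that
matching
.Dq Li allow
entries accumulate until every requested permission is granted, while a
matching
.Dq Li deny
entry covering a still-ungranted permission ends the check, is RFC 7530's
algorithm, which this page does not spell out.

```python
"""NFSv4 ACL entries as setfacl(1) accepts them: parser for the four- or
five-field form with short or long permissions and inheritance flags, plus an
access check that walks the entries in their visible order.  Added example,
not part of setfacl; names and sample ACLs are this example's own.  The
allow/deny accumulation rule is RFC 7530's, not stated by the manual page."""
from dataclasses import dataclass

SHORT_PERMS = {
    "r": "read_data", "w": "write_data", "x": "execute", "p": "append_data",
    "d": "delete_child", "D": "delete", "a": "read_attributes",
    "A": "write_attributes", "R": "read_xattr", "W": "write_xattr",
    "c": "read_acl", "C": "write_acl", "o": "write_owner", "S": "synchronize",
}
SHORT_FLAGS = {"f": "file_inherit", "d": "dir_inherit",
               "i": "inherit_only", "n": "no_propagate"}
SPECIAL_TAGS = ("owner@", "group@", "everyone@")
NAMED_TAGS = {"u": "user", "user": "user", "g": "group", "group": "group"}


@dataclass(frozen=True)
class Ace:
    tag: str            # user, group, owner@, group@ or everyone@
    qualifier: str      # uid/gid or name; "" for the @ tags
    perms: frozenset    # long permission names
    flags: frozenset    # long inheritance flag names
    type: str           # allow or deny


def parse_set(text, table, what):
    """Short form is concatenated letters, long form is names joined by '/';
    the forms may not be mixed.  Long names are returned in either case."""
    if text == "":
        return frozenset()
    if "/" in text or text in table.values():
        names = text.split("/")
        if all(n in table.values() for n in names):
            return frozenset(names)
    elif all(ch in table for ch in text):
        return frozenset(table[ch] for ch in text)
    raise ValueError(f"unknown or mixed {what}: {text!r}")


def parse_ace(text, is_directory):
    """tag:perms:flags:type for the @ tags, tag:qualifier:perms:flags:type otherwise."""
    fields = text.split(":")
    if fields[0] in SPECIAL_TAGS and len(fields) == 4:
        tag, qualifier = fields[0], ""
        perms, flags, typ = fields[1:]
    elif fields[0] in NAMED_TAGS and len(fields) == 5 and fields[1]:
        tag = NAMED_TAGS[fields[0]]
        qualifier, perms, flags, typ = fields[1:]
    else:
        raise ValueError(f"malformed NFSv4 entry {text!r}")
    if typ not in ("allow", "deny"):
        raise ValueError(f"ACL type must be allow or deny: {text!r}")
    ace = Ace(tag, qualifier, parse_set(perms, SHORT_PERMS, "permissions"),
              parse_set(flags, SHORT_FLAGS, "inheritance flags"), typ)
    if ace.flags and not is_directory:
        raise ValueError(f"inheritance flags are only valid on directories: {text!r}")
    return ace


def parse_aces(text, is_directory=True):
    """Comma-separated entries as given to -m, -a or -x."""
    return [parse_ace(item, is_directory) for item in text.split(",") if item]


def is_valid(text, is_directory=True):
    """True when every entry in text parses for the given target type."""
    try:
        parse_aces(text, is_directory)
    except ValueError:
        return False
    return True


def nfsv4_access(aces, owner_uid, owner_gid, uid, gids, wanted):
    """Walk the entries in visible order (RFC 7530): a matching deny entry
    covering a permission not yet granted denies; matching allow entries
    accumulate until all wanted permissions are granted; running off the end
    denies.  inherit_only entries do not apply to the directory itself."""
    def matches(ace):
        if ace.tag == "owner@":
            return uid == owner_uid
        if ace.tag == "group@":
            return owner_gid in gids
        if ace.tag == "everyone@":            # literally everyone, owner included
            return True
        if ace.tag == "user":
            return ace.qualifier == str(uid)
        return any(ace.qualifier == str(g) for g in gids)

    needed = set(wanted)
    for ace in aces:
        if "inherit_only" in ace.flags or not matches(ace):
            continue
        if ace.type == "deny" and needed & ace.perms:
            return False
        if ace.type == "allow":
            needed -= ace.perms
            if not needed:
                return True
    return False


# Constructed directory ACLs that differ only in where the deny entry sits.
DENY_FIRST = ("u:1001:w::deny,g:2001:rwxp:fd:allow,"
              "owner@:rwxpdDaARWcCoS::allow,everyone@:rx::allow")
DENY_LATER = ("g:2001:rwxp:fd:allow,u:1001:w::deny,"
              "owner@:rwxpdDaARWcCoS::allow,everyone@:rx::allow")

if __name__ == "__main__":
    for text in (DENY_FIRST, DENY_LATER):   # prints False, then True
        print(nfsv4_access(parse_aces(text), 1000, 1000, 1001, {2001}, {"write_data"}))
```

With the deny entry first, user 1001 (a member of group 2001) cannot write;
with the same entries in the other order the group
.Dq Li allow
entry is reached first and the later
.Dq Li deny
never takes effect, which is why
.Fl a
and the
.Ar position
argument to
.Fl x
matter for NFSv4 ACLs.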
.Sh EXIT STATUS
.Ex -std
.Sh EXAMPLES
.Dl setfacl -d -m u::rwx,g::rx,o::rx,mask::rwx dir
.Dl setfacl -d -m g:admins:rwx dir
.Pp
The first command sets the mandatory elements of the POSIX.1e default ACL.
The second command specifies that users in group admins can have read, write, and execute
permissions for the directory named "dir".
It should be noted that any files or directories created underneath "dir" will
inherit these default ACLs upon creation.
.Pp
.Dl setfacl -m u::rwx,g:mail:rw file
.Pp
Sets read, write, and execute permissions for the
.Pa file
owner's POSIX.1e ACL entry and read and write permissions for group mail on
.Pa file .
.Pp
.Dl setfacl -m owner@:rwxp::allow,g:mail:rwp::allow file
.Pp
Semantically equal to the example above, but for an NFSv4 ACL.
.Pp
.Dl setfacl -M file1 file2
.Pp
Sets/updates the ACL entries contained in
.Pa file1
on
.Pa file2 .
.Pp
.Dl setfacl -x g:mail:rw file
.Pp
Remove the group mail POSIX.1e ACL entry containing read/write permissions
from
.Pa file .
.Pp
.Dl setfacl -x0 file
.Pp
Remove the first entry from the NFSv4 ACL of
.Pa file .
.Pp
.Dl setfacl -bn file
.Pp
Remove all
.Dq Li access
ACL entries except for the three required from
.Pa file .
.Pp
.Dl getfacl file1 | setfacl -b -n -M - file2
.Pp
Copy ACL entries from
.Pa file1
to
.Pa file2 .
.Sh SEE ALSO
.Xr getfacl 1 ,
.Xr acl 3 ,
.Xr getextattr 8 ,
.Xr setextattr 8 ,
.Xr acl 9 ,
.Xr extattr 9
.Sh STANDARDS
The
.Nm
utility is expected to be
.Tn IEEE
Std 1003.2c compliant.
.Sh HISTORY
Extended Attribute and Access Control List support was developed
as part of the
.Tn TrustedBSD
Project and introduced in
.Fx 5.0 .
NFSv4 ACL support was introduced in
.Fx 8.1 .
.Sh AUTHORS
.An -nosplit
The
.Nm
utility was written by
.An Chris D. Faulhaber Aq jedgar@fxp.org .
NFSv4 ACL support was implemented by
.An Edward Tomasz Napierala Aq trasz@FreeBSD.org .

466