xref: /freebsd/bin/setfacl/setfacl.1 (revision 52f72944b8f5abb2386eae924357dee8aea17d5b)
1.\"-
2.\" Copyright (c) 2001 Chris D. Faulhaber
3.\" Copyright (c) 2011 Edward Tomasz Napierała
4.\" All rights reserved.
5.\"
6.\" Redistribution and use in source and binary forms, with or without
7.\" modification, are permitted provided that the following conditions
8.\" are met:
9.\" 1. Redistributions of source code must retain the above copyright
10.\"    notice, this list of conditions and the following disclaimer.
11.\" 2. Redistributions in binary form must reproduce the above copyright
12.\"    notice, this list of conditions and the following disclaimer in the
13.\"    documentation and/or other materials provided with the distribution.
14.\"
15.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25.\" SUCH DAMAGE.
26.\"
27.\" $FreeBSD$
28.\"
29.Dd January 23, 2016
30.Dt SETFACL 1
31.Os
32.Sh NAME
33.Nm setfacl
34.Nd set ACL information
35.Sh SYNOPSIS
36.Nm
37.Op Fl bdhkn
38.Op Fl a Ar position entries
39.Op Fl m Ar entries
40.Op Fl M Ar file
41.Op Fl x Ar entries | position
42.Op Fl X Ar file
43.Op Ar
44.Sh DESCRIPTION
45The
46.Nm
47utility sets discretionary access control information on
48the specified file(s).
49If no files are specified, or the list consists of the only
50.Sq Fl ,
51the file names are taken from the standard input.
52.Pp
53The following options are available:
54.Bl -tag -width indent
55.It Fl a Ar position entries
56Modify the ACL on the specified files by inserting new
57ACL entries
58specified in
59.Ar entries ,
60starting at position
61.Ar position ,
62counting from zero.
63This option is only applicable to NFSv4 ACLs.
64.It Fl b
65Remove all ACL entries except for the ones synthesized
66from the file mode - the three mandatory entries in case
67of POSIX.1e ACL.
68If the POSIX.1e ACL contains a
69.Dq Li mask
70entry, the permissions of the
71.Dq Li group
72entry in the resulting ACL will be set to the permission
73associated with both the
74.Dq Li group
75and
76.Dq Li mask
77entries of the current ACL.
78.It Fl d
79The operations apply to the default ACL entries instead of
80access ACL entries.
81Currently only directories may have
82default ACL's.  This option is not applicable to NFSv4 ACLs.
83.It Fl h
84If the target of the operation is a symbolic link, perform the operation
85on the symbolic link itself, rather than following the link.
86.It Fl k
87Delete any default ACL entries on the specified files.
88It
89is not considered an error if the specified files do not have
90any default ACL entries.
91An error will be reported if any of
92the specified files cannot have a default entry (i.e.\&
93non-directories).  This option is not applicable to NFSv4 ACLs.
94.It Fl m Ar entries
95Modify the ACL on the specified file.
96New entries will be added, and existing entries will be modified
97according to the
98.Ar entries
99argument.
100For NFSv4 ACLs, it is recommended to use the
101.Fl a
102and
103.Fl x
104options instead.
105.It Fl M Ar file
106Modify the ACL entries on the specified files by adding new
107ACL entries and modifying existing ACL entries with the ACL
108entries specified in the file
109.Ar file .
110If
111.Ar file
112is
113.Fl ,
114the input is taken from stdin.
115.It Fl n
116Do not recalculate the permissions associated with the ACL
117mask entry.
118This option is not applicable to NFSv4 ACLs.
119.It Fl x Ar entries | position
120If
121.Ar entries
122is specified, remove the ACL entries specified there
123from the access or default ACL of the specified files.
124Otherwise, remove entry at index
125.Ar position ,
126counting from zero.
127.It Fl X Ar file
128Remove the ACL entries specified in the file
129.Ar file
130from the access or default ACL of the specified files.
131.El
132.Pp
133The above options are evaluated in the order specified
134on the command-line.
135.Sh POSIX.1e ACL ENTRIES
136A POSIX.1E ACL entry contains three colon-separated fields:
137an ACL tag, an ACL qualifier, and discretionary access
138permissions:
139.Bl -tag -width indent
140.It Ar "ACL tag"
141The ACL tag specifies the ACL entry type and consists of
142one of the following:
143.Dq Li user
144or
145.Ql u
146specifying the access
147granted to the owner of the file or a specified user;
148.Dq Li group
149or
150.Ql g
151specifying the access granted to the file owning group
152or a specified group;
153.Dq Li other
154or
155.Ql o
156specifying the access
157granted to any process that does not match any user or group
158ACL entry;
159.Dq Li mask
160or
161.Ql m
162specifying the maximum access
163granted to any ACL entry except the
164.Dq Li user
165ACL entry for the file owner and the
166.Dq Li other
167ACL entry.
168.It Ar "ACL qualifier"
169The ACL qualifier field describes the user or group associated with
170the ACL entry.
171It may consist of one of the following: uid or
172user name, gid or group name, or empty.
173For
174.Dq Li user
175ACL entries, an empty field specifies access granted to the
176file owner.
177For
178.Dq Li group
179ACL entries, an empty field specifies access granted to the
180file owning group.
181.Dq Li mask
182and
183.Dq Li other
184ACL entries do not use this field.
185.It Ar "access permissions"
186The access permissions field contains up to one of each of
187the following:
188.Ql r ,
189.Ql w ,
190and
191.Ql x
192to set read, write, and
193execute permissions, respectively.
194Each of these may be excluded
195or replaced with a
196.Ql -
197character to indicate no access.
198.El
199.Pp
200A
201.Dq Li mask
202ACL entry is required on a file with any ACL entries other than
203the default
204.Dq Li user ,
205.Dq Li group ,
206and
207.Dq Li other
208ACL entries.
209If the
210.Fl n
211option is not specified and no
212.Dq Li mask
213ACL entry was specified, the
214.Nm
215utility
216will apply a
217.Dq Li mask
218ACL entry consisting of the union of the permissions associated
219with all
220.Dq Li group
221ACL entries in the resulting ACL.
222.Pp
223Traditional POSIX interfaces acting on file system object modes have
224modified semantics in the presence of POSIX.1e extended ACLs.
225When a mask entry is present on the access ACL of an object, the mask
226entry is substituted for the group bits; this occurs in programs such
227as
228.Xr stat 1
229or
230.Xr ls 1 .
231When the mode is modified on an object that has a mask entry, the
232changes applied to the group bits will actually be applied to the
233mask entry.
234These semantics provide for greater application compatibility:
235applications modifying the mode instead of the ACL will see
236conservative behavior, limiting the effective rights granted by all
237of the additional user and group entries; this occurs in programs
238such as
239.Xr chmod 1 .
240.Pp
241ACL entries applied from a file using the
242.Fl M
243or
244.Fl X
245options shall be of the following form: one ACL entry per line, as
246previously specified; whitespace is ignored; any text after a
247.Ql #
248is ignored (comments).
249.Pp
250When POSIX.1e ACL entries are evaluated, the access check algorithm checks
251the ACL entries in the following order: file owner,
252.Dq Li user
253ACL entries, file owning group,
254.Dq Li group
255ACL entries, and
256.Dq Li other
257ACL entry.
258.Pp
259Multiple ACL entries specified on the command line are
260separated by commas.
261.Pp
262It is possible for files and directories to inherit ACL entries from their
263parent directory.
264This is accomplished through the use of the default ACL.
265It should be noted that before you can specify a default ACL, the mandatory
266ACL entries for user, group, other and mask must be set.
267For more details see the examples below.
268Default ACLs can be created by using
269.Fl d .
270.Sh NFSv4 ACL ENTRIES
271An NFSv4 ACL entry contains four or five colon-separated fields: an ACL tag,
272an ACL qualifier (only for
273.Dq Li user
274and
275.Dq Li group
276tags), discretionary access permissions, ACL inheritance flags, and ACL type:
277.Bl -tag -width indent
278.It Ar "ACL tag"
279The ACL tag specifies the ACL entry type and consists of
280one of the following:
281.Dq Li user
282or
283.Ql u
284specifying the access
285granted to the specified user;
286.Dq Li group
287or
288.Ql g
289specifying the access granted to the specified group;
290.Dq Li owner@
291specifying the access granted to the owner of the file;
292.Dq Li group@
293specifying the access granted to the file owning group;
294.Dq Li everyone@
295specifying everyone.
296Note that
297.Dq Li everyone@
298is not the same as traditional Unix
299.Dq Li other
300- it means,
301literally, everyone, including file owner and owning group.
302.It Ar "ACL qualifier"
303The ACL qualifier field describes the user or group associated with
304the ACL entry.
305It may consist of one of the following: uid or
306user name, or gid or group name.
307In entries whose tag type is one of
308.Dq Li owner@ ,
309.Dq Li group@ ,
310or
311.Dq Li everyone@ ,
312this field is omitted altogether, including the trailing comma.
313.It Ar "access permissions"
314Access permissions may be specified in either short or long form.
315Short and long forms may not be mixed.
316Permissions in long form are separated by the
317.Ql /
318character; in short form, they are concatenated together.
319Valid permissions are:
320.Bl -tag -width ".Dv modify_set"
321.It Short
322Long
323.It r
324read_data
325.It w
326write_data
327.It x
328execute
329.It p
330append_data
331.It D
332delete_child
333.It d
334delete
335.It a
336read_attributes
337.It A
338write_attributes
339.It R
340read_xattr
341.It W
342write_xattr
343.It c
344read_acl
345.It C
346write_acl
347.It o
348write_owner
349.It s
350synchronize
351.El
352.Pp
353In addition, the following permission sets may be used:
354.Bl -tag -width ".Dv modify_set"
355.It Set
356Permissions
357.It full_set
358all permissions, as shown above
359.It modify_set
360all permissions except write_acl and write_owner
361.It read_set
362read_data, read_attributes, read_xattr and read_acl
363.It write_set
364write_data, append_data, write_attributes and write_xattr
365.El
366.It Ar "ACL inheritance flags"
367Inheritance flags may be specified in either short or long form.
368Short and long forms may not be mixed.
369Access flags in long form are separated by the
370.Ql /
371character; in short form, they are concatenated together.
372Valid inheritance flags are:
373.Bl -tag -width ".Dv short"
374.It Short
375Long
376.It f
377file_inherit
378.It d
379dir_inherit
380.It i
381inherit_only
382.It n
383no_propagate
384.It I
385inherited
386.El
387.Pp
388Other than the "inherited" flag, inheritance flags may be only set on directories.
389.It Ar "ACL type"
390The ACL type field is either
391.Dq Li allow
392or
393.Dq Li deny .
394.El
395.Pp
396ACL entries applied from a file using the
397.Fl M
398or
399.Fl X
400options shall be of the following form: one ACL entry per line, as
401previously specified; whitespace is ignored; any text after a
402.Ql #
403is ignored (comments).
404.Pp
405NFSv4 ACL entries are evaluated in their visible order.
406.Pp
407Multiple ACL entries specified on the command line are
408separated by commas.
409.Pp
410Note that the file owner is always granted the read_acl, write_acl,
411read_attributes, and write_attributes permissions, even if the ACL
412would deny it.
413.Sh EXIT STATUS
414.Ex -std
415.Sh EXAMPLES
416.Dl setfacl -d -m u::rwx,g::rx,o::rx,mask::rwx dir
417.Dl setfacl -d -m g:admins:rwx dir
418.Pp
419The first command sets the mandatory elements of the POSIX.1e default ACL.
420The second command specifies that users in group admins can have read, write, and execute
421permissions for directory named "dir".
422It should be noted that any files or directories created underneath "dir" will
423inherit these default ACLs upon creation.
424.Pp
425.Dl setfacl -m u::rwx,g:mail:rw file
426.Pp
427Sets read, write, and execute permissions for the
428.Pa file
429owner's POSIX.1e ACL entry and read and write permissions for group mail on
430.Pa file .
431.Pp
432.Dl setfacl -m owner@:rwxp::allow,g:mail:rwp::allow file
433.Pp
434Semantically equal to the example above, but for NFSv4 ACL.
435.Pp
436.Dl setfacl -M file1 file2
437.Pp
438Sets/updates the ACL entries contained in
439.Pa file1
440on
441.Pa file2 .
442.Pp
443.Dl setfacl -x g:mail:rw file
444.Pp
445Remove the group mail POSIX.1e ACL entry containing read/write permissions
446from
447.Pa file .
448.Pp
449.Dl setfacl -x0 file
450.Pp
451Remove the first entry from the NFSv4 ACL from
452.Pa file .
453.Pp
454.Dl setfacl -bn file
455.Pp
456Remove all
457.Dq Li access
458ACL entries except for the three required from
459.Pa file .
460.Pp
461.Dl getfacl file1 | setfacl -b -n -M - file2
462.Pp
463Copy ACL entries from
464.Pa file1
465to
466.Pa file2 .
467.Sh SEE ALSO
468.Xr getfacl 1 ,
469.Xr acl 3 ,
470.Xr getextattr 8 ,
471.Xr setextattr 8 ,
472.Xr acl 9 ,
473.Xr extattr 9
474.Sh STANDARDS
475The
476.Nm
477utility is expected to be
478.Tn IEEE
479Std 1003.2c compliant.
480.Sh HISTORY
481Extended Attribute and Access Control List support was developed
482as part of the
483.Tn TrustedBSD
484Project and introduced in
485.Fx 5.0 .
486NFSv4 ACL support was introduced in
487.Fx 8.1 .
488.Sh AUTHORS
489.An -nosplit
490The
491.Nm
492utility was written by
493.An Chris D. Faulhaber Aq Mt jedgar@fxp.org .
494NFSv4 ACL support was implemented by
495.An Edward Tomasz Napierala Aq Mt trasz@FreeBSD.org .
496