xref: /freebsd/bin/setfacl/setfacl.1 (revision 595e514d0df2bac5b813d35f83e32875dbf16a83)
.\"-
.\" Copyright (c) 2001 Chris D. Faulhaber
.\" Copyright (c) 2011 Edward Tomasz Napierała
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD$
.\"
.Dd April 1, 2013
.Dt SETFACL 1
.Os
.Sh NAME
.Nm setfacl
.Nd set ACL information
.Sh SYNOPSIS
.Nm
.Op Fl bdhkn
.Op Fl a Ar position entries
.Op Fl m Ar entries
.Op Fl M Ar file
.Op Fl x Ar entries | position
.Op Fl X Ar file
.Op Ar
.Sh DESCRIPTION
The
.Nm
utility sets discretionary access control information on
the specified file(s).
If no files are specified, or the list consists only of
.Sq Fl ,
the file names are taken from the standard input.
.Pp
The following options are available:
.Bl -tag -width indent
.It Fl a Ar position entries
Modify the ACL on the specified files by inserting the new
ACL entries specified in
.Ar entries ,
starting at position
.Ar position ,
counting from zero.
This option is only applicable to NFSv4 ACLs.
.It Fl b
Remove all ACL entries except for the three required entries
(POSIX.1e ACLs) or the six "canonical" entries (NFSv4 ACLs).
If the POSIX.1e ACL contains a
.Dq Li mask
entry, the permissions of the
.Dq Li group
entry in the resulting ACL will be set to the permissions
granted by both the
.Dq Li group
and
.Dq Li mask
entries of the current ACL.
.It Fl d
The operations apply to the default ACL entries instead of
the access ACL entries.
Currently only directories may have default ACLs.
This option is not applicable to NFSv4 ACLs.
.It Fl h
If the target of the operation is a symbolic link, perform the operation
on the symbolic link itself, rather than following the link.
.It Fl k
Delete any default ACL entries on the specified files.
It is not considered an error if the specified files do not have
any default ACL entries.
An error will be reported if any of
the specified files cannot have a default entry (i.e.\&
non-directories).
This option is not applicable to NFSv4 ACLs.
.It Fl m Ar entries
Modify the ACL on the specified files.
New entries will be added, and existing entries will be modified
according to the
.Ar entries
argument.
For NFSv4 ACLs, where the order of the entries is significant,
it is recommended to use the
.Fl a
and
.Fl x
options instead.
.It Fl M Ar file
Modify the ACL entries on the specified files by adding new
ACL entries and modifying existing ACL entries with the ACL
entries specified in the file
.Ar file .
If
.Ar file
is
.Fl ,
the input is taken from the standard input.
.It Fl n
Do not recalculate the permissions associated with the ACL
mask entry.
This option is not applicable to NFSv4 ACLs.
.It Fl x Ar entries | position
If
.Ar entries
is specified, remove the ACL entries specified there
from the access or default ACL of the specified files.
Otherwise, remove the entry at index
.Ar position ,
counting from zero.
.It Fl X Ar file
Remove the ACL entries specified in the file
.Ar file
from the access or default ACL of the specified files.
.El
.Pp
The above options are evaluated in the order specified
on the command line.
.Sh POSIX.1e ACL ENTRIES
A POSIX.1e ACL entry contains three colon-separated fields:
an ACL tag, an ACL qualifier, and discretionary access
permissions:
.Bl -tag -width indent
.It Ar "ACL tag"
The ACL tag specifies the ACL entry type and consists of
one of the following:
.Dq Li user
or
.Ql u
specifying the access
granted to the owner of the file or a specified user;
.Dq Li group
or
.Ql g
specifying the access granted to the file owning group
or a specified group;
.Dq Li other
or
.Ql o
specifying the access
granted to any process that does not match any user or group
ACL entry;
.Dq Li mask
or
.Ql m
specifying the maximum access
granted to any ACL entry except the
.Dq Li user
ACL entry for the file owner and the
.Dq Li other
ACL entry.
.It Ar "ACL qualifier"
The ACL qualifier field describes the user or group associated with
the ACL entry.
It may consist of one of the following: uid or
user name, gid or group name, or empty.
For
.Dq Li user
ACL entries, an empty field specifies access granted to the
file owner.
For
.Dq Li group
ACL entries, an empty field specifies access granted to the
file owning group.
.Dq Li mask
and
.Dq Li other
ACL entries do not use this field.
.It Ar "access permissions"
The access permissions field contains up to one of each of
the following:
.Ql r ,
.Ql w ,
and
.Ql x
to set read, write, and
execute permissions, respectively.
Each of these may be omitted
or replaced with a
.Ql -
character to indicate no access.
.El
.Pp
A
.Dq Li mask
ACL entry is required on a file with any ACL entries other than
the default
.Dq Li user ,
.Dq Li group ,
and
.Dq Li other
ACL entries.
If the
.Fl n
option is not specified and no
.Dq Li mask
ACL entry was specified, the
.Nm
utility
will apply a
.Dq Li mask
ACL entry consisting of the union of the permissions associated
with the file owning group entry and all named
.Dq Li user
and
.Dq Li group
ACL entries in the resulting ACL
(see
.Xr acl_calc_mask 3 ) .
.Pp
Traditional POSIX interfaces acting on file system object modes have
modified semantics in the presence of POSIX.1e extended ACLs.
When a mask entry is present on the access ACL of an object, the mask
entry is substituted for the group bits; this occurs in programs such
as
.Xr stat 1
or
.Xr ls 1 .
When the mode is modified on an object that has a mask entry, the
changes applied to the group bits will actually be applied to the
mask entry.
These semantics provide for greater application compatibility:
applications modifying the mode instead of the ACL will see
conservative behavior, limiting the effective rights granted by all
of the additional user and group entries; this occurs in programs
such as
.Xr chmod 1 .
.Pp
ACL entries applied from a file using the
.Fl M
or
.Fl X
options shall be of the following form: one ACL entry per line, as
previously specified; whitespace is ignored; any text after a
.Ql #
is ignored (comments).
.Pp
When POSIX.1e ACL entries are evaluated, the access check algorithm checks
the ACL entries in the following order: file owner,
.Dq Li user
ACL entries, file owning group,
.Dq Li group
ACL entries, and
.Dq Li other
ACL entry.
The first class of entries that matches the process decides the result;
named
.Dq Li user
entries and all
.Dq Li group
entries are limited by the
.Dq Li mask
entry, while the file owner and
.Dq Li other
entries are not.
.Pp
Multiple ACL entries specified on the command line are
separated by commas.
.Pp
It is possible for files and directories to inherit ACL entries from their
parent directory.
This is accomplished through the use of the default ACL.
Note that a default ACL must contain the mandatory
.Dq Li user ,
.Dq Li group ,
.Dq Li other
and
.Dq Li mask
entries before further entries can be added to it.
For more details see the examples below.
Default ACLs can be created by using
.Fl d .
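The POSIX.1e rules above (the entry syntax including the -M/-X file form, mask recalculation, the mask standing in for the group bits under stat(1)/ls(1)/chmod(1), and the owner, user, group, other evaluation order) worked through in Python. This is an added example, not part of this manual page and not FreeBSD's setfacl or acl(3) code; the user and group tables, uids, gids and ACL strings are made up, and named qualifiers are resolved through those tables instead of passwd(5)/group(5). The mask recalculation follows acl_calc_mask(3), taking the owning group and every named user and group entry.

```python
"""POSIX.1e ACL rules as setfacl(1) states them: the colon-separated entry
syntax (short or long tags, comma lists, the -M/-X file format), the mask
recalculation done unless -n is given, the mask standing in for the group
bits under stat(1)/ls(1)/chmod(1), and the owner, user, group, other
evaluation order.  Added illustration, not FreeBSD's setfacl or acl(3) code.
An ACL is a dict keyed by (tag, qualifier): qualifier None for the owner,
owning-group, other and mask entries, a numeric uid/gid for named ones.
The name tables and ACL strings below are constructed."""

R, W, X = 4, 2, 1
TAGS = {"u": "user", "g": "group", "o": "other", "m": "mask"}
USERS = {"alice": 1001, "bob": 1002}     # stand-ins for passwd(5)/group(5)
GROUPS = {"staff": 20, "mail": 6, "admins": 100}

def parse_perms(text):
    """'rw-', 'rx', '' -> bits; '-' is a placeholder meaning no access."""
    bits = 0
    for ch in text:
        if ch not in "rwx-":
            raise ValueError("bad permission %r" % ch)
        bits |= {"r": R, "w": W, "x": X, "-": 0}[ch]
    return bits

def parse_entries(text):
    """Comma-separated entries (command line) or one per line with '#'
    comments and ignored whitespace (-M/-X file) -> [(tag, qual, bits)]."""
    out = []
    for line in text.splitlines():
        for item in line.split("#", 1)[0].split(","):
            item = "".join(item.split())
            if not item:
                continue
            tag, qual, perms = item.split(":")
            tag = TAGS.get(tag, tag)
            if tag not in TAGS.values():
                raise ValueError("bad tag %r" % tag)
            if qual == "":
                qual = None                # owner / owning group / other / mask
            elif tag in ("user", "group"):
                table = USERS if tag == "user" else GROUPS
                qual = table[qual] if qual in table else int(qual)
            else:
                raise ValueError("%s entries take no qualifier" % tag)
            out.append((tag, qual, parse_perms(perms)))
    return out

def acl_from_mode(mode):
    """The three required entries every object has, taken from its mode."""
    return {("user", None): (mode >> 6) & 7, ("group", None): (mode >> 3) & 7,
            ("other", None): mode & 7}

def calc_mask(acl):
    """acl_calc_mask(3): union of the owning-group entry and every named user
    and group entry.  The owner and other entries are never masked."""
    bits = 0
    for (tag, qual), p in acl.items():
        if tag == "group" or (tag == "user" and qual is not None):
            bits |= p
    return bits

def setfacl_m(acl, text, no_recalc=False):
    """setfacl -m entries [-n] (-M reads the same syntax from a file): add or
    overwrite entries, then, unless -n was given or the caller supplied a
    mask entry, recalculate the mask, which is required as soon as any named
    user or group entry exists."""
    new = parse_entries(text)
    acl = dict(acl)
    for tag, qual, bits in new:
        acl[(tag, qual)] = bits
    extended = any(q is not None for (_, q) in acl)
    if extended and not no_recalc and not any(t == "mask" for t, _, _ in new):
        acl[("mask", None)] = calc_mask(acl)
    return acl

def mode_of(acl):
    """What stat(1) and ls(1) report: the mask entry replaces the group bits."""
    grp = acl.get(("mask", None), acl[("group", None)])
    return (acl[("user", None)] << 6) | (grp << 3) | acl[("other", None)]

def chmod(acl, mode):
    """chmod(1): when a mask entry exists the new group bits land on the mask,
    so every named entry is limited at once (the conservative behaviour)."""
    acl = dict(acl)
    acl[("user", None)] = (mode >> 6) & 7
    key = ("mask", None) if ("mask", None) in acl else ("group", None)
    acl[key] = (mode >> 3) & 7
    acl[("other", None)] = mode & 7
    return acl

def access(acl, req, uid, gids, owner_uid, owner_gid):
    """Evaluation order: owner, named user, then owning group and named
    groups (some single matching group entry must grant every requested bit,
    after masking), and finally other.  Returns True if req is granted."""
    mask = acl.get(("mask", None), 7)
    if uid == owner_uid:
        return req & ~acl[("user", None)] == 0
    if ("user", uid) in acl:
        return req & ~(acl[("user", uid)] & mask) == 0
    groups = [acl[("group", None)]] if owner_gid in gids else []
    groups += [acl[("group", g)] for g in gids if ("group", g) in acl]
    if groups:
        return any(req & ~(p & mask) == 0 for p in groups)
    return req & ~acl[("other", None)] == 0
```

Starting from a 0640 file owned by alice:staff, `setfacl_m(acl, "u::rwx,g:mail:rw")` yields a mask of rw and a reported mode of 0760; a subsequent `chmod(acl, 0o750)` leaves the group:: entry at r-- but drops the mask to r-x, which is what strips write access from group mail even though its entry still reads rw.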
.Sh NFSv4 ACL ENTRIES
An NFSv4 ACL entry contains four or five colon-separated fields: an ACL tag,
an ACL qualifier (only for
.Dq Li user
and
.Dq Li group
tags), discretionary access permissions, ACL inheritance flags, and ACL type:
.Bl -tag -width indent
.It Ar "ACL tag"
The ACL tag specifies the ACL entry type and consists of
one of the following:
.Dq Li user
or
.Ql u
specifying the access
granted to the specified user;
.Dq Li group
or
.Ql g
specifying the access granted to the specified group;
.Dq Li owner@
specifying the access granted to the owner of the file;
.Dq Li group@
specifying the access granted to the file owning group;
.Dq Li everyone@
specifying everyone.
Note that
.Dq Li everyone@
is not the same as the traditional Unix
.Dq Li other :
it means, literally, everyone, including the file owner and the owning group.
.It Ar "ACL qualifier"
The ACL qualifier field describes the user or group associated with
the ACL entry.
It may consist of one of the following: uid or
user name, or gid or group name.
In entries whose tag type is one of
.Dq Li owner@ ,
.Dq Li group@ ,
or
.Dq Li everyone@ ,
this field is omitted altogether, including the trailing colon,
so such entries have four fields.
.It Ar "access permissions"
Access permissions may be specified in either short or long form.
Short and long forms may not be mixed.
Permissions in long form are separated by the
.Ql /
character; in short form, they are concatenated together.
Valid permissions are:
.Bl -tag -width ".Dv modify_set"
.It Short
Long
.It r
read_data
.It w
write_data
.It x
execute
.It p
append_data
.It D
delete_child
.It d
delete
.It a
read_attributes
.It A
write_attributes
.It R
read_xattr
.It W
write_xattr
.It c
read_acl
.It C
write_acl
.It o
write_owner
.It s
synchronize
.El
.Pp
In addition, the following permission sets may be used:
.Bl -tag -width ".Dv modify_set"
.It Set
Permissions
.It full_set
all permissions, as shown above
.It modify_set
all permissions except write_acl and write_owner
.It read_set
read_data, read_attributes, read_xattr and read_acl
.It write_set
write_data, append_data, write_attributes and write_xattr
.El
.It Ar "ACL inheritance flags"
Inheritance flags may be specified in either short or long form.
Short and long forms may not be mixed.
Inheritance flags in long form are separated by the
.Ql /
character; in short form, they are concatenated together.
Valid inheritance flags are:
.Bl -tag -width ".Dv short"
.It Short
Long
.It f
file_inherit
.It d
dir_inherit
.It i
inherit_only
.It n
no_propagate
.El
.Pp
Inheritance flags may only be set on directories.
.It Ar "ACL type"
The ACL type field is either
.Dq Li allow
or
.Dq Li deny .
.El
.Pp
ACL entries applied from a file using the
.Fl M
or
.Fl X
options shall be of the following form: one ACL entry per line, as
previously specified; whitespace is ignored; any text after a
.Ql #
is ignored (comments).
.Pp
NFSv4 ACL entries are evaluated in their visible order, so a
.Dq Li deny
entry placed before an
.Dq Li allow
entry for the same principal takes precedence over it.
.Pp
Multiple ACL entries specified on the command line are
separated by commas.
.Pp
Note that the file owner is always granted the read_acl, write_acl,
read_attributes, and write_attributes permissions, even if the ACL
would deny them.
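The NFSv4 rules above (the four- or five-field entry syntax with short or long permission and inheritance-flag spellings and the permission sets, evaluation in visible order with everyone@ matching the owner, the owner's always-granted attribute and ACL permissions, and what a new file or directory inherits) worked through in Python. This is an added example, not part of this manual page and not FreeBSD's setfacl or acl(3) code: the in-order walk is the RFC 7530 one (an allow entry strips bits from the request, a deny entry that still covers a requested bit refuses it), the inheritance rules follow the flag descriptions above, the create-time interaction with the requested mode is left out, and the name tables, uids, gids and ACL strings are made up.

```python
"""NFSv4 ACL rules as setfacl(1) states them: entry syntax, permission sets,
in-order allow/deny evaluation (RFC 7530 style) with everyone@ covering the
owner, the owner's always-granted permissions, and inheritance.  Added
illustration, not FreeBSD's setfacl or acl(3) code; the create-time
interaction with the requested mode is left out.  Name tables and ACL
strings are constructed."""

PERMS = {"r": "read_data", "w": "write_data", "x": "execute", "p": "append_data",
         "D": "delete_child", "d": "delete", "a": "read_attributes",
         "A": "write_attributes", "R": "read_xattr", "W": "write_xattr",
         "c": "read_acl", "C": "write_acl", "o": "write_owner", "s": "synchronize"}
SETS = {"full_set": set(PERMS.values()),
        "modify_set": set(PERMS.values()) - {"write_acl", "write_owner"},
        "read_set": {"read_data", "read_attributes", "read_xattr", "read_acl"},
        "write_set": {"write_data", "append_data", "write_attributes", "write_xattr"}}
FLAGS = {"f": "file_inherit", "d": "dir_inherit", "i": "inherit_only", "n": "no_propagate"}
OWNER_ALWAYS = {"read_acl", "write_acl", "read_attributes", "write_attributes"}
USERS, GROUPS = {"alice": 1001, "bob": 1002}, {"staff": 20, "mail": 6}  # constructed

def words(field, short, sets):
    """'rwxp' (short letters concatenated) or 'read_data/execute' ('/'-separated
    long names or set names); mixing the two forms is an error."""
    if field == "":
        return set()
    longs = set(short.values())
    if "/" in field or field in longs or field in sets:
        out = set()
        for w in field.split("/"):
            if w in sets: out |= sets[w]
            elif w in longs: out.add(w)
            else: raise ValueError("bad long-form name %r" % w)
        return out
    if not all(ch in short for ch in field):
        raise ValueError("bad short form %r" % field)
    return {short[ch] for ch in field}

def parse_entries(text):
    """Comma-separated entries, or one per line with '#' comments -> list of
    dicts; qual is None for owner@/group@/everyone@ (field and colon omitted)."""
    out = []
    for line in text.splitlines():
        for item in line.split("#", 1)[0].split(","):
            item = "".join(item.split())
            if not item:
                continue
            f = item.split(":")
            if f[0] in ("owner@", "group@", "everyone@"):
                tag, qual, (perms, flags, typ) = f[0], None, f[1:]
            else:
                tag = {"u": "user", "g": "group"}.get(f[0], f[0])
                if tag not in ("user", "group"):
                    raise ValueError("bad tag %r" % f[0])
                table = USERS if tag == "user" else GROUPS
                qual = table[f[1]] if f[1] in table else int(f[1])
                perms, flags, typ = f[2:]
            if typ not in ("allow", "deny"):
                raise ValueError("bad type %r" % typ)
            out.append(dict(tag=tag, qual=qual, perms=words(perms, PERMS, SETS),
                            flags=words(flags, FLAGS, {}), type=typ))
    return out

def access(acl, want, uid, gids, owner_uid, owner_gid):
    """True if every permission in want is granted to the caller."""
    want = set(want)
    if uid == owner_uid:
        want -= OWNER_ALWAYS              # granted even if the ACL denies them
    for e in acl:
        hit = {"owner@": uid == owner_uid, "group@": owner_gid in gids,
               "everyone@": True, "user": e["qual"] == uid,
               "group": e["qual"] in gids}[e["tag"]]
        if not hit or "inherit_only" in e["flags"]:
            continue
        if e["type"] == "deny" and e["perms"] & want:
            return False
        if e["type"] == "allow":
            want -= e["perms"]
        if not want:
            return True
    return not want

def inherit(parent, new_is_dir):
    """Entries a new child receives from its parent directory's ACL."""
    child = []
    for e in parent:
        fl = e["flags"]
        if not ({"file_inherit", "dir_inherit"} & fl):
            continue                      # not an inheritable entry
        if not new_is_dir:                # files: file_inherit entries, flags dropped
            if "file_inherit" in fl:
                child.append(dict(e, flags=set()))
        elif "no_propagate" in fl:        # one level: applies here, inherits no further
            if "dir_inherit" in fl:
                child.append(dict(e, flags=set()))
        else:
            nf = fl - {"inherit_only"}    # a dir_inherit entry now applies to the subdir
            if "dir_inherit" not in fl:
                nf |= {"inherit_only"}    # file_inherit only: kept to reach files below
            child.append(dict(e, flags=nf))
    return child
```

Two points the rules make visible: `everyone@:w::deny,owner@:rw::allow` refuses the owner write access because everyone@ covers the owner and the deny comes first, while the same two entries in the opposite order grant it; and an entry flagged `di` on a directory grants nothing on that directory itself, but the subdirectory created under it receives the entry without inherit_only and does honour it.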
.Sh EXIT STATUS
.Ex -std
.Sh EXAMPLES
.Dl setfacl -d -m u::rwx,g:rx,o::rx,mask::rwx dir
.Dl setfacl -d -m g:admins:rwx dir
.Pp
The first command sets the mandatory entries of the POSIX.1e default ACL.
The second command specifies that users in group admins have read, write, and execute
permissions for the directory named "dir".
Note that any files or directories created underneath "dir" will
inherit these default ACLs upon creation.
.Pp
.Dl setfacl -m u::rwx,g:mail:rw file
.Pp
Sets read, write, and execute permissions for the
.Pa file
owner's POSIX.1e ACL entry and read and write permissions for group mail on
.Pa file .
.Pp
.Dl setfacl -m owner@:rwxp::allow,g:mail:rwp::allow file
.Pp
Semantically equal to the example above, but for an NFSv4 ACL.
.Pp
.Dl setfacl -M file1 file2
.Pp
Sets/updates the ACL entries contained in
.Pa file1
on
.Pa file2 .
.Pp
.Dl setfacl -x g:mail:rw file
.Pp
Remove the group mail POSIX.1e ACL entry containing read/write permissions
from
.Pa file .
.Pp
.Dl setfacl -x0 file
.Pp
Remove the first entry from the NFSv4 ACL of
.Pa file .
.Pp
.Dl setfacl -bn file
.Pp
Remove all
.Dq Li access
ACL entries except for the three required ones from
.Pa file .
.Pp
.Dl getfacl file1 | setfacl -b -n -M - file2
.Pp
Copy the ACL entries from
.Pa file1
to
.Pa file2 .
.Sh SEE ALSO
.Xr getfacl 1 ,
.Xr acl 3 ,
.Xr getextattr 8 ,
.Xr setextattr 8 ,
.Xr acl 9 ,
.Xr extattr 9
.Sh STANDARDS
The
.Nm
utility is expected to be
.Tn IEEE
Std 1003.2c compliant.
.Sh HISTORY
Extended Attribute and Access Control List support was developed
as part of the
.Tn TrustedBSD
Project and introduced in
.Fx 5.0 .
NFSv4 ACL support was introduced in
.Fx 8.1 .
.Sh AUTHORS
.An -nosplit
The
.Nm
utility was written by
.An Chris D. Faulhaber Aq jedgar@fxp.org .
NFSv4 ACL support was implemented by
.An Edward Tomasz Napierala Aq trasz@FreeBSD.org .
491