xref: /freebsd/bin/setfacl/setfacl.1 (revision 640235e2c2ba32947f7c59d168437ffa1280f1e6)
1.\"-
2.\" Copyright (c) 2001 Chris D. Faulhaber
3.\" Copyright (c) 2011 Edward Tomasz Napierała
4.\" All rights reserved.
5.\"
6.\" Redistribution and use in source and binary forms, with or without
7.\" modification, are permitted provided that the following conditions
8.\" are met:
9.\" 1. Redistributions of source code must retain the above copyright
10.\"    notice, this list of conditions and the following disclaimer.
11.\" 2. Redistributions in binary form must reproduce the above copyright
12.\"    notice, this list of conditions and the following disclaimer in the
13.\"    documentation and/or other materials provided with the distribution.
14.\"
15.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25.\" SUCH DAMAGE.
26.\"
27.\" $FreeBSD$
28.\"
29.Dd January 23, 2016
30.Dt SETFACL 1
31.Os
32.Sh NAME
33.Nm setfacl
34.Nd set ACL information
35.Sh SYNOPSIS
36.Nm
37.Op Fl bdhkn
38.Op Fl a Ar position entries
39.Op Fl m Ar entries
40.Op Fl M Ar file
41.Op Fl x Ar entries | position
42.Op Fl X Ar file
43.Op Ar
44.Sh DESCRIPTION
45The
46.Nm
47utility sets discretionary access control information on
48the specified file(s).
49If no files are specified, or the list consists of the only
50.Sq Fl ,
51the file names are taken from the standard input.
52.Pp
53The following options are available:
54.Bl -tag -width indent
55.It Fl a Ar position entries
56Modify the ACL on the specified files by inserting new
57ACL entries
58specified in
59.Ar entries ,
60starting at position
61.Ar position ,
62counting from zero.
63This option is only applicable to NFSv4 ACLs.
64.It Fl b
65Remove all ACL entries except for the ones synthesized
66from the file mode - the three mandatory entries in case
67of POSIX.1e ACL.
68If the POSIX.1e ACL contains a
69.Dq Li mask
70entry, the permissions of the
71.Dq Li group
72entry in the resulting ACL will be set to the permission
73associated with both the
74.Dq Li group
75and
76.Dq Li mask
77entries of the current ACL.
78.It Fl d
79The operations apply to the default ACL entries instead of
80access ACL entries.
81Currently only directories may have
82default ACL's.  This option is not applicable to NFSv4 ACLs.
83.It Fl h
84If the target of the operation is a symbolic link, perform the operation
85on the symbolic link itself, rather than following the link.
86.It Fl k
87Delete any default ACL entries on the specified files.
88It
89is not considered an error if the specified files do not have
90any default ACL entries.
91An error will be reported if any of
92the specified files cannot have a default entry (i.e.\&
93non-directories).  This option is not applicable to NFSv4 ACLs.
94.It Fl m Ar entries
95Modify the ACL on the specified file.
96New entries will be added, and existing entries will be modified
97according to the
98.Ar entries
99argument.
100For NFSv4 ACLs, it is recommended to use the
101.Fl a
102and
103.Fl x
104options instead.
105.It Fl M Ar file
106Modify the ACL entries on the specified files by adding new
107ACL entries and modifying existing ACL entries with the ACL
108entries specified in the file
109.Ar file .
110If
111.Ar file
112is
113.Fl ,
114the input is taken from stdin.
115.It Fl n
116Do not recalculate the permissions associated with the ACL
117mask entry.  This option is not applicable to NFSv4 ACLs.
118.It Fl x Ar entries | position
119If
120.Ar entries
121is specified, remove the ACL entries specified there
122from the access or default ACL of the specified files.
123Otherwise, remove entry at index
124.Ar position ,
125counting from zero.
126.It Fl X Ar file
127Remove the ACL entries specified in the file
128.Ar file
129from the access or default ACL of the specified files.
130.El
131.Pp
132The above options are evaluated in the order specified
133on the command-line.
134.Sh POSIX.1e ACL ENTRIES
135A POSIX.1E ACL entry contains three colon-separated fields:
136an ACL tag, an ACL qualifier, and discretionary access
137permissions:
138.Bl -tag -width indent
139.It Ar "ACL tag"
140The ACL tag specifies the ACL entry type and consists of
141one of the following:
142.Dq Li user
143or
144.Ql u
145specifying the access
146granted to the owner of the file or a specified user;
147.Dq Li group
148or
149.Ql g
150specifying the access granted to the file owning group
151or a specified group;
152.Dq Li other
153or
154.Ql o
155specifying the access
156granted to any process that does not match any user or group
157ACL entry;
158.Dq Li mask
159or
160.Ql m
161specifying the maximum access
162granted to any ACL entry except the
163.Dq Li user
164ACL entry for the file owner and the
165.Dq Li other
166ACL entry.
167.It Ar "ACL qualifier"
168The ACL qualifier field describes the user or group associated with
169the ACL entry.
170It may consist of one of the following: uid or
171user name, gid or group name, or empty.
172For
173.Dq Li user
174ACL entries, an empty field specifies access granted to the
175file owner.
176For
177.Dq Li group
178ACL entries, an empty field specifies access granted to the
179file owning group.
180.Dq Li mask
181and
182.Dq Li other
183ACL entries do not use this field.
184.It Ar "access permissions"
185The access permissions field contains up to one of each of
186the following:
187.Ql r ,
188.Ql w ,
189and
190.Ql x
191to set read, write, and
192execute permissions, respectively.
193Each of these may be excluded
194or replaced with a
195.Ql -
196character to indicate no access.
197.El
198.Pp
199A
200.Dq Li mask
201ACL entry is required on a file with any ACL entries other than
202the default
203.Dq Li user ,
204.Dq Li group ,
205and
206.Dq Li other
207ACL entries.
208If the
209.Fl n
210option is not specified and no
211.Dq Li mask
212ACL entry was specified, the
213.Nm
214utility
215will apply a
216.Dq Li mask
217ACL entry consisting of the union of the permissions associated
218with all
219.Dq Li group
220ACL entries in the resulting ACL.
221.Pp
222Traditional POSIX interfaces acting on file system object modes have
223modified semantics in the presence of POSIX.1e extended ACLs.
224When a mask entry is present on the access ACL of an object, the mask
225entry is substituted for the group bits; this occurs in programs such
226as
227.Xr stat 1
228or
229.Xr ls 1 .
230When the mode is modified on an object that has a mask entry, the
231changes applied to the group bits will actually be applied to the
232mask entry.
233These semantics provide for greater application compatibility:
234applications modifying the mode instead of the ACL will see
235conservative behavior, limiting the effective rights granted by all
236of the additional user and group entries; this occurs in programs
237such as
238.Xr chmod 1 .
239.Pp
240ACL entries applied from a file using the
241.Fl M
242or
243.Fl X
244options shall be of the following form: one ACL entry per line, as
245previously specified; whitespace is ignored; any text after a
246.Ql #
247is ignored (comments).
248.Pp
249When POSIX.1e ACL entries are evaluated, the access check algorithm checks
250the ACL entries in the following order: file owner,
251.Dq Li user
252ACL entries, file owning group,
253.Dq Li group
254ACL entries, and
255.Dq Li other
256ACL entry.
257.Pp
258Multiple ACL entries specified on the command line are
259separated by commas.
260.Pp
261It is possible for files and directories to inherit ACL entries from their
262parent directory.
263This is accomplished through the use of the default ACL.
264It should be noted that before you can specify a default ACL, the mandatory
265ACL entries for user, group, other and mask must be set.
266For more details see the examples below.
267Default ACLs can be created by using
268.Fl d .
269.Sh NFSv4 ACL ENTRIES
270An NFSv4 ACL entry contains four or five colon-separated fields: an ACL tag,
271an ACL qualifier (only for
272.Dq Li user
273and
274.Dq Li group
275tags), discretionary access permissions, ACL inheritance flags, and ACL type:
276.Bl -tag -width indent
277.It Ar "ACL tag"
278The ACL tag specifies the ACL entry type and consists of
279one of the following:
280.Dq Li user
281or
282.Ql u
283specifying the access
284granted to the specified user;
285.Dq Li group
286or
287.Ql g
288specifying the access granted to the specified group;
289.Dq Li owner@
290specifying the access granted to the owner of the file;
291.Dq Li group@
292specifying the access granted to the file owning group;
293.Dq Li everyone@
294specifying everyone.  Note that
295.Dq Li everyone@
296is not the same as traditional Unix
297.Dq Li other
298- it means,
299literally, everyone, including file owner and owning group.
300.It Ar "ACL qualifier"
301The ACL qualifier field describes the user or group associated with
302the ACL entry.
303It may consist of one of the following: uid or
304user name, or gid or group name.  In entries whose tag type is
305one of
306.Dq Li owner@ ,
307.Dq Li group@ ,
308or
309.Dq Li everyone@ ,
310this field is omitted altogether, including the trailing comma.
311.It Ar "access permissions"
312Access permissions may be specified in either short or long form.
313Short and long forms may not be mixed.
314Permissions in long form are separated by the
315.Ql /
316character; in short form, they are concatenated together.
317Valid permissions are:
318.Bl -tag -width ".Dv modify_set"
319.It Short
320Long
321.It r
322read_data
323.It w
324write_data
325.It x
326execute
327.It p
328append_data
329.It D
330delete_child
331.It d
332delete
333.It a
334read_attributes
335.It A
336write_attributes
337.It R
338read_xattr
339.It W
340write_xattr
341.It c
342read_acl
343.It C
344write_acl
345.It o
346write_owner
347.It s
348synchronize
349.El
350.Pp
351In addition, the following permission sets may be used:
352.Bl -tag -width ".Dv modify_set"
353.It Set
354Permissions
355.It full_set
356all permissions, as shown above
357.It modify_set
358all permissions except write_acl and write_owner
359.It read_set
360read_data, read_attributes, read_xattr and read_acl
361.It write_set
362write_data, append_data, write_attributes and write_xattr
363.El
364.It Ar "ACL inheritance flags"
365Inheritance flags may be specified in either short or long form.
366Short and long forms may not be mixed.
367Access flags in long form are separated by the
368.Ql /
369character; in short form, they are concatenated together.
370Valid inheritance flags are:
371.Bl -tag -width ".Dv short"
372.It Short
373Long
374.It f
375file_inherit
376.It d
377dir_inherit
378.It i
379inherit_only
380.It n
381no_propagate
382.It I
383inherited
384.El
385.Pp
386Other than the "inherited" flag, inheritance flags may be only set on directories.
387.It Ar "ACL type"
388The ACL type field is either
389.Dq Li allow
390or
391.Dq Li deny .
392.El
393.Pp
394ACL entries applied from a file using the
395.Fl M
396or
397.Fl X
398options shall be of the following form: one ACL entry per line, as
399previously specified; whitespace is ignored; any text after a
400.Ql #
401is ignored (comments).
402.Pp
403NFSv4 ACL entries are evaluated in their visible order.
404.Pp
405Multiple ACL entries specified on the command line are
406separated by commas.
407.Pp
408Note that the file owner is always granted the read_acl, write_acl,
409read_attributes, and write_attributes permissions, even if the ACL
410would deny it.
411.Sh EXIT STATUS
412.Ex -std
413.Sh EXAMPLES
414.Dl setfacl -d -m u::rwx,g::rx,o::rx,mask::rwx dir
415.Dl setfacl -d -m g:admins:rwx dir
416.Pp
417The first command sets the mandatory elements of the POSIX.1e default ACL.
418The second command specifies that users in group admins can have read, write, and execute
419permissions for directory named "dir".
420It should be noted that any files or directories created underneath "dir" will
421inherit these default ACLs upon creation.
422.Pp
423.Dl setfacl -m u::rwx,g:mail:rw file
424.Pp
425Sets read, write, and execute permissions for the
426.Pa file
427owner's POSIX.1e ACL entry and read and write permissions for group mail on
428.Pa file .
429.Pp
430.Dl setfacl -m owner@:rwxp::allow,g:mail:rwp::allow file
431.Pp
432Semantically equal to the example above, but for NFSv4 ACL.
433.Pp
434.Dl setfacl -M file1 file2
435.Pp
436Sets/updates the ACL entries contained in
437.Pa file1
438on
439.Pa file2 .
440.Pp
441.Dl setfacl -x g:mail:rw file
442.Pp
443Remove the group mail POSIX.1e ACL entry containing read/write permissions
444from
445.Pa file .
446.Pp
447.Dl setfacl -x0 file
448.Pp
449Remove the first entry from the NFSv4 ACL from
450.Pa file .
451.Pp
452.Dl setfacl -bn file
453.Pp
454Remove all
455.Dq Li access
456ACL entries except for the three required from
457.Pa file .
458.Pp
459.Dl getfacl file1 | setfacl -b -n -M - file2
460.Pp
461Copy ACL entries from
462.Pa file1
463to
464.Pa file2 .
465.Sh SEE ALSO
466.Xr getfacl 1 ,
467.Xr acl 3 ,
468.Xr getextattr 8 ,
469.Xr setextattr 8 ,
470.Xr acl 9 ,
471.Xr extattr 9
472.Sh STANDARDS
473The
474.Nm
475utility is expected to be
476.Tn IEEE
477Std 1003.2c compliant.
478.Sh HISTORY
479Extended Attribute and Access Control List support was developed
480as part of the
481.Tn TrustedBSD
482Project and introduced in
483.Fx 5.0 .
484NFSv4 ACL support was introduced in
485.Fx 8.1 .
486.Sh AUTHORS
487.An -nosplit
488The
489.Nm
490utility was written by
491.An Chris D. Faulhaber Aq Mt jedgar@fxp.org .
492NFSv4 ACL support was implemented by
493.An Edward Tomasz Napierala Aq Mt trasz@FreeBSD.org .
494