xref: /freebsd/bin/setfacl/setfacl.1 (revision 643ac419fafba89f5adda0e0ea75b538727453fb)
1.\"-
2.\" Copyright (c) 2001 Chris D. Faulhaber
3.\" Copyright (c) 2011 Edward Tomasz Napierała
4.\" All rights reserved.
5.\"
6.\" Redistribution and use in source and binary forms, with or without
7.\" modification, are permitted provided that the following conditions
8.\" are met:
9.\" 1. Redistributions of source code must retain the above copyright
10.\"    notice, this list of conditions and the following disclaimer.
11.\" 2. Redistributions in binary form must reproduce the above copyright
12.\"    notice, this list of conditions and the following disclaimer in the
13.\"    documentation and/or other materials provided with the distribution.
14.\"
15.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25.\" SUCH DAMAGE.
26.\"
27.\" $FreeBSD$
28.\"
29.Dd October 26, 2018
30.Dt SETFACL 1
31.Os
32.Sh NAME
33.Nm setfacl
34.Nd set ACL information
35.Sh SYNOPSIS
36.Nm
37.Op Fl R Op Fl H | L | P
38.Op Fl bdhkn
39.Op Fl a Ar position entries
40.Op Fl m Ar entries
41.Op Fl M Ar file
42.Op Fl x Ar entries | position
43.Op Fl X Ar file
44.Op Ar
45.Sh DESCRIPTION
46The
47.Nm
48utility sets discretionary access control information on
49the specified file(s).
50If no files are specified, or the list consists of the only
51.Sq Fl ,
52the file names are taken from the standard input.
53.Pp
54The following options are available:
55.Bl -tag -width indent
56.It Fl a Ar position entries
57Modify the ACL on the specified files by inserting new
58ACL entries
59specified in
60.Ar entries ,
61starting at position
62.Ar position ,
63counting from zero.
64This option is only applicable to NFSv4 ACLs.
65.It Fl b
66Remove all ACL entries except for the ones synthesized
67from the file mode - the three mandatory entries in case
68of POSIX.1e ACL.
69If the POSIX.1e ACL contains a
70.Dq Li mask
71entry, the permissions of the
72.Dq Li group
73entry in the resulting ACL will be set to the permission
74associated with both the
75.Dq Li group
76and
77.Dq Li mask
78entries of the current ACL.
79.It Fl d
80The operations apply to the default ACL entries instead of
81access ACL entries.
82Currently only directories may have
83default ACL's.
84This option is not applicable to NFSv4 ACLs.
85.It Fl h
86If the target of the operation is a symbolic link, perform the operation
87on the symbolic link itself, rather than following the link.
88.It Fl H
89If the
90.Fl R
91option is specified, symbolic links on the command line are followed
92and hence unaffected by the command.
93(Symbolic links encountered during tree traversal are not followed.)
94.It Fl k
95Delete any default ACL entries on the specified files.
96It
97is not considered an error if the specified files do not have
98any default ACL entries.
99An error will be reported if any of
100the specified files cannot have a default entry (i.e.,
101non-directories).
102This option is not applicable to NFSv4 ACLs.
103.It Fl L
104If the
105.Fl R
106option is specified, all symbolic links are followed.
107.It Fl m Ar entries
108Modify the ACL on the specified file.
109New entries will be added, and existing entries will be modified
110according to the
111.Ar entries
112argument.
113For NFSv4 ACLs, it is recommended to use the
114.Fl a
115and
116.Fl x
117options instead.
118.It Fl M Ar file
119Modify the ACL entries on the specified files by adding new
120ACL entries and modifying existing ACL entries with the ACL
121entries specified in the file
122.Ar file .
123If
124.Ar file
125is
126.Fl ,
127the input is taken from stdin.
128.It Fl n
129Do not recalculate the permissions associated with the ACL
130mask entry.
131This option is not applicable to NFSv4 ACLs.
132.It Fl P
133If the
134.Fl R
135option is specified, no symbolic links are followed.
136This is the default.
137.It Fl R
138Perform the action recursively on any specified directories.
139When modifying or adding NFSv4 ACL entries, inheritance flags
140are applied only to directories.
141.It Fl x Ar entries | position
142If
143.Ar entries
144is specified, remove the ACL entries specified there
145from the access or default ACL of the specified files.
146Otherwise, remove entry at index
147.Ar position ,
148counting from zero.
149.It Fl X Ar file
150Remove the ACL entries specified in the file
151.Ar file
152from the access or default ACL of the specified files.
153.El
154.Pp
155The above options are evaluated in the order specified
156on the command-line.
157.Sh POSIX.1e ACL ENTRIES
158A POSIX.1E ACL entry contains three colon-separated fields:
159an ACL tag, an ACL qualifier, and discretionary access
160permissions:
161.Bl -tag -width indent
162.It Ar "ACL tag"
163The ACL tag specifies the ACL entry type and consists of
164one of the following:
165.Dq Li user
166or
167.Ql u
168specifying the access
169granted to the owner of the file or a specified user;
170.Dq Li group
171or
172.Ql g
173specifying the access granted to the file owning group
174or a specified group;
175.Dq Li other
176or
177.Ql o
178specifying the access
179granted to any process that does not match any user or group
180ACL entry;
181.Dq Li mask
182or
183.Ql m
184specifying the maximum access
185granted to any ACL entry except the
186.Dq Li user
187ACL entry for the file owner and the
188.Dq Li other
189ACL entry.
190.It Ar "ACL qualifier"
191The ACL qualifier field describes the user or group associated with
192the ACL entry.
193It may consist of one of the following: uid or
194user name, gid or group name, or empty.
195For
196.Dq Li user
197ACL entries, an empty field specifies access granted to the
198file owner.
199For
200.Dq Li group
201ACL entries, an empty field specifies access granted to the
202file owning group.
203.Dq Li mask
204and
205.Dq Li other
206ACL entries do not use this field.
207.It Ar "access permissions"
208The access permissions field contains up to one of each of
209the following:
210.Ql r ,
211.Ql w ,
212and
213.Ql x
214to set read, write, and
215execute permissions, respectively.
216Each of these may be excluded
217or replaced with a
218.Ql -
219character to indicate no access.
220.El
221.Pp
222A
223.Dq Li mask
224ACL entry is required on a file with any ACL entries other than
225the default
226.Dq Li user ,
227.Dq Li group ,
228and
229.Dq Li other
230ACL entries.
231If the
232.Fl n
233option is not specified and no
234.Dq Li mask
235ACL entry was specified, the
236.Nm
237utility
238will apply a
239.Dq Li mask
240ACL entry consisting of the union of the permissions associated
241with all
242.Dq Li group
243ACL entries in the resulting ACL.
244.Pp
245Traditional POSIX interfaces acting on file system object modes have
246modified semantics in the presence of POSIX.1e extended ACLs.
247When a mask entry is present on the access ACL of an object, the mask
248entry is substituted for the group bits; this occurs in programs such
249as
250.Xr stat 1
251or
252.Xr ls 1 .
253When the mode is modified on an object that has a mask entry, the
254changes applied to the group bits will actually be applied to the
255mask entry.
256These semantics provide for greater application compatibility:
257applications modifying the mode instead of the ACL will see
258conservative behavior, limiting the effective rights granted by all
259of the additional user and group entries; this occurs in programs
260such as
261.Xr chmod 1 .
262.Pp
263ACL entries applied from a file using the
264.Fl M
265or
266.Fl X
267options shall be of the following form: one ACL entry per line, as
268previously specified; whitespace is ignored; any text after a
269.Ql #
270is ignored (comments).
271.Pp
272When POSIX.1e ACL entries are evaluated, the access check algorithm checks
273the ACL entries in the following order: file owner,
274.Dq Li user
275ACL entries, file owning group,
276.Dq Li group
277ACL entries, and
278.Dq Li other
279ACL entry.
280.Pp
281Multiple ACL entries specified on the command line are
282separated by commas.
283.Pp
284It is possible for files and directories to inherit ACL entries from their
285parent directory.
286This is accomplished through the use of the default ACL.
287It should be noted that before you can specify a default ACL, the mandatory
288ACL entries for user, group, other and mask must be set.
289For more details see the examples below.
290Default ACLs can be created by using
291.Fl d .
292.Sh NFSv4 ACL ENTRIES
293An NFSv4 ACL entry contains four or five colon-separated fields: an ACL tag,
294an ACL qualifier (only for
295.Dq Li user
296and
297.Dq Li group
298tags), discretionary access permissions, ACL inheritance flags, and ACL type:
299.Bl -tag -width indent
300.It Ar "ACL tag"
301The ACL tag specifies the ACL entry type and consists of
302one of the following:
303.Dq Li user
304or
305.Ql u
306specifying the access
307granted to the specified user;
308.Dq Li group
309or
310.Ql g
311specifying the access granted to the specified group;
312.Dq Li owner@
313specifying the access granted to the owner of the file;
314.Dq Li group@
315specifying the access granted to the file owning group;
316.Dq Li everyone@
317specifying everyone.
318Note that
319.Dq Li everyone@
320is not the same as traditional Unix
321.Dq Li other
322- it means,
323literally, everyone, including file owner and owning group.
324.It Ar "ACL qualifier"
325The ACL qualifier field describes the user or group associated with
326the ACL entry.
327It may consist of one of the following: uid or
328user name, or gid or group name.
329In entries whose tag type is one of
330.Dq Li owner@ ,
331.Dq Li group@ ,
332or
333.Dq Li everyone@ ,
334this field is omitted altogether, including the trailing comma.
335.It Ar "access permissions"
336Access permissions may be specified in either short or long form.
337Short and long forms may not be mixed.
338Permissions in long form are separated by the
339.Ql /
340character; in short form, they are concatenated together.
341Valid permissions are:
342.Bl -tag -width ".Dv modify_set"
343.It Short
344Long
345.It r
346read_data
347.It w
348write_data
349.It x
350execute
351.It p
352append_data
353.It D
354delete_child
355.It d
356delete
357.It a
358read_attributes
359.It A
360write_attributes
361.It R
362read_xattr
363.It W
364write_xattr
365.It c
366read_acl
367.It C
368write_acl
369.It o
370write_owner
371.It s
372synchronize
373.El
374.Pp
375In addition, the following permission sets may be used:
376.Bl -tag -width ".Dv modify_set"
377.It Set
378Permissions
379.It full_set
380all permissions, as shown above
381.It modify_set
382all permissions except write_acl and write_owner
383.It read_set
384read_data, read_attributes, read_xattr and read_acl
385.It write_set
386write_data, append_data, write_attributes and write_xattr
387.El
388.It Ar "ACL inheritance flags"
389Inheritance flags may be specified in either short or long form.
390Short and long forms may not be mixed.
391Access flags in long form are separated by the
392.Ql /
393character; in short form, they are concatenated together.
394Valid inheritance flags are:
395.Bl -tag -width ".Dv short"
396.It Short
397Long
398.It f
399file_inherit
400.It d
401dir_inherit
402.It i
403inherit_only
404.It n
405no_propagate
406.It I
407inherited
408.El
409.Pp
410Other than the "inherited" flag, inheritance flags may be only set on directories.
411.It Ar "ACL type"
412The ACL type field is either
413.Dq Li allow
414or
415.Dq Li deny .
416.El
417.Pp
418ACL entries applied from a file using the
419.Fl M
420or
421.Fl X
422options shall be of the following form: one ACL entry per line, as
423previously specified; whitespace is ignored; any text after a
424.Ql #
425is ignored (comments).
426.Pp
427NFSv4 ACL entries are evaluated in their visible order.
428.Pp
429Multiple ACL entries specified on the command line are
430separated by commas.
431.Pp
432Note that the file owner is always granted the read_acl, write_acl,
433read_attributes, and write_attributes permissions, even if the ACL
434would deny it.
435.Sh EXIT STATUS
436.Ex -std
437.Sh EXAMPLES
438.Dl setfacl -d -m u::rwx,g::rx,o::rx,mask::rwx dir
439.Dl setfacl -d -m g:admins:rwx dir
440.Pp
441The first command sets the mandatory elements of the POSIX.1e default ACL.
442The second command specifies that users in group admins can have read, write, and execute
443permissions for directory named "dir".
444It should be noted that any files or directories created underneath "dir" will
445inherit these default ACLs upon creation.
446.Pp
447.Dl setfacl -m u::rwx,g:mail:rw file
448.Pp
449Sets read, write, and execute permissions for the
450.Pa file
451owner's POSIX.1e ACL entry and read and write permissions for group mail on
452.Pa file .
453.Pp
454.Dl setfacl -m owner@:rwxp::allow,g:mail:rwp::allow file
455.Pp
456Semantically equal to the example above, but for NFSv4 ACL.
457.Pp
458.Dl setfacl -M file1 file2
459.Pp
460Sets/updates the ACL entries contained in
461.Pa file1
462on
463.Pa file2 .
464.Pp
465.Dl setfacl -x g:mail:rw file
466.Pp
467Remove the group mail POSIX.1e ACL entry containing read/write permissions
468from
469.Pa file .
470.Pp
471.Dl setfacl -x0 file
472.Pp
473Remove the first entry from the NFSv4 ACL from
474.Pa file .
475.Pp
476.Dl setfacl -bn file
477.Pp
478Remove all
479.Dq Li access
480ACL entries except for the three required from
481.Pa file .
482.Pp
483.Dl getfacl file1 | setfacl -b -n -M - file2
484.Pp
485Copy ACL entries from
486.Pa file1
487to
488.Pa file2 .
489.Sh SEE ALSO
490.Xr getfacl 1 ,
491.Xr acl 3 ,
492.Xr getextattr 8 ,
493.Xr setextattr 8 ,
494.Xr acl 9 ,
495.Xr extattr 9
496.Sh STANDARDS
497The
498.Nm
499utility is expected to be
500.Tn IEEE
501Std 1003.2c compliant.
502.Sh HISTORY
503Extended Attribute and Access Control List support was developed
504as part of the
505.Tn TrustedBSD
506Project and introduced in
507.Fx 5.0 .
508NFSv4 ACL support was introduced in
509.Fx 8.1 .
510.Sh AUTHORS
511.An -nosplit
512The
513.Nm
514utility was written by
515.An Chris D. Faulhaber Aq Mt jedgar@fxp.org .
516NFSv4 ACL support was implemented by
517.An Edward Tomasz Napierala Aq Mt trasz@FreeBSD.org .
518