.\"
.\" Copyright (c) 2001 Chris D. Faulhaber
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR THE VOICES IN HIS HEAD BE
.\" LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $FreeBSD$
.\"
.Dd January 7, 2001
.Dt SETFACL 1
.Os
.Sh NAME
.Nm setfacl
.Nd set ACL information
.Sh SYNOPSIS
.Nm
.Op Fl bdhkn
.Op Fl m Ar entries
.Op Fl M Ar file1
.Op Fl x Ar entries
.Op Fl X Ar file1
.Op Ar
.Sh DESCRIPTION
The
.Nm
utility sets discretionary access control information on
the specified file(s).
.Pp
The following options are available:
.Bl -tag -width indent
.It Fl b
Remove all ACL entries except for the three required entries.
If the ACL contains a
.Dq Li mask
entry, the permissions of the
.Dq Li group
entry in the resulting ACL will be set to the permission
associated with both the
.Dq Li group
and
.Dq Li mask
entries of the current ACL.
.It Fl d
The operations apply to the default ACL entries instead of
access ACL entries. Currently only directories may have
default ACLs.
.It Fl h
If the target of the operation is a symbolic link, perform the operation
on the symbolic link itself, rather than following the link.
.It Fl k
Delete any default ACL entries on the specified files. It
is not considered an error if the specified files do not have
any default ACL entries. An error will be reported if any of
the specified files cannot have a default entry (i.e.\&
non-directories).
.It Fl m Ar entries
Modify the ACL entries on the specified files by adding new
entries and modifying existing ACL entries with the ACL entries
specified in
.Ar entries .
.It Fl M Ar file
Modify the ACL entries on the specified files by adding new
ACL entries and modifying existing ACL entries with the ACL
entries specified in the file
.Ar file .
If
.Ar file
is
.Fl ,
the input is taken from stdin.
.It Fl n
Do not recalculate the permissions associated with the ACL
mask entry.
.It Fl x Ar entries
Remove the ACL entries specified in
.Ar entries
from the access or default ACL of the specified files.
.It Fl X Ar file
Remove the ACL entries specified in the file
.Ar file
from the access or default ACL of the specified files.
.El
.Pp
The above options are evaluated in the order specified
on the command-line.
.Sh ACL ENTRIES
An ACL entry contains three colon-separated fields:
an ACL tag, an ACL qualifier, and discretionary access
permissions:
.Bl -tag -width indent
.It Ar "ACL tag"
The ACL tag specifies the ACL entry type and consists of
one of the following:
.Dq Li user
or
.Ql u
specifying the access
granted to the owner of the file or a specified user;
.Dq Li group
or
.Ql g
specifying the access granted to the file owning group
or a specified group;
.Dq Li other
or
.Ql o
specifying the access
granted to any process that does not match any user or group
ACL entry;
.Dq Li mask
or
.Ql m
specifying the maximum access
granted to any ACL entry except the
.Dq Li user
ACL entry for the file owner and the
.Dq Li other
ACL entry.
.It Ar "ACL qualifier"
The ACL qualifier field describes the user or group associated with
the ACL entry. It may consist of one of the following: uid or
user name, gid or group name, or empty. For
.Dq Li user
ACL entries, an empty field specifies access granted to the
file owner. For
.Dq Li group
ACL entries, an empty field specifies access granted to the
file owning group.
.Dq Li mask
and
.Dq Li other
ACL entries do not use this field.
.It Ar "access permissions"
The access permissions field contains up to one of each of
the following:
.Ql r ,
.Ql w ,
and
.Ql x
to set read, write, and
execute permissions, respectively. Each of these may be excluded
or replaced with a
.Ql -
character to indicate no access.
.El
.Pp
A
.Dq Li mask
ACL entry is required on a file with any ACL entries other than
the default
.Dq Li user ,
.Dq Li group ,
and
.Dq Li other
ACL entries.
If the
.Fl n
option is not specified and no
.Dq Li mask
ACL entry was specified, the
.Nm
utility
will apply a
.Dq Li mask
ACL entry consisting of the union of the permissions associated
with all
.Dq Li group
ACL entries in the resulting ACL.
.Pp
ACL entries applied from a file using the
.Fl M
or
.Fl X
options shall be of the following form: one ACL entry per line, as
previously specified; whitespace is ignored; any text after a
.Ql #
is ignored (comments).
.Pp
When ACL entries are evaluated, the access check algorithm checks
the ACL entries in the following order: file owner,
.Dq Li user
ACL entries, file owning group,
.Dq Li group
ACL entries, and
.Dq Li other
ACL entry.
.Pp
Multiple ACL entries specified on the command line are
separated by commas.
.Sh DIAGNOSTICS
.Ex -std
.Sh EXAMPLES
.Dl setfacl -m u::rwx,g:mail:rw file
.Pp
Sets read, write, and execute permissions for the
.Pa file
owner's ACL entry and read and write permissions for group mail on
.Pa file .
.Pp
.Dl setfacl -M file1 file2
.Pp
Sets/updates the ACL entries contained in
.Pa file1
on
.Pa file2 .
.Pp
.Dl setfacl -x g:mail:rw file
.Pp
Remove the group mail ACL entry containing read/write permissions
from
.Pa file .
.Pp
.Dl setfacl -bn file
.Pp
Remove all
.Dq Li access
ACL entries except for the three required from
.Pa file .
.Pp
.Dl getfacl file1 | setfacl -b -n -M - file2
.Pp
Copy ACL entries from
.Pa file1
to
.Pa file2 .
.Sh SEE ALSO
.Xr getfacl 1 ,
.Xr acl 3 ,
.Xr getextattr 8 ,
.Xr setextattr 8 ,
.Xr acl 9 ,
.Xr extattr 9
.Sh STANDARDS
The
.Nm
utility is expected to be
.Tn IEEE
Std 1003.2c compliant.
.Sh HISTORY
Extended Attribute and Access Control List support was developed
as part of the
.Tn TrustedBSD
Project and introduced in
.Fx 5.0 .
.Sh AUTHORS
The
.Nm
utility was written by
.An Chris D. Faulhaber Aq jedgar@fxp.org .
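Added example, not part of the setfacl manual or the FreeBSD source: a Python model of the entry syntax from ACL ENTRIES, the -M/-X file format, and the mask rule as this page words it, showing how -n can leave a newly granted entry capped by a stale mask. The function names, the user and group names, and the sample ACL are constructed for illustration; nothing here invokes setfacl.

```python
# Added illustration: models the entry syntax and mask rule as this manual
# page words them; it does not call setfacl or touch any file.
TAGS = {"u": "user", "user": "user", "g": "group", "group": "group",
        "o": "other", "other": "other", "m": "mask", "mask": "mask"}

def parse_entries(text):
    """Parse -M/-X file content into {(tag, qualifier): set_of_perms}."""
    entries = {}
    for raw in text.splitlines():
        # Text after '#' is a comment; whitespace is ignored everywhere.
        line = "".join(raw.split("#", 1)[0].split())
        if not line:
            continue
        fields = line.split(":")
        if len(fields) != 3 or fields[0] not in TAGS:
            raise ValueError(f"malformed ACL entry: {raw!r}")
        tag, qualifier, perms = TAGS[fields[0]], fields[1], fields[2]
        if tag in ("mask", "other") and qualifier:
            raise ValueError(f"{tag} entries take no qualifier: {raw!r}")
        letters = perms.replace("-", "")
        if (len(perms) > 3 or set(letters) - set("rwx")
                or len(set(letters)) != len(letters)):
            raise ValueError(f"bad permissions: {raw!r}")
        entries[(tag, qualifier)] = set(letters)
    return entries

def modify(acl, entries, recalc_mask=True):
    """Model -m/-M: merge entries into acl; recalc_mask=False models -n."""
    result = {**acl, **entries}
    if recalc_mask and ("mask", "") not in entries:
        # Mask = union of all group entries in the resulting ACL (per this page).
        groups = [p for (tag, _), p in result.items() if tag == "group"]
        result[("mask", "")] = set().union(*groups)
    return result

def effective(acl, tag, qualifier=""):
    """Permissions an entry actually grants once the mask is applied."""
    perms = acl[(tag, qualifier)]
    if tag == "other" or (tag, qualifier) == ("user", ""):
        return perms  # file owner and other entries are not limited by the mask
    return perms & acl.get(("mask", ""), perms)

# Constructed sample ACL and -M input (names are made up).
BASE = parse_entries("u::rw-\ng::r--\no::---\nm::r--")
CHANGES = "g:mail:rw   # mail group may write\nu : alice : rw-\n"
```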