.\"-
.\" Copyright (c) 2001 Chris D. Faulhaber
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR THE VOICES IN HIS HEAD BE
.\" LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $FreeBSD$
.\"
.Dd January 7, 2001
.Dt SETFACL 1
.Os
.Sh NAME
.Nm setfacl
.Nd set ACL information
.Sh SYNOPSIS
.Nm
.Op Fl bdhkn
.Op Fl m Ar entries
.Op Fl M Ar file
.Op Fl x Ar entries
.Op Fl X Ar file
.Op Ar
.Sh DESCRIPTION
The
.Nm
utility sets discretionary access control information on
the specified file(s).
.Pp
The following options are available:
.Bl -tag -width indent
.It Fl b
Remove all ACL entries except for the three required entries.
If the ACL contains a
.Dq Li mask
entry, the permissions of the
.Dq Li group
entry in the resulting ACL will be set to the permission
associated with both the
.Dq Li group
and
.Dq Li mask
entries of the current ACL.
.It Fl d
The operations apply to the default ACL entries instead of
access ACL entries.
Currently only directories may have
default ACLs.
.It Fl h
If the target of the operation is a symbolic link, perform the operation
on the symbolic link itself, rather than following the link.
.It Fl k
Delete any default ACL entries on the specified files.
It
is not considered an error if the specified files do not have
any default ACL entries.
An error will be reported if any of
the specified files cannot have a default entry (i.e.\&
non-directories).
.It Fl m Ar entries
Modify the ACL entries on the specified files by adding new
entries and modifying existing ACL entries with the ACL entries
specified in
.Ar entries .
.It Fl M Ar file
Modify the ACL entries on the specified files by adding new
ACL entries and modifying existing ACL entries with the ACL
entries specified in the file
.Ar file .
If
.Ar file
is
.Fl ,
the input is taken from stdin.
.It Fl n
Do not recalculate the permissions associated with the ACL
mask entry.
.It Fl x Ar entries
Remove the ACL entries specified in
.Ar entries
from the access or default ACL of the specified files.
.It Fl X Ar file
Remove the ACL entries specified in the file
.Ar file
from the access or default ACL of the specified files.
.El
.Pp
The above options are evaluated in the order specified
on the command line.
.Sh ACL ENTRIES
An ACL entry contains three colon-separated fields:
an ACL tag, an ACL qualifier, and discretionary access
permissions:
.Bl -tag -width indent
.It Ar "ACL tag"
The ACL tag specifies the ACL entry type and consists of
one of the following:
.Dq Li user
or
.Ql u
specifying the access
granted to the owner of the file or a specified user;
.Dq Li group
or
.Ql g
specifying the access granted to the file owning group
or a specified group;
.Dq Li other
or
.Ql o
specifying the access
granted to any process that does not match any user or group
ACL entry;
.Dq Li mask
or
.Ql m
specifying the maximum access
granted to any ACL entry except the
.Dq Li user
ACL entry for the file owner and the
.Dq Li other
ACL entry.
.It Ar "ACL qualifier"
The ACL qualifier field describes the user or group associated with
the ACL entry.
It may consist of one of the following: uid or
user name, gid or group name, or empty.
For
.Dq Li user
ACL entries, an empty field specifies access granted to the
file owner.
For
.Dq Li group
ACL entries, an empty field specifies access granted to the
file owning group.
.Dq Li mask
and
.Dq Li other
ACL entries do not use this field.
.It Ar "access permissions"
The access permissions field contains up to one of each of
the following:
.Ql r ,
.Ql w ,
and
.Ql x
to set read, write, and
execute permissions, respectively.
Each of these may be excluded
or replaced with a
.Ql -
character to indicate no access.
.El
.Pp
A
.Dq Li mask
ACL entry is required on a file with any ACL entries other than
the default
.Dq Li user ,
.Dq Li group ,
and
.Dq Li other
ACL entries.
If the
.Fl n
option is not specified and no
.Dq Li mask
ACL entry was specified, the
.Nm
utility
will apply a
.Dq Li mask
ACL entry consisting of the union of the permissions associated
with all
.Dq Li group
ACL entries in the resulting ACL.
.Pp
Traditional POSIX interfaces acting on file system object modes have
modified semantics in the presence of POSIX.1e extended ACLs.
When a mask entry is present on the access ACL of an object, the mask
entry is substituted for the group bits; this occurs in programs such
as
.Xr stat 1
or
.Xr ls 1 .
When the mode is modified on an object that has a mask entry, the
changes applied to the group bits will actually be applied to the
mask entry.
These semantics provide for greater application compatibility:
applications modifying the mode instead of the ACL will see
conservative behavior, limiting the effective rights granted by all
of the additional user and group entries; this occurs in programs
such as
.Xr chmod 1 .
.Pp
ACL entries applied from a file using the
.Fl M
or
.Fl X
options shall be of the following form: one ACL entry per line, as
previously specified; whitespace is ignored; any text after a
.Ql #
is ignored (comments).
.Pp
When ACL entries are evaluated, the access check algorithm checks
the ACL entries in the following order: file owner,
.Dq Li user
ACL entries, file owning group,
.Dq Li group
ACL entries, and
.Dq Li other
ACL entry.
.Pp
Multiple ACL entries specified on the command line are
separated by commas.
.Sh EXIT STATUS
.Ex -std
.Sh EXAMPLES
.Dl setfacl -m u::rwx,g:mail:rw file
.Pp
Sets read, write, and execute permissions for the
.Pa file
owner's ACL entry and read and write permissions for group mail on
.Pa file .
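.Pp
As an added illustration (not code from setfacl or the FreeBSD sources), the Python sketch below parses entries in the -M/-X file form and applies the mask limit and check order described under ACL ENTRIES.
The function names, the user and group names, and the sample ACL are constructed; the rule that one matching group entry must grant the whole request is an assumption taken from the POSIX.1e draft, since this page gives only the order.

```python
# Added illustration; not FreeBSD code. Names and SAMPLE are constructed.
PERMS = set("rwx")
TAGS = {"u": "user", "g": "group", "o": "other", "m": "mask"}

def parse_acl(text):
    """Parse the -M/-X file form: one entry per line, '#' starts a comment."""
    acl = {}
    for raw in text.splitlines():
        line = "".join(raw.split("#", 1)[0].split())  # whitespace is ignored
        if not line:
            continue
        fields = line.split(":")
        if len(fields) != 3:
            raise ValueError(f"expected tag:qualifier:perms, got {raw!r}")
        tag, qual, perms = TAGS.get(fields[0], fields[0]), fields[1], fields[2]
        if tag not in TAGS.values():
            raise ValueError(f"unknown ACL tag in {raw!r}")
        if tag in ("mask", "other") and qual:
            raise ValueError(f"{tag} entries take no qualifier: {raw!r}")
        letters = perms.replace("-", "")
        if not set(letters) <= PERMS or len(set(letters)) != len(letters):
            raise ValueError(f"bad permissions in {raw!r}")
        acl[(tag, qual)] = set(letters)
    return acl

def allowed(acl, owner, owning_group, user, groups, want):
    """Check order: owner, named users, owning and named groups, other."""
    want = set(want)
    mask = acl.get(("mask", ""), PERMS)  # no mask entry: nothing is limited
    if user == owner:
        return want <= acl[("user", "")]  # the owner entry is never masked
    if ("user", user) in acl:
        return want <= acl[("user", user)] & mask
    # Assumption (POSIX.1e draft, not stated on this page): once any group
    # entry matches, one of them must grant the request; "other" is not tried.
    matched = [acl[("group", "")]] if owning_group in groups else []
    matched += [acl[("group", g)] for g in groups if ("group", g) in acl]
    if matched:
        return any(want <= perms & mask for perms in matched)
    return want <= acl[("other", "")]

SAMPLE = """\
u::rwx
u:alice:rw-   # named user, capped by the mask
g::r-x
g:mail:rw
m::r--
o::---
"""
```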
.Pp
.Dl setfacl -M file1 file2
.Pp
Sets/updates the ACL entries contained in
.Pa file1
on
.Pa file2 .
.Pp
.Dl setfacl -x g:mail:rw file
.Pp
Remove the group mail ACL entry containing read/write permissions
from
.Pa file .
.Pp
.Dl setfacl -bn file
.Pp
Remove all
.Dq Li access
ACL entries except for the three required from
.Pa file .
.Pp
.Dl getfacl file1 | setfacl -b -n -M - file2
.Pp
Copy ACL entries from
.Pa file1
to
.Pa file2 .
.Sh SEE ALSO
.Xr getfacl 1 ,
.Xr acl 3 ,
.Xr getextattr 8 ,
.Xr setextattr 8 ,
.Xr acl 9 ,
.Xr extattr 9
.Sh STANDARDS
The
.Nm
utility is expected to be
.Tn IEEE
Std 1003.2c compliant.
.Sh HISTORY
Extended Attribute and Access Control List support was developed
as part of the
.Tn TrustedBSD
Project and introduced in
.Fx 5.0 .
.Sh AUTHORS
The
.Nm
utility was written by
.An Chris D. Faulhaber Aq jedgar@fxp.org .