xref: /freebsd/bin/setfacl/setfacl.1 (revision 7b3ea376a27ada7a61eb0c3102f13040fb8c16cb)
1.\"-
2.\" Copyright (c) 2001 Chris D. Faulhaber
3.\" Copyright (c) 2011 Edward Tomasz Napierała
4.\" All rights reserved.
5.\"
6.\" Redistribution and use in source and binary forms, with or without
7.\" modification, are permitted provided that the following conditions
8.\" are met:
9.\" 1. Redistributions of source code must retain the above copyright
10.\"    notice, this list of conditions and the following disclaimer.
11.\" 2. Redistributions in binary form must reproduce the above copyright
12.\"    notice, this list of conditions and the following disclaimer in the
13.\"    documentation and/or other materials provided with the distribution.
14.\"
15.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25.\" SUCH DAMAGE.
26.\"
27.\" $FreeBSD$
28.\"
29.Dd September 4, 2015
30.Dt SETFACL 1
31.Os
32.Sh NAME
33.Nm setfacl
34.Nd set ACL information
35.Sh SYNOPSIS
36.Nm
37.Op Fl bdhkn
38.Op Fl a Ar position entries
39.Op Fl m Ar entries
40.Op Fl M Ar file
41.Op Fl x Ar entries | position
42.Op Fl X Ar file
43.Op Ar
44.Sh DESCRIPTION
45The
46.Nm
47utility sets discretionary access control information on
48the specified file(s).
49If no files are specified, or the list consists of the only
50.Sq Fl ,
51the file names are taken from the standard input.
52.Pp
53The following options are available:
54.Bl -tag -width indent
55.It Fl a Ar position entries
56Modify the ACL on the specified files by inserting new
57ACL entries
58specified in
59.Ar entries ,
60starting at position
61.Ar position ,
62counting from zero.
63This option is only applicable to NFSv4 ACLs.
64.It Fl b
65Remove all ACL entries except for the three required entries
66(POSIX.1e ACLs) or six "canonical" entries (NFSv4 ACLs).
67If the POSIX.1e ACL contains a
68.Dq Li mask
69entry, the permissions of the
70.Dq Li group
71entry in the resulting ACL will be set to the permission
72associated with both the
73.Dq Li group
74and
75.Dq Li mask
76entries of the current ACL.
77.It Fl d
78The operations apply to the default ACL entries instead of
79access ACL entries.
80Currently only directories may have
81default ACL's.  This option is not applicable to NFSv4 ACLs.
82.It Fl h
83If the target of the operation is a symbolic link, perform the operation
84on the symbolic link itself, rather than following the link.
85.It Fl k
86Delete any default ACL entries on the specified files.
87It
88is not considered an error if the specified files do not have
89any default ACL entries.
90An error will be reported if any of
91the specified files cannot have a default entry (i.e.\&
92non-directories).  This option is not applicable to NFSv4 ACLs.
93.It Fl m Ar entries
94Modify the ACL on the specified file.
95New entries will be added, and existing entries will be modified
96according to the
97.Ar entries
98argument.
99For NFSv4 ACLs, it is recommended to use the
100.Fl a
101and
102.Fl x
103options instead.
104.It Fl M Ar file
105Modify the ACL entries on the specified files by adding new
106ACL entries and modifying existing ACL entries with the ACL
107entries specified in the file
108.Ar file .
109If
110.Ar file
111is
112.Fl ,
113the input is taken from stdin.
114.It Fl n
115Do not recalculate the permissions associated with the ACL
116mask entry.  This option is not applicable to NFSv4 ACLs.
117.It Fl x Ar entries | position
118If
119.Ar entries
120is specified, remove the ACL entries specified there
121from the access or default ACL of the specified files.
122Otherwise, remove entry at index
123.Ar position ,
124counting from zero.
125.It Fl X Ar file
126Remove the ACL entries specified in the file
127.Ar file
128from the access or default ACL of the specified files.
129.El
130.Pp
131The above options are evaluated in the order specified
132on the command-line.
133.Sh POSIX.1e ACL ENTRIES
134A POSIX.1E ACL entry contains three colon-separated fields:
135an ACL tag, an ACL qualifier, and discretionary access
136permissions:
137.Bl -tag -width indent
138.It Ar "ACL tag"
139The ACL tag specifies the ACL entry type and consists of
140one of the following:
141.Dq Li user
142or
143.Ql u
144specifying the access
145granted to the owner of the file or a specified user;
146.Dq Li group
147or
148.Ql g
149specifying the access granted to the file owning group
150or a specified group;
151.Dq Li other
152or
153.Ql o
154specifying the access
155granted to any process that does not match any user or group
156ACL entry;
157.Dq Li mask
158or
159.Ql m
160specifying the maximum access
161granted to any ACL entry except the
162.Dq Li user
163ACL entry for the file owner and the
164.Dq Li other
165ACL entry.
166.It Ar "ACL qualifier"
167The ACL qualifier field describes the user or group associated with
168the ACL entry.
169It may consist of one of the following: uid or
170user name, gid or group name, or empty.
171For
172.Dq Li user
173ACL entries, an empty field specifies access granted to the
174file owner.
175For
176.Dq Li group
177ACL entries, an empty field specifies access granted to the
178file owning group.
179.Dq Li mask
180and
181.Dq Li other
182ACL entries do not use this field.
183.It Ar "access permissions"
184The access permissions field contains up to one of each of
185the following:
186.Ql r ,
187.Ql w ,
188and
189.Ql x
190to set read, write, and
191execute permissions, respectively.
192Each of these may be excluded
193or replaced with a
194.Ql -
195character to indicate no access.
196.El
197.Pp
198A
199.Dq Li mask
200ACL entry is required on a file with any ACL entries other than
201the default
202.Dq Li user ,
203.Dq Li group ,
204and
205.Dq Li other
206ACL entries.
207If the
208.Fl n
209option is not specified and no
210.Dq Li mask
211ACL entry was specified, the
212.Nm
213utility
214will apply a
215.Dq Li mask
216ACL entry consisting of the union of the permissions associated
217with all
218.Dq Li group
219ACL entries in the resulting ACL.
220.Pp
221Traditional POSIX interfaces acting on file system object modes have
222modified semantics in the presence of POSIX.1e extended ACLs.
223When a mask entry is present on the access ACL of an object, the mask
224entry is substituted for the group bits; this occurs in programs such
225as
226.Xr stat 1
227or
228.Xr ls 1 .
229When the mode is modified on an object that has a mask entry, the
230changes applied to the group bits will actually be applied to the
231mask entry.
232These semantics provide for greater application compatibility:
233applications modifying the mode instead of the ACL will see
234conservative behavior, limiting the effective rights granted by all
235of the additional user and group entries; this occurs in programs
236such as
237.Xr chmod 1 .
238.Pp
239ACL entries applied from a file using the
240.Fl M
241or
242.Fl X
243options shall be of the following form: one ACL entry per line, as
244previously specified; whitespace is ignored; any text after a
245.Ql #
246is ignored (comments).
247.Pp
248When POSIX.1e ACL entries are evaluated, the access check algorithm checks
249the ACL entries in the following order: file owner,
250.Dq Li user
251ACL entries, file owning group,
252.Dq Li group
253ACL entries, and
254.Dq Li other
255ACL entry.
256.Pp
257Multiple ACL entries specified on the command line are
258separated by commas.
259.Pp
260It is possible for files and directories to inherit ACL entries from their
261parent directory.
262This is accomplished through the use of the default ACL.
263It should be noted that before you can specify a default ACL, the mandatory
264ACL entries for user, group, other and mask must be set.
265For more details see the examples below.
266Default ACLs can be created by using
267.Fl d .
268.Sh NFSv4 ACL ENTRIES
269An NFSv4 ACL entry contains four or five colon-separated fields: an ACL tag,
270an ACL qualifier (only for
271.Dq Li user
272and
273.Dq Li group
274tags), discretionary access permissions, ACL inheritance flags, and ACL type:
275.Bl -tag -width indent
276.It Ar "ACL tag"
277The ACL tag specifies the ACL entry type and consists of
278one of the following:
279.Dq Li user
280or
281.Ql u
282specifying the access
283granted to the specified user;
284.Dq Li group
285or
286.Ql g
287specifying the access granted to the specified group;
288.Dq Li owner@
289specifying the access granted to the owner of the file;
290.Dq Li group@
291specifying the access granted to the file owning group;
292.Dq Li everyone@
293specifying everyone.  Note that
294.Dq Li everyone@
295is not the same as traditional Unix
296.Dq Li other
297- it means,
298literally, everyone, including file owner and owning group.
299.It Ar "ACL qualifier"
300The ACL qualifier field describes the user or group associated with
301the ACL entry.
302It may consist of one of the following: uid or
303user name, or gid or group name.  In entries whose tag type is
304one of
305.Dq Li owner@ ,
306.Dq Li group@ ,
307or
308.Dq Li everyone@ ,
309this field is omitted altogether, including the trailing comma.
310.It Ar "access permissions"
311Access permissions may be specified in either short or long form.
312Short and long forms may not be mixed.
313Permissions in long form are separated by the
314.Ql /
315character; in short form, they are concatenated together.
316Valid permissions are:
317.Bl -tag -width ".Dv modify_set"
318.It Short
319Long
320.It r
321read_data
322.It w
323write_data
324.It x
325execute
326.It p
327append_data
328.It D
329delete_child
330.It d
331delete
332.It a
333read_attributes
334.It A
335write_attributes
336.It R
337read_xattr
338.It W
339write_xattr
340.It c
341read_acl
342.It C
343write_acl
344.It o
345write_owner
346.It s
347synchronize
348.El
349.Pp
350In addition, the following permission sets may be used:
351.Bl -tag -width ".Dv modify_set"
352.It Set
353Permissions
354.It full_set
355all permissions, as shown above
356.It modify_set
357all permissions except write_acl and write_owner
358.It read_set
359read_data, read_attributes, read_xattr and read_acl
360.It write_set
361write_data, append_data, write_attributes and write_xattr
362.El
363.It Ar "ACL inheritance flags"
364Inheritance flags may be specified in either short or long form.
365Short and long forms may not be mixed.
366Access flags in long form are separated by the
367.Ql /
368character; in short form, they are concatenated together.
369Valid inheritance flags are:
370.Bl -tag -width ".Dv short"
371.It Short
372Long
373.It f
374file_inherit
375.It d
376dir_inherit
377.It i
378inherit_only
379.It n
380no_propagate
381.It I
382inherited
383.El
384.Pp
385Other than the "inherited" flag, inheritance flags may be only set on directories.
386.It Ar "ACL type"
387The ACL type field is either
388.Dq Li allow
389or
390.Dq Li deny .
391.El
392.Pp
393ACL entries applied from a file using the
394.Fl M
395or
396.Fl X
397options shall be of the following form: one ACL entry per line, as
398previously specified; whitespace is ignored; any text after a
399.Ql #
400is ignored (comments).
401.Pp
402NFSv4 ACL entries are evaluated in their visible order.
403.Pp
404Multiple ACL entries specified on the command line are
405separated by commas.
406.Pp
407Note that the file owner is always granted the read_acl, write_acl,
408read_attributes, and write_attributes permissions, even if the ACL
409would deny it.
410.Sh EXIT STATUS
411.Ex -std
412.Sh EXAMPLES
413.Dl setfacl -d -m u::rwx,g::rx,o::rx,mask::rwx dir
414.Dl setfacl -d -m g:admins:rwx dir
415.Pp
416The first command sets the mandatory elements of the POSIX.1e default ACL.
417The second command specifies that users in group admins can have read, write, and execute
418permissions for directory named "dir".
419It should be noted that any files or directories created underneath "dir" will
420inherit these default ACLs upon creation.
421.Pp
422.Dl setfacl -m u::rwx,g:mail:rw file
423.Pp
424Sets read, write, and execute permissions for the
425.Pa file
426owner's POSIX.1e ACL entry and read and write permissions for group mail on
427.Pa file .
428.Pp
429.Dl setfacl -m owner@:rwxp::allow,g:mail:rwp::allow file
430.Pp
431Semantically equal to the example above, but for NFSv4 ACL.
432.Pp
433.Dl setfacl -M file1 file2
434.Pp
435Sets/updates the ACL entries contained in
436.Pa file1
437on
438.Pa file2 .
439.Pp
440.Dl setfacl -x g:mail:rw file
441.Pp
442Remove the group mail POSIX.1e ACL entry containing read/write permissions
443from
444.Pa file .
445.Pp
446.Dl setfacl -x0 file
447.Pp
448Remove the first entry from the NFSv4 ACL from
449.Pa file .
450.Pp
451.Dl setfacl -bn file
452.Pp
453Remove all
454.Dq Li access
455ACL entries except for the three required from
456.Pa file .
457.Pp
458.Dl getfacl file1 | setfacl -b -n -M - file2
459.Pp
460Copy ACL entries from
461.Pa file1
462to
463.Pa file2 .
464.Sh SEE ALSO
465.Xr getfacl 1 ,
466.Xr acl 3 ,
467.Xr getextattr 8 ,
468.Xr setextattr 8 ,
469.Xr acl 9 ,
470.Xr extattr 9
471.Sh STANDARDS
472The
473.Nm
474utility is expected to be
475.Tn IEEE
476Std 1003.2c compliant.
477.Sh HISTORY
478Extended Attribute and Access Control List support was developed
479as part of the
480.Tn TrustedBSD
481Project and introduced in
482.Fx 5.0 .
483NFSv4 ACL support was introduced in
484.Fx 8.1 .
485.Sh AUTHORS
486.An -nosplit
487The
488.Nm
489utility was written by
490.An Chris D. Faulhaber Aq Mt jedgar@fxp.org .
491NFSv4 ACL support was implemented by
492.An Edward Tomasz Napierala Aq Mt trasz@FreeBSD.org .
493