.\"
.\" Copyright (c) 2001 Chris D. Faulhaber
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR THE VOICES IN HIS HEAD BE
.\" LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $FreeBSD$
.\"
.Dd January 7, 2001
.Dt SETFACL 1
.Os
.Sh NAME
.Nm setfacl
.Nd set ACL information
.Sh SYNOPSIS
.Nm
.Op Fl bdkn
.Op Fl m Ar entries
.Op Fl M Ar file1
.Op Fl x Ar entries
.Op Fl X Ar file1
.Op Ar
.Sh DESCRIPTION
The
.Nm
utility sets discretionary access control information on
the specified file(s).
.Pp
The following options are available:
.Bl -tag -width indent
.It Fl b
Remove all ACL entries except for the three required entries.
If the ACL contains a
.Dq Li mask
entry, the permissions of the
.Dq Li group
entry in the resulting ACL will be set to the permission
associated with both the
.Dq Li group
and
.Dq Li mask
entries of the current ACL.
.It Fl d
The operations apply to the default ACL entries instead of
access ACL entries.
Currently only directories may have
default ACLs.
.It Fl k
Delete any default ACL entries on the specified files.
It
is not considered an error if the specified files do not have
any default ACL entries.
An error will be reported if any of
the specified files cannot have a default entry (i.e.\&
non-directories).
.It Fl m Ar entries
Modify the ACL entries on the specified files by adding new
entries and modifying existing ACL entries with the ACL entries
specified in
.Ar entries .
.It Fl M Ar file
Modify the ACL entries on the specified files by adding new
ACL entries and modifying existing ACL entries with the ACL
entries specified in the file
.Ar file .
If
.Ar file
is
.Fl ,
the input is taken from stdin.
.It Fl n
Do not recalculate the permissions associated with the ACL
mask entry.
.It Fl x Ar entries
Remove the ACL entries specified in
.Ar entries
from the access or default ACL of the specified files.
.It Fl X Ar file
Remove the ACL entries specified in the file
.Ar file
from the access or default ACL of the specified files.
.El
.Pp
The above options are evaluated in the order specified
on the command-line.
.Sh ACL ENTRIES
An ACL entry contains three colon-separated fields:
an ACL tag, an ACL qualifier, and discretionary access
permissions:
.Bl -tag -width indent
.It Ar "ACL tag"
The ACL tag specifies the ACL entry type and consists of
one of the following:
.Dq Li user
or
.Ql u
specifying the access
granted to the owner of the file or a specified user;
.Dq Li group
or
.Ql g
specifying the access granted to the file owning group
or a specified group;
.Dq Li other
or
.Ql o
specifying the access
granted to any process that does not match any user or group
ACL entry;
.Dq Li mask
or
.Ql m
specifying the maximum access
granted to any ACL entry except the
.Dq Li user
ACL entry for the file owner and the
.Dq Li other
ACL entry.
.It Ar "ACL qualifier"
The ACL qualifier field describes the user or group associated with
the ACL entry.
It may consist of one of the following: uid or
user name, gid or group name, or empty.
For
.Dq Li user
ACL entries, an empty field specifies access granted to the
file owner.
For
.Dq Li group
ACL entries, an empty field specifies access granted to the
file owning group.
.Dq Li mask
and
.Dq Li other
ACL entries do not use this field.
.It Ar "access permissions"
The access permissions field contains up to one of each of
the following:
.Ql r ,
.Ql w ,
and
.Ql x
to set read, write, and
execute permissions, respectively.
Each of these may be excluded
or replaced with a
.Ql -
character to indicate no access.
.El
.Pp
A
.Dq Li mask
ACL entry is required on a file with any ACL entries other than
the default
.Dq Li user ,
.Dq Li group ,
and
.Dq Li other
ACL entries.
If the
.Fl n
option is not specified and no
.Dq Li mask
ACL entry was specified, the
.Nm
utility
will apply a
.Dq Li mask
ACL entry consisting of the union of the permissions associated
with all
.Dq Li group
ACL entries in the resulting ACL.
.Pp
ACL entries applied from a file using the
.Fl M
or
.Fl X
options shall be of the following form: one ACL entry per line, as
previously specified; whitespace is ignored; any text after a
.Ql #
is ignored (comments).
.Pp
When ACL entries are evaluated, the access check algorithm checks
the ACL entries in the following order: file owner,
.Dq Li user
ACL entries, file owning group,
.Dq Li group
ACL entries, and
.Dq Li other
ACL entry.
.Pp
Multiple ACL entries specified on the command line are
separated by commas.
.Sh DIAGNOSTICS
.Ex -std
.Sh EXAMPLES
.Dl setfacl -m u::rwx,g:mail:rw file
.Pp
Sets read, write, and execute permissions for the
.Pa file
owner's ACL entry and read and write permissions for group mail on
.Pa file .
.Pp
.Dl setfacl -M file1 file2
.Pp
Sets/updates the ACL entries contained in
.Pa file1
on
.Pa file2 .
.Pp
.Dl setfacl -x g:mail:rw file
.Pp
Remove the group mail ACL entry containing read/write permissions
from
.Pa file .
.Pp
.Dl setfacl -bn file
.Pp
Remove all
.Dq Li access
ACL entries except for the three required from
.Pa file .
.Pp
.Dl getfacl file1 | setfacl -b -n -M - file2
.Pp
Copy ACL entries from
.Pa file1
to
.Pa file2 .
.Sh SEE ALSO
.Xr getfacl 1 ,
.Xr acl 3 ,
.Xr getextattr 8 ,
.Xr setextattr 8 ,
.Xr acl 9 ,
.Xr extattr 9
.Sh STANDARDS
The
.Nm
utility is expected to be
.Tn IEEE
Std 1003.2c compliant.
.Sh HISTORY
Extended Attribute and Access Control List support was developed
as part of the
.Tn TrustedBSD
Project and introduced in
.Fx 5.0 .
.Sh AUTHORS
The
.Nm
utility was written by
.An Chris D. Faulhaber Aq jedgar@fxp.org .
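Added example, not part of the original manual page or of the setfacl source: a Python sketch that parses entries in the file form accepted by -M and -X (one entry per line, whitespace ignored, text after # ignored) and shows which permissions remain once the mask entry is applied, as described under ACL ENTRIES. The function names and the sample input are constructed for illustration; rejecting a qualifier on mask and other entries is an assumption of this sketch.

```python
import re

TAGS = {"u": "user", "g": "group", "o": "other", "m": "mask"}
BITS = {"r": 4, "w": 2, "x": 1}

def parse_entry(text):
    """Parse one 'tag:qualifier:perms' entry into (tag, qualifier, bits)."""
    fields = text.split(":")
    if len(fields) != 3:
        raise ValueError(f"expected three colon-separated fields: {text!r}")
    tag, qualifier, perms = fields
    tag = TAGS.get(tag, tag)              # accept short or long tag names
    if tag not in TAGS.values():
        raise ValueError(f"unknown ACL tag: {text!r}")
    if tag in ("mask", "other") and qualifier:
        # Assumption of this sketch: flag a qualifier these tags do not use.
        raise ValueError(f"{tag} entries take no qualifier: {text!r}")
    letters = perms.replace("-", "")      # '-' stands for "no access"
    if len(set(letters)) != len(letters) or set(letters) - set(BITS):
        raise ValueError(f"bad access permissions: {text!r}")
    return tag, qualifier, sum(BITS[c] for c in letters)

def parse_acl_file(text):
    """Parse -M/-X file content: strip comments and all whitespace per line."""
    entries = []
    for line in text.splitlines():
        line = re.sub(r"\s+", "", line.split("#", 1)[0])
        if line:
            entries.append(parse_entry(line))
    return entries

def effective(entries):
    """Limit every entry by the mask, except the owner's user entry and other."""
    mask = next((b for t, _, b in entries if t == "mask"), 7)
    out = {}
    for tag, qualifier, bits in entries:
        exempt = tag in ("other", "mask") or (tag == "user" and not qualifier)
        out[(tag, qualifier)] = bits if exempt else bits & mask
    return out

SAMPLE = """\
# constructed sample input, not taken from a real system
u::rwx
g::r-x
user:alice:rw-   # named user
g:mail:rw
mask::r--
o::---
"""
```

Running effective(parse_acl_file(SAMPLE)) shows the named user and both group entries reduced to read-only by the mask while the file owner keeps rwx, which is the check to make before applying a reviewed ACL file with -M.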