xref: /freebsd/bin/setfacl/setfacl.1 (revision ae83180158c4c937f170e31eff311b18c0286a93)
.\"
.\" Copyright (c) 2001 Chris D. Faulhaber
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR THE VOICES IN HIS HEAD BE
.\" LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $FreeBSD$
.\"
.Dd January 7, 2001
.Dt SETFACL 1
.Os
.Sh NAME
.Nm setfacl
.Nd set ACL information
.Sh SYNOPSIS
.Nm
.Op Fl bdkn
.Op Fl m Ar entries
.Op Fl M Ar file
.Op Fl x Ar entries
.Op Fl X Ar file
.Op Ar
.Sh DESCRIPTION
The
.Nm
utility sets discretionary access control information on
the specified file(s).
.Pp
The following options are available:
.Bl -tag -width indent
.It Fl b
Remove all ACL entries except for the three required entries.
If the ACL contains a
.Dq Li mask
entry, the permissions of the
.Dq Li group
entry in the resulting ACL will be set to the permission
associated with both the
.Dq Li group
and
.Dq Li mask
entries of the current ACL.
.It Fl d
The operations apply to the default ACL entries instead of
access ACL entries.  Currently only directories may have
default ACLs.
.It Fl k
Delete any default ACL entries on the specified files.  It
is not considered an error if the specified files do not have
any default ACL entries.  An error will be reported if any of
the specified files cannot have a default entry (i.e.\&
non-directories).
.It Fl m Ar entries
Modify the ACL entries on the specified files by adding new
entries and modifying existing ACL entries with the ACL entries
specified in
.Ar entries .
.It Fl M Ar file
Modify the ACL entries on the specified files by adding new
ACL entries and modifying existing ACL entries with the ACL
entries specified in the file
.Ar file .
If
.Ar file
is
.Fl ,
the input is taken from stdin.
.It Fl n
Do not recalculate the permissions associated with the ACL
mask entry.
.It Fl x Ar entries
Remove the ACL entries specified in
.Ar entries
from the access or default ACL of the specified files.
.It Fl X Ar file
Remove the ACL entries specified in the file
.Ar file
from the access or default ACL of the specified files.
.El
.Pp
The above options are evaluated in the order specified
on the command-line.
.Sh ACL ENTRIES
An ACL entry contains three colon-separated fields:
an ACL tag, an ACL qualifier, and discretionary access
permissions:
.Bl -tag -width indent
.It Ar "ACL tag"
The ACL tag specifies the ACL entry type and consists of
one of the following:
.Dq Li user
or
.Ql u
specifying the access
granted to the owner of the file or a specified user;
.Dq Li group
or
.Ql g
specifying the access granted to the file owning group
or a specified group;
.Dq Li other
or
.Ql o
specifying the access
granted to any process that does not match any user or group
ACL entry;
.Dq Li mask
or
.Ql m
specifying the maximum access
granted to any ACL entry except the
.Dq Li user
ACL entry for the file owner and the
.Dq Li other
ACL entry.
.It Ar "ACL qualifier"
The ACL qualifier field describes the user or group associated with
the ACL entry.  It may consist of one of the following: uid or
user name, gid or group name, or empty.  For
.Dq Li user
ACL entries, an empty field specifies access granted to the
file owner.  For
.Dq Li group
ACL entries, an empty field specifies access granted to the
file owning group.
.Dq Li mask
and
.Dq Li other
ACL entries do not use this field.
.It Ar "access permissions"
The access permissions field contains up to one of each of
the following:
.Ql r ,
.Ql w ,
and
.Ql x
to set read, write, and
execute permissions, respectively.  Each of these may be excluded
or replaced with a
.Ql -
character to indicate no access.
.El
.Pp
A
.Dq Li mask
ACL entry is required on a file with any ACL entries other than
the default
.Dq Li user ,
.Dq Li group ,
and
.Dq Li other
ACL entries.  If the
.Fl n
option is not specified and no
.Dq Li mask
ACL entry was specified, the
.Nm
utility
will apply a
.Dq Li mask
ACL entry consisting of the union of the permissions associated
with all
.Dq Li group
ACL entries in the resulting ACL.
.Pp
ACL entries applied from a file using the
.Fl M
or
.Fl X
options shall be of the following form: one ACL entry per line, as
previously specified; whitespace is ignored; any text after a
.Ql #
is ignored (comments).
.Pp
When ACL entries are evaluated, the access check algorithm checks
the ACL entries in the following order: file owner,
.Dq Li user
ACL entries, file owning group,
.Dq Li group
ACL entries, and
.Dq Li other
ACL entry.
.Pp
Multiple ACL entries specified on the command line are
separated by commas.
.Sh DIAGNOSTICS
.Ex -std
.Sh EXAMPLES
.Dl setfacl -m u::rwx,g:mail:rw file
.Pp
Sets read, write, and execute permissions for the
.Pa file
owner's ACL entry and read and write permissions for group mail on
.Pa file .
.Pp
.Dl setfacl -M file1 file2
.Pp
Sets/updates the ACL entries contained in
.Pa file1
on
.Pa file2 .
.Pp
.Dl setfacl -x g:mail:rw file
.Pp
Remove the group mail ACL entry containing read/write permissions
from
.Pa file .
.Pp
.Dl setfacl -bn file
.Pp
Remove all
.Dq Li access
ACL entries except for the three required from
.Pa file .
.Pp
.Dl getfacl file1 | setfacl -b -n -M - file2
.Pp
Copy ACL entries from
.Pa file1
to
.Pa file2 .
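The following is an added example, not part of the original manual page or of the setfacl sources. It parses entries in the file format accepted by -M and -X (one entry per line, whitespace ignored, text after # ignored) and prints each entry with the permissions that remain once the mask entry described under ACL ENTRIES is applied. The names acl_effective and sample_acl are hypothetical and the sample entries are constructed; the script does not call setfacl.

```shell
# Added example: print each ACL entry from stdin with its mask-limited permissions.
acl_effective() {
    awk '
    BEGIN { t["u"] = t["user"] = "user"; t["g"] = t["group"] = "group"
            t["o"] = t["other"] = "other"; t["m"] = t["mask"] = "mask" }
    function valid(p,    s) {            # only r, w, x, "-"; at most one of each
        s = p; if (s !~ /^[rwx-]*$/) return 0
        return gsub(/r/, "", s) <= 1 && gsub(/w/, "", s) <= 1 && gsub(/x/, "", s) <= 1
    }
    function canon(p,    r, w, x) {      # "rw" -> "rw-", "" -> "---"
        r = index(p, "r") ? "r" : "-"; w = index(p, "w") ? "w" : "-"; x = index(p, "x") ? "x" : "-"
        return r w x
    }
    function cap(p, m,    i, c, out) {   # keep only bits set in both p and m
        for (i = 1; i <= 3; i++) {
            c = substr(p, i, 1); if (c != substr(m, i, 1)) c = "-"
            out = out c
        }
        return out
    }
    {
        sub(/#.*/, "")                   # text after "#" is a comment
        gsub(/[ \t\r]/, "")              # whitespace is ignored
        if ($0 == "") next
        n = split($0, f, ":")            # tag : qualifier : permissions
        if (n != 3 || !(f[1] in t) || !valid(f[3]) ||
            (f[2] != "" && (t[f[1]] == "mask" || t[f[1]] == "other"))) {
            printf "line %d: invalid ACL entry\n", NR > "/dev/stderr"
            bad = 1; next
        }
        k++; tag[k] = t[f[1]]; qual[k] = f[2]; perm[k] = canon(f[3])
        if (tag[k] == "mask") mask = perm[k]
    }
    END {
        if (bad) exit 1
        for (i = 1; i <= k; i++) {       # file owner, mask and other are never capped
            eff = perm[i]
            if (mask != "" && (tag[i] == "group" || (tag[i] == "user" && qual[i] != "")))
                eff = cap(perm[i], mask)
            print tag[i] ":" qual[i] ":" eff
        }
    }'
}
# Constructed sample input in the -M file format (not taken from a real system).
sample_acl() {
    printf '%s\n' '# constructed sample' 'u::rwx' 'g::r-x  # owning group' \
        'user:alice:rwx' 'g : mail : rw' 'mask::r-x' 'o::r'
}
sample_acl | acl_effective
```

In the sample, the entries for user alice and group mail ask for write access, but the mask of r-x leaves them with r-x and r-- respectively.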
.Sh SEE ALSO
.Xr getfacl 1 ,
.Xr acl 3 ,
.Xr getextattr 8 ,
.Xr setextattr 8 ,
.Xr acl 9 ,
.Xr extattr 9
.Sh STANDARDS
The
.Nm
utility is expected to be
.Tn IEEE
Std 1003.2c compliant.
.Sh HISTORY
Extended Attribute and Access Control List support was developed
as part of the
.Tn TrustedBSD
Project and introduced in
.Fx 5.0 .
.Sh AUTHORS
The
.Nm
utility was written by
.An Chris D. Faulhaber Aq jedgar@fxp.org .