1.\"- 2.\" Copyright (c) 2001 Chris D. Faulhaber 3.\" Copyright (c) 2011 Edward Tomasz Napierała 4.\" All rights reserved. 5.\" 6.\" Redistribution and use in source and binary forms, with or without 7.\" modification, are permitted provided that the following conditions 8.\" are met: 9.\" 1. Redistributions of source code must retain the above copyright 10.\" notice, this list of conditions and the following disclaimer. 11.\" 2. Redistributions in binary form must reproduce the above copyright 12.\" notice, this list of conditions and the following disclaimer in the 13.\" documentation and/or other materials provided with the distribution. 14.\" 15.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 16.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 17.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 18.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 19.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 20.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 21.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 22.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 23.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 24.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 25.\" SUCH DAMAGE. 26.\" 27.\" $FreeBSD$ 28.\" 29.Dd September 4, 2015 30.Dt SETFACL 1 31.Os 32.Sh NAME 33.Nm setfacl 34.Nd set ACL information 35.Sh SYNOPSIS 36.Nm 37.Op Fl bdhkn 38.Op Fl a Ar position entries 39.Op Fl m Ar entries 40.Op Fl M Ar file 41.Op Fl x Ar entries | position 42.Op Fl X Ar file 43.Op Ar 44.Sh DESCRIPTION 45The 46.Nm 47utility sets discretionary access control information on 48the specified file(s). 49If no files are specified, or the list consists of the only 50.Sq Fl , 51the file names are taken from the standard input. 52.Pp 53The following options are available: 54.Bl -tag -width indent 55.It Fl a Ar position entries 56Modify the ACL on the specified files by inserting new 57ACL entries 58specified in 59.Ar entries , 60starting at position 61.Ar position , 62counting from zero. 63This option is only applicable to NFSv4 ACLs. 64.It Fl b 65Remove all ACL entries except for the three required entries 66(POSIX.1e ACLs) or six "canonical" entries (NFSv4 ACLs). 67If the POSIX.1e ACL contains a 68.Dq Li mask 69entry, the permissions of the 70.Dq Li group 71entry in the resulting ACL will be set to the permission 72associated with both the 73.Dq Li group 74and 75.Dq Li mask 76entries of the current ACL. 77.It Fl d 78The operations apply to the default ACL entries instead of 79access ACL entries. 80Currently only directories may have 81default ACL's. This option is not applicable to NFSv4 ACLs. 82.It Fl h 83If the target of the operation is a symbolic link, perform the operation 84on the symbolic link itself, rather than following the link. 85.It Fl k 86Delete any default ACL entries on the specified files. 87It 88is not considered an error if the specified files do not have 89any default ACL entries. 90An error will be reported if any of 91the specified files cannot have a default entry (i.e.\& 92non-directories). This option is not applicable to NFSv4 ACLs. 93.It Fl m Ar entries 94Modify the ACL on the specified file. 95New entries will be added, and existing entries will be modified 96according to the 97.Ar entries 98argument. 99For NFSv4 ACLs, it is recommended to use the 100.Fl a 101and 102.Fl x 103options instead. 104.It Fl M Ar file 105Modify the ACL entries on the specified files by adding new 106ACL entries and modifying existing ACL entries with the ACL 107entries specified in the file 108.Ar file . 109If 110.Ar file 111is 112.Fl , 113the input is taken from stdin. 114.It Fl n 115Do not recalculate the permissions associated with the ACL 116mask entry. This option is not applicable to NFSv4 ACLs. 117.It Fl x Ar entries | position 118If 119.Ar entries 120is specified, remove the ACL entries specified there 121from the access or default ACL of the specified files. 122Otherwise, remove entry at index 123.Ar position , 124counting from zero. 125.It Fl X Ar file 126Remove the ACL entries specified in the file 127.Ar file 128from the access or default ACL of the specified files. 129.El 130.Pp 131The above options are evaluated in the order specified 132on the command-line. 133.Sh POSIX.1e ACL ENTRIES 134A POSIX.1E ACL entry contains three colon-separated fields: 135an ACL tag, an ACL qualifier, and discretionary access 136permissions: 137.Bl -tag -width indent 138.It Ar "ACL tag" 139The ACL tag specifies the ACL entry type and consists of 140one of the following: 141.Dq Li user 142or 143.Ql u 144specifying the access 145granted to the owner of the file or a specified user; 146.Dq Li group 147or 148.Ql g 149specifying the access granted to the file owning group 150or a specified group; 151.Dq Li other 152or 153.Ql o 154specifying the access 155granted to any process that does not match any user or group 156ACL entry; 157.Dq Li mask 158or 159.Ql m 160specifying the maximum access 161granted to any ACL entry except the 162.Dq Li user 163ACL entry for the file owner and the 164.Dq Li other 165ACL entry. 166.It Ar "ACL qualifier" 167The ACL qualifier field describes the user or group associated with 168the ACL entry. 169It may consist of one of the following: uid or 170user name, gid or group name, or empty. 171For 172.Dq Li user 173ACL entries, an empty field specifies access granted to the 174file owner. 175For 176.Dq Li group 177ACL entries, an empty field specifies access granted to the 178file owning group. 179.Dq Li mask 180and 181.Dq Li other 182ACL entries do not use this field. 183.It Ar "access permissions" 184The access permissions field contains up to one of each of 185the following: 186.Ql r , 187.Ql w , 188and 189.Ql x 190to set read, write, and 191execute permissions, respectively. 192Each of these may be excluded 193or replaced with a 194.Ql - 195character to indicate no access. 196.El 197.Pp 198A 199.Dq Li mask 200ACL entry is required on a file with any ACL entries other than 201the default 202.Dq Li user , 203.Dq Li group , 204and 205.Dq Li other 206ACL entries. 207If the 208.Fl n 209option is not specified and no 210.Dq Li mask 211ACL entry was specified, the 212.Nm 213utility 214will apply a 215.Dq Li mask 216ACL entry consisting of the union of the permissions associated 217with all 218.Dq Li group 219ACL entries in the resulting ACL. 220.Pp 221Traditional POSIX interfaces acting on file system object modes have 222modified semantics in the presence of POSIX.1e extended ACLs. 223When a mask entry is present on the access ACL of an object, the mask 224entry is substituted for the group bits; this occurs in programs such 225as 226.Xr stat 1 227or 228.Xr ls 1 . 229When the mode is modified on an object that has a mask entry, the 230changes applied to the group bits will actually be applied to the 231mask entry. 232These semantics provide for greater application compatibility: 233applications modifying the mode instead of the ACL will see 234conservative behavior, limiting the effective rights granted by all 235of the additional user and group entries; this occurs in programs 236such as 237.Xr chmod 1 . 238.Pp 239ACL entries applied from a file using the 240.Fl M 241or 242.Fl X 243options shall be of the following form: one ACL entry per line, as 244previously specified; whitespace is ignored; any text after a 245.Ql # 246is ignored (comments). 247.Pp 248When POSIX.1e ACL entries are evaluated, the access check algorithm checks 249the ACL entries in the following order: file owner, 250.Dq Li user 251ACL entries, file owning group, 252.Dq Li group 253ACL entries, and 254.Dq Li other 255ACL entry. 256.Pp 257Multiple ACL entries specified on the command line are 258separated by commas. 259.Pp 260It is possible for files and directories to inherit ACL entries from their 261parent directory. 262This is accomplished through the use of the default ACL. 263It should be noted that before you can specify a default ACL, the mandatory 264ACL entries for user, group, other and mask must be set. 265For more details see the examples below. 266Default ACLs can be created by using 267.Fl d . 268.Sh NFSv4 ACL ENTRIES 269An NFSv4 ACL entry contains four or five colon-separated fields: an ACL tag, 270an ACL qualifier (only for 271.Dq Li user 272and 273.Dq Li group 274tags), discretionary access permissions, ACL inheritance flags, and ACL type: 275.Bl -tag -width indent 276.It Ar "ACL tag" 277The ACL tag specifies the ACL entry type and consists of 278one of the following: 279.Dq Li user 280or 281.Ql u 282specifying the access 283granted to the specified user; 284.Dq Li group 285or 286.Ql g 287specifying the access granted to the specified group; 288.Dq Li owner@ 289specifying the access granted to the owner of the file; 290.Dq Li group@ 291specifying the access granted to the file owning group; 292.Dq Li everyone@ 293specifying everyone. Note that 294.Dq Li everyone@ 295is not the same as traditional Unix 296.Dq Li other 297- it means, 298literally, everyone, including file owner and owning group. 299.It Ar "ACL qualifier" 300The ACL qualifier field describes the user or group associated with 301the ACL entry. 302It may consist of one of the following: uid or 303user name, or gid or group name. In entries whose tag type is 304one of 305.Dq Li owner@ , 306.Dq Li group@ , 307or 308.Dq Li everyone@ , 309this field is omitted altogether, including the trailing comma. 310.It Ar "access permissions" 311Access permissions may be specified in either short or long form. 312Short and long forms may not be mixed. 313Permissions in long form are separated by the 314.Ql / 315character; in short form, they are concatenated together. 316Valid permissions are: 317.Bl -tag -width ".Dv modify_set" 318.It Short 319Long 320.It r 321read_data 322.It w 323write_data 324.It x 325execute 326.It p 327append_data 328.It D 329delete_child 330.It d 331delete 332.It a 333read_attributes 334.It A 335write_attributes 336.It R 337read_xattr 338.It W 339write_xattr 340.It c 341read_acl 342.It C 343write_acl 344.It o 345write_owner 346.It s 347synchronize 348.El 349.Pp 350In addition, the following permission sets may be used: 351.Bl -tag -width ".Dv modify_set" 352.It Set 353Permissions 354.It full_set 355all permissions, as shown above 356.It modify_set 357all permissions except write_acl and write_owner 358.It read_set 359read_data, read_attributes, read_xattr and read_acl 360.It write_set 361write_data, append_data, write_attributes and write_xattr 362.El 363.It Ar "ACL inheritance flags" 364Inheritance flags may be specified in either short or long form. 365Short and long forms may not be mixed. 366Access flags in long form are separated by the 367.Ql / 368character; in short form, they are concatenated together. 369Valid inheritance flags are: 370.Bl -tag -width ".Dv short" 371.It Short 372Long 373.It f 374file_inherit 375.It d 376dir_inherit 377.It i 378inherit_only 379.It n 380no_propagate 381.It I 382inherited 383.El 384.Pp 385Other than the "inherited" flag, inheritance flags may be only set on directories. 386.It Ar "ACL type" 387The ACL type field is either 388.Dq Li allow 389or 390.Dq Li deny . 391.El 392.Pp 393ACL entries applied from a file using the 394.Fl M 395or 396.Fl X 397options shall be of the following form: one ACL entry per line, as 398previously specified; whitespace is ignored; any text after a 399.Ql # 400is ignored (comments). 401.Pp 402NFSv4 ACL entries are evaluated in their visible order. 403.Pp 404Multiple ACL entries specified on the command line are 405separated by commas. 406.Pp 407Note that the file owner is always granted the read_acl, write_acl, 408read_attributes, and write_attributes permissions, even if the ACL 409would deny it. 410.Sh EXIT STATUS 411.Ex -std 412.Sh EXAMPLES 413.Dl setfacl -d -m u::rwx,g::rx,o::rx,mask::rwx dir 414.Dl setfacl -d -m g:admins:rwx dir 415.Pp 416The first command sets the mandatory elements of the POSIX.1e default ACL. 417The second command specifies that users in group admins can have read, write, and execute 418permissions for directory named "dir". 419It should be noted that any files or directories created underneath "dir" will 420inherit these default ACLs upon creation. 421.Pp 422.Dl setfacl -m u::rwx,g:mail:rw file 423.Pp 424Sets read, write, and execute permissions for the 425.Pa file 426owner's POSIX.1e ACL entry and read and write permissions for group mail on 427.Pa file . 428.Pp 429.Dl setfacl -m owner@:rwxp::allow,g:mail:rwp::allow file 430.Pp 431Semantically equal to the example above, but for NFSv4 ACL. 432.Pp 433.Dl setfacl -M file1 file2 434.Pp 435Sets/updates the ACL entries contained in 436.Pa file1 437on 438.Pa file2 . 439.Pp 440.Dl setfacl -x g:mail:rw file 441.Pp 442Remove the group mail POSIX.1e ACL entry containing read/write permissions 443from 444.Pa file . 445.Pp 446.Dl setfacl -x0 file 447.Pp 448Remove the first entry from the NFSv4 ACL from 449.Pa file . 450.Pp 451.Dl setfacl -bn file 452.Pp 453Remove all 454.Dq Li access 455ACL entries except for the three required from 456.Pa file . 457.Pp 458.Dl getfacl file1 | setfacl -b -n -M - file2 459.Pp 460Copy ACL entries from 461.Pa file1 462to 463.Pa file2 . 464.Sh SEE ALSO 465.Xr getfacl 1 , 466.Xr acl 3 , 467.Xr getextattr 8 , 468.Xr setextattr 8 , 469.Xr acl 9 , 470.Xr extattr 9 471.Sh STANDARDS 472The 473.Nm 474utility is expected to be 475.Tn IEEE 476Std 1003.2c compliant. 477.Sh HISTORY 478Extended Attribute and Access Control List support was developed 479as part of the 480.Tn TrustedBSD 481Project and introduced in 482.Fx 5.0 . 483NFSv4 ACL support was introduced in 484.Fx 8.1 . 485.Sh AUTHORS 486.An -nosplit 487The 488.Nm 489utility was written by 490.An Chris D. Faulhaber Aq Mt jedgar@fxp.org . 491NFSv4 ACL support was implemented by 492.An Edward Tomasz Napierala Aq Mt trasz@FreeBSD.org . 493