.\"
.\" Copyright (c) 2001 Chris D. Faulhaber
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR THE VOICES IN HIS HEAD BE
.\" LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $FreeBSD$
.\"
.Dd January 7, 2001
.Dt SETFACL 1
.Os
.Sh NAME
.Nm setfacl
.Nd set ACL information
.Sh SYNOPSIS
.Nm
.Op Fl bdhkn
.Op Fl m Ar entries
.Op Fl M Ar file1
.Op Fl x Ar entries
.Op Fl X Ar file1
.Op Ar
.Sh DESCRIPTION
The
.Nm
utility sets discretionary access control information on
the specified file(s).
.Pp
The following options are available:
.Bl -tag -width indent
.It Fl b
Remove all ACL entries except for the three required entries.
If the ACL contains a
.Dq Li mask
entry, the permissions of the
.Dq Li group
entry in the resulting ACL will be set to the permission
associated with both the
.Dq Li group
and
.Dq Li mask
entries of the current ACL.
.It Fl d
The operations apply to the default ACL entries instead of
access ACL entries.  Currently only directories may have
default ACLs.
.It Fl h
If the target of the operation is a symbolic link, perform the operation
on the symbolic link itself, rather than following the link.
.It Fl k
Delete any default ACL entries on the specified files.  It
is not considered an error if the specified files do not have
any default ACL entries.  An error will be reported if any of
the specified files cannot have a default entry (i.e.\&
non-directories).
.It Fl m Ar entries
Modify the ACL entries on the specified files by adding new
entries and modifying existing ACL entries with the ACL entries
specified in
.Ar entries .
.It Fl M Ar file
Modify the ACL entries on the specified files by adding new
ACL entries and modifying existing ACL entries with the ACL
entries specified in the file
.Ar file .
If
.Ar file
is
.Fl ,
the input is taken from stdin.
.It Fl n
Do not recalculate the permissions associated with the ACL
mask entry.
.It Fl x Ar entries
Remove the ACL entries specified in
.Ar entries
from the access or default ACL of the specified files.
.It Fl X Ar file
Remove the ACL entries specified in the file
.Ar file
from the access or default ACL of the specified files.
.El
.Pp
The above options are evaluated in the order specified
on the command line.
.Sh ACL ENTRIES
An ACL entry contains three colon-separated fields:
an ACL tag, an ACL qualifier, and discretionary access
permissions:
.Bl -tag -width indent
.It Ar "ACL tag"
The ACL tag specifies the ACL entry type and consists of
one of the following:
.Dq Li user
or
.Ql u
specifying the access
granted to the owner of the file or a specified user;
.Dq Li group
or
.Ql g
specifying the access granted to the file owning group
or a specified group;
.Dq Li other
or
.Ql o
specifying the access
granted to any process that does not match any user or group
ACL entry;
.Dq Li mask
or
.Ql m
specifying the maximum access
granted to any ACL entry except the
.Dq Li user
ACL entry for the file owner and the
.Dq Li other
ACL entry.
.It Ar "ACL qualifier"
The ACL qualifier field describes the user or group associated with
the ACL entry.  It may consist of one of the following: uid or
user name, gid or group name, or empty.  For
.Dq Li user
ACL entries, an empty field specifies access granted to the
file owner.  For
.Dq Li group
ACL entries, an empty field specifies access granted to the
file owning group.
.Dq Li mask
and
.Dq Li other
ACL entries do not use this field.
.It Ar "access permissions"
The access permissions field contains up to one of each of
the following:
.Ql r ,
.Ql w ,
and
.Ql x
to set read, write, and
execute permissions, respectively.  Each of these may be excluded
or replaced with a
.Ql -
character to indicate no access.
.El
.Pp
A
.Dq Li mask
ACL entry is required on a file with any ACL entries other than
the default
.Dq Li user ,
.Dq Li group ,
and
.Dq Li other
ACL entries.
If the
.Fl n
option is not specified and no
.Dq Li mask
ACL entry was specified, the
.Nm
utility
will apply a
.Dq Li mask
ACL entry consisting of the union of the permissions associated
with all
.Dq Li group
ACL entries in the resulting ACL.
.Pp
Traditional POSIX interfaces acting on file system object modes have
modified semantics in the presence of POSIX.1e extended ACLs.
When a mask entry is present on the access ACL of an object, the mask
entry is substituted for the group bits; this occurs in programs such
as
.Xr stat 1
or
.Xr ls 1 .
When the mode is modified on an object that has a mask entry, the
changes applied to the group bits will actually be applied to the
mask entry.
These semantics provide for greater application compatibility:
applications modifying the mode instead of the ACL will see
conservative behavior, limiting the effective rights granted by all
of the additional user and group entries; this occurs in programs
such as
.Xr chmod 1 .
.Pp
ACL entries applied from a file using the
.Fl M
or
.Fl X
options shall be of the following form: one ACL entry per line, as
previously specified; whitespace is ignored; any text after a
.Ql #
is ignored (comments).
.Pp
When ACL entries are evaluated, the access check algorithm checks
the ACL entries in the following order: file owner,
.Dq Li user
ACL entries, file owning group,
.Dq Li group
ACL entries, and
.Dq Li other
ACL entry.
.Pp
Multiple ACL entries specified on the command line are
separated by commas.
.Sh DIAGNOSTICS
.Ex -std
.Sh EXAMPLES
.Dl setfacl -m u::rwx,g:mail:rw file
.Pp
Sets read, write, and execute permissions for the
.Pa file
owner's ACL entry and read and write permissions for group mail on
.Pa file .
.Pp
.Dl setfacl -M file1 file2
.Pp
Sets/updates the ACL entries contained in
.Pa file1
on
.Pa file2 .
.Pp
.Dl setfacl -x g:mail:rw file
.Pp
Remove the group mail ACL entry containing read/write permissions
from
.Pa file .
.Pp
.Dl setfacl -bn file
.Pp
Remove all
.Dq Li access
ACL entries except for the three required from
.Pa file .
.Pp
.Dl getfacl file1 | setfacl -b -n -M - file2
.Pp
Copy ACL entries from
.Pa file1
to
.Pa file2 .
.Sh SEE ALSO
.Xr getfacl 1 ,
.Xr acl 3 ,
.Xr getextattr 8 ,
.Xr setextattr 8 ,
.Xr acl 9 ,
.Xr extattr 9
.Sh STANDARDS
The
.Nm
utility is expected to be
.Tn IEEE
Std 1003.2c compliant.
.Sh HISTORY
Extended Attribute and Access Control List support was developed
as part of the
.Tn TrustedBSD
Project and introduced in
.Fx 5.0 .
.Sh AUTHORS
The
.Nm
utility was written by
.An Chris D. Faulhaber Aq jedgar@fxp.org .
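The entry format and mask rule described under ACL ENTRIES, as an added example that is not part of the original manual page or the setfacl source: this Python code parses entries in the file form accepted by -M and -X (one entry per line, whitespace ignored, text after # ignored) and reports the effective permissions of each entry once the mask is applied. The sample entries, the user name alice, and the function names are constructed for illustration.

```python
# Added example: audit an ACL entry file for the rights each entry really grants.
SAMPLE = """\
# constructed sample, in the form read by setfacl -M
u::rwx
u:alice:rw-     # named user
g::r-x
g:mail:rw
m::r--
o::---
"""

TAGS = {"u": "user", "user": "user", "g": "group", "group": "group",
        "o": "other", "other": "other", "m": "mask", "mask": "mask"}

def parse_acl(text):
    """Return a list of (tag, qualifier, perms); perms is a set of 'r', 'w', 'x'."""
    entries = []
    for raw in text.splitlines():
        # Drop the comment, then remove all whitespace (it is ignored).
        line = "".join(raw.split("#", 1)[0].split())
        if not line:
            continue
        fields = line.split(":")
        if len(fields) != 3 or fields[0] not in TAGS:
            raise ValueError(f"bad ACL entry: {raw!r}")
        tag, qual, perms = TAGS[fields[0]], fields[1], fields[2]
        if tag in ("mask", "other") and qual:
            raise ValueError(f"{tag} entries take no qualifier: {raw!r}")
        # At most one each of r, w, x; '-' stands for no access.
        if set(perms) - set("rwx-") or any(perms.count(c) > 1 for c in "rwx"):
            raise ValueError(f"bad permissions: {raw!r}")
        entries.append((tag, qual, set(perms) - {"-"}))
    return entries

def effective(entries):
    """Map 'tag:qualifier' to the rwx string left after the mask is applied."""
    mask = next((p for t, _, p in entries if t == "mask"), None)
    out = {}
    for tag, qual, perms in entries:
        if tag == "mask":
            continue
        # The mask limits every entry except the file owner's user entry and other.
        exempt = tag == "other" or (tag == "user" and not qual)
        eff = perms if (mask is None or exempt) else perms & mask
        out[f"{tag}:{qual}"] = "".join(c if c in eff else "-" for c in "rwx")
    return out

if __name__ == "__main__":
    for name, perms in effective(parse_acl(SAMPLE)).items():
        print(f"{name:12} {perms}")
```

In the sample, the write bits requested for alice and for group mail do not survive the r-- mask, which is the case to look for when reviewing an ACL file before applying it.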