1.\"- 2.\" Copyright (c) 2001 Chris D. Faulhaber 3.\" Copyright (c) 2011 Edward Tomasz Napierała 4.\" All rights reserved. 5.\" 6.\" Redistribution and use in source and binary forms, with or without 7.\" modification, are permitted provided that the following conditions 8.\" are met: 9.\" 1. Redistributions of source code must retain the above copyright 10.\" notice, this list of conditions and the following disclaimer. 11.\" 2. Redistributions in binary form must reproduce the above copyright 12.\" notice, this list of conditions and the following disclaimer in the 13.\" documentation and/or other materials provided with the distribution. 14.\" 15.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 16.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 17.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 18.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 19.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 20.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 21.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 22.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 23.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 24.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 25.\" SUCH DAMAGE. 26.\" 27.\" $FreeBSD$ 28.\" 29.Dd January 23, 2016 30.Dt SETFACL 1 31.Os 32.Sh NAME 33.Nm setfacl 34.Nd set ACL information 35.Sh SYNOPSIS 36.Nm 37.Op Fl bdhkn 38.Op Fl a Ar position entries 39.Op Fl m Ar entries 40.Op Fl M Ar file 41.Op Fl x Ar entries | position 42.Op Fl X Ar file 43.Op Ar 44.Sh DESCRIPTION 45The 46.Nm 47utility sets discretionary access control information on 48the specified file(s). 49If no files are specified, or the list consists of the only 50.Sq Fl , 51the file names are taken from the standard input. 52.Pp 53The following options are available: 54.Bl -tag -width indent 55.It Fl a Ar position entries 56Modify the ACL on the specified files by inserting new 57ACL entries 58specified in 59.Ar entries , 60starting at position 61.Ar position , 62counting from zero. 63This option is only applicable to NFSv4 ACLs. 64.It Fl b 65Remove all ACL entries except for the ones synthesized 66from the file mode - the three mandatory entries in case 67of POSIX.1e ACL. 68If the POSIX.1e ACL contains a 69.Dq Li mask 70entry, the permissions of the 71.Dq Li group 72entry in the resulting ACL will be set to the permission 73associated with both the 74.Dq Li group 75and 76.Dq Li mask 77entries of the current ACL. 78.It Fl d 79The operations apply to the default ACL entries instead of 80access ACL entries. 81Currently only directories may have 82default ACL's. This option is not applicable to NFSv4 ACLs. 83.It Fl h 84If the target of the operation is a symbolic link, perform the operation 85on the symbolic link itself, rather than following the link. 86.It Fl k 87Delete any default ACL entries on the specified files. 88It 89is not considered an error if the specified files do not have 90any default ACL entries. 91An error will be reported if any of 92the specified files cannot have a default entry (i.e.\& 93non-directories). This option is not applicable to NFSv4 ACLs. 94.It Fl m Ar entries 95Modify the ACL on the specified file. 96New entries will be added, and existing entries will be modified 97according to the 98.Ar entries 99argument. 100For NFSv4 ACLs, it is recommended to use the 101.Fl a 102and 103.Fl x 104options instead. 105.It Fl M Ar file 106Modify the ACL entries on the specified files by adding new 107ACL entries and modifying existing ACL entries with the ACL 108entries specified in the file 109.Ar file . 110If 111.Ar file 112is 113.Fl , 114the input is taken from stdin. 115.It Fl n 116Do not recalculate the permissions associated with the ACL 117mask entry. 118This option is not applicable to NFSv4 ACLs. 119.It Fl x Ar entries | position 120If 121.Ar entries 122is specified, remove the ACL entries specified there 123from the access or default ACL of the specified files. 124Otherwise, remove entry at index 125.Ar position , 126counting from zero. 127.It Fl X Ar file 128Remove the ACL entries specified in the file 129.Ar file 130from the access or default ACL of the specified files. 131.El 132.Pp 133The above options are evaluated in the order specified 134on the command-line. 135.Sh POSIX.1e ACL ENTRIES 136A POSIX.1E ACL entry contains three colon-separated fields: 137an ACL tag, an ACL qualifier, and discretionary access 138permissions: 139.Bl -tag -width indent 140.It Ar "ACL tag" 141The ACL tag specifies the ACL entry type and consists of 142one of the following: 143.Dq Li user 144or 145.Ql u 146specifying the access 147granted to the owner of the file or a specified user; 148.Dq Li group 149or 150.Ql g 151specifying the access granted to the file owning group 152or a specified group; 153.Dq Li other 154or 155.Ql o 156specifying the access 157granted to any process that does not match any user or group 158ACL entry; 159.Dq Li mask 160or 161.Ql m 162specifying the maximum access 163granted to any ACL entry except the 164.Dq Li user 165ACL entry for the file owner and the 166.Dq Li other 167ACL entry. 168.It Ar "ACL qualifier" 169The ACL qualifier field describes the user or group associated with 170the ACL entry. 171It may consist of one of the following: uid or 172user name, gid or group name, or empty. 173For 174.Dq Li user 175ACL entries, an empty field specifies access granted to the 176file owner. 177For 178.Dq Li group 179ACL entries, an empty field specifies access granted to the 180file owning group. 181.Dq Li mask 182and 183.Dq Li other 184ACL entries do not use this field. 185.It Ar "access permissions" 186The access permissions field contains up to one of each of 187the following: 188.Ql r , 189.Ql w , 190and 191.Ql x 192to set read, write, and 193execute permissions, respectively. 194Each of these may be excluded 195or replaced with a 196.Ql - 197character to indicate no access. 198.El 199.Pp 200A 201.Dq Li mask 202ACL entry is required on a file with any ACL entries other than 203the default 204.Dq Li user , 205.Dq Li group , 206and 207.Dq Li other 208ACL entries. 209If the 210.Fl n 211option is not specified and no 212.Dq Li mask 213ACL entry was specified, the 214.Nm 215utility 216will apply a 217.Dq Li mask 218ACL entry consisting of the union of the permissions associated 219with all 220.Dq Li group 221ACL entries in the resulting ACL. 222.Pp 223Traditional POSIX interfaces acting on file system object modes have 224modified semantics in the presence of POSIX.1e extended ACLs. 225When a mask entry is present on the access ACL of an object, the mask 226entry is substituted for the group bits; this occurs in programs such 227as 228.Xr stat 1 229or 230.Xr ls 1 . 231When the mode is modified on an object that has a mask entry, the 232changes applied to the group bits will actually be applied to the 233mask entry. 234These semantics provide for greater application compatibility: 235applications modifying the mode instead of the ACL will see 236conservative behavior, limiting the effective rights granted by all 237of the additional user and group entries; this occurs in programs 238such as 239.Xr chmod 1 . 240.Pp 241ACL entries applied from a file using the 242.Fl M 243or 244.Fl X 245options shall be of the following form: one ACL entry per line, as 246previously specified; whitespace is ignored; any text after a 247.Ql # 248is ignored (comments). 249.Pp 250When POSIX.1e ACL entries are evaluated, the access check algorithm checks 251the ACL entries in the following order: file owner, 252.Dq Li user 253ACL entries, file owning group, 254.Dq Li group 255ACL entries, and 256.Dq Li other 257ACL entry. 258.Pp 259Multiple ACL entries specified on the command line are 260separated by commas. 261.Pp 262It is possible for files and directories to inherit ACL entries from their 263parent directory. 264This is accomplished through the use of the default ACL. 265It should be noted that before you can specify a default ACL, the mandatory 266ACL entries for user, group, other and mask must be set. 267For more details see the examples below. 268Default ACLs can be created by using 269.Fl d . 270.Sh NFSv4 ACL ENTRIES 271An NFSv4 ACL entry contains four or five colon-separated fields: an ACL tag, 272an ACL qualifier (only for 273.Dq Li user 274and 275.Dq Li group 276tags), discretionary access permissions, ACL inheritance flags, and ACL type: 277.Bl -tag -width indent 278.It Ar "ACL tag" 279The ACL tag specifies the ACL entry type and consists of 280one of the following: 281.Dq Li user 282or 283.Ql u 284specifying the access 285granted to the specified user; 286.Dq Li group 287or 288.Ql g 289specifying the access granted to the specified group; 290.Dq Li owner@ 291specifying the access granted to the owner of the file; 292.Dq Li group@ 293specifying the access granted to the file owning group; 294.Dq Li everyone@ 295specifying everyone. 296Note that 297.Dq Li everyone@ 298is not the same as traditional Unix 299.Dq Li other 300- it means, 301literally, everyone, including file owner and owning group. 302.It Ar "ACL qualifier" 303The ACL qualifier field describes the user or group associated with 304the ACL entry. 305It may consist of one of the following: uid or 306user name, or gid or group name. 307In entries whose tag type is one of 308.Dq Li owner@ , 309.Dq Li group@ , 310or 311.Dq Li everyone@ , 312this field is omitted altogether, including the trailing comma. 313.It Ar "access permissions" 314Access permissions may be specified in either short or long form. 315Short and long forms may not be mixed. 316Permissions in long form are separated by the 317.Ql / 318character; in short form, they are concatenated together. 319Valid permissions are: 320.Bl -tag -width ".Dv modify_set" 321.It Short 322Long 323.It r 324read_data 325.It w 326write_data 327.It x 328execute 329.It p 330append_data 331.It D 332delete_child 333.It d 334delete 335.It a 336read_attributes 337.It A 338write_attributes 339.It R 340read_xattr 341.It W 342write_xattr 343.It c 344read_acl 345.It C 346write_acl 347.It o 348write_owner 349.It s 350synchronize 351.El 352.Pp 353In addition, the following permission sets may be used: 354.Bl -tag -width ".Dv modify_set" 355.It Set 356Permissions 357.It full_set 358all permissions, as shown above 359.It modify_set 360all permissions except write_acl and write_owner 361.It read_set 362read_data, read_attributes, read_xattr and read_acl 363.It write_set 364write_data, append_data, write_attributes and write_xattr 365.El 366.It Ar "ACL inheritance flags" 367Inheritance flags may be specified in either short or long form. 368Short and long forms may not be mixed. 369Access flags in long form are separated by the 370.Ql / 371character; in short form, they are concatenated together. 372Valid inheritance flags are: 373.Bl -tag -width ".Dv short" 374.It Short 375Long 376.It f 377file_inherit 378.It d 379dir_inherit 380.It i 381inherit_only 382.It n 383no_propagate 384.It I 385inherited 386.El 387.Pp 388Other than the "inherited" flag, inheritance flags may be only set on directories. 389.It Ar "ACL type" 390The ACL type field is either 391.Dq Li allow 392or 393.Dq Li deny . 394.El 395.Pp 396ACL entries applied from a file using the 397.Fl M 398or 399.Fl X 400options shall be of the following form: one ACL entry per line, as 401previously specified; whitespace is ignored; any text after a 402.Ql # 403is ignored (comments). 404.Pp 405NFSv4 ACL entries are evaluated in their visible order. 406.Pp 407Multiple ACL entries specified on the command line are 408separated by commas. 409.Pp 410Note that the file owner is always granted the read_acl, write_acl, 411read_attributes, and write_attributes permissions, even if the ACL 412would deny it. 413.Sh EXIT STATUS 414.Ex -std 415.Sh EXAMPLES 416.Dl setfacl -d -m u::rwx,g::rx,o::rx,mask::rwx dir 417.Dl setfacl -d -m g:admins:rwx dir 418.Pp 419The first command sets the mandatory elements of the POSIX.1e default ACL. 420The second command specifies that users in group admins can have read, write, and execute 421permissions for directory named "dir". 422It should be noted that any files or directories created underneath "dir" will 423inherit these default ACLs upon creation. 424.Pp 425.Dl setfacl -m u::rwx,g:mail:rw file 426.Pp 427Sets read, write, and execute permissions for the 428.Pa file 429owner's POSIX.1e ACL entry and read and write permissions for group mail on 430.Pa file . 431.Pp 432.Dl setfacl -m owner@:rwxp::allow,g:mail:rwp::allow file 433.Pp 434Semantically equal to the example above, but for NFSv4 ACL. 435.Pp 436.Dl setfacl -M file1 file2 437.Pp 438Sets/updates the ACL entries contained in 439.Pa file1 440on 441.Pa file2 . 442.Pp 443.Dl setfacl -x g:mail:rw file 444.Pp 445Remove the group mail POSIX.1e ACL entry containing read/write permissions 446from 447.Pa file . 448.Pp 449.Dl setfacl -x0 file 450.Pp 451Remove the first entry from the NFSv4 ACL from 452.Pa file . 453.Pp 454.Dl setfacl -bn file 455.Pp 456Remove all 457.Dq Li access 458ACL entries except for the three required from 459.Pa file . 460.Pp 461.Dl getfacl file1 | setfacl -b -n -M - file2 462.Pp 463Copy ACL entries from 464.Pa file1 465to 466.Pa file2 . 467.Sh SEE ALSO 468.Xr getfacl 1 , 469.Xr acl 3 , 470.Xr getextattr 8 , 471.Xr setextattr 8 , 472.Xr acl 9 , 473.Xr extattr 9 474.Sh STANDARDS 475The 476.Nm 477utility is expected to be 478.Tn IEEE 479Std 1003.2c compliant. 480.Sh HISTORY 481Extended Attribute and Access Control List support was developed 482as part of the 483.Tn TrustedBSD 484Project and introduced in 485.Fx 5.0 . 486NFSv4 ACL support was introduced in 487.Fx 8.1 . 488.Sh AUTHORS 489.An -nosplit 490The 491.Nm 492utility was written by 493.An Chris D. Faulhaber Aq Mt jedgar@fxp.org . 494NFSv4 ACL support was implemented by 495.An Edward Tomasz Napierala Aq Mt trasz@FreeBSD.org . 496