xref: /freebsd/bin/setfacl/setfacl.1 (revision f5f7c05209ca2c3748fd8b27c5e80ffad49120eb)
1.\"-
2.\" Copyright (c) 2001 Chris D. Faulhaber
3.\" Copyright (c) 2011 Edward Tomasz Napierała
4.\" All rights reserved.
5.\"
6.\" Redistribution and use in source and binary forms, with or without
7.\" modification, are permitted provided that the following conditions
8.\" are met:
9.\" 1. Redistributions of source code must retain the above copyright
10.\"    notice, this list of conditions and the following disclaimer.
11.\" 2. Redistributions in binary form must reproduce the above copyright
12.\"    notice, this list of conditions and the following disclaimer in the
13.\"    documentation and/or other materials provided with the distribution.
14.\"
15.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25.\" SUCH DAMAGE.
26.\"
27.\" $FreeBSD$
28.\"
29.Dd September 2, 2012
30.Dt SETFACL 1
31.Os
32.Sh NAME
33.Nm setfacl
34.Nd set ACL information
35.Sh SYNOPSIS
36.Nm
37.Op Fl bdhkn
38.Op Fl a Ar position entries
39.Op Fl m Ar entries
40.Op Fl M Ar file
41.Op Fl x Ar entries | position
42.Op Fl X Ar file
43.Op Ar
44.Sh DESCRIPTION
45The
46.Nm
47utility sets discretionary access control information on
48the specified file(s).
49If no files are specified, or the list consists of the only
50.Sq Fl ,
51the file names are taken from the standard input.
52.Pp
53The following options are available:
54.Bl -tag -width indent
55.It Fl a Ar position entries
56Modify the ACL on the specified files by inserting new
57ACL entries
58specified in
59.Ar entries ,
60starting at position
61.Ar position ,
62counting from zero.
63This option is only applicable to NFSv4 ACLs.
64.It Fl b
65Remove all ACL entries except for the three required entries
66(POSIX.1e ACLs) or six "canonical" entries (NFSv4 ACLs).
67If the POSIX.1e ACL contains a
68.Dq Li mask
69entry, the permissions of the
70.Dq Li group
71entry in the resulting ACL will be set to the permission
72associated with both the
73.Dq Li group
74and
75.Dq Li mask
76entries of the current ACL.
77.It Fl d
78The operations apply to the default ACL entries instead of
79access ACL entries.
80Currently only directories may have
81default ACL's.  This option is not applicable to NFSv4 ACLs.
82.It Fl h
83If the target of the operation is a symbolic link, perform the operation
84on the symbolic link itself, rather than following the link.
85.It Fl k
86Delete any default ACL entries on the specified files.
87It
88is not considered an error if the specified files do not have
89any default ACL entries.
90An error will be reported if any of
91the specified files cannot have a default entry (i.e.\&
92non-directories).  This option is not applicable to NFSv4 ACLs.
93.It Fl m Ar entries
94Modify the ACL entries on the specified files by adding new
95entries and modifying existing ACL entries with the ACL entries
96specified in
97.Ar entries .
98.It Fl M Ar file
99Modify the ACL entries on the specified files by adding new
100ACL entries and modifying existing ACL entries with the ACL
101entries specified in the file
102.Ar file .
103If
104.Ar file
105is
106.Fl ,
107the input is taken from stdin.
108.It Fl n
109Do not recalculate the permissions associated with the ACL
110mask entry.  This option is not applicable to NFSv4 ACLs.
111.It Fl x Ar entries | position
112If
113.Ar entries
114is specified, remove the ACL entries specified there
115from the access or default ACL of the specified files.
116Otherwise, remove entry at index
117.Ar position ,
118counting from zero.
119.It Fl X Ar file
120Remove the ACL entries specified in the file
121.Ar file
122from the access or default ACL of the specified files.
123.El
124.Pp
125The above options are evaluated in the order specified
126on the command-line.
127.Sh POSIX.1e ACL ENTRIES
128A POSIX.1E ACL entry contains three colon-separated fields:
129an ACL tag, an ACL qualifier, and discretionary access
130permissions:
131.Bl -tag -width indent
132.It Ar "ACL tag"
133The ACL tag specifies the ACL entry type and consists of
134one of the following:
135.Dq Li user
136or
137.Ql u
138specifying the access
139granted to the owner of the file or a specified user;
140.Dq Li group
141or
142.Ql g
143specifying the access granted to the file owning group
144or a specified group;
145.Dq Li other
146or
147.Ql o
148specifying the access
149granted to any process that does not match any user or group
150ACL entry;
151.Dq Li mask
152or
153.Ql m
154specifying the maximum access
155granted to any ACL entry except the
156.Dq Li user
157ACL entry for the file owner and the
158.Dq Li other
159ACL entry.
160.It Ar "ACL qualifier"
161The ACL qualifier field describes the user or group associated with
162the ACL entry.
163It may consist of one of the following: uid or
164user name, gid or group name, or empty.
165For
166.Dq Li user
167ACL entries, an empty field specifies access granted to the
168file owner.
169For
170.Dq Li group
171ACL entries, an empty field specifies access granted to the
172file owning group.
173.Dq Li mask
174and
175.Dq Li other
176ACL entries do not use this field.
177.It Ar "access permissions"
178The access permissions field contains up to one of each of
179the following:
180.Ql r ,
181.Ql w ,
182and
183.Ql x
184to set read, write, and
185execute permissions, respectively.
186Each of these may be excluded
187or replaced with a
188.Ql -
189character to indicate no access.
190.El
191.Pp
192A
193.Dq Li mask
194ACL entry is required on a file with any ACL entries other than
195the default
196.Dq Li user ,
197.Dq Li group ,
198and
199.Dq Li other
200ACL entries.
201If the
202.Fl n
203option is not specified and no
204.Dq Li mask
205ACL entry was specified, the
206.Nm
207utility
208will apply a
209.Dq Li mask
210ACL entry consisting of the union of the permissions associated
211with all
212.Dq Li group
213ACL entries in the resulting ACL.
214.Pp
215Traditional POSIX interfaces acting on file system object modes have
216modified semantics in the presence of POSIX.1e extended ACLs.
217When a mask entry is present on the access ACL of an object, the mask
218entry is substituted for the group bits; this occurs in programs such
219as
220.Xr stat 1
221or
222.Xr ls 1 .
223When the mode is modified on an object that has a mask entry, the
224changes applied to the group bits will actually be applied to the
225mask entry.
226These semantics provide for greater application compatibility:
227applications modifying the mode instead of the ACL will see
228conservative behavior, limiting the effective rights granted by all
229of the additional user and group entries; this occurs in programs
230such as
231.Xr chmod 1 .
232.Pp
233ACL entries applied from a file using the
234.Fl M
235or
236.Fl X
237options shall be of the following form: one ACL entry per line, as
238previously specified; whitespace is ignored; any text after a
239.Ql #
240is ignored (comments).
241.Pp
242When POSIX.1e ACL entries are evaluated, the access check algorithm checks
243the ACL entries in the following order: file owner,
244.Dq Li user
245ACL entries, file owning group,
246.Dq Li group
247ACL entries, and
248.Dq Li other
249ACL entry.
250.Pp
251Multiple ACL entries specified on the command line are
252separated by commas.
253.Pp
254It is possible for files and directories to inherit ACL entries from their
255parent directory.
256This is accomplished through the use of the default ACL.
257It should be noted that before you can specify a default ACL, the mandatory
258ACL entries for user, group, other and mask must be set.
259For more details see the examples below.
260Default ACLs can be created by using
261.Fl d .
262.Sh NFSv4 ACL ENTRIES
263An NFSv4 ACL entry contains four or five colon-separated fields: an ACL tag,
264an ACL qualifier (only for
265.Dq Li user
266and
267.Dq Li group
268tags), discretionary access permissions, ACL inheritance flags, and ACL type:
269.Bl -tag -width indent
270.It Ar "ACL tag"
271The ACL tag specifies the ACL entry type and consists of
272one of the following:
273.Dq Li user
274or
275.Ql u
276specifying the access
277granted to the specified user;
278.Dq Li group
279or
280.Ql g
281specifying the access granted to the specified group;
282.Dq Li owner@
283specifying the access granted to the owner of the file;
284.Dq Li group@
285specifying the access granted to the file owning group;
286.Dq Li everyone@
287specifying everyone.  Note that
288.Dq Li everyone@
289is not the same as traditional Unix
290.Dq Li other
291- it means,
292literally, everyone, including file owner and owning group.
293.It Ar "ACL qualifier"
294The ACL qualifier field describes the user or group associated with
295the ACL entry.
296It may consist of one of the following: uid or
297user name, or gid or group name.  In entries whose tag type is
298one of
299.Dq Li owner@ ,
300.Dq Li group@ ,
301or
302.Dq Li everyone@ ,
303this field is omitted altogether, including the trailing comma.
304.It Ar "access permissions"
305Access permissions may be specified in either short or long form.
306Short and long forms may not be mixed.
307Permissions in long form are separated by the
308.Ql /
309character; in short form, they are concatenated together.
310Valid permissions are:
311.Bl -tag -width ".Dv modify_set"
312.It Short
313Long
314.It r
315read_data
316.It w
317write_data
318.It x
319execute
320.It p
321append_data
322.It d
323delete_child
324.It D
325delete
326.It a
327read_attributes
328.It A
329write_attributes
330.It R
331read_xattr
332.It W
333write_xattr
334.It c
335read_acl
336.It C
337write_acl
338.It o
339write_owner
340.It s
341synchronize
342.El
343.Pp
344In addition, the following permission sets may be used:
345.Bl -tag -width ".Dv modify_set"
346.It Set
347Permissions
348.It full_set
349all permissions, as shown above
350.It modify_set
351all permissions except write_acl and write_owner
352.It read_set
353read_data, read_attributes, read_xattr and read_acl
354.It write_set
355write_data, append_data, write_attributes and write_xattr
356.El
357.It Ar "ACL inheritance flags"
358Inheritance flags may be specified in either short or long form.
359Short and long forms may not be mixed.
360Access flags in long form are separated by the
361.Ql /
362character; in short form, they are concatenated together.
363Valid inheritance flags are:
364.Bl -tag -width ".Dv short"
365.It Short
366Long
367.It f
368file_inherit
369.It d
370dir_inherit
371.It i
372inherit_only
373.It n
374no_propagate
375.El
376.Pp
377Inheritance flags may be only set on directories.
378.It Ar "ACL type"
379The ACL type field is either
380.Dq Li allow
381or
382.Dq Li deny .
383.El
384.Pp
385ACL entries applied from a file using the
386.Fl M
387or
388.Fl X
389options shall be of the following form: one ACL entry per line, as
390previously specified; whitespace is ignored; any text after a
391.Ql #
392is ignored (comments).
393.Pp
394NFSv4 ACL entries are evaluated in their visible order.
395.Pp
396Multiple ACL entries specified on the command line are
397separated by commas.
398.Sh EXIT STATUS
399.Ex -std
400.Sh EXAMPLES
401.Dl setfacl -d -m u::rwx,g::rx,o::rx,mask::rwx dir
402.Dl setfacl -d -m g:admins:rwx dir
403.Pp
404The first command sets the mandatory elements of the POSIX.1e default ACL.
405The second command specifies that users in group admins can have read, write, and execute
406permissions for directory named "dir".
407It should be noted that any files or directories created underneath "dir" will
408inherit these default ACLs upon creation.
409.Pp
410.Dl setfacl -m u::rwx,g:mail:rw file
411.Pp
412Sets read, write, and execute permissions for the
413.Pa file
414owner's POSIX.1e ACL entry and read and write permissions for group mail on
415.Pa file .
416.Pp
417.Dl setfacl -m owner@:rwxp::allow,g:mail:rwp::allow file
418.Pp
419Semantically equal to the example above, but for NFSv4 ACL.
420.Pp
421.Dl setfacl -M file1 file2
422.Pp
423Sets/updates the ACL entries contained in
424.Pa file1
425on
426.Pa file2 .
427.Pp
428.Dl setfacl -x g:mail:rw file
429.Pp
430Remove the group mail POSIX.1e ACL entry containing read/write permissions
431from
432.Pa file .
433.Pp
434.Dl setfacl -x0 file
435.Pp
436Remove the first entry from the NFSv4 ACL from
437.Pa file .
438.Pp
439.Dl setfacl -bn file
440.Pp
441Remove all
442.Dq Li access
443ACL entries except for the three required from
444.Pa file .
445.Pp
446.Dl getfacl file1 | setfacl -b -n -M - file2
447.Pp
448Copy ACL entries from
449.Pa file1
450to
451.Pa file2 .
452.Sh SEE ALSO
453.Xr getfacl 1 ,
454.Xr acl 3 ,
455.Xr getextattr 8 ,
456.Xr setextattr 8 ,
457.Xr acl 9 ,
458.Xr extattr 9
459.Sh STANDARDS
460The
461.Nm
462utility is expected to be
463.Tn IEEE
464Std 1003.2c compliant.
465.Sh HISTORY
466Extended Attribute and Access Control List support was developed
467as part of the
468.Tn TrustedBSD
469Project and introduced in
470.Fx 5.0 .
471NFSv4 ACL support was introduced in
472.Fx 8.1 .
473.Sh AUTHORS
474.An -nosplit
475The
476.Nm
477utility was written by
478.An Chris D. Faulhaber Aq jedgar@fxp.org .
479NFSv4 ACL support was implemented by
480.An Edward Tomasz Napierala Aq trasz@FreeBSD.org .
481